torsocks: option to disable all network traffic

[ilf]

I've already talked to dgoulet about this:

I would love an option to make torsocks disable all network traffic. There are many good use cases to run applications without Internet communication. For example, commands in mailcap(4) to display non-text.

This is a classic job for (application) firewalls, but torsocks has all the functionality already, f.e. if used with an invalid --port where no Tor or proxy is actually listening. But this is an ugly hack.

A --disable-network option would be very easy for torsocks, and very useful. Of course, it's low priority.

[onirony]

One really easy way to implement this would be to have the --disable-network option ask the OS for an unused ephemeral port and set TORSOCKS_TOR_PORT to that.

As you noted, applications like Firejail are pretty much created for exactly this kind of situation, and it's really easy to use:

firejail --net=none [command]

This reminds me of those early-nineties debates between acolytes of the GNU and BSD camps, where GNU created very fully-featured utilities and BSD was creating small utilities that did one thing well.

Anyway, I'll gladly implement this if y'all deem my admittedly-also-pretty-hacky (but also good enough in all plausible scenarios!) ephemeral port solution to be an acceptable approach. Or in the likely event that someone suggests a better way, I'll do it that way.

[ilf]

You are absolutely right, quoting ​the UNIX philosophy: "Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new 'features'."

As I said, "this is a classic job for (application) firewalls, but torsocks has all the functionality already".

Your approach sounds reasonable, although I'm not sure how complicated checking that the ephemeral port is actually unused is.

I'll leave the decision on this to the authors and maintainers.