-
-
Notifications
You must be signed in to change notification settings - Fork 520
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Traffic not blocked if service not running #1183
Comments
Hi @voidray , The main component of OpenSnitch is the daemon, the GUI is just a frontend to control the daemon. All the functionality is implemented in the daemon.
You can change the DefaultAction to 'deny', well from the GUI (Preferences->Nodes) or well from the configuration: If the GUI is running, you'll be prompted to allow/deny outbound connections. If it's not running, all outbound connections should be denied. |
If the daemon is not running outbound connections are not blocked, that is what my problem is. |
ok, but why is it not running? please, post the log /var/log/opensnitchd.log and the output of By the way, what distro and opensnitch version are you running? Also it'll be useful launching it manually to see what's going on: first be sure that it's not running: then launch it as root: ~ $ sudo su
~ # /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/ |
To quote from the linked ticket "If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues." |
hmm, there could be an option to block all traffic if the daemon is not running under this item opensnitch/daemon/default-config.json Line 18 in 14747a0
either by adding a fw rule to block outbound connections, or a module. For now the service must be running to block outbound connections. |
I think @BobSquarePants is trying to accomplish the same behaviour in #1201 @voidray . Right now there're two options:
In both cases you'll need a rule to allow established connections (because we only act on NEW connections): Show rule
By doing this, if the daemon dies, new connections will be dropped. It's possible to configure it from the GUI, but it's disabled right now. If you think @voidray it'd be useful I can enable it. Anyway, this would be a temporary solution. There're better ways of doing this, like loading a XDP module to allow/deny already approved/denied connections. Although probably it'd interfere with many services of the system (network namespaces, ...) |
I changed the /etc/nftables.conf and /etc/opensnitch/system-fw.conf files, but when I stop opensnitchd internet access is still possible. After only changing /etc/nftables.conf all traffic is blocked, but the change in /etc/opensnitch/system-fw.conf allows it somehow again (I rebooted the whole system after the changes). I added the json without any changes in system-fw.conf under "Rules" before the first element (Allow ICMP"). |
When stopping the daemon we delete the rules we added. If the're tables configured in /etc/nftables.conf with no rules, named like the ones we create (inet mangle output), we're deleting them. That's probably why it is not working. You can try killing the daemon instead of stopping it: I'll enable the option in the GUI, with a warning detailing the implications. |
Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
Not sure if this is a bug, but I want to block all connections if the service is not running.
I set "DefaultAction": "deny" in /etc/opensnitchd/default-config.json, but this is only applied if the service is running.
I would like to have aynthing blocked and then decide what to allow (whitelist). Ideally in the UI I can see what is necessary.
The same question was asked here #884, but the issue was closed.
Ideally the service wouldn't be needed and the ui would just define the rules. This is how for example SimpleWall works on Windows, where the Windows internal firewall is used. I don't know the internals of OpenSnitch and the firewall concept in Linux to be able to say if that is possible in Linux.
The text was updated successfully, but these errors were encountered: