Using opensnitch and nftables. #1201
Replies: 1 comment 1 reply
-
hi @BobSquarePants ,
I think so. The daemon is launched in multi-user stage, before the network is available.
Yeah, if you want to lock down the system it makes sense. The risks are that you might block legit connections. That way, opensnitch will prompt you to allow NEW outbound connections, and that rule will allow the next packets of those allowed connections. The ruleset should be as follows:

```
~ $ sudo nft list ruleset
table inet mangle {
	chain output {
		type route hook output priority mangle; policy drop;
		meta l4proto != tcp ct state related,new queue flags bypass to 0
		tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0
		ct state established,related accept
	}
}
```

You can also configure it in /etc/opensnitchd/system-fw.json, under this line:

opensnitch/daemon/system-fw.json Line 152 in c3939c7

```json
{
  "Table": "",
  "Chain": "",
  "UUID": "fb34f6da-5d72-1234-ae8a-61e1c21bb003",
  "Enabled": true,
  "Position": "0",
  "Description": "allow established connections",
  "Parameters": "",
  "Expressions": [
    {
      "Statement": {
        "Op": "==",
        "Name": "ct",
        "Values": [
          {
            "Key": "state",
            "Value": "related,established"
          }
        ]
      }
    }
  ],
  "Target": "accept",
  "TargetParameters": ""
},
```

The option in the GUI to configure the default outbound policy is disabled, because I didn't investigate at the time why it was not working.
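As an added illustration (not the maintainer's ruleset above and not a file shipped by the opensnitch project), here is a complete /etc/nftables.conf that puts the two chains discussed in this thread side by side: the opensnitch interception chain with `policy drop`, and a separate `filter hook output` chain with the `policy accept` proposed in the question. The comments explain the traversal order between the two chains and what `flags bypass` means when nothing is bound to queue 0. The table name `filter`, the blocklist rule and the address 192.0.2.10 are constructed for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the opensnitch project): combines the opensnitch
# interception chain from this thread with a separate, permissive filter chain.
flush ruleset

# Chain 1: opensnitch interception.
# "route hook output priority mangle" (-150) is traversed before any
# "filter hook output priority 0" chain, so a new connection reaches
# opensnitch before it reaches the system filter chain below.
table inet mangle {
    chain output {
        type route hook output priority mangle; policy drop;

        # Non-TCP (UDP, ICMP, ...): the first packet of a flow is handed to the
        # daemon listening on nfqueue 0 so it can prompt for a rule.
        meta l4proto != tcp ct state related,new queue flags bypass to 0

        # TCP: only the initial SYN is queued; later packets of an allowed
        # connection match the established/related rule instead of re-prompting.
        tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0

        # Packets belonging to connections opensnitch already accepted.
        ct state established,related accept

        # Everything else falls through to "policy drop".
        #
        # Caveat on "flags bypass": if no program is bound to queue 0 (daemon
        # not started yet at boot, or crashed), the kernel lets the queued
        # packet through as accepted instead of dropping it. Removing
        # "flags bypass" fails closed: with the daemon down, new outbound
        # connections are dropped rather than silently allowed.
    }
}

# Chain 2: the "tight" system filter chain from the question, with its policy
# changed to accept. With "policy drop" here, every connection opensnitch
# allows would additionally have to be allowed in this chain, which is the
# double bookkeeping the question is about.
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;

        # Static drops can still live here. Note the ordering: this chain runs
        # after opensnitch's chain, so opensnitch may already have prompted for
        # a connection that is then dropped here. To drop traffic before
        # opensnitch ever sees it, put the rule in a chain with a priority below
        # mangle (for example "priority raw", -300).
        ip daddr 192.0.2.10 drop   # constructed example blocklist address
    }
}
```

Check the file for syntax errors without loading it with `sudo nft -c -f /etc/nftables.conf`. If opensnitchd is left to manage its own chain from system-fw.json (the default), do not also load the `inet mangle` table from this file, or the two will keep overwriting each other; the file is meant to show how the chains are ordered relative to each other.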
-
Hi,
if someone uses a "tight" nftables ruleset, for example

```
type filter hook output priority 0; policy drop; #by default drop any output connection unless otherwise specified.
```

if the nftables is not handled by opensnitch (it's what I want) then one will have to allow programs in opensnitch and nftables... :/
So does such a rule still make sense while using opensnitch?
Is opensnitch available soon enough after boot to catch the undesirable?
So could the previous rule be

```
type filter hook output priority 0; policy accept; #accept instead of drop
```

? What could be the risks of doing so?
Thanks.