
Traffic not blocked if service not running #1183

Open
voidray opened this issue Sep 7, 2024 · 8 comments
Labels
feature a whole new feature

Comments

@voidray

voidray commented Sep 7, 2024

Not sure if this is a bug, but I want to block all connections if the service is not running.
I set "DefaultAction": "deny" in /etc/opensnitchd/default-config.json, but this is only applied if the service is running.
I would like to have anything blocked and then decide what to allow (whitelist). Ideally in the UI I can see what is necessary.
The same question was asked here #884, but the issue was closed.

Ideally the service wouldn't be needed and the ui would just define the rules. This is how for example SimpleWall works on Windows, where the Windows internal firewall is used. I don't know the internals of OpenSnitch and the firewall concept in Linux to be able to say if that is possible in Linux.

@voidray voidray added the feature a whole new feature label Sep 7, 2024
@gustavo-iniguez-goya
Collaborator

Hi @voidray ,

The main component of OpenSnitch is the daemon, the GUI is just a frontend to control the daemon. All the functionality is implemented in the daemon.

I would like to have anything blocked and then decide what to allow (whitelist).

You can change the DefaultAction to 'deny', either from the GUI (Preferences->Nodes) or from the configuration: /etc/opensnitchd/default-config.json

If the GUI is running, you'll be prompted to allow/deny outbound connections. If it's not running, all outbound connections should be denied.

@voidray
Author

voidray commented Sep 17, 2024

If the daemon is not running outbound connections are not blocked, that is what my problem is.

@gustavo-iniguez-goya
Collaborator

ok, but why is it not running? please, post the log /var/log/opensnitchd.log and the output of sudo systemctl status opensnitch

By the way, what distro and opensnitch version are you running?

Also it'll be useful launching it manually to see what's going on:

first be sure that it's not running: $ pgrep opensnitch (nothing should be printed)

then launch it as root:

~ $ sudo su
~ # /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/

@voidray
Author

voidray commented Sep 17, 2024

To quote from the linked ticket "If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues."
I'm evaluating OpenSnitch and having to rely on a running service for security is problematic. Besides the mentioned reasons in the referenced ticket, there also could be for example an installation of a new version during which all traffic would be allowed.

@gustavo-iniguez-goya
Collaborator

hmm, there could be an option to block all traffic if the daemon is not running under this item

either by adding a fw rule to block outbound connections, or a module.

For now the service must be running to block outbound connections.

@gustavo-iniguez-goya
Collaborator

gustavo-iniguez-goya commented Oct 15, 2024

I think @BobSquarePants is trying to accomplish the same behaviour in #1201 @voidray .

Right now there're two options:

  • configure a table+chain with Drop policy in /etc/nftables.conf
table inet myfilter {
    chain output {
        type route hook output priority mangle; policy drop;
    }
}
  • change OpenSnitch inet mangle table to Drop in /etc/opensnitch/system-fw.conf
    "Type": "mangle",
    "Hook": "output",
    "Policy": "accept",

In both cases you'll need a rule to allow established connections (because we only act on NEW connections):

{
  "Table": "",
  "Chain": "",
  "UUID": "profile-drop-outbound-e1fc1a1c-c21c-11ec-9a2a-3c970e298b0c",
  "Enabled": true,
  "Position": "0",
  "Description": "[profile-drop-outbound] allow established,related connections",
  "Parameters": "",
  "Expressions": [
    {
      "Statement": {
        "Op": "",
        "Name": "ct",
        "Values": [
          {
            "Key": "state",
            "Value": "established,related"
          }
        ]
      }
    }
  ],
  "Target": "accept",
  "TargetParameters": ""
}

By doing this, if the daemon dies, new connections will be dropped.

It's possible to configure it from the GUI, but it's disabled right now. If you think @voidray it'd be useful I can enable it.

Anyway, this would be a temporary solution. There're better ways of doing this, like loading an XDP module to allow/deny already approved/denied connections. Although probably it'd interfere with many services of the system (network namespaces, ...)

@voidray
Author

voidray commented Oct 16, 2024

I changed the /etc/nftables.conf and /etc/opensnitch/system-fw.conf files, but when I stop opensnitchd internet access is still possible. After only changing /etc/nftables.conf all traffic is blocked, but the change in /etc/opensnitch/system-fw.conf allows it somehow again (I rebooted the whole system after the changes). I added the json without any changes in system-fw.conf under "Rules" before the first element ("Allow ICMP").
Regarding UI: If it is possible to cover this in the UI that would be helpful.

@gustavo-iniguez-goya
Collaborator

gustavo-iniguez-goya commented Oct 16, 2024

When stopping the daemon we delete the rules we added. If there are tables configured in /etc/nftables.conf with no rules, named like the ones we create (inet mangle output), we're deleting them. That's probably why it is not working.
I'll fix that because we didn't create those tables from /etc/nftables.conf and we should not delete them.

You can try killing the daemon instead of stopping it: killall -9 opensnitchd

I'll enable the option in the GUI, with a warning detailing the implications.

gustavo-iniguez-goya added a commit that referenced this issue Oct 19, 2024
Nfqueue bypass option skips the enqueue of packets to userspace
if no application is listening to the queue.
https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace

If this flag is not specified, and for example the daemon dies
unexpectedly, all the outbound traffic will be blocked.

Up until now we've been using this flag by default not to block network
traffic if the daemon dies or is killed for some reason. But some users
want to use precisely this behaviour (#884, #1183, #1201).

Now you can configure it, to block connections if the daemon
unexpectedly dies.

The option is on by default in the configuration (QueueBypass: true).
If this item is not present in the daemon config file, then it'll be
false.
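The two failure modes the commit message describes (queue rule with the bypass flag versus without it), together with the drop-policy variant from the earlier comment, as an added illustration in plain nft syntax. This is not OpenSnitch's own generated ruleset: the table names, the chain name, `type filter`, and queue number 0 are assumptions made for the example, and the daemon's real chains may differ. Only one of the two tables should be loaded at a time, since both hook the same output path.

```nftables
# Added example (not OpenSnitch's generated rules). Table/chain names and
# queue number 0 are assumptions.

# Variant A: fail-open. While the daemon listens on queue 0 its verdicts
# decide each NEW connection. If nothing listens, "bypass" makes the kernel
# continue chain evaluation as if the queue rule were not there, so with
# policy accept every new outbound connection is allowed.
table inet fail_open {
    chain output {
        type filter hook output priority mangle; policy accept;
        oif "lo" accept
        ct state established,related accept
        ct state new queue num 0 bypass
    }
}

# Variant B: fail-closed. Without "bypass" the kernel drops any packet it
# cannot hand to a listener, which is what QueueBypass: false selects. The
# drop policy is belt-and-braces: it also catches a new connection that a
# bypassing queue rule would otherwise let fall through. The
# established,related accept above the queue rule keeps existing flows
# alive either way, because only NEW connections are ever queued.
table inet fail_closed {
    chain output {
        type filter hook output priority mangle; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state new queue num 0
    }
}
```

Loading `fail_closed` while the daemon is stopped is the quickest way to confirm the behaviour: existing sessions continue, and any new outbound connection attempt fails until a listener is back on the queue. Remember to place the loopback and established,related rules before the queue rule; otherwise local services and already-approved sessions are cut off together with the unwanted traffic.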
2 participants