mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 00:24:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/system-fw.json

256 lines
6.5 KiB
JSON
Raw Permalink Normal View History

Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
{
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
"Enabled": true,
"Version": 1,
"SystemRules": [
{
"Rule": {
"Table": "mangle",
"Chain": "OUTPUT",
"Enabled": false,
"Position": "0",
"Description": "Allow icmp",
"Parameters": "-p icmp",
"Expressions": [],
"Target": "ACCEPT",
"TargetParameters": ""
},
"Chains": []
},
{
"Chains": [
{
"Name": "forward",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "forward",
"Policy": "accept",
"Rules": []
},
{
"Name": "output",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "output",
"Policy": "accept",
"Rules": []
},
{
"Name": "input",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "input",
"Policy": "accept",
"Rules": [
{
"Enabled": false,
"Position": "0",
"Description": "Allow SSH server connections when input policy is DROP",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "tcp",
"Values": [
{
"Key": "dport",
"Value": "22"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
}
]
},
{
"Name": "filter-prerouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "prerouting",
"Policy": "accept",
"Rules": []
},
{
"Name": "prerouting",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "prerouting",
"Policy": "accept",
"Rules": []
},
{
"Name": "postrouting",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "postrouting",
"Policy": "accept",
"Rules": []
},
{
"Name": "prerouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natdest",
"Hook": "prerouting",
"Policy": "accept",
"Rules": []
},
{
"Name": "postrouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natsource",
"Hook": "postrouting",
"Policy": "accept",
"Rules": []
},
{
"Name": "input",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natsource",
"Hook": "input",
"Policy": "accept",
"Rules": []
},
{
"Name": "output",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natdest",
"Hook": "output",
"Policy": "accept",
"Rules": []
},
{
"Name": "output",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "output",
"Policy": "accept",
"Rules": [
{
"Enabled": true,
"Position": "0",
"Description": "Allow ICMP",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "icmp",
"Values": [
{
fw: support for icmpv6 nftables in system rules - Add support for all available nftables ICMPv6 types (ip6tables -m icmpv6 --help) - Build nftables ICMPv6 rules - Create a default outbound ICMPv6 echo-request/reply rule (currently outbound echo-request ICMPv6 is by default denied) Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
2022-07-02 18:02:27 +02:00
"Key": "type",
added icmp destination-unreachable to system-fw.json Allow destination-unreachable ICMP types by default, not to display ICMP pop-ups under certain circumstances. More info: https://github.com/evilsocket/opensnitch/discussions/946#discussioncomment-6035934
2023-07-26 11:40:17 +02:00
"Value": "echo-request,echo-reply,destination-unreachable"
fw: support for icmpv6 nftables in system rules - Add support for all available nftables ICMPv6 types (ip6tables -m icmpv6 --help) - Build nftables ICMPv6 rules - Create a default outbound ICMPv6 echo-request/reply rule (currently outbound echo-request ICMPv6 is by default denied) Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
2022-07-02 18:02:27 +02:00
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Enabled": true,
better errors, fixed default sys fw conf
2022-12-16 17:09:37 +01:00
"Position": "0",
fw: support for icmpv6 nftables in system rules - Add support for all available nftables ICMPv6 types (ip6tables -m icmpv6 --help) - Build nftables ICMPv6 rules - Create a default outbound ICMPv6 echo-request/reply rule (currently outbound echo-request ICMPv6 is by default denied) Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
2022-07-02 18:02:27 +02:00
"Description": "Allow ICMPv6",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "icmpv6",
"Values": [
{
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
"Key": "type",
added icmp destination-unreachable to system-fw.json Allow destination-unreachable ICMP types by default, not to display ICMP pop-ups under certain circumstances. More info: https://github.com/evilsocket/opensnitch/discussions/946#discussioncomment-6035934
2023-07-26 11:40:17 +02:00
"Value": "echo-request,echo-reply,destination-unreachable"
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Enabled": false,
"Position": "0",
"Description": "Exclude WireGuard VPN from being intercepted",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
sys firewall: fixed wrong wireguard protocol Changed 'tcp' to 'udp' to make wireguard rule work
2022-09-15 15:36:49 +02:00
"Name": "udp",
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
"Values": [
{
"Key": "dport",
"Value": "51820"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
}
]
},
{
"Name": "forward",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "forward",
"Policy": "accept",
"Rules": [
{
"UUID": "7d7394e1-100d-4b87-a90a-cd68c46edb0b",
"Enabled": false,
"Position": "0",
"Description": "Intercept forwarded connections (docker, etc)",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "ct",
"Values": [
{
"Key": "state",
"Value": "new"
}
]
}
}
],
"Target": "queue",
"TargetParameters": "num 0"
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
]
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
]
}
]
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
}
Reference in a new issue Copy permalink