2018-04-06 13:55:03 +02:00
< p align = "center" >
2018-04-06 13:55:45 +02:00
< img alt = "opensnitch" src = "https://raw.githubusercontent.com/evilsocket/opensnitch/master/ui/res/icon.png" height = "160" / >
2018-04-06 13:55:03 +02:00
< p align = "center" >
< a href = "https://github.com/evilsocket/opensnitch/releases/latest" > < img alt = "Release" src = "https://img.shields.io/github/release/evilsocket/opensnitch.svg?style=flat-square" > < / a >
< a href = "https://github.com/evilsocket/opensnitch/blob/master/LICENSE.md" > < img alt = "Software License" src = "https://img.shields.io/badge/license-GPL3-brightgreen.svg?style=flat-square" > < / a >
< a href = "https://goreportcard.com/report/github.com/evilsocket/opensnitch/daemon" > < img alt = "Go Report Card" src = "https://goreportcard.com/badge/github.com/evilsocket/opensnitch/daemon?style=flat-square" > < / a >
< / p >
< / p >
2018-04-02 05:25:32 +02:00
2018-04-06 13:55:45 +02:00
**OpenSnitch** is a GNU/Linux port of the Little Snitch application firewall.
2018-04-05 18:50:25 +02:00
2018-04-06 19:30:59 +02:00
< p align = "center" >
< img src = "https://raw.githubusercontent.com/evilsocket/opensnitch/master/screenshot.png" alt = "OpenSnitch" / >
< / p >
2018-04-02 05:25:32 +02:00
2018-04-05 18:50:25 +02:00
### Daemon
The `daemon` is implemented in Go and needs to run as root in order to interact with the Netfilter packet queue, edit
2018-04-07 15:54:28 +02:00
iptables rules and so on, in order to compile it you will need to install the `protobuf-compiler` , `libpcap-dev` and `libnetfilter-queue-dev`
packages on your system, then just:
2018-04-05 18:50:25 +02:00
cd daemon
go build .
### Qt5 UI
The user interface is a python script running as a `gRPC` server on a unix socket, to order to install its dependencies:
cd ui
pip install -r requirements.txt
2018-04-07 15:52:58 +02:00
You will also need to install the package `python-pyqt5` for your system (if anyone finds a way to make this work from
the `requirements.txt` file feel free to send a PR).
2018-04-05 18:50:25 +02:00
### Running
2018-04-05 19:15:08 +02:00
First, you need to decide in which folder opensnitch rules will be saved, it is suggested that you just:
mkdir -p ~/.opensnitch/rules
Now run the daemon:
2018-04-05 18:50:25 +02:00
2018-04-07 01:52:43 +02:00
sudo /path/to/daemon -ui-socket unix:///tmp/osui.sock -rules-path ~/.opensnitch/rules
2018-04-05 18:50:25 +02:00
And the UI service as your user:
2018-04-07 01:52:43 +02:00
python /path/to/ui/main.py --socket unix:///tmp/osui.sock
You can also use `--socket "[::]:50051"` to have the UI use TCP instead of a unix socket and run the daemon on another
computer with `-ui-socket "x.x.x.x:50051"` (where `x.x.x.x` is the IP of the computer running the UI service).
2018-04-06 14:11:58 +02:00
2018-04-07 15:01:57 +02:00
### Rules
2018-04-07 14:15:52 +02:00
2018-04-07 15:01:57 +02:00
Rules are stored as JSON files inside the `-rule-path` folder, in the simplest cast a rule looks like this:
2018-04-07 14:15:52 +02:00
```json
{
"created": "2018-04-07T14:13:27.903996051+02:00",
"updated": "2018-04-07T14:13:27.904060088+02:00",
"name": "deny-simple-www-google-analytics-l-google-com",
"enabled": true,
"action": "deny",
"duration": "always",
"operator": {
"type": "simple",
"operand": "dest.host",
"data": "www-google-analytics.l.google.com"
}
}
```
2018-04-07 15:01:57 +02:00
| Field | Description |
| -----------------|---------------|
| created | UTC date and time of creation. |
| update | UTC date and time of the last update. |
| name | The name of the rule. |
| enabled | Use to temporarily disable and enable rules without moving their files. |
| action | Can be `deny` or `allow` . |
| duration | For rules persisting on disk, this value is default to `always` . |
| operator.type | Can be `simple` , in which case a simple `==` comparision will be performed, or `regexp` if the `data` field is a regular expression to match. |
| operator.operand | What element of the connection to compare, can be one of: `true` (will always match), `process.path` (the path of the executable), `user.id` , `dest.ip` , `dest.host` or `dest.port` . |
| operator.data | The data to compare the `operand` to, can be a regular expression if `type` is `regexp` . |
An example with a regular expression:
2018-04-07 14:15:52 +02:00
```json
{
"created": "2018-04-07T14:13:27.903996051+02:00",
"updated": "2018-04-07T14:13:27.904060088+02:00",
"name": "deny-any-google-analytics",
"enabled": true,
"action": "deny",
"duration": "always",
"operator": {
"type": "regexp",
"operand": "dest.host",
2018-04-07 14:16:10 +02:00
"data": "(?i).*analytics.*\\.google\\.com"
2018-04-07 14:15:52 +02:00
}
}
```
2018-04-07 15:01:57 +02:00
An example whitelisting a whole process:
```json
{
"created": "2018-04-07T15:00:48.156737519+02:00",
"updated": "2018-04-07T15:00:48.156772601+02:00",
"name": "allow-simple-opt-google-chrome-chrome",
"enabled": true,
"action": "allow",
"duration": "always",
"operator": {
"type": "simple",
"operand": "process.path",
"data": "/opt/google/chrome/chrome"
}
}
```
2018-04-06 14:11:58 +02:00
### FAQ
##### Why Qt and not GTK?
I tried, but for very fast updates it failed bad on my configuration (failed bad = SIGSEGV), moreover I find Qt5 layout system superior and easier to use.
##### Why gRPC and not DBUS?
2018-04-07 01:52:43 +02:00
The UI service is able to use a TCP listener instead of a UNIX socket, that means the UI service itself can be executed on any
2018-04-06 14:11:58 +02:00
operating system, while receiving messages from a single local daemon instance or multiple instances from remote computers in the network,
therefore DBUS would have made the protocol and logic uselessly GNU/Linux specific.
