opensnitch/README.md

# OpenSnitch

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

<p align="center">
  <img src="https://raw.githubusercontent.com/evilsocket/opensnitch/master/screenshot.png" alt="OpenSnitch"/>
</p>

**Warning: This is still alpha quality software, don't rely on it (yet) for your computer security.**

## Requirements

You'll need a GNU/Linux distribution with `iptables`, `NFQUEUE` and `ftrace` kernel support.

## Install

    sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5
    cd opensnitch
    sudo python setup.py install

## Run

    sudo opensnitch

## Known Issues / Future Improvements

Before opening an issue, keep in mind that the current implementation is just an experiment to see the doability of the project, future improvements of OpenSnitch will include:

Split the project into `opensnitchd`, `opensnitch-ui` and `opensnitch-ruleman`:

* `opensnitchd` will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix [this](https://github.com/evilsocket/opensnitch/issues/28).
* `opensnitch-ui` python (?) UI running as normal user, getting the daemon messages. Will fix [this](https://github.com/evilsocket/opensnitch/issues/20).
* `opensnitch-ruleman` python (?) UI for rule editing.

## How Does It Work

OpenSnitch is an application level firewall, meaning then while running, it will detect and alert the user for every outgoing connection applications he's running are creating. This can be extremely **effective to detect and block unwanted connections** on your system that might be caused by a security breach, **causing data exfiltration to be much harder for an attacker**.
In order to do that, OpenSnitch relies on `NFQUEUE`, an `iptables` target/extension which allows an userland software to intercept IP packets and either `ALLOW` or `DROP` them, once started it'll install the following iptables rules:

    OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass

This will use `conntrack` iptables extension to pass all newly created connection packets to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:

    INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

This will also redirect DNS queries to OpenSnitch, allowing the software to perform and IP -> hostname resolution without performing active DNS queries itself.

Once a new connection is detected, the software relies on the `ftrace` kernel extension in order to track which PID (therefore which process) is creating the connection.

If `ftrace` is not available for your kernel, OpenSnitch will fallback using the `/proc` filesystem, even if this method will also work, it's vulnerable to application path manipulation as [described in this issue](https://github.com/evilsocket/opensnitch/issues/12), therefore **it's highly suggested to run OpenSnitch on a ftrace enabled kernel**.

## TODOs

    grep -r TODO opensnitch | cut -d '#' -f 2 | sort -u

## License

This project is copyleft of [Simone Margaritelli](http://www.evilsocket.net/) and released under the GPL 3 license.
Yo 2017-04-17 16:34:50 +02:00			`# OpenSnitch`

			`OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.`

README update 2017-05-03 14:53:40 +02:00			`<p align="center">`
Various fixes, reverted to original UI since GTK doesn't really like being invoked from different threads. 2017-04-19 10:30:55 +02:00			`<img src="https://raw.githubusercontent.com/evilsocket/opensnitch/master/screenshot.png" alt="OpenSnitch"/>`
README update 2017-05-03 14:53:40 +02:00			`</p>`

			`Warning: This is still alpha quality software, don't rely on it (yet) for your computer security.`
Gay stuff 2017-04-17 16:39:33 +02:00
README update 2017-05-03 15:04:33 +02:00			`## Requirements`

			You'll need a GNU/Linux distribution with `iptables`, `NFQUEUE` and `ftrace` kernel support.

Proper packaging ... more or less. 2017-04-17 17:30:25 +02:00			`## Install`

Change to the readme file that reflects now dependency on the python3 2017-05-09 16:27:30 +02:00			`sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5`
Proper packaging ... more or less. 2017-04-17 17:30:25 +02:00			`cd opensnitch`
			`sudo python setup.py install`

			`## Run`

			`sudo opensnitch`

README update 2017-05-03 15:45:16 +02:00			`## Known Issues / Future Improvements`

			`Before opening an issue, keep in mind that the current implementation is just an experiment to see the doability of the project, future improvements of OpenSnitch will include:`

			Split the project into `opensnitchd`, `opensnitch-ui` and `opensnitch-ruleman`:

README Fix 2017-05-04 12:30:15 +02:00			* `opensnitchd` will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix [this](https://github.com/evilsocket/opensnitch/issues/28).
README update 2017-05-03 15:45:16 +02:00			* `opensnitch-ui` python (?) UI running as normal user, getting the daemon messages. Will fix [this](https://github.com/evilsocket/opensnitch/issues/20).
			* `opensnitch-ruleman` python (?) UI for rule editing.

README update 2017-05-03 15:04:33 +02:00			`## How Does It Work`

			`OpenSnitch is an application level firewall, meaning then while running, it will detect and alert the user for every outgoing connection applications he's running are creating. This can be extremely effective to detect and block unwanted connections on your system that might be caused by a security breach, causing data exfiltration to be much harder for an attacker.`
			In order to do that, OpenSnitch relies on `NFQUEUE`, an `iptables` target/extension which allows an userland software to intercept IP packets and either `ALLOW` or `DROP` them, once started it'll install the following iptables rules:

Update README with qt5 2017-05-04 03:13:46 +08:00			`OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass`
README update 2017-05-03 15:04:33 +02:00
			This will use `conntrack` iptables extension to pass all newly created connection packets to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:

			`INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass`

			`This will also redirect DNS queries to OpenSnitch, allowing the software to perform and IP -> hostname resolution without performing active DNS queries itself.`

			Once a new connection is detected, the software relies on the `ftrace` kernel extension in order to track which PID (therefore which process) is creating the connection.

			If `ftrace` is not available for your kernel, OpenSnitch will fallback using the `/proc` filesystem, even if this method will also work, it's vulnerable to application path manipulation as [described in this issue](https://github.com/evilsocket/opensnitch/issues/12), therefore it's highly suggested to run OpenSnitch on a ftrace enabled kernel.

Bunch of TODOs 2017-04-17 17:48:02 +02:00			`## TODOs`

			`grep -r TODO opensnitch \| cut -d '#' -f 2 \| sort -u`

Yo 2017-04-17 16:34:50 +02:00			`## License`

			`This project is copyleft of [Simone Margaritelli](http://www.evilsocket.net/) and released under the GPL 3 license.`