<p align="center">
<img alt="opensnitch" src="https://raw.githubusercontent.com/evilsocket/opensnitch/master/ui/opensnitch/res/icon.png" height="160"/>
<p align="center">
<a href="https://github.com/evilsocket/opensnitch/releases/latest"><img alt="Release" src="https://img.shields.io/github/release/evilsocket/opensnitch.svg?style=flat-square"></a>
<a href="https://github.com/evilsocket/opensnitch/blob/master/LICENSE.md"><img alt="Software License" src="https://img.shields.io/badge/license-GPL3-brightgreen.svg?style=flat-square"></a>
<a href="https://goreportcard.com/report/github.com/evilsocket/opensnitch/daemon"><img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/evilsocket/opensnitch/daemon?style=flat-square"></a>
</p>
</p>

**OpenSnitch** is a GNU/Linux port of the Little Snitch application firewall.

<p align="center">
<img src="https://raw.githubusercontent.com/evilsocket/opensnitch/master/screenshot.png" alt="OpenSnitch"/>
</p>

### TL;DR

```bash
sudo apt-get install golang protobuf-compiler libpcap-dev libnetfilter-queue-dev
python3 -m pip install --user grpcio-tools
go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
cd /path/to/this/repo
make
sudo make install
sudo systemctl enable opensnitchd
sudo service opensnitchd start
opensnitch-ui
```

### Daemon

The `daemon` is implemented in Go and needs to run as root in order to interact with the Netfilter packet queue, edit
iptables rules and so on. In order to compile it you will need to install the `protobuf-compiler`, `libpcap-dev` and `libnetfilter-queue-dev`
packages on your system, then just:

```bash
cd daemon
make
```

You can then install it as a systemd service by doing:

```bash
sudo make install
```

The new `opensnitchd` service will log to `/var/log/opensnitchd.log`, save the rules inside `/etc/opensnitchd/rules` and connect to the default UI service socket `unix:///tmp/osui.sock`.

### UI

The user interface is a Python 3 application running as a `gRPC` server on a unix socket. In order to install its dependencies:

```bash
cd ui
sudo pip3 install -r requirements.txt
```

You will also need to install the package `python-pyqt5` for your system (if anyone finds a way to make this work from
the `requirements.txt` file feel free to send a PR).

The UI is pip installable itself:

```bash
sudo pip3 install .
```

This will install the `opensnitch-ui` command on your system (you can make it start automatically at login with `cp opensnitch_ui.desktop ~/.config/autostart/`).
#### UI Configuration
By default the UI will load its configuration from `~/.opensnitch/ui-config.json` (customizable with the `--config` argument), the
default contents of this file are:
```json
{
"default_timeout": 15,
"default_action": "allow",
"default_duration": "until restart"
}
```
The `default_timeout` is the number of seconds after which the UI takes its default action if nobody answers the prompt; the `default_action` can be `allow` or `deny`,
and the `default_duration`, which indicates for how long the default action should hold, can be `once`, `until restart` or `always` to
persist the action as a new rule on disk. Note that the defaults above fail open: an unanswered prompt is allowed after 15 seconds. On a machine that is
often left unattended, set `default_action` to `deny` so that an unanswered prompt blocks the connection instead.

### Running

Once you have installed both the daemon and the UI, you can enable the `opensnitchd` service to run at boot time:

```bash
sudo systemctl enable opensnitchd
```

And run it with:

```bash
sudo service opensnitchd start
```

The UI can be started just by executing the `opensnitch-ui` command.

#### Single UI with many computers

You can also use `--socket "[::]:50051"` to have the UI listen on TCP instead of a unix socket and run the daemon on another
computer with `-ui-socket "x.x.x.x:50051"` (where `x.x.x.x` is the IP of the computer running the UI service). Note that `[::]` binds every
interface and nothing in these two options adds encryption or authentication to the channel: the daemon will act on whatever verdicts come back from
`x.x.x.x:50051`, so only expose the listener on a network you trust (or over a VPN) and restrict access to the port with your host firewall.

### Rules

Rules are stored as JSON files inside the `-rule-path` folder. In the simplest case a rule looks like this:

```json
{
"created": "2018-04-07T14:13:27.903996051+02:00",
"updated": "2018-04-07T14:13:27.904060088+02:00",
"name": "deny-simple-www-google-analytics-l-google-com",
"enabled": true,
"action": "deny",
"duration": "always",
"operator": {
"type": "simple",
"operand": "dest.host",
"data": "www-google-analytics.l.google.com"
}
}
```

| Field | Description |
| ---------------- | ----------- |
| created | Date and time of creation (with timezone offset, as in the example above). |
| updated | Date and time of the last update. |
| name | The name of the rule. |
| enabled | Used to temporarily disable and re-enable rules without moving their files. |
| action | Can be `deny` or `allow`. |
| duration | For rules persisting on disk this value defaults to `always`. |
| operator.type | Can be `simple`, in which case a simple `==` comparison will be performed, or `regexp` if the `data` field is a regular expression to match. |
| operator.operand | What element of the connection to compare, can be one of: `true` (will always match), `process.path` (the path of the executable), `process.command` (full command line, including path and arguments), `process.env.ENV_VAR_NAME` (use the value of an environment variable of the process given its name), `user.id`, `dest.ip`, `dest.host` or `dest.port`. |
| operator.data | The data to compare the `operand` to, can be a regular expression if `type` is `regexp`. |

An example with a regular expression:

```json
{
"created": "2018-04-07T14:13:27.903996051+02:00",
"updated": "2018-04-07T14:13:27.904060088+02:00",
"name": "deny-any-google-analytics",
"enabled": true,
"action": "deny",
"duration": "always",
"operator": {
"type": "regexp",
"operand": "dest.host",
"data": "(?i).*analytics.*\\.google\\.com"
}
}
```
An example whitelisting a whole process:
```json
{
"created": "2018-04-07T15:00:48.156737519+02:00",
"updated": "2018-04-07T15:00:48.156772601+02:00",
"name": "allow-simple-opt-google-chrome-chrome",
"enabled": true,
"action": "allow",
"duration": "always",
"operator": {
"type": "simple",
"operand": "process.path",
"data": "/opt/google/chrome/chrome"
}
}
```
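The three rule files above only show the on-disk format; what a practitioner usually wants to know is how a whole folder of them resolves against a given connection, especially when a process whitelist and a host blacklist both apply. The following is an added example, not OpenSnitch's own code: it re-implements the rule semantics described in this section (a `simple` rule is an `==` comparison, a `regexp` rule matches a regular expression, `enabled: false` switches a rule off, `process.env.X` reads a process environment variable, `true` always matches) as a small offline evaluator, with constructed rule files and constructed connection records. Three things are assumptions rather than documented behaviour: rules are tried in sorted filename order, the first match wins, and `regexp` rules match anywhere in the value (`re.search`). Because of the first two, `allow-simple-opt-google-chrome-chrome` shadows `deny-any-google-analytics` for Chrome, which is exactly the kind of interaction worth checking before dropping rules into `-rule-path`.

```python
"""Offline evaluator for OpenSnitch-style JSON rules (added example, not project code).

Assumptions not stated in the README: rules are evaluated in sorted filename
order, the first enabled match wins, regexp rules match anywhere (re.search).
"""
import json
import os
import re
import tempfile

VALID_ACTIONS = ("allow", "deny")
VALID_TYPES = ("simple", "regexp")

# Constructed sample rule files, in the on-disk format shown above.
SAMPLE_RULES = {
    "allow-simple-opt-google-chrome-chrome.json": {
        "name": "allow-simple-opt-google-chrome-chrome", "enabled": True,
        "action": "allow", "duration": "always",
        "operator": {"type": "simple", "operand": "process.path",
                     "data": "/opt/google/chrome/chrome"},
    },
    "deny-any-google-analytics.json": {
        "name": "deny-any-google-analytics", "enabled": True,
        "action": "deny", "duration": "always",
        "operator": {"type": "regexp", "operand": "dest.host",
                     "data": r"(?i).*analytics.*\.google\.com"},
    },
    "deny-disabled-curl.json": {  # enabled=false: skipped at load time
        "name": "deny-disabled-curl", "enabled": False,
        "action": "deny", "duration": "always",
        "operator": {"type": "simple", "operand": "process.path",
                     "data": "/usr/bin/curl"},
    },
    "deny-socks-proxy-env.json": {  # hypothetical env-based rule
        "name": "deny-socks-proxy-env", "enabled": True,
        "action": "deny", "duration": "always",
        "operator": {"type": "regexp", "operand": "process.env.HTTPS_PROXY",
                     "data": r"^socks5h?://"},
    },
}


def write_sample_rules():
    """Write SAMPLE_RULES into a temporary rule folder and return its path."""
    path = tempfile.mkdtemp(prefix="opensnitch-rules-")
    for fname, rule in SAMPLE_RULES.items():
        with open(os.path.join(path, fname), "w") as f:
            json.dump(rule, f, indent=2)
    return path


def load_rules(rule_path):
    """Load every enabled *.json rule from rule_path, rejecting malformed ones."""
    rules = []
    for fname in sorted(os.listdir(rule_path)):
        if not fname.endswith(".json"):
            continue
        with open(os.path.join(rule_path, fname)) as f:
            rule = json.load(f)
        op = rule["operator"]
        if rule["action"] not in VALID_ACTIONS or op["type"] not in VALID_TYPES:
            raise ValueError(f"{fname}: unknown action or operator type")
        if op["type"] == "regexp":
            re.compile(op["data"])  # fail loudly on a broken pattern
        if rule.get("enabled", False):
            rules.append(rule)
    return rules


def operand_value(conn, operand):
    """Resolve an operand name against a connection record (a plain dict)."""
    if operand.startswith("process.env."):
        return conn.get("process.env", {}).get(operand[len("process.env."):], "")
    return str(conn.get(operand, ""))


def rule_matches(rule, conn):
    op = rule["operator"]
    if op["operand"] == "true":  # unconditional match
        return True
    value = operand_value(conn, op["operand"])
    if op["type"] == "simple":
        return value == op["data"]
    return re.search(op["data"], value) is not None


def verdict(rules, conn, default_action="deny"):
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["action"], rule["name"]
    return default_action, None


def demo():
    rules = load_rules(write_sample_rules())
    analytics = "www-google-analytics.l.google.com"
    chrome = {"process.path": "/opt/google/chrome/chrome", "user.id": 1000,
              "dest.host": analytics, "dest.port": 443}
    firefox = {**chrome, "process.path": "/usr/lib/firefox/firefox"}
    curl = {"process.path": "/usr/bin/curl", "user.id": 1000,
            "dest.host": "example.org", "dest.port": 443,
            "process.env": {"HTTPS_PROXY": "socks5h://127.0.0.1:9050"}}
    plain_curl = {**curl, "process.env": {}}
    return {
        "chrome": verdict(rules, chrome),          # whitelist sorts first and wins
        "firefox": verdict(rules, firefox),        # regexp host rule applies
        "curl_via_socks": verdict(rules, curl),    # process.env.* operand
        # the disabled curl rule is ignored, so the default decides here
        "curl_plain": verdict(rules, plain_curl, default_action="allow"),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:15s} {action:5s} {rule}")
```

Swap the filename prefixes (or sort order) and Chrome's analytics connections are denied instead, so keep the deny rules you care about ordered ahead of broad process whitelists, or make the whitelist narrower than `process.path` alone.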
### FAQ
##### Why Qt and not GTK?
I tried, but for very fast updates it failed badly on my configuration (failed badly = SIGSEGV); moreover I find the Qt5 layout system superior and easier to use.
##### Why gRPC and not DBUS?
The UI service is able to use a TCP listener instead of a UNIX socket, which means the UI service itself can be executed on any
operating system while receiving messages from a single local daemon instance or from multiple instances on remote computers in the network;
DBUS would therefore have made the protocol and logic needlessly GNU/Linux-specific.