mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-05 00:51:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/firewall/rules.go

314 lines
8.1 KiB
Go
Raw Normal View History

misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
package firewall
import (
"fmt"
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
"regexp"
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
"strings"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"sync"
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
"time"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
"github.com/fsnotify/fsnotify"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/core"
"github.com/evilsocket/opensnitch/daemon/log"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
)
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// DropMark is the mark we place on a connection when we deny it.
// The connection is dropped later on OUTPUT chain.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
const DropMark = 0x18BA5
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// Action is the modifier we apply to a rule.
Fixed DNS responses firewall rule not deleted on exit Sometimes the INPUT rule for to queue DNS responses was not deleted. The code has also been reorganized. And a minor tweak to make an if{} more idiomatic.
2020-02-25 01:30:24 +01:00
type Action string
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// Actions we apply to the firewall.
Fixed DNS responses firewall rule not deleted on exit Sometimes the INPUT rule for to queue DNS responses was not deleted. The code has also been reorganized. And a minor tweak to make an if{} more idiomatic.
2020-02-25 01:30:24 +01:00
const (
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
ADD = Action("-A")
INSERT = Action("-I")
DELETE = Action("-D")
FLUSH = Action("-F")
NEWCHAIN = Action("-N")
DELCHAIN = Action("-X")
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
systemRulePrefix = "opensnitch-filter"
Fixed DNS responses firewall rule not deleted on exit Sometimes the INPUT rule for to queue DNS responses was not deleted. The code has also been reorganized. And a minor tweak to make an if{} more idiomatic.
2020-02-25 01:30:24 +01:00
)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
// make sure we don't mess with multiple rules
// at the same time
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
var (
lock = sync.Mutex{}
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
queueNum = 0
running = false
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// check that rules are loaded every 30s
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
rulesChecker = time.NewTicker(time.Second * 30)
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
rulesCheckerChan = make(chan bool)
regexRulesQuery, _ = regexp.Compile(`NFQUEUE.*ctstate NEW,RELATED.*NFQUEUE num.*bypass`)
regexDropQuery, _ = regexp.Compile(`DROP.*mark match 0x18ba5`)
regexSystemRulesQuery, _ = regexp.Compile(systemRulePrefix + ".*")
systemChains = make(map[string]*fwRule)
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// RunRule inserts or deletes a firewall rule.
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
func RunRule(action Action, enable bool, logError bool, rule []string) error {
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
if enable == false {
action = "-D"
}
Fixed DNS responses firewall rule not deleted on exit Sometimes the INPUT rule for to queue DNS responses was not deleted. The code has also been reorganized. And a minor tweak to make an if{} more idiomatic.
2020-02-25 01:30:24 +01:00
rule = append([]string{string(action)}, rule...)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
lock.Lock()
defer lock.Unlock()
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if _, err := core.Exec("iptables", rule); err != nil {
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
if logError {
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
log.Error("Error while running firewall rule, ipv4 err: %s", err)
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
log.Error("rule: %s", rule)
}
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
return err
}
if core.IPv6Enabled {
if _, err := core.Exec("ip6tables", rule); err != nil {
if logError {
log.Error("Error while running firewall rule, ipv6 err: %s", err)
log.Error("rule: %s", rule)
}
return err
}
Fix QueueDNSResponses to include ip6tables
2019-01-26 20:56:12 -08:00
}
IPv6 support
2018-11-21 00:25:47 +01:00
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
return nil
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// QueueDNSResponses redirects DNS responses to us, in order to keep a cache
// of resolved domains.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
// INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
func QueueDNSResponses(enable bool, logError bool, qNum int) (err error) {
return RunRule(INSERT, enable, logError, []string{
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"INPUT",
"--protocol", "udp",
"--sport", "53",
"-j", "NFQUEUE",
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
"--queue-num", fmt.Sprintf("%d", qNum),
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"--queue-bypass",
})
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// QueueConnections inserts the firewall rule which redirects connections to us.
// They are queued until the user denies/accept them, or reaches a timeout.
intercept RELATED packets We must intercept RELATED packets, not only for intercept protocols like ftp-data, but also to handle connection errors (ICMP errors), like the ones originated when dis/connecting from a wifi network.
2020-07-25 21:48:16 +02:00
// OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
func QueueConnections(enable bool, logError bool, qNum int) (err error) {
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
return RunRule(INSERT, enable, logError, []string{
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"OUTPUT",
"-t", "mangle",
"-m", "conntrack",
intercept RELATED packets We must intercept RELATED packets, not only for intercept protocols like ftp-data, but also to handle connection errors (ICMP errors), like the ones originated when dis/connecting from a wifi network.
2020-07-25 21:48:16 +02:00
"--ctstate", "NEW,RELATED",
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"-j", "NFQUEUE",
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
"--queue-num", fmt.Sprintf("%d", qNum),
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"--queue-bypass",
})
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// DropMarked rejects packets marked by OpenSnitch.
misc: small fix or general refactoring i did not bother commenting
2018-04-10 13:11:39 +02:00
// OUTPUT -m mark --mark 101285 -j DROP
Do not panic if we can't insert fw rules Some systems has the IPV6 protocol disabled, so we failed starting up with the error "Address family not supported by protocol" (#52). Now we don't exist even if we can't insert the needed rules, we'll just log the error.
2020-07-30 01:10:53 +02:00
func DropMarked(enable bool, logError bool) (err error) {
return RunRule(ADD, enable, logError, []string{
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"OUTPUT",
"-m", "mark",
"--mark", fmt.Sprintf("%d", DropMark),
misc: small fix or general refactoring i did not bother commenting
2018-04-10 13:11:39 +02:00
"-j", "DROP",
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
})
}
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// CreateSystemRule create the custom firewall chains and adds them to system.
func CreateSystemRule(rule *fwRule, logErrors bool) {
chainName := systemRulePrefix + "-" + rule.Chain
if _, ok := systemChains[rule.Table+"-"+chainName]; ok {
return
}
RunRule(NEWCHAIN, true, logErrors, []string{chainName, "-t", rule.Table})
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// Insert the rule at the top of the chain
if err := RunRule(INSERT, true, logErrors, []string{rule.Chain, "-t", rule.Table, "-j", chainName}); err == nil {
systemChains[rule.Table+"-"+chainName] = rule
}
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// DeleteSystemRules deletes the system rules
func DeleteSystemRules(logErrors bool) {
for _, r := range fwConfig.SystemRules {
chain := systemRulePrefix + "-" + r.Rule.Chain
if _, ok := systemChains[r.Rule.Table+"-"+chain]; !ok {
continue
}
RunRule(FLUSH, true, logErrors, []string{chain, "-t", r.Rule.Table})
RunRule(DELETE, false, logErrors, []string{r.Rule.Chain, "-t", r.Rule.Table, "-j", chain})
RunRule(DELCHAIN, true, logErrors, []string{chain, "-t", r.Rule.Table})
delete(systemChains, r.Rule.Table+"-"+chain)
}
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// AddSystemRule inserts a new rule.
func AddSystemRule(action Action, rule *fwRule, enable bool) (err error) {
chain := systemRulePrefix + "-" + rule.Chain
if rule.Table == "" {
rule.Table = "filter"
}
r := []string{chain, "-t", rule.Table}
if rule.Parameters != "" {
r = append(r, strings.Split(rule.Parameters, " ")...)
}
r = append(r, []string{"-j", rule.Target}...)
if rule.TargetParameters != "" {
r = append(r, strings.Split(rule.TargetParameters, " ")...)
}
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
return RunRule(action, enable, true, r)
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// AreRulesLoaded checks if the firewall rules are loaded.
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
func AreRulesLoaded() bool {
lock.Lock()
defer lock.Unlock()
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
var outDrop6 string
var outMangle6 string
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
outDrop, err := core.Exec("iptables", []string{"-n", "-L", "OUTPUT"})
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
if err != nil {
return false
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
outMangle, err := core.Exec("iptables", []string{"-n", "-L", "OUTPUT", "-t", "mangle"})
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
if err != nil {
return false
}
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if core.IPv6Enabled {
outDrop6, err = core.Exec("ip6tables", []string{"-n", "-L", "OUTPUT"})
if err != nil {
return false
}
outMangle6, err = core.Exec("ip6tables", []string{"-n", "-L", "OUTPUT", "-t", "mangle"})
if err != nil {
return false
}
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
systemRulesLoaded := true
if len(systemChains) > 0 {
for _, rule := range systemChains {
if chainOut4, err4 := core.Exec("iptables", []string{"-n", "-L", rule.Chain, "-t", rule.Table}); err4 == nil {
if regexSystemRulesQuery.FindString(chainOut4) == "" {
systemRulesLoaded = false
break
}
}
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if core.IPv6Enabled {
if chainOut6, err6 := core.Exec("ip6tables", []string{"-n", "-L", rule.Chain, "-t", rule.Table}); err6 == nil {
if regexSystemRulesQuery.FindString(chainOut6) == "" {
systemRulesLoaded = false
break
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
}
}
}
}
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
result := regexDropQuery.FindString(outDrop) != "" &&
regexRulesQuery.FindString(outMangle) != "" &&
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
systemRulesLoaded
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if core.IPv6Enabled {
result = result && regexDropQuery.FindString(outDrop6) != "" &&
regexRulesQuery.FindString(outMangle6) != ""
}
return result
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// StartCheckingRules checks periodically if the rules are loaded.
// If they're not, we insert them again.
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
func StartCheckingRules() {
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
for {
select {
case <-rulesCheckerChan:
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
goto Exit
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
case <-rulesChecker.C:
Fixed DNS responses firewall rule not deleted on exit Sometimes the INPUT rule for to queue DNS responses was not deleted. The code has also been reorganized. And a minor tweak to make an if{} more idiomatic.
2020-02-25 01:30:24 +01:00
if rules := AreRulesLoaded(); rules == false {
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
log.Important("firewall rules changed, reloading")
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
CleanRules(log.GetLogLevel() == log.DEBUG)
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
insertRules()
loadDiskConfiguration(true)
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
}
}
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
Exit:
log.Info("exit checking fw rules")
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
}
firewall/rules.go formatted and documented.
2020-03-06 21:28:22 +01:00
// StopCheckingRules stops checking if the firewall rules are loaded.
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
func StopCheckingRules() {
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
rulesChecker.Stop()
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
rulesCheckerChan <- true
}
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
// IsRunning returns if the firewall rules are loaded or not.
func IsRunning() bool {
return running
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
// CleanRules deletes the rules we added.
func CleanRules(logErrors bool) {
QueueDNSResponses(false, logErrors, queueNum)
QueueConnections(false, logErrors, queueNum)
DropMarked(false, logErrors)
DeleteSystemRules(logErrors)
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
}
func insertRules() {
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
if err := QueueDNSResponses(true, true, queueNum); err != nil {
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
log.Error("Error while running DNS firewall rule: %s", err)
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
} else if err = QueueConnections(true, true, queueNum); err != nil {
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
log.Fatal("Error while running conntrack firewall rule: %s", err)
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
} else if err = DropMarked(true, true); err != nil {
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
log.Fatal("Error while running drop firewall rule: %s", err)
}
}
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
// Stop deletes the firewall rules, allowing network traffic.
func Stop(qNum *int) {
if running == false {
return
}
if qNum != nil {
queueNum = *qNum
}
Merge branch 'priority-rules' into main Added option to let the users define iptables rules. The system rules are added in the file /etc/opensnitchd/system-fw.json with this format: ``` { "SystemRules": [ { "Rule": { "Description": "Allow pptp VPN", "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre", "Target": "ACCEPT", "TargetParameters": "" } } ] } ``` On the mangle table, OUTPUT chain, these rules are added before the NFQUEUE interception rule, so any rule you add there bypasses the interception. Useful to allow traffic you don't want to intercept. This feature solves in some way the issue some users have connecting to VPNs when the Default Action configured in the daemon is Deny. For example: - OpenVPN when keepalive is configured and ICMP is used. - PPTP because the GRE routing protocol is blocked. - probably others like IPSEC. (regarding WireGuard, as far as I can tell it works just fine, see #61). closes #47
2020-11-13 00:14:39 +01:00
configWatcher.Close()
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
StopCheckingRules()
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
CleanRules(log.GetLogLevel() == log.DEBUG)
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
running = false
}
// Init inserts the firewall rules.
func Init(qNum *int) {
if running {
return
}
if qNum != nil {
queueNum = *qNum
}
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
insertRules()
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
if watcher, err := fsnotify.NewWatcher(); err == nil {
configWatcher = watcher
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
}
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
loadDiskConfiguration(false)
fixed exception if system-fw.json doesn't exist closes #88
2020-11-15 00:53:13 +01:00
go StartCheckingRules()
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
running = true
}
Reference in a new issue Copy permalink