- Added options to configure authentication type and certs from the
preferences dialog.
- Reorganize code a little bit to displaya message when restarting the
GUI is needed.
Allow to cypher channel communications with certificates.
There are 3 authentication types: simple, tls-simple and tls-mutual.
- 'simple' wont't cypher communications.
- 'tls-simple' uses a server key and certificate for the server, and a
common CA certificate or the server certificate to authenticate all
nodes.
- 'tls-mutual' uses a server key and certificate for the server, and a
client key and certificate per node.
There are 2 options to verify how gRPC validates credentials:
- SkipVerify: https://pkg.go.dev/crypto/tls#Config
- ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType
Example configuration:
"Server": {
"Address": "127.0.0.1:12345",
"Authentication": {
"Type": "tls-simple",
"TLSOptions": {
"CACert": "/etc/opensnitchd/auth/ca-cert.pem",
"ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
"ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
"ClientKey": "/etc/opensnitchd/auth/client-key.pem",
"SkipVerify": false,
"ClientAuthType": "req-and-verify-cert"
}
}
}
More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
- Use Message util.
Maybe it'd be better to display a desktop notification for a more
better experience, or a dialog box if notify2 is not installed.
- Translate warning message.
* require pyxdg
* extend xdg, introduce autostart
* use xdg_current_desktop from opensnitch.utils.xdg
* control autostart in tray
* dont use pkill anymore
* check if os-ui is already running
* don't require pyxdg (for now)
* simplify xdg_current_desktop
* do not use pyxdg (for now), use some code from there
* update autostart status when menu is open
* fix possible SameFileError
There have been some issues (#673) informing that the notifications
timeout were not working on KDE.
On 843412d I wrote that the timeout unit is millisecond, as stated on
the docs here:
https://notify2.readthedocs.io/en/latest/#notify2.Notification.set_timeout
But after some trial and error:
- set_timeout() units are in seconds, at least for KDE 5.26.3, Xfce
4.18 and GNOME 43.
- not specifying the timeout with set_timeout() lets the Desktop
Environment handle the timeout for us, from their respective
preferences window.
So at least now there're some DEs where the notifications are closed as
expected.
- Previously we only supported multiple ICMP types on the same rule
by adding multiple keys:
Key: type
Value: echo-request
Key: type
Value: echo-reply
Now it's possible to specify them using ',':
Key: type
Value: echo-request,echo-reply
- Validate ICMP types before adding them.
* There was a situation where the details of an app rule was not being
displayed correctly:
- on the tab rules select any system fw rule.
- go to the Events tab
- double click on the Rule column to view the details.
- instead of the app rules details, the list of system fw rules was
displayed.
* On the other hand, when going back from the details view, the list of
rules was not being refreshed correctly.
In this situation now we select the Application rules view.
make it more nftables style:
ip daddr 127.0.0.1 tcp dport 53 accept
instead of:
ip daddr == 127.0.0.1 tcp dport == 53 accept
It'll be easier to translate our rules to nftables rules in this way.
- Fixed setting the protocol of a dport/sport statement.
- Fixed translating ports to service name, and back (/etc/service).
- Enable Save button when modifying the description of a rule.
Now you can add rules to allow multiple protocols.
For example you can add a rule to allow dport/sport for both TCP
and UDP.
There're two options to allow a port:
Statement {
Name: tcp
Values:
Key: dport
Value: 1234
}
Statement {
Name: meta
Values:
Key: l4proto
Value: tcp,udp
Key: dport
Value: 1234
}
Closes#951.
The helper dialog to allow inbound connections to a port was adding a
rule to source port, instead of destination port.
The source port is needed to allow the traffic of a *local service"
when the inbound policy is set to Deny.
* i18n: initial support for Finnish
* i18n: add Finnish translations for rules
* i18n: add Finnish translations for rules
* i18n: translated using Weblate (Finnish)
Currently translated at 99.6% (516 of 518 strings)
Translation: Open Source/opensnitch
* i18n: finalize Finnish translations
* i18n: run Finnish translations through lrelease
---------
Co-authored-by: Toni Lähdekorpi <toni.lahdekorpi@neuvo.ai>
- When changing a policy, disable it until we receive a response.
Maybe we should even delay it a little bit more.
- When editing a fw rule, disable the Save button if the user didn't
change any field.
