Added a helper to easily allow inbound connections, just by selecting
the port a service is listening on.
Especially useful when the inbound policy is drop and you want to allow a
service (ssh, nfs, etc.).
It's a good practice to filter by command line + process path (and
other parameters), to limit what an application can do.
Thus, if the user selects "from this command line", and the command
launched is not an absolute path to the binary, we'll create a rule
to filter by process path + process cmdline.
Added more options to filter connections by packets' metainformation.
Added: uid, gid, l4proto, protocol and priority.
+ When filtering connections by in/out interface, list the available
interfaces in the system, only if the selected node is local.
Added more options to match connections against packets metainformation:
skuid, skgid, l4proto, protocol
Fixed setting mark on packets via meta (although it results in an error
-> [invalid type]).
- Allow setting quotas on connections.
(For example: drop packets if the bytes transmitted to port 443 and
ip 1.2.3.4 are over 1GB.)
- Allow configuring log levels.
- Better errors when adding/editing rules.
If the table family where we're adding a daddr/saddr is inet, we need to
specify the protocol of the IP being added.
Otherwise, when listing the rules they appear as:
@nh,128,32 3232235777 accept
instead of: daddr 192.168.1.111 accept
seen here: #704
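The raw form nft falls back to is a payload expression: `@nh` is the network header, then the bit offset and bit length of the field (96/32 is the IPv4 source address, 128/32 the destination), followed by the value as a host-order integer. The decoder below is an added example for reading such rules back, not OpenSnitch code; it only handles the two IPv4 address fields and leaves anything else untouched.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// rawPayload matches the shape nft prints for a raw payload expression:
// "@<base>,<bit offset>,<bit length> <value> [verdict]". base is ll (link),
// nh (network) or th (transport) header.
var rawPayload = regexp.MustCompile(`^@(ll|nh|th),(\d+),(\d+)\s+(\d+)(?:\s+(\S+))?$`)

// ipv4Fields maps the bit offset of the two IPv4 address fields inside the
// network header to the keyword nft shows once the protocol is known.
var ipv4Fields = map[int]string{
	96:  "ip saddr", // bytes 12..15 of the IPv4 header
	128: "ip daddr", // bytes 16..19 of the IPv4 header
}

// DecodeRawMatch turns "@nh,128,32 3232235887 accept" back into
// "ip daddr 192.168.1.111 accept". Expressions that are not one of the two
// IPv4 address fields are returned unchanged; malformed input is an error.
func DecodeRawMatch(expr string) (string, error) {
	expr = strings.TrimSpace(expr)
	m := rawPayload.FindStringSubmatch(expr)
	if m == nil {
		return "", fmt.Errorf("not a raw payload expression: %q", expr)
	}
	base, verdict := m[1], m[5]
	offset, _ := strconv.Atoi(m[2]) // \d+ already guaranteed digits
	length, _ := strconv.Atoi(m[3])
	if base != "nh" || length != 32 {
		return expr, nil
	}
	field, ok := ipv4Fields[offset]
	if !ok {
		return expr, nil
	}
	// nft prints the field as a host-order decimal integer; anything that does
	// not fit in 32 bits cannot be an IPv4 address.
	value, err := strconv.ParseUint(m[4], 10, 32)
	if err != nil {
		return "", fmt.Errorf("value %q is not a 32-bit integer: %w", m[4], err)
	}
	ip := net.IPv4(byte(value>>24), byte(value>>16), byte(value>>8), byte(value))
	out := field + " " + ip.String()
	if verdict != "" {
		out += " " + verdict
	}
	return out, nil
}

func main() {
	// Constructed sample expressions in the form nft lists them.
	for _, e := range []string{
		"@nh,128,32 3232235887 accept", // daddr 192.168.1.111
		"@nh,96,32 167772161 drop",     // saddr 10.0.0.1
		"@th,16,16 443 accept",         // transport header field, left as-is
	} {
		out, err := DecodeRawMatch(e)
		fmt.Printf("%-32s -> %s %v\n", e, out, err)
	}
}
```

The decoder is only a reading aid: the fix itself is to add `ip` or `ip6` in front of saddr/daddr when the table family is inet, so nft can print the address form in the first place.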
Up until now we detected automatically if a rule was a regular
expression. But if the path or cmdline of a process had certain
characters (backslash), it was not easy to autodetect it, because the
backslash in particular is sent and received encoded (\\).
With this change the user will have to mark manually whether the
path/cmdline of a process is a regular expression or not.
Closes #706
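Added example (not OpenSnitch's own code) covering two of the changes above: building a "from this command line" rule that adds the process path when argv[0] is not an absolute path, and matching rule data as a literal or as a regular expression only according to an explicit flag set by the user. Type and field names (Process, Operator, "process.path", "process.command") are assumptions for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Process is what the daemon knows about the peer of a connection.
// Constructed for this example; the field names are not OpenSnitch's.
type Process struct {
	Path string   // absolute path of the binary, as resolved from the kernel
	Args []string // argv as the process was launched
}

// Cmdline renders argv the way a "process.command" operand compares it.
func (p Process) Cmdline() string { return strings.Join(p.Args, " ") }

// Operator is one filter of a rule. IsRegex is set explicitly by the user:
// the daemon no longer guesses from the content, because the data arrives
// with backslashes doubled ("\\") and a literal path is then indistinguishable
// from a pattern.
type Operator struct {
	Operand string // "process.path" or "process.command"
	Data    string
	IsRegex bool
	re      *regexp.Regexp
}

// Compile prepares the operator; a malformed pattern is rejected up front
// instead of silently matching nothing.
func (o *Operator) Compile() error {
	if !o.IsRegex {
		return nil
	}
	re, err := regexp.Compile(o.Data)
	if err != nil {
		return fmt.Errorf("operand %s: %w", o.Operand, err)
	}
	o.re = re
	return nil
}

// Match compares the operand's value literally or against the compiled pattern.
func (o *Operator) Match(p Process) bool {
	var value string
	switch o.Operand {
	case "process.path":
		value = p.Path
	case "process.command":
		value = p.Cmdline()
	default:
		return false
	}
	if o.IsRegex {
		return o.re != nil && o.re.MatchString(value)
	}
	return value == o.Data
}

// BuildCommandRule builds the operators for the "from this command line"
// choice. If argv[0] is not an absolute path (e.g. "python3 server.py"), the
// cmdline alone would match any binary named python3 anywhere, so the
// resolved process path is added as a second, literal operator.
func BuildCommandRule(p Process) []Operator {
	ops := []Operator{{Operand: "process.command", Data: p.Cmdline()}}
	if len(p.Args) == 0 || !filepath.IsAbs(p.Args[0]) {
		ops = append(ops, Operator{Operand: "process.path", Data: p.Path})
	}
	return ops
}

// MatchAll applies the operators with AND semantics, the way a rule with
// several operators is evaluated.
func MatchAll(ops []Operator, p Process) (bool, error) {
	for i := range ops {
		if err := ops[i].Compile(); err != nil {
			return false, err
		}
		if !ops[i].Match(p) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	srv := Process{Path: "/usr/bin/python3.11", Args: []string{"python3", "server.py"}}
	ops := BuildCommandRule(srv)
	fmt.Printf("%d operators: %+v\n", len(ops), ops)

	// Same command line launched from a different binary: rejected by the path operator.
	fake := Process{Path: "/tmp/python3", Args: []string{"python3", "server.py"}}
	ok, _ := MatchAll(ops, fake)
	fmt.Println("impostor matches:", ok)

	// Explicit regex flag: the same data is a pattern or a literal, never guessed.
	pat := Operator{Operand: "process.path", Data: `^/usr/bin/python3(\.[0-9]+)?$`, IsRegex: true}
	lit := Operator{Operand: "process.path", Data: `^/usr/bin/python3(\.[0-9]+)?$`}
	okPat, _ := MatchAll([]Operator{pat}, srv)
	okLit, _ := MatchAll([]Operator{lit}, srv)
	fmt.Println("regex:", okPat, "literal:", okLit)
}
```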
- Get cmdline arguments from the kernel along with the absolute path to
the binary.
If the cmdline has more than 20 arguments, or one of the arguments is
longer than 256 bytes, get it from ProcFS.
- Improved the method for stopping the eBPF monitor.
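Added example (not OpenSnitch's own code) of the fallback described above: the argv reported by the kernel probe is used as long as it fits the limits (at most 20 arguments, none longer than 256 bytes); otherwise /proc/<pid>/cmdline is read and parsed. ExecEvent and its fields are assumptions for the example, and the limits are taken from the text. One caveat a practitioner should keep in mind: a process can rewrite its own argv memory, so the procfs copy reflects whatever the process currently claims, while the kernel's exec-time snapshot does not.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Limits the kernel side is described as enforcing: at most MaxArgs arguments,
// each at most MaxArgLen bytes. Beyond that the daemon has to fall back to procfs.
const (
	MaxArgs   = 20
	MaxArgLen = 256
)

// ExecEvent is what the exec probe hands over (constructed shape; the real
// struct layout is not the point here). Truncated reports that the probe gave up.
type ExecEvent struct {
	PID       int
	Filename  string   // absolute path of the binary, from the kernel
	Args      []string // what fit within the limits
	Truncated bool
}

// ParseProcCmdline splits the raw contents of /proc/<pid>/cmdline, a sequence
// of NUL-terminated strings. An empty argv (kernel threads, or a process that
// zeroed its own argv) yields nil rather than a single empty string.
func ParseProcCmdline(raw []byte) []string {
	raw = bytes.TrimSuffix(raw, []byte{0})
	if len(raw) == 0 {
		return nil
	}
	parts := bytes.Split(raw, []byte{0})
	args := make([]string, 0, len(parts))
	for _, p := range parts {
		args = append(args, string(p))
	}
	return args
}

// ReadProcCmdline is the real procfs reader; injected into ResolveCmdline so
// the decision logic can also run against constructed data.
func ReadProcCmdline(pid int) ([]byte, error) {
	return os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
}

// KernelArgsUsable applies the rule from the text: the kernel-provided argv is
// trusted only when the probe did not truncate it, there are at most MaxArgs
// arguments and none exceeds MaxArgLen bytes.
func KernelArgsUsable(ev ExecEvent) bool {
	if ev.Truncated || len(ev.Args) > MaxArgs {
		return false
	}
	for _, a := range ev.Args {
		if len(a) > MaxArgLen {
			return false
		}
	}
	return true
}

// ResolveCmdline returns argv for the event plus where it came from
// ("kernel", "procfs" or "kernel-partial"), reading procfs only when needed.
func ResolveCmdline(ev ExecEvent, readProc func(pid int) ([]byte, error)) ([]string, string, error) {
	if KernelArgsUsable(ev) {
		return ev.Args, "kernel", nil
	}
	raw, err := readProc(ev.PID)
	if err != nil {
		// Short-lived process already gone: keep what the kernel gave us.
		// ev.Filename, the absolute path, is still reliable.
		return ev.Args, "kernel-partial", err
	}
	args := ParseProcCmdline(raw)
	if len(args) == 0 {
		return ev.Args, "kernel-partial", errors.New("empty /proc cmdline")
	}
	return args, "procfs", nil
}

func main() {
	// Smoke test against the real procfs with our own PID.
	if raw, err := ReadProcCmdline(os.Getpid()); err != nil {
		fmt.Println("procfs unavailable:", err)
	} else {
		fmt.Println("self:", ParseProcCmdline(raw))
	}
	// Constructed event whose second argument exceeds the kernel-side limit.
	ev := ExecEvent{PID: os.Getpid(), Filename: "/usr/bin/example",
		Args: []string{"example", strings.Repeat("A", MaxArgLen+1)}}
	args, src, err := ResolveCmdline(ev, ReadProcCmdline)
	fmt.Println(src, len(args), err)
}
```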
- TOP_EU_US_Ads_Trackers_HOST list is no longer available, and the new
list is not in hosts format.
- curben malware list moved to malware-filter.gitlab.io
- some improvements
Closes #695
Added option to reject new connections from the pop-ups:
- Configurable from the preferences, Default Action option.
- By default there're 2 buttons as always: Deny - Allow
- If the Default Action is Reject: Reject - Allow
- The Deny button now has an activatable menu, from where you can select
non-default options (ex: reject connections while the Default Action
is Allow/Deny).
Closes #613 #571
Improved process detections by monitoring new processes execution.
It allows us to know the path of a process before a socket is opened.
Closes #617
Other improvements:
- If we fail to retrieve the path of a process, then we'll use the comm
name of the connection/process.
- Better kernel connections detection.
- If debugfs is not loaded, we'll try to mount it, to allow using the
eBPF monitor method.
Future work (help wanted):
- Extract command line arguments from the kernel (sys_execve, or mm
struct).
- Monitor other functions (execveat, clone*, fork, etc).
- Send these events to the server (GUI), and display all the commands
an application has executed.
When loading and setting the configured query limit, an unwanted combobox
event was being fired, resulting in a DB query without limits, which in
turn, with a lot of events, was causing slowdowns when displaying the
events window.