In case we're connecting to an IP directly, or if an IP is not resolved,
leave the DstHost field empty and format it appropiately on the UIs.
Otherwise we can't know (easily) if the field DstHost of a connection is
an IP or a domain.
When a new connection is about to be established and the system performs
a dns resolution, we displayed it like this: 9.9.9.9 (www.opensnitch.io)
It added visibility of what was going on, but if you created a rule to
filter by destination host, you were prompted twice to allow firstly the
DNS query, and secondly the TCP connection, which was a bit annoying.
Some users (#5) also asked to display just the domain, so now we only
display the domain name.
Destination host, process path and process arguments are now case
insensitive by default.
There's a new rule operator field (sensitive), to change this behaviour:
```
{
"type": "simple",
"operand": "dest.host",
"sensitive": false,
"data": "opensnitch.io",
"list": null
}
```
Rules without this field will evaluate as false by default.
closes#45
Some systems has the IPV6 protocol disabled, so we failed starting up
with the error "Address family not supported by protocol" (#52).
Now we don't exist even if we can't insert the needed rules, we'll just
log the error.
We must intercept RELATED packets, not only for intercept protocols like
ftp-data, but also to handle connection errors (ICMP errors), like the
ones originated when dis/connecting from a wifi network.
In some scenarios (#47) may be useful to have a set of rules handled from
OpenSnitch, although you can accomplish it with other software (ufw,...).
This rules will sit just above default intercetion, so if you want to
allow or deny something, just place it here.
These priority rules are defined in /etc/opensnitchd/fw.json, with the
following format (example):
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
"-m conntrack --ctstate INVALID",
"-p tcp ! --syn -m conntrack --ctstate NEW"
]
}
}
}
The structure must exist even if you haven't defined any rule, for
example:
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
]
}
}
}
When the daemon is stopped, we need to close opened netfilter recurses.
Otherwise we can fall into a situation where we leave NFQUEUE queues
opened, which causes opensnitch to not run anymore until system restart
or a manual intervention, because there's a NFQUEUE queue already created
with the same ID.
This is what was happening as a collateral effect of #41.
Current version is stable enough (based on users' feedback) to get it out
of the release candidate state. OpenSnitch works and is usable.
There's a lot of work yet to do, so let's start from a fresh and shiny
release number.
In old libnetfilter_queue libs, we can't know the UID of the packet
because the function nfq_get_uid is not present.
We check it dynamically on run time, but we were doing it wrong, so the
daemon didn't run with old libs.
Thaks to Pain-Patate for reporting it in #18.
Processes paths with spaces were not handled correctly.
If the /proc/<pid>/exe link contained the word "(deleted)",
we deleted that part from the process path. But the way we
did it caused to not handle paths with spaces correctly.
Should fix#24
Denied connections were logged with Warning level.
However if you had a rule that denied a particular noisy connection, it
generated too much logs that didn't add value.
In the future it would be nice to log as warning, denied connections
that do not have a rule created by a user.
Discussion: https://github.com/gustavo-iniguez-goya/opensnitch/issues/10#issuecomment-615854975
(1/2)
We start receiving notifications from the UI, which allow us to change
configurations and perform actions on the daemon.
The concept of Node has also been introduced, which identifies every
daemon (client) connected to the UI (server).
These options has been added:
- Enable/Disable firewall interception (for all nodes)
- Change daemons (clients) configuration. globally or per node.
- Change prompt dialog options.
We have fixed some bugs along the way:
- Close audit client connection gracefully.
- Exclude our own connections from being intercepted.
- Better handling of client connection status with the UI.
We probably has also introduced some other bugs (not listed here).
