updated after opensnitch repo commit 3bb3ae721e

2025-03-04 08:34:40 +01:00 · 2022-05-05 22:57:46 +00:00 · 2022-05-05 22:57:46 +00:00 · f858238371
commit f858238371
parent d9c16fe821
1 changed files with 177 additions and 0 deletions
--- a/System-rules-legacy.md
+++ b/System-rules-legacy.md
@ -0,0 +1,177 @@
+This page describes the firewall configuration format used from version v1.3.0-rc.1 to v1.5.2. This format is deprecated, the new format is described in tail here []()
+
+The file where you can configure system rules is `/etc/opensnitchd/system-fw.json`.
+
+iptables
+---
+
+#### Allowing VPN traffic and other things
+
+If you configure the daemon to deny everything that is not specifically allowed by default, many services will be blocked, [like VPNs](https://github.com/gustavo-iniguez-goya/opensnitch/issues/47).
+
+In order to allow this type of traffic, you can add a rule like this (notice that the **Table** is **mangle**):
+```
+{
+    "SystemRules": [
+        {
+            "Rule": {
+                "Description": "Allow pptp VPNs",
+                "Table": "mangle",
+                "Chain": "OUTPUT",
+                "Parameters": "-p gre",
+                "Target": "ACCEPT",
+                "TargetParameters": ""
+            }
+        }
+    ]
+}
+```
+
+In this case we allow **GRE traffic** (`-p gre`) to allow **PPTP** connections, or you can allow traffic point to point (`-p udp --dport 1194`). Whatever you can do with iptables.
+
+Besides this, some services like **OpenVPN** uses **ICMP** to keep the tunnel up. Needless to say that [ICMP is very important for network communications](https://tools.ietf.org/html/rfc1191):
+
+```json
+{
+    "SystemRules": [
+        {
+            "Rule": {
+                "Description": "Allow OUTPUT ICMP",
+                "Table": "mangle",
+                "Chain": "OUTPUT",
+                "Parameters": "-p icmp",
+                "Target": "ACCEPT",
+                "TargetParameters": ""
+            },
+        },
+        {
+            "Rule": {
+                "Description": "Allow OUTPUT ICMPv6",
+                "Table": "mangle",
+                "Chain": "OUTPUT",
+                "Parameters": "-p ipv6-icmp",
+                "Target": "ACCEPT",
+                "TargetParameters": ""
+            }
+        }
+    ]
+}
+```
+
+(you can allow only _echo_ and `reply`: `-p icmp --icmp-type echo-request`)
+
+Some more examples:
+```json
+{
+    "SystemRules": [
+        {
+            "Rule": {
+                "Description": "",
+                "Table": "mangle",
+                "Chain": "OUTPUT",
+                "Parameters": "-p tcp ! --syn -m conntrack --ctstate NEW",
+                "Target": "DROP",
+                "TargetParameters": ""
+            }
+        },
+        {
+            "Rule": {
+                "Description": "",
+                "Table": "filter",
+                "Chain": "OUTPUT",
+                "Parameters": "-m conntrack --ctstate UNTRACKED,INVALID",
+                "Target": "DROP",
+                "TargetParameters": ""
+            }
+        },
+        {
+            "Rule": {
+                "Description": "",
+                "Table": "mangle",
+                "Chain": "PREROUTING",
+                "Parameters": "-m conntrack --ctstate INVALID,UNTRACKED",
+                "Target": "DROP",
+                "TargetParameters": ""
+            }
+        }
+    ]
+}
+```
+
+Allow nfs connections to mount a remote share:
+```json
+        {
+            "Rule": {
+                "Description": "Allow nfs", 
+                "Table": "mangle",
+                "Chain": "OUTPUT",
+                "Parameters": "-p tcp --dport 2049",
+                "Target": "ACCEPT", 
+                "TargetParameters": ""
+            }
+        }
+```
+
+The list of protocols you can allow or deny are defined in the file `/etc/protocols`
+
+Intercepting connections from containers
+---
+
+In order to intercept connections from containers, you need to select in `Preferences->Nodes->Process monitor method: ebpf`, and add the following rule to `/etc/opensnitchd/system-fw.json`:
+```json
+        {
+            "Rule": {
+                "Enabled": true,
+                "Description": "",
+                "Table": "mangle",
+                "Chain": "FORWARD",
+                "Parameters": "-m conntrack --ctstate NEW",
+                "Target": "NFQUEUE",
+                "TargetParameters": "--queue-num 0 --queue-bypass"
+            }
+        }
+```
+
+nftables
+---
+
+OpenSnitch system rules cannot be used yet with nftables as of v1.4.0, it's scheduled to be added for v1.5.0.
+
+However if you need to use nftables you can combine OpenSnitch interception with the nftables firewall service:
+
+1. Edit `/etc/opensnitchd/default-config.json` and set "Firewall" to "nftables".
+2. Edit `/etc/nftables.conf` and add these rules:
+```
+#!/usr/sbin/nft -f
+
+# docs: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+
+# flush ruleset
+
+# inet == ipv4 && ipv6
+
+# the name of the tables and hooks is not random, OpenSnitch adds filter and mangle, and output chains
+table inet filter {
+    chain input {
+        # block by default incoming connections
+        type filter hook input priority filter; policy drop;
+        
+        # allow already established connections
+        ct state { established, related } accept
+        ct state invalid drop
+        
+        # allow ssh
+        # tcp dport { 22 } accept
+    }
+}
+```
+3. Enable nftables service:
+`$ sudo systemctl enable nftables`
+`$ sudo systemctl start nftables`
+
+---
+
+In future versions you will be able to configure these rules from the GUI, but for now you have to add the rules to the file `/etc/opensnitchd/system-fw.json`.
+
+If you need or want a GUI, or you'd like to have more control on the rules, maybe you should try UFW, FwBuilder and the like.
+