I've tried to use it extensively (as an interactive firewall). However, there are just some problems (that are not the fault of OpenSnitch) that I'm not even sure are solvable.
For example, suppose I run `curl` on the terminal: I can either always decide on a case-by-case basis to allow it through, or I'm required to whitelist it permanently.
Once I've whitelisted generic tools like `curl` or `wget`, then the floodgates are really open, since any malware that has compromised my machine can just use `curl` or `wget` to get to the internet without hitting the firewall.
I’ve found that by using subdomain wildcards and/or subnets, I build up a stable set of rules pretty quickly and then only have to review requests to new endpoints once in a while.
To me, the peace of mind knowing that I’ll be prompted to allow new access is worth the initial hassle. And once the habit is built, it’s pretty easy to manage.
Editing to add: I also use expiring rules regularly. Maybe I trust an installer and want to let it do its thing. So I open it up with a rule for the executable expiring in the near future (options include: forever, until reboot, for the next 30s, for the next 5 mins, etc). This can drastically simplify some tasks if there are a large number of endpoints for some reason and avoids leaving a hole open permanently.
Might be the same, but what if you allow all curl/wget traffic for the 'dev' user, but continue to flag any traffic for the 'normal' user?
for dev work run 'su -c curl … dev'
But if a malicious program in normal user space is running, then the app firewall flags curl and wget use appropriately.
It would be annoying to input the password every time, so maybe set up PAM to use a YubiKey or biometrics? Also make sure this user cannot log in and does not have a password.
This sounds rather silly. If this is really a concern, then "curl" or "wget" can be renamed. I use an application level firewall on mobile and I do not "whitelist" names of programs, I "whitelist" access to certain domain names/IP addresses by certain programs.
The easiest way to stop programs/malware from phoning home IME is to deny access to DNS. I have been doing this for decades and it still works flawlessly. "99%" of the time programs/malware that phone home rely on DNS, not "hard-coded" IP addresses. And it is quite easy for me to detect the rare case of a program/malware that does not need DNS.
With DNS I "whitelist" certain domain names. In fact today I do not even use a locally-served zone file with the IP addresses I need (the whitelist); a forward proxy handles the domain to IP address mapping, and the whitelist loaded by the proxy is a text file, like a zone file but simpler.
I wonder if there's a way to configure it so that when the parent cmd is a trusted command (say, a bash/zsh owned by the user), it could let the curl command through and otherwise block it. But yeah, that seems like a bit of a hassle.
> However there are just some problems (that are not the fault of OpenSnitch) that I'm not even sure that are even solvable.
Those problems are solvable. Some "big" EDRs, which happen to work in a similar way, allow declaring the parent/child relationship of the executables to block, i.e. it should be possible to declare that if "curl" is spawned, and if by walking the parent list we encounter a process called "/usr/bin/trusted", then allow this curl invocation. This action would allow running "curl" from bash scripts, as long as the bash script has "/usr/bin/trusted" as a parent.
Or be ok with filtering HTTP/TLS traffic based on the domain only, as that part isn't encrypted (the SNI [Server Name Indication]). OpenSnitch should be able to allow/disallow based on that, rather than having to decrypt the TLS part.
A sudo-like wrapper for this could be pretty cool.
It will still capture when processes unexpectedly try to connect to the network for the first time, and there is some value in that, even if the popups aren't great.
I switched from Qubes OS to Fedora+Flatpak+Opensnitch. Couldn't get it to run Wayland on my hybrid GPU system (Nvidia). QubesOS drained the battery very quickly, and since graphics is AFAIK software rendered, I ran into problems watching HD videos (e.g. a lot of dropped frames on YouTube).
> It doesn’t pin to PID? What if I rename a program to something that has been whitelisted?
That's a valid question. It should allow/disallow executables by hashing the executable file (not even the device id + inode), not by comparing the paths. Also, pinning the PID isn't good, since the PID is temporary.
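As an added example (not OpenSnitch's code, nor anything from the EDRs mentioned above), here is how a rule combining the two ideas in this thread could be evaluated: identify the connecting process by the SHA-256 of its executable rather than its path, and allow it only when a trusted launcher appears in its parent chain. "/usr/bin/trusted" is the hypothetical launcher path from the earlier comment; the allowlist digest is a placeholder, and the `/proc` reader is Linux-only.

```python
import hashlib
import os
from typing import Callable, Dict, FrozenSet, Iterator, Optional, Tuple

ProcInfo = Optional[Tuple[int, str, str]]  # (ppid, exe path, sha256 of exe) or None if gone
ProcView = Callable[[int], ProcInfo]

# Allowlist keyed by executable hash, not path; values are trusted ancestor paths.
# The digest below is a constructed placeholder, not a real hash of curl.
ALLOW_BY_HASH: Dict[str, FrozenSet[str]] = {
    "PLACEHOLDER_SHA256_OF_CURL": frozenset({"/usr/bin/trusted"}),
}

def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def proc_view(pid: int) -> ProcInfo:
    """Real view backed by /proc (Linux): PPid from status, exe via the symlink."""
    try:
        with open(f"/proc/{pid}/status") as f:
            ppid = next(int(l.split()[1]) for l in f if l.startswith("PPid:"))
        exe = os.readlink(f"/proc/{pid}/exe")
        return ppid, exe, sha256_of_file(exe)
    except (OSError, StopIteration):
        return None

def ancestors(pid: int, view: ProcView) -> Iterator[str]:
    """Yield exe paths walking up from pid; stop at pid 0, a cycle, or a vanished pid."""
    seen = set()
    while pid > 0 and pid not in seen:
        seen.add(pid)
        info = view(pid)
        if info is None:
            return
        yield info[1]
        pid = info[0]

def decide(pid: int, view: ProcView = proc_view,
           allow: Dict[str, FrozenSet[str]] = ALLOW_BY_HASH) -> bool:
    """Allow only if the exe hash is allowlisted AND a trusted launcher is an ancestor:
    a renamed binary fails the hash check, curl run from an ordinary shell the ancestor check."""
    info = view(pid)
    if info is None:
        return False
    trusted = allow.get(info[2], frozenset())
    return any(exe in trusted for exe in ancestors(info[0], view))
```

Passing a different `view` callable lets the same policy be tested against a constructed process tree without touching `/proc`.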
Is the filter configured per user, or is it system-wide? I know you can filter per user with iptables and whatever the newer one is, but I haven't dug that deep into OpenSnitch. Maybe a single trusted user account without a login that you could su into? I wonder if you could also whitelist a VM process and spin up single-use VM sandboxes to use when you want to do a bunch of work like that.
Definitely a minor hassle to set up compared to just saying yes or no to permissions, but it's not complicated, if it works.
This is what finally got me over to NixOS. In the past when I've used application firewalls, it's a lot of setup that often breaks on updates changing paths, or I have to redo it all whenever I move to a new computer. Just tons and tons of churn and wasted effort.
By integrating with the package manager that hasn't been an issue. Once I got through the initial work of setting up my whitelists I just have a little bit of effort each time I add a new package to my nix configs. If I don't want to take on the effort of adding a whitelist to my nix config, I can just add a temporary whitelist that lasts until the next reboot.
It was a steep learning curve and a lot of work, but now it's a breeze to maintain.
I tend to put all the random grab-bag rules needed for basic functionality in the opensnitch.nix module. If a package needs rules, it gets a module and they go in there. Check the signal.nix module for a good example.
This is great for catching sloppy apps that make an excessive number of connections. Thunderbird, I’m looking at you.
I like it, but it has a small annoyance in that the temporary rules that have expired don’t get deleted or marked in the interface. So I have to restart the gui once in a while to clear them.
Actually the new Thunderbird people are not taking lots of patches and fixes for even things like security and mail corruption issues. And privacy definitely doesn't seem to be anything they are interested in. I gave up and just send them over to Betterbird, which is what I use now anyway, since I don't want my mail corrupted.
As was mentioned in the thread you linked, use 'baseurl' instead of 'metalink' in the repo definitions (in /etc/yum.repos.d) and set the update server to whichever mirror you like.
There's even a helpful example in each Fedora repo that you can use as a template.
I have heard good things about this one. But I think this is one of those no-root firewalls that uses the VPN, so I figure this means I can't use a VPN at the same time.
An alternative Android root-only option is AFWall+, which allows blocking on LTE, WiFi, LAN, and VPN separately, and script access to iptables. Not sure how actively developed it is, but it seems to work ok.
*edit: Seems to still be active, open source, and available on F-Droid too.
Netguard is fantastic, although it takes a while to get a safe setup working. I'm blocking traffic by default and get to see all the blocked connection attempts - the extent to which apps transmit data to various parties is depressing. Netguard should be a standard OS feature.
I didn't want to pay without testing the features first, so I have rebuilt the app (it is opensource) with Pro enabled, so I guess that's an option if you want to avoid payment. Updates are a problem then though. Once I tested it I gladly paid (more than requested) to support the development. I never got around to reinstalling it though, so I'm still on an older version.
NetGuard is simply awesome. The peace of mind when I know which servers the apps are contacting, and being able to block their access to the net by default, is just great. The rules could be made a bit more easily adjustable (it would be nice if I could block `*.firebaseinstallations.googleapis.com` everywhere, even if other traffic is allowed for the app), but I'm just nitpicking now. Highly recommend it.
"You can get all current and future NetGuard pro features (including updates) without Google Play services for the GitHub or F-Droid version by a one time donation of € 0.10 or more. If you donate 7 euros or more, you can activate the pro features on all Android devices you personally own, else you can activate the pro features one time only."
Sadly, all real firewalls need root. I was using AFWall+ for a long time; it has neat controls for every app to allow or deny WiFi, Cell or LAN (if you have it). It is an iptables/nftables frontend, so you can customize the rules to your heart's content: https://github.com/ukanth/afwall
Works from Android 2+
Without root only VPN solutions like Adguard are available.
EDIT: if you want neat stats: Glasswire has an Android version. I have only used the beta so I have no idea about its current state. Might be worth checking out though.
I really like Rethink DNS.
I have learned many things from watching it (such as I think Signal is compromised by some five-eyes "crossing the border" fuckery.)
OpenSnitch prompts you when there's network activity. So if a random app makes a telemetry call or something, you get the option to white/greylist that connection with granularity, like OK to make a connection to that address from this executable, etc., or always OK to this address, and with duration options like once/for 15 seconds, until reboot, etc. Once you get over the hurdle of whitelisting the apps you use and trust, it's actually pretty nice and gives you good insight into what your apps/games are doing that you otherwise wouldn't have known about.
- allow a specific parent structure, e.g. when the python interpreter is invoked by a different parent command
- allow a specific process ID temporarily until the process is killed (both with allowing/disallowing child processes)
- allow a specific target port range for games, and not only a specific port in the rulesets.
...because I feel that 99% of the annoying dialogues could have been avoided with this.
https://news.ycombinator.com/item?id=41124755
Could just let it, but would prefer not to.
Good luck.
containerA: all outbound traffic allowed
containerB: no outbound traffic allowed, except to reply to a client
containerC: may only reach out to updates.example.com
Is this just per-container iptables? I could wedge iptables into existing images but it seems like a lot of work.
Or maybe something with iptables on the host?
[1] https://netguard.me
https://github.com/ukanth/afwall
> Sadly all real firewalls need root
What do you mean by a "real" firewall? It is very much possible to build a userspace firewall in Android using the VPN APIs.
On Android, ROMs like GrapheneOS, Lineage, and CalyxOS have firewalls built-in.
> Glasswire has an Android version
Note though, Glasswire was recently acquired by another company: https://archive.is/KW2R3
Switched to it from NetGuard mentioned above.
Doesn't stop direct IP connections, but it's good enough.
I also have the CLI installed on OPNsense so DoH is enforced for all devices on my LAN as well.