Open opk12 opened 1 month ago
Essentially, the ask is to support port-numbers for domain rules?
Trusting a domain should not allow the port 80, if the Universal rule to forbid port 80 is enabled.
Supporting port numbers for domain rules.
We are in two minds about supporting this. There are no technical issues here; it is just that enforcing a domain-name rule with no port number will have to behave drastically differently from one specified with a port number[^g], which might confuse users.
[^g]: Port numbers are not known at domain name resolution time and hence these rules would always have to be applied at connection time (unlike other block / deny domain rules which are applied at DNS resolution time).
We've implemented this in v055l. Please test and let us know.
Thank you very much. I will update as soon as it lands on F-droid.
Supporting port numbers for domain rules.
I wrote this for completeness while bug reporting, but I do not need this personally. I was thinking in general about any users that potentially relied on the domain rule allowing port 80 and now (since v055l) will have no way to access port 80.
We are in two minds about supporting this. There are no technical issues here but just that enforcing a domain name rule with no port number will have to behave drastically differently than when specified with a port number, which might confuse users.
OpenSnitch has one single list of rules (screenshot 1). A rule can provide an IP, and/or domain, and/or port, and/or app, ...
Although the name sounds like "allow google.com" for ease of reading, the rule is a generic predicate (`operator_data`) over the properties of interest (column `operator_operand`), and the editing window allows mixing properties (screenshot 2; JSON in the last line of screenshot 3). For example, I can mix IP and domain. I think it's a matter of time before the user requests for Rethink reach that point.
It seems that OpenSnitch has already encountered the problem that similar-looking things behave differently, but I do not know how they deal with it exactly. For Rethink, maybe one list of rules, and a colored badge on each rule, to self-identify as "triggered at the DNS level" vs connection level.
Thanks.
I think it's a matter of time before the user requests for Rethink reach that point.
True, but there's a laundry list of things (enough to keep us busy for 2 years) already left to work on before this particular power-user feature should get implemented? (:
I updated to v0.5.5L from F-droid and rebooted the phone. I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.
This also applies to the IP address: Fennec can connect to my home PC (where I run `nc -l 80` or `python3 -m http.server`) if I add the IP address to the trust list, without typing `:80`.
I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.
Sorry, we undid the change in v055l as we broke the fundamental precedence rule we set for prior versions, which is, domain rules always override IP rules (as some vocally angry users reminded us).
We're thinking of either bringing in `domain:port` rules or explicit priority numbers for rules (like in OpenSnitch).
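The thread describes three ways the same rule list could be evaluated: today's precedence, where a trusted domain or IP re-opens a universally blocked port; the proposed `domain:port` form, which only fires at connection time and would let the universal port block win over a bare trust rule; and OpenSnitch-style explicit priorities. The toy model below is an added illustration, not Rethink's or OpenSnitch's code. The precedence orders, the `dns_verdict` / `connect_verdict` split, and the rule list (domains, addresses, priorities) are assumptions reconstructed from the comments above; the footnote's point that a port is unknown at resolution time is what forces port-bearing rules into the connection-time stage.

```python
# Added illustration of rule precedence: not Rethink or OpenSnitch code. The
# bucket orders and the sample rule list are assumptions modelled on the thread.
from dataclasses import dataclass
from typing import List, Optional

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Rule:
    action: str                   # ALLOW or BLOCK
    domain: Optional[str] = None  # destination name, None = any
    ip: Optional[str] = None      # destination address, None = any
    port: Optional[int] = None    # destination port, None = any
    priority: int = 0             # consulted only in "priority" mode

    def matches(self, domain: Optional[str], ip: str, port: int) -> bool:
        # Every field that is set must match; None is a wildcard.
        return ((self.domain is None or self.domain == domain)
                and (self.ip is None or self.ip == ip)
                and (self.port is None or self.port == port))

    @property
    def dns_time(self) -> bool:
        # Only the name is known while resolving, so only domain-only rules can
        # be applied at DNS time; anything with an IP or port waits for connect.
        return self.domain is not None and self.ip is None and self.port is None


def dns_verdict(rules: List[Rule], domain: str) -> Optional[str]:
    """Decision while resolving `domain`; None means 'decide at connection time'."""
    for r in rules:
        if r.dns_time and r.domain == domain:
            return r.action
    return None


# Buckets used to rank the rules that match one connection.
def _scoped_port(r: Rule) -> bool:     # domain:port or ip:port
    return r.port is not None and (r.domain is not None or r.ip is not None)
def _universal_port(r: Rule) -> bool:  # e.g. the Universal "block port 80" rule
    return r.port is not None and r.domain is None and r.ip is None
def _bare_domain(r: Rule) -> bool:
    return r.domain is not None and r.port is None
def _bare_ip(r: Rule) -> bool:
    return r.ip is not None and r.domain is None and r.port is None

PRECEDENCE = {
    # Behaviour the reporter observed: a trusted domain or IP beats the
    # universal port block, so port 80 opens again without typing ":80".
    "domain_first": [_scoped_port, _bare_domain, _bare_ip, _universal_port],
    # Proposal in the thread: the universal port block beats a bare trust rule;
    # only an explicit domain:port (or ip:port) rule re-opens the port.
    "domain_port": [_scoped_port, _universal_port, _bare_domain, _bare_ip],
}


def connect_verdict(rules: List[Rule], domain: Optional[str], ip: str, port: int,
                    mode: str = "domain_first") -> str:
    """Decision when the app opens a socket to ip:port (domain = resolved name, if any)."""
    hits = [r for r in rules if r.matches(domain, ip, port)]
    if not hits:
        return ALLOW  # default verdict when no rule matches
    if mode == "priority":
        # OpenSnitch-style explicit ordering: highest number wins, first defined breaks ties.
        return max(hits, key=lambda r: r.priority).action
    for bucket in PRECEDENCE[mode]:
        for r in hits:
            if bucket(r):
                return r.action
    return hits[0].action  # only reached by a catch-all rule with no fields set


# Constructed sample rule list modelled on the report (addresses are documentation ranges).
RULES = [
    Rule(BLOCK, port=80),                           # Universal: block port 80 for every app
    Rule(ALLOW, domain="example.com"),              # trust-list entry typed without a port
    Rule(ALLOW, ip="192.0.2.10"),                   # the home PC, trusted by IP
    Rule(ALLOW, domain="legacy.example", port=80),  # explicit domain:port trust
    Rule(BLOCK, domain="tracker.example"),          # a DNS-time block for comparison
]
# Priority-mode variant: same intent, ordering made explicit by numbers.
PRIO_RULES = [
    Rule(BLOCK, port=80, priority=10),
    Rule(ALLOW, domain="example.com", priority=5),
    Rule(ALLOW, domain="legacy.example", port=80, priority=20),
]


def demo() -> dict:
    """Verdicts for the connections discussed in the thread, keyed by description."""
    return {
        "dns example.com": dns_verdict(RULES, "example.com"),
        "dns legacy.example": dns_verdict(RULES, "legacy.example"),  # None: deferred to connect
        "example.com:80 domain_first": connect_verdict(RULES, "example.com", "203.0.113.5", 80),
        "example.com:80 domain_port": connect_verdict(RULES, "example.com", "203.0.113.5", 80, "domain_port"),
        "example.com:443 domain_port": connect_verdict(RULES, "example.com", "203.0.113.5", 443, "domain_port"),
        "home pc:80 domain_port": connect_verdict(RULES, None, "192.0.2.10", 80, "domain_port"),
        "legacy.example:80 domain_port": connect_verdict(RULES, "legacy.example", "198.51.100.7", 80, "domain_port"),
        "example.com:80 priority": connect_verdict(PRIO_RULES, "example.com", "203.0.113.5", 80, "priority"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} -> {v}")
```

Running the file prints one verdict per line. The instructive pair is `example.com`: under the proposed order its bare trust rule still answers "allow" at DNS time (the name resolves), yet the socket to port 80 is blocked at connection time, which is exactly the two-stage behaviour the footnote warns users may find confusing. A per-rule badge of the kind suggested above could be derived directly from something like `Rule.dns_time` here, since a rule either can be decided at resolution time or cannot.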
I cannot block port 80 while trusting a domain. Also, a trust rule for `my_domain_here.com:80` seems ineffective, but the GUI accepts it.
+ button and type a rule for `my_domain_here.com:80`.
What about changing the logic to block the port 80 even if there is a trust rule? Then the app could introduce support for the syntax `domain.com:80`, to whitelist the port.