evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Filter forwarded traffic #1175

Open ciandonovan opened 3 months ago

ciandonovan commented 3 months ago

Summary:

OpenSnitch works quite well testing host-based firewalls. I currently have a setup where opensnitchd runs on the client device, and opensnitch-ui is run on the "router".

However, it would be useful to just run both opensnitchd and opensnitch-ui on the router, and have it filter the traffic of multiple client devices on a LAN with the same ruleset.

Would this be out of scope for the project?

gustavo-iniguez-goya commented 2 months ago

hi @ciandonovan ,

You can configure opensnitch to intercept forwarded traffic by enabling this fw rule: https://github.com/evilsocket/opensnitch/blob/5877e6c6d0299f04cfb90064bc21139002c2c4b1/daemon/system-fw.json#L220

But I'm not sure if I understand the use case. If the daemon is running on different machines, it'll intercept the outbound connections, and send all the requests/network activity to the GUI ("router").

If the daemon is running on the router, then yes, you would have to enable the fw rule to intercept the forwarded traffic (we have a limitation there if I remember correctly).

If the machines where the daemon is running have containers (k8s, docker), then you would also have to enable the fw rule to intercept the forwarded traffic from the containers to the host (it's not perfect but it works).

ciandonovan commented 2 months ago

The forward configuration you provided solves that use-case. I'm guessing that option is not exposed in the GUI?

I was shoehorning OpenSnitch into testing a domain-whitelist ruleset for an enterprise deployment. Worked well enough, except OpenSnitch does "reverse-DNS" through caching DNS query responses and local resolver integration (I think), which doesn't catch everything.

Couldn't find any proper solution on Linux surprisingly, and have since moved to OPNsense which is more suited to my particular use-case. Its method is to take a list of domain aliases, and simply re-query them every 5 minutes or so, and cache all the A/AAAA records to be used in the firewall rulesets.

Still a big fan of OpenSnitch, runs on my personal machine :)
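The OPNsense-style approach described in the last comment (re-query a list of allowed domains periodically, cache every A/AAAA answer, and feed the addresses into firewall sets that a forward chain matches on), as an added Python example that is not part of this thread or of OpenSnitch. The resolver is injected and the answers are constructed documentation addresses so it runs offline; the nftables rendering is an assumed sketch of a forward-chain allowlist, not anything OpenSnitch or OPNsense emits.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Set

# Hypothetical resolver signature: domain -> iterable of address strings.
Resolver = Callable[[str], Iterable[str]]

# Constructed sample answers (RFC 5737/3849 documentation ranges) standing in
# for the A/AAAA responses a real loop would re-fetch every few minutes.
SAMPLE_ANSWERS = {"example.com": ["192.0.2.10", "2001:db8::10"],
                  "example.org": ["198.51.100.7"]}


def build_allowlist_sets(domains: Iterable[str], resolve: Resolver,
                         cache: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Set[str]]:
    """Resolve each domain and merge the answers into a per-domain cache.
    The cache is what a periodic re-query carries between runs: an address the
    domain stopped returning stays allowed until the caller evicts it, so a
    round-robin rotation does not cut an existing flow mid-connection."""
    cache = {} if cache is None else cache
    for name in domains:
        cache.setdefault(name, set()).update(resolve(name))
    v4, v6 = set(), set()
    for addrs in cache.values():
        for a in addrs:
            ip = ipaddress.ip_address(a)  # reject non-address answers loudly
            (v4 if ip.version == 4 else v6).add(str(ip))
    return {"v4": v4, "v6": v6}


def render_nft(sets: Dict[str, Set[str]], table: str = "domainwl") -> str:
    """Emit an nftables ruleset: two named sets plus a forward chain passing only
    established traffic, DNS, and allowlisted destinations. Caveat of the method
    itself: matching is by address, so other names sharing an allowed IP pass too."""
    def elems(key: str) -> str:
        addrs = sorted(sets[key], key=ipaddress.ip_address)
        return f" elements = {{ {', '.join(addrs)} }}" if addrs else ""
    return "\n".join([
        f"table inet {table} {{",
        f"  set allow4 {{ type ipv4_addr;{elems('v4')} }}",
        f"  set allow6 {{ type ipv6_addr;{elems('v6')} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    udp dport 53 accept",  # clients must still resolve the allowed names
        "    ip daddr @allow4 accept",
        "    ip6 daddr @allow6 accept",
        "  }",
        "}",
    ])
```

Re-running `build_allowlist_sets` with the same cache on a timer is the re-query loop; the rendered text can be fed to `nft -f -`.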