Feature Requests

[benboeck]

Hello, thank you for this great tool, absolutely love it and have been looking for a good desktop firewall for linux for a long time.

I would really appreciate the following features; I think I remember reading about some of those but cannot find it again; @Northern-Lights or somebody else, did you by chance already implement any of these and would be willing to push them?

• Statistics: allow sorting in the tables. Implement a good sort for IPs so they are sorted correctly.
• The host statistics tab should include the IP(s).
• In the popup dialog to add a rule, it would be great to have the following additional options:
  • Add rule for combination of process and port (e.g., the mail client may talk to SMTP but not every port, it should ask you again for IMAPS and so on). This should also be the default - don't encourage "any" firewall rules.
  • When adding a rule through the dialog, I think it is misleading that it says "for this process" when in reality it is for this executable as the rule still applies even if the process is ended and a new one is spawned ("executable" is also not perfect as links such as /usr//bin/java are resolved) - do you have a more concise description?
  • Between "for this session" and "for this process" (which should be renamed, see before) I am missing an option to only allow access for this process instance. This means the rule applies to the running, say, Firefox instance but if you close and reopen it, it would ask you again.
  • The temporary rules could be removed once the process instance (combination of PID, executable name and maybe command line arguments - just to be sure) ceases to exist
• It would be great to be able to see the command line arguments of processes, both in statistics and in the dialog popup.
• It would be great to be able to list the saved and temporary rules in a statistics tab (bonus, allow removal).
• SSL/TLS certificate statistics might also be an interesting new statistics tab.

Do you have any questions, additions or other feature requests? Thanks, Ben

[Northern-Lights]

I have not worked on any of these, but I would be interested in putting something together for more granular handling of the rules (e.g. distinguishing between process and file, and targeting protocols, as you described.)

[gustavo-iniguez-goya]

Do you have any questions, additions or other feature requests?

Statistics dialog:

• Allow to see dropped connections by clicking on the "Dropped" label.
• Right click on a row to edit the rule applied to that connection.
• Right click on a row to quickly allow/deny a connection, process, address, host, port or user (depending on which tab you have active).
• Allow to start/stop the daemon from the UI.
• Allow to list and edit applied rules.
• Allow to edit the working mode (default timeout, actio and duration).

Statistics: allow sorting in the tables.

Basic sorting added here #264

[gustavo-iniguez-goya]

hey @evilsocket , what do you think of these feature requests? I think I can contribute to some of them and improve the GUI a little bit.

[gustavo-iniguez-goya]

With latest version https://github.com/evilsocket/opensnitch/releases :

The host statistics tab should include the IP(s).

You can see them by double clicking on the host.

In the popup dialog to add a rule, it would be great to have the following additional options: Add rule for combination of process and port (e.g., the mail client may talk to SMTP but not every port, it should ask you again for IMAPS and so on). This should also be the default - don't encourage "any" firewall rules.

Added.

When adding a rule through the dialog, I think it is misleading that it says "for this process" when in reality it is for this executable as the rule still applies even if the process is ended and a new one is spawned ("executable" is also not perfect as links such as /usr//bin/java are resolved) - do you have a more concise description?

Fixed.

Between "for this session" and "for this process" (which should be renamed, see before) I am missing an option to only allow access for this process instance. This means the rule applies to the running, say, Firefox instance but if you close and reopen it, it would ask you again.

Well, mmm, I recently added a new operator process.id (PID..) which could be used for this purpose.

The temporary rules could be removed once the process instance (combination of PID, executable name and maybe command line arguments - just to be sure) ceases to exist

It would be great to be able to see the command line arguments of processes, both in statistics and in the dialog popup.

Fixed (I think)

It would be great to be able to list the saved and temporary rules in a statistics tab (bonus, allow removal).

WIP. My idea:

On the one hand, I find useful to allow or deny something temporary and later edit the rule. But on the other hand, it's true that sometimes you may want to just delete a rule after apply it..

SSL/TLS certificate statistics might also be an interesting new statistics tab.

Simone started experimenting with this. There's a branch with some code, and I updated it a little bit (local branch). Probably we could use an external package which could ease the task.

[gustavo-iniguez-goya]

many if not all the features requested have been added. Thank you!