Closed phil294 closed 3 years ago
thank you @phil294 , reproduced. I'll fix it soon.
In any case, what were you trying to achieve with that rule? I mean, 127.0.0.0/8 is the same as ^127.0.0.0, no? Any IP in the network range will start with 127, so there's no need to use a regexp.
Nice, thank you! The above IP addresses did not really mean anything. What I was trying to achieve was to allow all traffic from a process except for local IPs, where I want to be asked. That's what I need regexp for. Don't yet know how to do this:
Allow
IP: *NOT* ^(127\.0\..*|192\.168\..*|::1)$
But I haven't looked into it any further. Except for the docs:
However you can use negated chars classes. For example, block all outgoing connections, except those to localhost:
[x] Action: deny [x] To this destination IP: [^:127.0.0.1:]
Are you sure about that? This regex only matches one single character that is not in 1270:., I think, and the rule would also allow for an IP like 123.456.789.1.
ah, I see. mm, I think that we don't support this scenario at the moment. There's no way to negate a field like !127.0.0.1, or that you be asked when a certain rule matches a connection.
Maybe you can filter by port, for example if the connections you want to allow usually go through the ports 80 and 443:
000-allow-my-program
Action: Allow
to this port: ^(80|443)$
then, you'll be prompted to allow/deny any other connection.
Are you sure about that? This regex only matches one single character that is not in 1270:., I think, and the rule would also allow for an IP like 123.456.789.1.
I tested it a long time ago and as far as I can remember it worked, but I can't tell you for sure now if it works.
oops, I've realized that there's an error when a regexp is used on the dst ip/network field. I'll fix that as well.
@phil294 I think both issues are fixed. I don't know if the manjaro package maintainer pulls latest changes from this repo, or if it only packages our releases. So if you can't or don't want to compile it, you'll have to wait to test it.
I consider this issue fixed. Thank you for reporting it!
Hello,

Describe the bug
I was just getting to use opensnitch (it's awesome) and tried various rules, when "Status" in the UI somehow started saying "not running" even though the service was active. opensnitchd crashes and is not recoverable via UI.

To Reproduce
All via UI:
(127.0.0.0/8 can be found in the dropdown defaults)
/etc/opensnitchd/rules/deny-network-127-0-0-0-8.json now exists as expected
/etc/opensnitchd/rules/deny-network-127-0-0-0-8.json is modified on disk
interface conversion: interface {} is net.IP, not string)

Post error logs:
journalctl -u opensnitchd:
If the daemon doesn't start:
/var/log/opensnitchd.log

Expected behavior (optional)
The reason for all this is probably (?) that the updated regex IP needs to be written as operator.operand dest.ip but is instead saved as dest.network.

OS (please complete the following information):
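As an added example (constructed for this thread, not opensnitch's own code), a small Go sketch of the two points discussed above: a rule operand that reaches the matcher as either a string (dest.ip) or a net.IP (dest.network) must be converted with a checked type switch rather than an unchecked assertion, which is the shape of the "interface conversion: interface {} is net.IP, not string" panic, and the documented regexp [^:127.0.0.1:] matches any single character outside that set rather than negating the address 127.0.0.1. The function name ipFieldMatches and the sample values are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// ipFieldMatches applies a regexp operand to a destination-IP field value.
// Constructed example, not opensnitch code: the field arrives as interface{}
// because a rule may carry it as a string (dest.ip) or a net.IP (dest.network).
// An unchecked value.(string) would panic with
// "interface conversion: interface {} is net.IP, not string" on a net.IP;
// the type switch converts it and returns an error for anything else.
func ipFieldMatches(re *regexp.Regexp, value interface{}) (bool, error) {
	var s string
	switch v := value.(type) {
	case string:
		s = v
	case net.IP:
		s = v.String()
	default:
		return false, fmt.Errorf("unsupported dst ip field type %T", value)
	}
	return re.MatchString(s), nil
}

var (
	// The negated character class from the docs: it matches any single
	// character other than '1', '2', '7', '0', '.', ':', so "127.0.0.1"
	// never matches while "123.456.789.1" or "192.168.1.1" do.
	negatedClass = regexp.MustCompile(`[^:127.0.0.1:]`)
	// The anchored alternation the maintainer suggests for ports.
	anchoredPorts = regexp.MustCompile(`^(80|443)$`)
)

func main() {
	samples := []interface{}{"127.0.0.1", net.ParseIP("192.168.1.1"), "123.456.789.1", 42}
	for _, ip := range samples {
		ok, err := ipFieldMatches(negatedClass, ip)
		fmt.Printf("%-15v matches [^:127.0.0.1:]: %v (err=%v)\n", ip, ok, err)
	}
	for _, p := range []string{"80", "443", "8080"} {
		fmt.Printf("port %s matches ^(80|443)$: %v\n", p, anchoredPorts.MatchString(p))
	}
}
```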