evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

OpenSnitch makes programs unusable, even OFFLINE ones. #457

Closed alexholox closed 3 years ago

alexholox commented 3 years ago

This issue branches into two issues: how having it active causes programs that require no connection to freeze on boot, and how my rules behave so weirdly that I have to keep the firewall disabled if I, literally, want to be able to use my PC.

First of all, openSUSE Leap 15.3, latest stable version of opensnitch. My settings are: Default action: deny, default duration: forever and default target: by executable. Anything else is unmarked.

For some reason offline programs won't run if opensnitch is open until waiting many minutes. I open LibreOffice... it will never load and stays stalled. But if I disable the firewall, it immediately starts! I have tested it multiple times and I always get the same result. Not only that one: Wine and any program opened with it will absolutely refuse to load, too. There is a long list of programs, so I know it's not specific or exclusive to one program but a global problem.

The weird thing is, all frozen programs will open with extreme delay, like 2-5 minutes after being opened. So it's not that they will never open, it's that they freeze on startup and take extremely long to load, way longer than if the firewall is disabled. Because with no firewall, they open immediately! This is related to opensnitch 1000%.

The second is derived from it... Even if I add rules to allow that program to connect, opensnitch automatically creates more rules and more rules, and if I allow all of them, it creates a new one... and so on. Due to this, managing exceptions is absolutely unbearable, because those rules will affect connection too. Every day I allow Firefox to connect. The next day, it runs no more, because a new rule has been created to prevent it. And even if I allow a new rule it doesn't matter: they multiply and multiply, and the only efficient option is to totally shut the firewall down... I can't stand it anymore. I want something like simplewall, which was for Windows, where just marking the executable TOTALLY blocked or allowed EVERYTHING if you configured it to do so. Instead of creating a thousand rules for the same program, it created a universal rule with every single connection derived from it... Now I have 20 rules only to run Firefox, and the number grows each day, and to be able to access the internet, every day I have to search for the new rule and mark it as allowed. Incredibly impractical. The same goes for installing software from SUSE repositories: YaST and the command line both have so many rules I literally can't detect all of them, and if I did I would still need to mark every single one as allowed...

I need a solution. I literally can't use the firewall because it won't allow me to basically use my PC and this needs a solution. Please, help, I don't know what to do to make opensnitch stable and also how to group all rules for a specific program to prevent my massive mess I have right now. Many thanks in advance.

gustavo-iniguez-goya commented 3 years ago

Hi @alexholox ,

My settings are: Default action: deny, default duration: forever and default target: bye executable.

is this the daemon or GUI configuration? If it's daemon's, set DefaultDuration to "once".

I have 20 rules only to run Firefox

That's not normal at all, usually when Firefox wants to establish a connection for the first time, the default configuration will create a rule for the absolute path of the executable, so there should only be one rule.

The only reason that could explain that behaviour is if you were launching Firefox as an AppImage. Could you post the Firefox rules please?

Clearly you're very upset and I'm sorry for that, we don't cause problems on purpose :] so let's try to figure out why it's not working on your system.

I'll install and use it on OpenSuse 15.3 to see if I can reproduce the issue.

gustavo-iniguez-goya commented 3 years ago

Installed v1.4.0rc2 on OpenSuse 15.3, opened firefox and allowed it with the default settings:

(screenshot: Firefox prompt with default settings)

This is the rule that is created: (screenshot)

And this is the details view of the rule, where you can see all the connections that matched this rule:

(screenshot: rule details view)

It's only creating one rule in my case (default OpenSuse 15.3 installation), that matches correctly all the connections initiated by firefox. The other processes that established connections were NetworkManager and ncsd, and the rules created for them worked also fine as expected.

So let's see if we can debug what's going on on your system.

alexholox commented 3 years ago

is this the daemon or GUI configuration? If it's daemon's, set DefaultDuration to "once".

GUI. No idea how to do it with the daemon.

Firefox has less than other examples: https://postimg.cc/2bMF2L0d

However, look at the rules to something like Tor: https://postimg.cc/BP5LHjkn

And FreeTube: https://postimg.cc/MvP1zFkP

To name a few. Almost every app follows a rule mess like that. Also look at the date: they are being created incredibly close in time... None of them are AppImages.

Clearly you're very upset and I'm sorry for that, we don't cause problems on purpose :] so let's try to figure out why it's not working on your system.

Don't worry. It's clearly a system problem.

And this is the details view of the rule, where you can see all the connections that matched this rule:

This is not what it's created in my case at all. It creates all connections matched as individual rules, and never a global rule. And not only that, it also creates new rules over time. Should I reinstall?

gustavo-iniguez-goya commented 3 years ago

Thank you for the screenshots Alex, it gives me some clues.

What's the Default Target value in the UI -> Preferences ? If it's "by command line" change it to "by executable". According to the name of the Tor rules, it seems that the Default Target is "by command line".

Please, double click on one of the Tor rules, click on edit and post a screenshot of the rule. I need to view the fields of the rule. It's strange because the version 1.3.6 has been tested a lot and we haven't had an issue like this.

On the other hand, if you could install version v1.4.0rc2 and see if the problem reproduces would also help. https://github.com/evilsocket/opensnitch/releases/tag/v1.4.0-rc.2

alexholox commented 3 years ago

Thank you for the screenshots Alex, it gives me some clues.

What's the Default Target value in the UI -> Preferences ? If it's "by command line" change it to "by executable". According to the name of the Tor rules, it seems that the Default Target is "by command line".

Please, double click on one of the Tor rules, click on edit and post a screenshot of the rule. I need to view the fields of the rule. It's strange because the version 1.3.6 has been tested a lot and we haven't had an issue like this.

On the other hand, if you could install version v1.4.0rc2 and see if the problem reproduces would also help. https://github.com/evilsocket/opensnitch/releases/tag/v1.4.0-rc.2

No it's not. It's set to be by executable, yet happens by line.

Tor rule screenshot: https://postimg.cc/9zCn06kq

I'll try the install alternative when I'm at home again, I have to go.

gustavo-iniguez-goya commented 3 years ago

Thank you @alexholox . It makes no sense to me. Could you install v1.4.0rc2 and see if the problem persists?

alexholox commented 3 years ago

Thank you @alexholox . It makes no sense to me. Could you install v1.4.0rc2 and see if the problem persists?

I both updated and reinstalled with the last version, no changes. Do you know how to delete all the data? Maybe I need to reconfigure from 0.

By the way, it still doesn't allow offline programs like LibreOffice to run while enabled.

gustavo-iniguez-goya commented 3 years ago

Do you know how to delete all the data? Maybe I need to reconfigure from 0.

Yes please, remove it completely and install it again:

$ sudo zypper remove opensnitch opensnitch-ui
$ sudo rm -rf /etc/opensnitchd/
$ rm -rf ~/.config/opensnitch/

Use these packages: https://github.com/evilsocket/opensnitch/releases/download/v1.4.0-rc.3/opensnitch-ui-1.4.0rc3-1.fc29.noarch.rpm https://github.com/evilsocket/opensnitch/releases/download/v1.4.0-rc.3/opensnitch-1.4.0rc3-1.x86_64.rpm

alexholox commented 3 years ago

Fortunately the "rule horror" is solved after total deletion and reinstall. Now no rule multiplies. The only problem is AppImages still create a rule each time they are opened.

There is another problem. Offline apps like LibreOffice are still frozen if tried to open while firewall is active. They don't even make a connection, there is literally no rule for any of them, but there is something that causes them to freeze even if they are 100% offline...

gustavo-iniguez-goya commented 3 years ago

Fortunately the "rule horror" is solved after total deletion and reinstall.

Yes!

The only problem is AppImages still create a rule each time they are opened.

Try adding a rule to filter by this regexp: [x] From this executable: ^(/tmp/.mount_Archiv[0-9A-Za-z]+/.*)$

I don't know if the pattern `/tmp/.mount_Archiv.*` is always like that.

Offline apps like LibreOffice are still frozen if tried to open while firewall is active. They don't even make a connection, there is literally no rule for any of them, but there is something that causes them to freeze even if they are 100% offline...

I'll try to reproduce this problem.

If you can set LogLevel to DEBUG and post the log /var/log/opensnitchd.log when the problem occurs, can help to debug it.

gustavo-iniguez-goya commented 3 years ago

it seems that libreoffice connects to localhost on port 631, to use the printing service:

(screenshot: libreoffice connection to 127.0.0.1:631)

That could be a reason for the delay opening libreoffice apps. Add a rule to allow everything to localhost, IPv4 and IPv6, and try again. Anyways, it should intercept the connection and ask you to allow or deny it, as in my case.

alexholox commented 3 years ago

That could be a reason for the delay opening libreoffice apps. Add a rule to allow everything to localhost, IPv4 and IPv6, and try again. Anyways, it should intercept the connection and ask you to allow or deny it, as in my case.

I don't get that rule intercepted and does not appear on my rule list... How can I write such a rule? I'm using this because it automated the process and I don't know anything about writing them myself, so I need a bit of help.

Also, where is the option to add rules, in which tab?

gustavo-iniguez-goya commented 3 years ago

uh, ok, sorry. Click on this button: (screenshot of the "add rule" button)

And add this rule:

Name: 000-allow-localhost
[x] Enable
[x] Priority rule
(*) Allow
Duration: always
[x] To this IP / Network: ^(127\.0\.0\.1|::1)$

Once added, double click on it to open the details view, and launch libreoffice to see if there's any connections logged.

In any case, please, set "Default log level" to DEBUG (Preferences -> Nodes), launch libreoffice, and after n amount of time copy /var/log/opensnitchd.log to your $HOME, and post the log file to the issue in order to analyze it.

Thank you!
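The two rules proposed in this thread (the AppImage regexp on the executable path and the priority allow-localhost rule above) both end up as JSON files that opensnitchd reads from /etc/opensnitchd/rules/. The following is an added example, not code from the OpenSnitch project: it builds both rules in that layout and runs a small matcher over constructed connections, so you can see which connections a rule will cover before saving it, and why a Default Target of "by command line" produces one rule per distinct invocation (the maintainer's suspicion about the Tor rules). The field names (name, enabled, precedence, action, duration, operator with type/operand/sensitive/data) and the operand names dest.ip, process.path and process.command are assumptions taken from rule files the GUI writes; check a rule on your own system before relying on them.

```python
"""Added example, not OpenSnitch project code: the two rules from this thread
as opensnitchd-style JSON plus a small matcher.  ASSUMED: the on-disk layout
and the operand names dest.ip / process.path / process.command, as seen in
rules the GUI writes to /etc/opensnitchd/rules/."""
import json
import re
from dataclasses import dataclass


def make_rule(name, operand, data, *, op_type="regexp", action="allow",
              precedence=False, duration="always"):
    """Rule dict in the assumed opensnitchd JSON layout."""
    return {
        "name": name,
        "enabled": True,
        "precedence": precedence,   # GUI: "[x] Priority rule"
        "action": action,           # allow / deny
        "duration": duration,       # always / once / ...
        "operator": {
            "type": op_type,        # "simple" = exact match, "regexp" = pattern
            "operand": operand,     # GUI: "To this IP", "From this executable", ...
            "sensitive": False,     # case-sensitive?
            "data": data,
            "list": [],
        },
    }

# Thread rule 1: allow anything to IPv4/IPv6 loopback, checked before other rules.
ALLOW_LOCALHOST = make_rule("000-allow-localhost", "dest.ip",
                            r"^(127\.0\.0\.1|::1)$", precedence=True)
# Thread rule 2: one rule for every /tmp/.mount_Archiv<random>/ AppImage path
# ("Archiv" comes from the thread; other AppImages may mount under another name).
ALLOW_APPIMAGE = make_rule("allow-appimage-archiv", "process.path",
                           r"^(/tmp/\.mount_Archiv[0-9A-Za-z]+/.*)$")


@dataclass(frozen=True)
class Conn:
    """One outbound connection as the daemon sees it (constructed sample data)."""
    process_path: str       # resolved /proc/<pid>/exe
    process_command: str    # /proc/<pid>/cmdline joined with spaces
    dest_ip: str
    dest_port: int

OPERANDS = {
    "dest.ip": lambda c: c.dest_ip,
    "dest.port": lambda c: str(c.dest_port),
    "process.path": lambda c: c.process_path,
    "process.command": lambda c: c.process_command,
}


def rule_matches(rule, conn):
    op = rule["operator"]
    value, data = OPERANDS[op["operand"]](conn), op["data"]
    if op["type"] == "simple":
        return value == data if op["sensitive"] else value.lower() == data.lower()
    if op["type"] == "regexp":
        return re.search(data, value, 0 if op["sensitive"] else re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator type {op['type']!r}")


def decide(rules, conn, default_action="deny"):
    """Priority rules first, then by name; first match wins, otherwise the
    daemon's default action (the reporter uses deny).  Returns (action, name)."""
    ordered = sorted((r for r in rules if r["enabled"]),
                     key=lambda r: (not r["precedence"], r["name"]))
    for rule in ordered:
        if rule_matches(rule, conn):
            return rule["action"], rule["name"]
    return default_action, None


def rule_for_connection(conn, target="executable"):
    """Rule a plain 'Allow' click creates under each Default Target setting:
    exact match on the executable path, or on the full command line."""
    if target == "executable":
        return make_rule("allow-" + conn.process_path.strip("/").replace("/", "-"),
                         "process.path", conn.process_path, op_type="simple")
    return make_rule("allow-cmd-" + conn.process_command.replace("/", "-").replace(" ", "_"),
                     "process.command", conn.process_command, op_type="simple")


def rule_json(rule):
    """Text to save as /etc/opensnitchd/rules/<name>.json (root only)."""
    return json.dumps(rule, indent=2)


if __name__ == "__main__":
    rules = [ALLOW_LOCALHOST, ALLOW_APPIMAGE]
    samples = [  # constructed
        Conn("/usr/lib64/libreoffice/program/soffice.bin", "soffice.bin --writer", "127.0.0.1", 631),
        Conn("/tmp/.mount_ArchivXk9a/usr/bin/app", "app", "93.184.216.34", 443),
        Conn("/usr/bin/firefox", "/usr/bin/firefox", "93.184.216.34", 443),
    ]
    for c in samples:
        print(f"{c.process_path} -> {c.dest_ip}:{c.dest_port}: {decide(rules, c)}")
    # Why a "by command line" target multiplies rules: every distinct argv needs its own.
    tor_a = Conn("/usr/bin/tor", "/usr/bin/tor -f /tmp/torrc-a1", "1.2.3.4", 9001)
    tor_b = Conn("/usr/bin/tor", "/usr/bin/tor -f /tmp/torrc-b2", "1.2.3.4", 9001)
    print("by executable covers the 2nd tor run:", rule_matches(rule_for_connection(tor_a), tor_b))
    print("by command line covers the 2nd tor run:", rule_matches(rule_for_connection(tor_a, "command"), tor_b))
    print(rule_json(ALLOW_LOCALHOST))
```

The libreoffice sample (127.0.0.1:631, the CUPS port from the screenshot) is allowed by the priority rule, the AppImage sample is allowed by the path regexp, and the Firefox sample falls through to the default deny. The Tor pair shows the multiplication effect: a path rule covers the second run, a command-line rule does not, so each new torrc path would raise a fresh prompt and a fresh rule.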

alexholox commented 3 years ago

Once added, double click on it to open the details view, and launch libreoffice to see if there's any connections logged.

This is very weird, there are no connections logged to that rule! What more should I try? Is the connection merely local?

I have a similar problem for the program Lutris. I understand Steam requires a check so I disable it when I play there, but when it comes to downloaded GOG titles which require no connection, why does opensnitch prevent Lutris from launching anything? It takes too long and there is no reason... and when I look at the events log it looks like it tries to connect to lutris.net. Why does it need it? The title is merely offline!!!!!

I tell this because the program still launches, but takes really long to do so. If it can, I suspect there is a way to launch it quick and connection is not necessary. Any way to open programs at normal speed with firewall enabled?

It doesn't seem to be local at least in my case, otherwise logs would have shown it, I guess...

gustavo-iniguez-goya commented 3 years ago

This is very weird, there are no connections logged to that rule! What more should I try? Is the connection merely local?

Well, maybe there're no connections to localhost. You can test it by connecting with telnet to localhost: $ telnet 127.0.0.1 22 (even if there're no process listening on port 22 the connection should be logged).

The issues with Lutris and libreoffice:

please, set "Default log level" to DEBUG (Preferences -> Nodes), launch libreoffice, and after n amount of time copy /var/log/opensnitchd.log to your $HOME, and post the log file to the issue in order to analyze it.

You can empty the log, close libreoffice/lutris/whatever, and open it again. If we're delaying the execution of programs for some reason, there should be connections logged to the log.
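The telnet check above (connect to 127.0.0.1:22 and see whether the daemon logs it even with nothing listening) works on any system that has a TCP stack, and the reporter's openSUSE install turned out not to have telnet. The following is an added example, not code from the OpenSnitch project, that makes the same connection attempt from Python and goes one step further by probing both loopback addresses the allow-localhost rule covers (127.0.0.1 and ::1). Port 22 and the 3-second timeout are the thread's choice and an assumption respectively; nothing needs to be listening.

```python
"""Added example, not OpenSnitch project code: make one TCP connection attempt
to loopback so the daemon has something to intercept, as the thread's
`telnet 127.0.0.1 22` does, without needing telnet.  A refused connection is
still a connect() that the firewall should see and log."""
import socket


def tcp_probe(host, port, timeout=3.0):
    """Return 'connected', 'refused', 'timeout' or 'unreachable'.
    Only 'unreachable' means no connection attempt left the host (for example
    the address family is not configured); the other three results are
    attempts the daemon should have intercepted."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            return "connected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def probe_loopback(port=22):
    """Probe both addresses matched by ^(127\\.0\\.0\\.1|::1)$, the thread's rule."""
    return {host: tcp_probe(host, port) for host in ("127.0.0.1", "::1")}


if __name__ == "__main__":
    for host, result in probe_loopback().items():
        print(f"{host} port 22 -> {result}")
```

Run it with the daemon enabled, then open the details view of the 000-allow-localhost rule: each probe that did not come back as "unreachable" should appear there (or in /var/log/opensnitchd.log at DEBUG level). If "refused" probes show up in neither place, the daemon is not seeing loopback traffic at all, which is a different problem from the rule being wrong.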

alexholox commented 3 years ago

Well, maybe there're no connections to localhost. You can test it by connecting with telnet to localhost: $ telnet 127.0.0.1 22 (even if there're no process listening on port 22 the connection should be logged).

Sorry is this a command or a rule? If a rule, is that the name, and enough to check? If a command, it says no command exist with this name.

You can empty the log, close libreoffice/lutris/whatever, and open it again. If we're delaying the execution of programs for some reason, there should be connections logged to the log.

Not only the log is empty: now LO will never run even with firewall disabled. I firmly believe there is no way out.

I suggest I do a complete Linux reinstall. Maybe I have to delete everything to cause my PC run like a normal computer instead of this unique bugs... This is my specific PC issue 1000%.

If not, let's track an origin point for all problems as a whole and work over it. The core is offline apps won't open, logs don't work and no local connection is logged. And the last rule to allow all connections does nothing in my case, and I don't know why. This info needs to have a common point, there could be something bigger.

alexholox commented 3 years ago

$ sudo su

> /var/log/opensnitchd.log

tail -f /var/log/opensnitchd.log

Please, tell me what did I just run. Since I ran this command my PC showed extremely unusual behavior. LibreOffice, literally, can't be opened anymore even after a reinstall and profile deletion, and Lutris literally uninstalled itself. I promise I'm not making it up.

EDIT: not only that. This command affected OpenSnitch in a really weird way. The program is blocking all traffic until I end the process. It's installed but I can't access or configure it. There is no taskbar icon, settings for it and searching it results in nothing. I went to YaST and version numbers are RED!!! What is this command??? It's like if someone cursed my PC!!! I will reinstall but I am afraid.

EDIT 2: LO can be opened again because I performed a rollback on the system. I am literally afraid of downloading opensnitch again.

gustavo-iniguez-goya commented 3 years ago

sorry @alexholox , but the command tail -f /var/log/opensnitchd.log does nothing harmful. It just opens a text file. You can also open it with gedit or your preferred text editor.

Maybe opensnitch is incompatible in your system for whatever reason, so maybe it's not a bad idea to uninstall it after all.

Anyway, thank you for your patience!

alexholox commented 3 years ago

After a long time I decided I couldn't take it anymore. It literally prevents me from using the PC. But recently I need to use a program for reasons out of my control which is notorious for its data collection, and I need to block it from everything...

If I request a SUSE specific version of opensnitch, even if you don't update it over time, would I be requesting too much? Or, a variant which has no access to local connection.

Thanks in advance.

gustavo-iniguez-goya commented 3 years ago

Usually when I encounter this kind of problem with customers I request a remote session to debug the issue myself. I don't know if you'd be willing to do this, but I think it'd be the fastest way to solve the problem, or at least to know exactly what's going on.

Anyway, drop me a private email (in Spanish if you prefer) in order to keep investigating this issue and providing you a customized version or schedule a remote session.

Techtonictools commented 3 years ago

In regards to the app launching problem, I too hit that where it took a super long time to open but it was reproducing just with tor-browser in debian bullseye so far (I don't have many apps yet).

I created rules as suggested to open up the localhost for ipv4 and another rule to open up localhost for ipv6. After doing that, tor launches fine and the launch delay problem is gone.

gustavo-iniguez-goya commented 3 years ago

closing due to lack of information.