evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

add arguments to the app path in sqlite database, avoid dns leaks #68

Closed MarkoShiva closed 6 years ago

MarkoShiva commented 7 years ago

Adding arguments into the sqlite db would be much better than storing just the name, because if you are running multiple Firefox profiles like me, for example one running through TOR and the other going without a proxy, you still have the rules stored for the same application, which is not good. For example, if you run a version of Firefox with TOR you want to make sure that you don't have DNS leaks like it was happening in 45-46-47 and now the esr version. Basically the remote DNS should work and you shouldn't have leaks and requests for local DNS servers. I used opensnitch to find that bug in firefox-esr. So basically, once you give a permission that is stored as a forever permission to one profile, like in this case the Firefox that goes without a proxy, you are actually giving permission to that same version of Firefox to connect to those IPs even if it runs through TOR or VPN.

That is pretty bad: for any application that uses the network and can have multiple profiles, some that use proxifying and some that don't, the issue appears. I know that some of the entries would then be pretty long, like Eclipse-related ones or anything that starts with java and many arguments, but it's still better that way than to have the arguments removed from the stored path even if they are properly displayed on the prompt.

I suggest this as an enhancement and ask any of you to share your thoughts about it, especially @evilsocket @adisbladis

adisbladis commented 7 years ago

Having a dropdown like the one currently used to select rule save option to select exact or relative match would be great but this should not be the default behaviour in my opinion.

I will run some application with varying flags a lot and I think this may be too much of a nuisance if it becomes the default.

I am open to other opinions though.

ei8fdb commented 7 years ago

hea @in1t3r, @adisbladis

Just so I understand correctly, you're saying:

what happens now (example)

firefox-profile1 <----------> www.website1.com:80
firefox-profile2 <---------tor network---------> www.website2.com:80
firefox-profile3 <---------i2p network---------> www.website3.com:443

database entry

"allow firefox www.website1.com:80"
"allow firefox www.website2.com:80"
"allow firefox www.website3.com:443"

what you're suggesting (same example)

firefox-profile1 <----------> www.website1.com:80
firefox-profile2 <---------tor network---------> www.website2.com:80
firefox-profile3 <---------i2p network---------> www.website3.com:443

database entry

"allow firefox-profile1 www.website1.com:80"
"allow firefox-profile2 www.website2.com:80"
"allow firefox-profile3 www.website3.com:443"

Maybe a silly question - in the case of the Tor-enabled Firefox profile, would it be better for Opensnitch to report on Tor wanting to access website2.com:80?

I can try to do some UI for this once I understand it correctly.
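
The matching behaviour discussed in this thread, as an added example that is not part of the issue and not OpenSnitch's own code: a hypothetical sqlite `rules` table in which a rule is either path-only or tied to the exact command line, the two modes the dropdown proposal would choose between. The schema, function names, profile names and the 192.168.1.1 resolver are constructed for illustration.

```python
import sqlite3

# Hypothetical schema for illustration; not OpenSnitch's real table layout.
SCHEMA = """CREATE TABLE rules (
    app_path TEXT NOT NULL,
    cmdline  TEXT,              -- NULL = path-only rule, matches any arguments
    host     TEXT NOT NULL,
    port     INTEGER NOT NULL,
    verdict  TEXT NOT NULL CHECK (verdict IN ('allow', 'deny')))"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def add_rule(db, verdict, app_path, host, port, cmdline=None):
    db.execute("INSERT INTO rules VALUES (?, ?, ?, ?, ?)",
               (app_path, cmdline, host, port, verdict))

def lookup(db, app_path, cmdline, host, port):
    """Return the stored verdict, or None when the user must be prompted.
    An exact-cmdline rule wins over a path-only rule for the same destination."""
    row = db.execute(
        "SELECT verdict FROM rules WHERE app_path = ? AND host = ? AND port = ? "
        "AND (cmdline IS NULL OR cmdline = ?) "
        "ORDER BY cmdline IS NULL LIMIT 1",   # exact matches sort first
        (app_path, host, port, cmdline)).fetchone()
    return row[0] if row else None

# Constructed sample values.
FIREFOX = "/usr/bin/firefox"
CLEARNET = "/usr/bin/firefox -P clearnet"
TOR = "/usr/bin/firefox -P tor"
LOCAL_DNS = ("192.168.1.1", 53)

def demo():
    path_only, exact, override = open_db(), open_db(), open_db()
    add_rule(path_only, "allow", FIREFOX, *LOCAL_DNS)             # today's behaviour
    add_rule(exact, "allow", FIREFOX, *LOCAL_DNS, cmdline=CLEARNET)
    add_rule(override, "allow", FIREFOX, *LOCAL_DNS)              # broad allow ...
    add_rule(override, "deny", FIREFOX, *LOCAL_DNS, cmdline=TOR)  # ... plus exact deny
    return {
        "path_only_tor": lookup(path_only, FIREFOX, TOR, *LOCAL_DNS),
        "exact_tor": lookup(exact, FIREFOX, TOR, *LOCAL_DNS),
        "exact_clearnet": lookup(exact, FIREFOX, CLEARNET, *LOCAL_DNS),
        "override_tor": lookup(override, FIREFOX, TOR, *LOCAL_DNS),
        "override_clearnet": lookup(override, FIREFOX, CLEARNET, *LOCAL_DNS),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict or 'prompt user'}")
```

With the path-only rule the Tor profile's local DNS request is silently allowed; with the exact-cmdline rule the same request has no stored verdict and falls through to a prompt.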