Closed NRGLine4Sec closed 1 year ago
I agree @NRGLine4Sec :+1: I'm not sure about identifying the network interface by MAC address though. Provided that the MAC address may be randomized, maybe it'd make more sense to offer both options: by MAC and by network device interface.
Feature added. I've only added filtering by network interface name, but we can add filtering by MAC address and by type of network interface (loopback, pointtopoint (vpn), ...).
Nice! Thanks a lot @gustavo-iniguez-goya. Any new rc soon with this new feature?
Yes, the "system" firewall (i.e.: ability to add, view and edit nftables rules) is "finished", so there will be a new rc soon.
Sometimes it can be useful to allow certain connections from certain programs or to restrict the access of certain programs according to the interface used.
@NRGLine4Sec could you write an example in a little bit more detail? In order to test it properly.
I was giving it a thought, and as we keep adding features we may end up with multiple rules for the same application (more than we already have):
If there's a use case where we have more than 2 rules for the same application, it'd be useful to allow to group them. It'd appear on the left panel of the Rules tab, under Application rules.
Hi @gustavo-iniguez-goya, sorry for the delay. One example: SMB. In one network (connected with the "work interface" USB dock) I want to allow some connections on port 445, but on another network (connected with the "home interface" Ethernet) I don't need SMB at all, so I want to block all SMB connections. Another example is a cron task that synchronizes some directory with rsyncd, which I don't want to allow on the "work interface" USB dock (because of an IP conflict). Currently, I have a "dirty" workaround for this, but with an OpenSnitch rule, I can be sure that the synchronization will not be attempted on the wrong server. I agree with you that it should be possible to group some rules; it would greatly facilitate the readability of rules. I want to thank you once again for your work on this project, it is really impressive!
Hi @gustavo-iniguez-goya
It could be interesting to add the possibility to filter connections by the network interface (identified by MAC address). Sometimes it can be useful to allow certain connections from certain programs or to restrict the access of certain programs according to the interface used. A concrete use case is the use of a PC that is sometimes used on the company premises (connected to a USB dock that has an Ethernet adapter) and sometimes at home in teleworking on the Ethernet port or on Wi-Fi.
I think we can just add a new filtering option in the Network part of the configuration view of a rule, below "To this IP / Network":

![Screenshot-20220819145041-522x311](https://user-images.githubusercontent.com/26851996/185623355-84786710-a6b3-47b2-b3d7-43dbe4a64b86.png)

What do you think about this?