evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Add the ability to filter connections by the network interface #726

Closed NRGLine4Sec closed 1 year ago

NRGLine4Sec commented 1 year ago

Hi @gustavo-iniguez-goya

It could be interesting to add the possibility to filter connections by the network interface (identified by MAC address). Sometimes it can be useful to allow certain connections from certain programs, or to restrict the access of certain programs, according to the interface used. A concrete use case is a PC that is sometimes used on the company premises (connected to a USB dock that has an Ethernet adapter) and sometimes at home when teleworking, on the Ethernet port or over Wi-Fi.

I think we can just add a new filtering option in the Network part of the configuration view of a rule, below "To this IP / Network": (screenshot: Screenshot-20220819145041-522x311)

What do you think about this ?

gustavo-iniguez-goya commented 1 year ago

I agree @NRGLine4Sec :+1: I'm not sure about identifying the network interface by MAC address though. Given that the MAC address may be randomized, maybe it'd make more sense to offer both options: by MAC and by network device interface.

gustavo-iniguez-goya commented 1 year ago

Feature added. I've only added filtering by network interface name, but we can add filtering by MAC address and by type of network interface (loopback, point-to-point (VPN), ...).

NRGLine4Sec commented 1 year ago

Nice! Thanks a lot @gustavo-iniguez-goya. Any new rc soon with this new feature?

gustavo-iniguez-goya commented 1 year ago

Yes, the "system" firewall (i.e.: ability to add, view and edit nftables rules) is "finished", so there will be a new rc soon.

gustavo-iniguez-goya commented 1 year ago

Sometimes it can be useful to allow certain connections from certain programs or to restrict the access of certain programs according to the interface used.

@NRGLine4Sec could you write an example in a little bit more detail? In order to test it properly.

I was giving it a thought, and as we keep adding features we may end up with multiple rules for the same application (more than we already have):

If there's a use case where we have more than 2 rules for the same application, it'd be useful to allow grouping them. It'd appear on the left panel of the Rules tab, under Application rules.

NRGLine4Sec commented 1 year ago

Hi @gustavo-iniguez-goya Sorry for the delay. One example: SMB. On one network (connected with the "work interface", the USB dock) I want to allow some connections on port 445, but on another network (connected with the "home interface", Ethernet) I don't need SMB at all, so I want to block all SMB connections. Another example is a cron task that synchronizes some directory with rsyncd, which I don't want to allow on the "work interface" USB dock (because of an IP conflict). Currently, I have a "dirty" workaround for this, but with an OpenSnitch rule I can be sure that the synchronization will not be attempted against the wrong server.

I agree with you that it should be possible to group some rules; it would greatly facilitate the readability of rules. I want to thank you once again for your work on this project, it is really impressive!
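As an added example (not OpenSnitch code, and not the feature as it shipped), the following Go program models the rule semantics discussed in this thread: per-application rules that also match on the outgoing interface, evaluated first-match-wins. It encodes the SMB and rsync use case from the comment above and also illustrates the earlier remark about MAC randomization: a rule keyed on the Wi-Fi card's permanent MAC stops matching once the address is randomized, while a rule keyed on the interface name does not. All interface names, MAC addresses, process paths, rule names and helper functions (`NewConn`, `Evaluate`, `IsLocallyAdministered`) are made up for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Connection is a simplified view of an outbound connection as a host
// firewall sees it. Constructed for this example.
type Connection struct {
	ProcessPath string
	DstIP       net.IP
	DstPort     int
	OutIface    string // interface the routing table selects for DstIP
	OutMAC      string // hardware address of that interface, may be randomized
}

// NewConn builds a Connection from plain strings (helper for the example).
func NewConn(path, dst string, port int, iface, mac string) Connection {
	return Connection{ProcessPath: path, DstIP: net.ParseIP(dst), DstPort: port, OutIface: iface, OutMAC: mac}
}

// Rule is a hypothetical per-application rule. Empty strings and a zero
// port are wildcards. Rules are evaluated in order; the first match wins.
type Rule struct {
	Name        string
	ProcessPath string
	DstPort     int
	Iface       string // match on interface name
	MAC         string // match on interface hardware address
	Action      string // "allow" or "deny"
}

// Matches reports whether every non-wildcard criterion of r holds for c.
func (r Rule) Matches(c Connection) bool {
	switch {
	case r.ProcessPath != "" && r.ProcessPath != c.ProcessPath:
		return false
	case r.DstPort != 0 && r.DstPort != c.DstPort:
		return false
	case r.Iface != "" && r.Iface != c.OutIface:
		return false
	case r.MAC != "" && !strings.EqualFold(r.MAC, c.OutMAC):
		return false
	}
	return true
}

// Evaluate returns the action and name of the first matching rule, or
// def and "" when no rule matches.
func Evaluate(rules []Rule, c Connection, def string) (action, name string) {
	for _, r := range rules {
		if r.Matches(c) {
			return r.Action, r.Name
		}
	}
	return def, ""
}

// IsLocallyAdministered reports whether the MAC has the U/L bit set, which
// is how randomized addresses generated by NetworkManager or systemd look.
func IsLocallyAdministered(mac string) bool {
	hw, err := net.ParseMAC(mac)
	if err != nil || len(hw) == 0 {
		return false
	}
	return hw[0]&0x02 != 0
}

// Interface names and addresses below are made up for the example.
const (
	WorkDock = "enx00e04c680123"    // USB dock Ethernet at the office
	HomeEth  = "enp3s0"             // built-in Ethernet at home
	HomeWifi = "wlp2s0"             // Wi-Fi at home
	WifiMAC  = "3c:97:0e:12:34:56"  // permanent address of the Wi-Fi card
)

// Rules encodes the use case from the thread: SMB only through the dock,
// rsync never through the dock, plus one MAC-keyed rule for comparison.
var Rules = []Rule{
	{Name: "smb-allow-work", ProcessPath: "/usr/bin/smbclient", DstPort: 445, Iface: WorkDock, Action: "allow"},
	{Name: "smb-deny-elsewhere", ProcessPath: "/usr/bin/smbclient", DstPort: 445, Action: "deny"},
	{Name: "rsync-deny-work", ProcessPath: "/usr/bin/rsync", DstPort: 873, Iface: WorkDock, Action: "deny"},
	{Name: "rsync-allow-home", ProcessPath: "/usr/bin/rsync", DstPort: 873, Iface: HomeEth, Action: "allow"},
	{Name: "curl-allow-wifi-by-mac", ProcessPath: "/usr/bin/curl", DstPort: 443, MAC: WifiMAC, Action: "allow"},
}

func main() {
	conns := []Connection{
		NewConn("/usr/bin/smbclient", "10.1.0.20", 445, WorkDock, "00:e0:4c:68:01:23"),
		NewConn("/usr/bin/smbclient", "192.168.1.10", 445, HomeEth, "a4:bb:6d:00:11:22"),
		NewConn("/usr/bin/rsync", "10.1.0.30", 873, WorkDock, "00:e0:4c:68:01:23"),
		NewConn("/usr/bin/rsync", "192.168.1.30", 873, HomeEth, "a4:bb:6d:00:11:22"),
		NewConn("/usr/bin/curl", "203.0.113.5", 443, HomeWifi, WifiMAC),
		NewConn("/usr/bin/curl", "203.0.113.5", 443, HomeWifi, "d6:91:aa:02:55:07"), // randomized MAC
	}
	for _, c := range conns {
		a, n := Evaluate(Rules, c, "deny")
		fmt.Printf("%-20s -> %s:%d via %-16s mac=%s random=%-5v => %s (%s)\n",
			c.ProcessPath, c.DstIP, c.DstPort, c.OutIface, c.OutMAC, IsLocallyAdministered(c.OutMAC), a, n)
	}
}
```

The last two connections are the point of the MAC discussion: the same curl call over the same Wi-Fi card is allowed while the card carries its permanent address and falls through to the default deny once the address is randomized, whereas the interface name `wlp2s0` is stable across both sessions. A USB dock, conversely, keeps its own MAC, so a MAC-based rule there would keep working if the dock were plugged into a different laptop.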