evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

Not able to allow udp port via firewall GUI #731

Closed pizzadude closed 1 year ago

pizzadude commented 1 year ago

After the Fedora 36 kernel upgrade to 5.19.4, I had to use OpenSnitch's built-in firewall GUI (the one pictured below) to allow WireGuard ports, otherwise my VPN wouldn't connect (even after allowing it via a normal rule). But the thing is, the VPN I use also uses WireGuard over UDP, and the GUI has no way that I know of of setting a custom port with UDP; even if I put "51820 (udp)" it still sets it as tcp in system-fw.json. I worked around the issue by manually editing system-fw.json and changing "tcp" to "udp".

OpenSnitch version is 1.6.0-rc2

image

pizzadude commented 1 year ago

I did some research and found out that WireGuard uses UDP by default, so the default config in system-fw.json to allow the WireGuard port via TCP is incorrect.

Regardless, I think the firewall GUI should allow specifying the protocol.

gustavo-iniguez-goya commented 1 year ago

You're right. I added more options to the "New rule" dialog, but I haven't published the changes yet. The problem is that in order to support "complex" rules (e.g.: iifname "eth0" saddr 192.168.1.2 daddr 192.168.1.1.234 dport 22 accept) we need to create some of the options dynamically (statement, protocol, operator and value), so I need to work on it a little bit more.


gustavo-iniguez-goya commented 1 year ago

OK, I'm making progress on this feature. Hopefully I'll have it ready for next week.

pizzadude commented 1 year ago

Nice :)

gustavo-iniguez-goya commented 1 year ago

Now you can configure almost all the options allowed by the daemon. https://github.com/evilsocket/opensnitch/wiki/System-rules

Besides configuring the protocol, now you can configure "complex" rules. Please @pizzadude, if you have time, take a look at it, see if it works, and especially if it's easy/intuitive to use. I haven't tested it on Fedora... (yet)

Some notes:

Finally this is done!

TODO: quotas, limits, log options (log level, etc.).

pizzadude commented 1 year ago

Hi, I tested it, and it works fine! Thank you very much! :) The only problem is I can't seem to delete rules I've already added with the GUI.

gustavo-iniguez-goya commented 1 year ago

Select a rule from the list of rules, and press the Delete key. I'll add a contextual menu like the one for the app rules, to delete rules easily.

pizzadude commented 1 year ago

Never mind, I didn't notice the "system rules" part of the rules page.