Closed pizzadude closed 1 year ago
I did some research and found out that WireGuard uses UDP by default, so the default config in system-fw.json that allows the WireGuard port via TCP is incorrect.
Regardless, I think the firewall GUI should allow specifying the protocol.
You're right. I added more options to the "New rule" dialog, but I haven't published the changes yet. The problem is that in order to support "complex" rules (ex.: iifname "eth0" saddr 192.168.1.2 daddr 192.168.1.1.234 dport 22 accept) we need to dynamically create some of the options (statement, protocol, operator and value), so I need to work on it a little bit more.
OK, I'm making progress on this feature. Hopefully I'll have it ready for next week.
Nice :)
Now you can configure almost all the options allowed by the daemon. https://github.com/evilsocket/opensnitch/wiki/System-rules
Besides configuring the protocol, now you can configure "complex" rules. Please @pizzadude, if you have time, take a look at it, see if it works, and especially whether it's easy/intuitive to use. I haven't tested it on Fedora... (yet)
Some notes:
Finally this is done!
TODO: quotas, limits, log options (log level, etc.).
Hi, I tested it, and it works fine! Thank you very much! :) The only problem is I can't seem to delete rules I've already added with the GUI.
Select a rule from the list of rules and press the Delete key. I'll add a contextual menu like the one for the app rules, to delete rules easily.
Never mind, I didn't notice the "system rules" part of the rules page.
After the Fedora 36 kernel upgrade to 5.19.4, I had to use OpenSnitch's built-in firewall GUI (the one pictured below) to allow WireGuard ports, otherwise my VPN wouldn't connect (even after allowing it via a normal rule). But the thing is, the VPN I use also uses WireGuard over UDP, and the GUI has no way that I know of to set a custom port with UDP; even if I put "51820 (udp)" it still sets it as tcp in system-fw.json. I worked around the issue by manually editing system-fw.json and changing "tcp" to "udp".
OpenSnitch version is 1.6.0-rc2
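Two things in this thread lend themselves to a worked example: the "complex" rule strings the maintainer wants to split into statement/protocol/operator/value, and the GUI bug where a port typed as "51820 (udp)" was stored as tcp, so the rule never matched WireGuard traffic. The Python below is an added example written for this page, not OpenSnitch's code: it parses a simplified subset of nft rule syntax into those fields, flags a port rule whose L4 protocol is missing or contradicts the service on that port, and shows how a port input field can be interpreted without silently dropping the protocol the user typed. The rule grammar, the data classes and the expected-protocol table are assumptions of the example; the thread does not show the layout of system-fw.json and this code does not claim to.

```python
"""Parse nftables-style rule strings into structured fields and flag rules whose
transport protocol does not match the service on the port.

Added example for this thread; not OpenSnitch code. The grammar is a simplified
subset of nft syntax (optional L4 protocol, keyword [operator] value pairs, a
final verdict). The data layout is an assumption, not OpenSnitch's system-fw.json
format, which the thread does not show.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

VERDICTS = {"accept", "drop", "reject"}
L4_PROTOS = {"tcp", "udp"}
OPERATORS = {"==", "!=", "<", ">", "<=", ">="}
# Constructed table of ports whose service speaks only one transport protocol.
# WireGuard's default port 51820 is UDP only, which is the mismatch in the thread.
EXPECTED_PROTO = {51820: "udp"}


@dataclass(frozen=True)
class Match:
    statement: str   # e.g. "iifname", "saddr", "dport"
    operator: str    # "==" unless the rule wrote one explicitly
    value: str


@dataclass
class Rule:
    protocol: Optional[str]
    matches: List[Match]
    verdict: str


def parse_rule(text: str) -> Rule:
    """Turn 'iifname "eth0" saddr 10.0.0.2 udp dport 51820 accept' into a Rule."""
    tokens = shlex.split(text)  # shlex strips the quotes around "eth0"
    if not tokens or tokens[-1] not in VERDICTS:
        raise ValueError("rule must end with a verdict: accept, drop or reject")
    verdict = tokens.pop()
    protocol = None
    matches = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in L4_PROTOS:
            if protocol is not None:
                raise ValueError("more than one L4 protocol in rule")
            protocol, i = tok, i + 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"statement {tok!r} has no value")
        operator, value, i = "==", tokens[i + 1], i + 2
        if value in OPERATORS:  # explicit operator, e.g. dport != 22
            if i >= len(tokens):
                raise ValueError(f"operator {value!r} has no value")
            operator, value, i = value, tokens[i], i + 1
        matches.append(Match(tok, operator, value))
    return Rule(protocol, matches, verdict)


def check_rule(text: str) -> List[str]:
    """Return findings for a rule; an empty list means it is consistent."""
    rule = parse_rule(text)
    findings = []
    for m in rule.matches:
        if m.statement not in ("dport", "sport") or not m.value.isdigit():
            continue
        port = int(m.value)
        if rule.protocol is None:
            findings.append(f"{m.statement} {port}: no L4 protocol; nft needs tcp or udp before a port match")
        elif port in EXPECTED_PROTO and rule.protocol != EXPECTED_PROTO[port]:
            findings.append(f"{m.statement} {port}: rule says {rule.protocol} but the service is {EXPECTED_PROTO[port]} only")
    return findings


# Accepts "51820", "51820/udp" and "51820 (udp)"; anything else is rejected.
PORT_FIELD = re.compile(r"^\s*(\d{1,5})(?:[\s/(]+(tcp|udp)\s*\)?)?\s*$", re.I)


def parse_port_field(user_input: str):
    """Interpret a GUI port field and return (port, protocol_or_None).

    Rejects unknown input instead of guessing, so a protocol the user typed is
    never silently replaced by a default such as tcp.
    """
    m = PORT_FIELD.match(user_input)
    if not m or not 0 < int(m.group(1)) <= 65535:
        raise ValueError(f"not a valid port field: {user_input!r}")
    proto = m.group(2)
    return int(m.group(1)), (proto.lower() if proto else None)


if __name__ == "__main__":
    # Constructed sample rules, including the tcp/udp mix-up from the thread.
    for sample in ('iifname "eth0" saddr 192.168.1.2 tcp dport 51820 accept',
                   "udp dport 51820 accept",
                   "dport 22 accept"):
        print(sample, "->", check_rule(sample) or "ok")
    print(parse_port_field("51820 (udp)"))
```

The checker reports two distinct failure modes: a port match with no protocol at all (which nft would reject at load time) and a protocol that is present but wrong for the service, which is the silent case from the thread, since the rule loads fine and simply never matches the VPN's UDP packets.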