Closed cthulhubuddha closed 1 year ago
Hi @cthulhubuddha ,
I've only reproduced this issue on Ubuntu 16. Could you post the output of $ nft list ruleset ?
Do you have another firewall configured? firewalld or ufw?
Ah, yep, UFW is running. Happy to securely send my ruleset somewhere, would prefer not to disclose on a forum. Is opensnitch using ufw, and if so, if I manually disable the instance I enabled prior to installing opensnitch, will that break opensnitch?
You can email me the rules + the log opensnitchd.log: gusi.xx [a] protonmail.com
For now, set Firewall option to "iptables" in /etc/opensnitchd/default-config.json, that should silence those logs.
Is opensnitch using ufw, and if so, if I manually disable the instance I enabled prior to installing opensnitch, will that break opensnitch?
No, we don't use ufw. If the Firewall option is "iptables" we use the iptables binary to add the rules, and if it's "nftables" we add the rules directly to the kernel.
A couple of updates in testing back and forth between iptables and nftables. When nftables is used, the issue does not occur when the GUI is first opened. However, if you disable opensnitch in the GUI and then re-enable it, the errors start appearing (again, every 15 seconds).
When using iptables the errors do not occur, as expected above. Happy to help you troubleshoot it, but it looks like it is not related to the actual problem I am troubleshooting related to the list of domains not working. I'll open a separate issue for that.
Thank you @cthulhubuddha !
if you disable opensnitch in the gui and then re-enable it, the errors start appearing
I'll try to reproduce it this way :+1:
Yes please, open a new issue. Things to look for in the logs regarding the domains list: https://github.com/evilsocket/opensnitch/wiki/block-lists#troubleshooting
If a domain is blocked by a list, it'll appear in the logs as such:
[2022-12-21 19:18:37] DBG domain list match: geo.yahoo.com, /etc/opensnitchd/blocklists/domains/xxx/1hosts.tx
[2022-12-21 19:18:37] DBG ✘ /usr/lib/firefox-esr/firefox-esr, 33434:192.168.1.101 -> geo.yahoo.com:53 (000-block-domains)
A basic test would be to add www.example.org to a new list: 127.0.0.1 www.example.org
Create a new rule with name: 000-domain-list-test , check [x] Priority rule and [x] Reject, (*) Always
Verify that the list has been loaded:
[2022-12-21 19:31:19] INF monitor lists started: /tmp/list
[2022-12-21 19:31:19] INF clearing domains lists: 0 - /tmp/list
[2022-12-21 19:31:19] INF lists monitor stopped
[2022-12-21 19:31:19] DBG Loading domains list: /tmp/list/test-list.txt, size: 26
[2022-12-21 19:31:19] INF 1 domains loaded, /tmp/list/test-list.txt
[2022-12-21 19:31:19] INF 1 lists loaded, 1 domains, 0 duplicated
And see if it's blocked from the command line:
$ curl https://www.example.org
curl: (6) Could not resolve host: www.example.org
opensnitchd.log:
[2022-12-21 19:32:42] DBG new connection udp => 41235:192.168.1.101 -> 9.9.9.9:53 uid: 117
[2022-12-21 19:32:42] DBG [ebpf conn] not in cache, but in execEvents: udp41235192.168.1.1019.9.9.953, 1426481 -> /lib/systemd/systemd-resolved
[2022-12-21 19:32:42] DBG [ebpf conn] adding item to cache: udp41235192.168.1.1019.9.9.953
[2022-12-21 19:32:42] DBG domain list match: www.example.org, /tmp/list/test-list.txt
[2022-12-21 19:32:42] DBG ✘ /lib/systemd/systemd-resolved, 41235:192.168.1.101 -> www.example.org:53 (000-aaa)
(Use ping, curl or wget to test it. Firefox, Chrome and other apps work in a different way.)
Also try stopping systemd-resolved and changing the /etc/resolv.conf nameservers to point to 9.9.9.9, 1.1.1.1, etc. We had problems with systemd-resolved in the past, but as far as I can tell, it seems to work fine now.
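The check described in the comment above (list loaded, domain matched, connection denied), as an added example that is not part of the original thread or of the opensnitch code base. The regular expressions are assumptions inferred only from the log excerpts posted here, and the function names are hypothetical.

```python
import re

# Patterns inferred from the log excerpts in this thread (assumption: other
# opensnitch versions may word these lines differently).
LOADED = re.compile(r"INF (\d+) lists loaded, (\d+) domains, (\d+) duplicated")
MATCH = re.compile(r"DBG domain list match: (\S+), (\S+)")
DENY = re.compile(r"DBG ✘ (.+?), \d+:\S+ -> ([^:\s]+):\d+ \(([^)]+)\)")

# Sample input: lines copied from the log excerpts posted above.
SAMPLE_LOG = """\
[2022-12-21 19:31:19] DBG Loading domains list: /tmp/list/test-list.txt, size: 26
[2022-12-21 19:31:19] INF 1 domains loaded, /tmp/list/test-list.txt
[2022-12-21 19:31:19] INF 1 lists loaded, 1 domains, 0 duplicated
[2022-12-21 19:32:42] DBG new connection udp => 41235:192.168.1.101 -> 9.9.9.9:53 uid: 117
[2022-12-21 19:32:42] DBG domain list match: www.example.org, /tmp/list/test-list.txt
[2022-12-21 19:32:42] DBG ✘ /lib/systemd/systemd-resolved, 41235:192.168.1.101 -> www.example.org:53 (000-aaa)
"""

def check_domain_list(log_text, domain):
    """Collect what the log records for `domain` at each step of the test."""
    r = {"domains_loaded": 0, "matched_list": None, "denied_by": None, "process": None}
    pending = False  # list match seen for `domain`, deny line not yet seen
    for line in log_text.splitlines():
        if m := LOADED.search(line):
            r["domains_loaded"] = int(m[2])
        elif (m := MATCH.search(line)) and m[1] == domain:
            r["matched_list"], pending = m[2], True
        elif (m := DENY.search(line)) and pending and m[2] == domain:
            r["process"], r["denied_by"], pending = m[1], m[3], False
    return r

def diagnose(r):
    """Name the first step of the test that the log does not confirm."""
    if r["domains_loaded"] == 0:
        return "list not loaded"
    if r["matched_list"] is None:
        return "no match logged"
    if r["denied_by"] is None:
        return "matched, no deny logged"
    return "blocked"

if __name__ == "__main__":
    result = check_domain_list(SAMPLE_LOG, "www.example.org")
    print(diagnose(result), result)
```

The DBG lines only appear when the daemon logs at debug level, so "no match logged" on a quieter log level does not by itself mean the list failed.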
if you disable opensnitch in the gui and then re-enable it, the errors start appearing
I'll try to reproduce it this way +1
Reproduced. I'll try to fix it.
ok, I think this issue is fixed. I need to test it on more systems (ubuntu 16), but at least it solves the problem on PopOS! 22 and works as expected on Debian Sid.
Thank you for reporting this problem @cthulhubuddha !
New version released with this fix: https://github.com/evilsocket/opensnitch/releases/tag/v1.6.0-rc.4
PopOS 22.04, Opensnitch 1.6.0-rc.3-1
I am troubleshooting why regex domain lists are not working and have found these log entries appearing every 15 seconds, thinking it may be related. Using GUI for configuring. Issue #688 exists but was never resolved, here's a debug log sample: