[Bug] Not blocking internet access if opensnitch isn't running

[t3dium]

If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues.

i was also looking around in settings and found an option which seemed to do this: but it didn't work, not sure if this is a bug, or if the option does something else

OS: fedora Version. 1.6.0 (latest as of now)

potentially related to the bug: couldn't install grpcio==1.16.1 with pip as mentioned in the install guide as it gave segmentation fault's, i instead installed the newest version with pip.

[pizzadude]

I have grpcio 1.50.0 and grpcio-tools 1.50.0 and it works fine with those, can you try that version?

[gustavo-iniguez-goya]

Besides trying @pizzadude's suggestion, please, be sure that the value DefaultAction is set to "deny" in /etc/opensnitchd/default-config.json

You can also try a simple test:

• with DefaultAction set to deny in /etc/opensnitchd/default-config.json
• set LogLevel to 0
• close the GUI
• launch telnet github.com 443 or curl http://deb.deban.org or wget https://github.com

Any of the commands should fail. If they don't, please, post the log file /var/log/opensnitchd.log

[gustavo-iniguez-goya]

If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues.

Just set DefaultAction to deny in /etc/opensnitchd/default-config.json. If with that option set to deny apps can still connect to the internet, please, drop a comment with an example and how to reproduce it, and we'll review it.

but it didn't work, not sure if this is a bug, or if the option does something else

I've been reviewing this problem, and the option works fine. But it's a bit confusing, and i'm not sure what's the right thing to do here.

With daemon DefaultAction: allow and GUI DefaultAction: deny:

• The daemon connects to the GUI and sends its configuration (default-config.json -> Action: allow)
• The GUI saves the configuration of the daemon in memory, and reconfigures daemon's DefaultAction to deny (because GUI's DefaultAction is deny)
  • Daemon's DefaultAction is only reconfigured in memory, it's not saved to disk.
• When opening the GUI Preferences, daemon's DefaultAction is set to deny, and that's how it's working while it's running, but /etc/opensnitchd/default-config.json DefaultAction is set to allow. So:
  • ^ This may cause some confusion.
  • While the GUI is running the daemon should not allow outbound connections by default. It'll prompt you to deny/allow connections anyway, but if you decide not to use pop-ups it should apply GUI's DefaultAction.

So the question is: GUI's Preferences->Nodes->DefaultAction should reflect the daemon's DefaultAction being used (this is how it works right now), or the one saved in /etc/opensnitchd/default-config.json?

This behaviour was changed here https://github.com/evilsocket/opensnitch/commit/f5bb478c998530193ab3661727d126d184a29402 because of this #489

And probably this behaviour should be documented on the wiki.

[gustavo-iniguez-goya]

Ok, I'll modify the behaviour as follow:

Daemon not connected to the GUI:

• Use the DefaultAction defined in /etc/opensnitchd/default-config.json

Daemon connected to the GUI:

• Use GUI's DefaultAction (by default Deny):
  1. For pop-ups
  2. Reconfigure daemon's DefaultAction while it's connected to the GUI. On disconnecting use daemon's DefaultAction.
• Don't modify nodes' DefaultAction value and save it as is, so it's displayed correctly on Preferences->Nodes.

At least this way the user will clearly see that daemon's DefaultAction is set to allow by default (related #896).

[gustavo-iniguez-goya]

closing due to lack of feedback