evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Option to ignore (allow) loopback traffic #965

Open WinterSnowfall opened 1 year ago

WinterSnowfall commented 1 year ago

Summary:

Problem:

A lot of applications depend on loopback traffic being unhindered, and other firewalls, such as ufw for example, will not filter loopback traffic at all by default.

Background:

I've recently started using opensnitch and have noticed various applications would either time out after long intervals or hang completely if loopback traffic was blocked. This also happened with mate-session (I use MATE as my desktop environment).

I came across this wiki page: https://github.com/evilsocket/opensnitch/wiki/Known-problems#general , which was helpful. However, the provided fix is only partial. Besides IPv4 loopback, some applications (as is the case of mate-session, apparently) will depend on IPv6 loopback being unfiltered (ergo ::1/128) in order to behave properly.

Suggestion:

While I have a background in networking and was able to figure it out, the default behavior can arguably be quite confusing to regular users. Loopback traffic is not usually considered a security risk, nor should it be hindered unless otherwise specified (if a user insists).

I suggest having a global config option for enabling loopback traffic filtering and leaving it disabled/off by default, since most users will have no interest in acting on loopback traffic.

Switching the default action to allow traffic when the UI is not connected (as suggested in the Wiki article linked above) is not a good solution IMHO, since security-conscious users would want to whitelist traffic themselves and make sure nothing gets through otherwise.
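The partial fix described above (an IPv4-only loopback allow rule) next to one that also covers ::1/128, as an added example that is not part of this issue or of OpenSnitch's own code. It assumes the rule JSON field names used below ("operator" with type "network" and operand "dest.network", "precedence", "duration") match the rule files under /etc/opensnitchd/rules/; check them against the installed opensnitchd before deploying. The matching logic is this script's own, written to show which destinations each rule set covers, not the daemon's implementation.

```python
"""Added example, not OpenSnitch project code.

Builds one OpenSnitch-style "allow" rule per loopback network (127.0.0.0/8
and ::1/128) and evaluates destination addresses against a rule set, to show
why an IPv4-only loopback rule leaves IPv6 loopback (::1) unmatched.

Assumptions (mine, not from the issue): the JSON field names mirror the rule
files under /etc/opensnitchd/rules/ as I know them; verify against the
installed opensnitchd version. Matching below is this script's own logic.
"""
import ipaddress
import json
import os

LOOPBACK_NETWORKS = {
    "ipv4": "127.0.0.0/8",
    "ipv6": "::1/128",
}


def loopback_rule(family: str, name_prefix: str = "000-allow-loopback") -> dict:
    """Return one rule dict allowing connections to the given loopback network.

    One rule per network: a single rule cannot express "either network", so
    the IPv4 and IPv6 cases are written as two independent rule files.
    """
    network = LOOPBACK_NETWORKS[family]
    return {
        "name": f"{name_prefix}-{family}",
        "enabled": True,
        "precedence": True,  # assumption: evaluated before ordinary rules
        "action": "allow",
        "duration": "always",
        "operator": {
            "type": "network",
            "operand": "dest.network",
            "sensitive": False,
            "data": network,
        },
    }


def loopback_ruleset(include_ipv6: bool = True) -> list:
    """The partial fix (IPv4 only) vs. the complete one (IPv4 + IPv6)."""
    families = ["ipv4"] + (["ipv6"] if include_ipv6 else [])
    return [loopback_rule(f) for f in families]


def _normalize(dest_ip: str):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4.

    This folding is a choice of this example, so a dual-stack socket talking
    to mapped loopback is covered by the IPv4 rule.
    """
    addr = ipaddress.ip_address(dest_ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def rule_matches(rule: dict, dest_ip: str) -> bool:
    """Evaluate a single dest.network rule against a destination address."""
    op = rule["operator"]
    if op["type"] != "network" or op["operand"] != "dest.network":
        raise ValueError("this example only evaluates dest.network rules")
    net = ipaddress.ip_network(op["data"], strict=False)
    addr = _normalize(dest_ip)
    return addr.version == net.version and addr in net


def decide(rules: list, dest_ip: str, default: str = "deny") -> str:
    """First enabled matching rule wins; otherwise the default action applies.

    The default is "deny" here to model the security-conscious setup from the
    issue, where nothing gets through unless explicitly whitelisted.
    """
    for rule in rules:
        if rule["enabled"] and rule_matches(rule, dest_ip):
            return rule["action"]
    return default


def write_rules(rules: list, directory: str) -> list:
    """Write each rule as <name>.json in directory; return the paths written."""
    paths = []
    for rule in rules:
        path = os.path.join(directory, rule["name"] + ".json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(rule, fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    partial = loopback_ruleset(include_ipv6=False)
    complete = loopback_ruleset(include_ipv6=True)
    # Constructed sample destinations: v4 loopback, v6 loopback, mapped, non-loopback.
    for ip in ("127.0.0.1", "::1", "::ffff:127.0.0.1", "10.0.0.5"):
        print(f"{ip:>18}  partial={decide(partial, ip):5}  complete={decide(complete, ip)}")
```

Running the script prints a row per destination: with the partial set only 127.0.0.1 (and the mapped form) is allowed while ::1 falls through to the deny default, which is the hang the opening post describes for mate-session; the complete set allows both loopback families and still denies the non-loopback address. `write_rules(complete, "/etc/opensnitchd/rules")` would emit the two files, but treat the field names as something to confirm against your installed version first.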

gustavo-iniguez-goya commented 1 year ago

Hi @WinterSnowfall ,

You're right, this is a problem on some Desktop Environments. The easiest would be to add a predefined system fw rule as we already have for ICMP, and then let the users decide whether to disable it or not.

Another option I've considered is to add an application rule for common apps that work on localhost (/usr/bin/xbrlapi, /usr/bin/dirmngr) and keep updating it based on users' feedback, but I don't know if there's any way to use these apps to exfiltrate data in some way...

WinterSnowfall commented 1 year ago

I think maintaining such a list would be nothing short of a nightmare (you really can't account for everything people will use). The first option sounds better and is more or less what I was suggesting, I guess.

drws commented 10 months ago

Another option is that the user is asked during the installation whether to allow loopback connections. If this is considered, a similar dialog could also ask the user whether to enable the OpenSnitch service right away or not.