gustavo-iniguez-goya / opensnitch

OpenSnitch is a GNU/Linux application firewall
GNU General Public License v3.0
394 stars 20 forks source link

Opensnitch/ui/requirements.txt - Modules pip with minimum version required #18

Closed Pain-Patate closed 4 years ago

Pain-Patate commented 4 years ago

Hi! Thank you for continuing the future of Opensnitch. I have one question.

In your procedure, Installation from sources (https://github.com/gustavo-iniguez-goya/opensnitch/wiki/Installation#installation-from-sources):

"[...]
go get github.com/gustavo-iniguez-goya/opensnitch
cd $GOPATH/src/github.com/gustavo-iniguez-goya/opensnitch
compile && install
make
[...]
opensnitch-ui"

"make" compiles and chooses the pip add-ons: grpcio-tools, pyinotify, unicode_slugify, pyqt5. See: https://github.com/gustavo-iniguez-goya/opensnitch/blob/main/ui/requirements.txt

Question ?

Is it important to have the requested versions in this file (requirements.txt) or can we install the latest versions?

I ask this because my system cannot retrieve and install version 5.10.1 for PyQt5.

Thanks to all.

gustavo-iniguez-goya commented 4 years ago

> Is it important to have the requested versions in this file (requirements.txt) or can we install the latest versions?

Those versions should be the minimum versions required for the UI to work.

What distribution are you using? As far as I can tell, we're compatible from >= pyqt 5.6. The UI setup/install scripts should be updated.

Pain-Patate commented 4 years ago

Very good, thanks. I'm on Armbian, on arm64. I had a very, very difficult time installing Opensnitch on this system. Normally, it works. I will be back to give a tutorial. (These steps don't work for me: https://github.com/gustavo-iniguez-goya/opensnitch/wiki/Installation#cross-compiling-the-daemon-for-other-architectures-arm)

Question ?

Is it possible to modify "requirements.txt" with:

grpcio-tools>=1.10.1 # Minimum version required : 1.10.1
pyinotify>=0.9.6 # Minimum version required : 0.9.6
unicode_slugify>=0.1.3 # Minimum version required : 0.1.3
pyqt5>=5.10.1 # Minimum version required : 5.10.1

File "requirements.txt" - https://github.com/gustavo-iniguez-goya/opensnitch/blob/main/ui/requirements.txt

These modifications would prevent the uninstallation of pip modules with the required version, during the installation of Opensnitch (if I'm not mistaken).
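A check of the minimum-version lines proposed above against what is actually installed, added here as an illustration; it is not part of the thread or of the OpenSnitch code base, and the helper names are this example's own. Names are normalised the way pip does, so `unicode_slugify` in the file matches `unicode-slugify` as pip reports it, and exact `==` pins are handled as well as `>=` bounds.

```python
import re
from importlib import metadata

# Minimum-version lines proposed in this thread for ui/requirements.txt.
PROPOSED = ("grpcio-tools>=1.10.1\npyinotify>=0.9.6\n"
            "unicode_slugify>=0.1.3\npyqt5>=5.10.1\n")

def normalize(name):
    """PEP 503 normalisation, so unicode_slugify matches unicode-slugify."""
    return re.sub(r"[-_.]+", "-", name).lower()

def compare(have, wanted):
    """-1, 0 or 1 on the numeric release parts only (rc/dev tags ignored)."""
    a, b = ([int(p) for p in re.match(r"\d+(\.\d+)*", v).group(0).split(".")]
            for v in (have, wanted))
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return (a > b) - (a < b)

def parse(text):
    """Yield (name, op, version) for each '==' or '>=' line; comments dropped."""
    for raw in text.splitlines():
        m = re.fullmatch(r"([\w.-]+)\s*(==|>=)\s*(\d[\w.]*)", raw.split("#")[0].strip())
        if m:
            yield normalize(m.group(1)), m.group(2), m.group(3)

def lookup(name):
    """Version installed in the running interpreter, or None."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

def check(text, installed=None):
    """Map each requirement to 'ok', 'missing', 'too old' or 'pin mismatch'."""
    known = {normalize(k): v for k, v in (installed or {}).items()}
    report = {}
    for name, op, wanted in parse(text):
        have = lookup(name) if installed is None else known.get(name)
        if have is None:
            report[name] = "missing"
        elif op == "==":
            report[name] = "ok" if compare(have, wanted) == 0 else "pin mismatch"
        else:
            report[name] = "ok" if compare(have, wanted) >= 0 else "too old"
    return report

if __name__ == "__main__":
    print(check(PROPOSED))
```

Run with the same interpreter the UI uses (`python3`), since a package installed for another interpreter or user is reported as missing.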

gustavo-iniguez-goya commented 4 years ago

> Normally, it works. I will be back to give a tutorial.

cool!

By the way, did you try to install the UI deb package?

Pain-Patate commented 4 years ago

> By the way, did you try to install the UI deb package?

In the past, I tested on the original GitHub, but I didn't have enough time.

I tried with this command:

sudo dpkg -i python3-opensnitch-ui_1.0.0rc8-1_all.deb

Is that right?

gustavo-iniguez-goya commented 4 years ago

yes, you'll need to run after that: apt -f install

Pain-Patate commented 4 years ago

OK. So, I did:

sudo dpkg -i python3-opensnitch-ui_1.0.0rc8-1_all.deb
sudo apt-get install -f

And at the end, the terminal shows:

Running setup.py install for unicode-slugify ... done
Successfully installed unicode-slugify-0.1.3 unidecode-1.1.1

An Opensnitch icon appeared. But it doesn't work.

I verified the names of the installed pip modules with this command:

sudo pip list

pyqt5 and pyinotify aren't there. However, they are needed here: opensnitch/ui/requirements.txt

These modifications would prevent the uninstallation of pip modules with the required version, during the installation of Opensnitch (if I'm not mistaken).

gustavo-iniguez-goya commented 4 years ago

Can you launch the UI from a terminal and post here the output?

$ /usr/bin/opensnitch-ui

gustavo-iniguez-goya commented 4 years ago

> I'm on Armbian, on arm64. I had a very, very difficult time installing Opensnitch on this system.

By the way, I've compiled the daemon for arm64, I've updated the installation instructions, and I'll try to automate the process to build packages for this architecture (or any other).

Pain-Patate commented 4 years ago

> Can you launch the UI from a terminal and post here the output?

$ /usr/bin/opensnitch-ui

bash: usr/bin/opensnitch-ui: No such file or directory

Also, I'm not using Debian but Armbian (Dietpi with LxQt). Maybe I don't have the same package...

gustavo-iniguez-goya commented 4 years ago

bash: usr/bin/opensnitch-ui: No such file or directory

That means that the UI has not been installed. I'll install dietpi to see if I can install it.

On the other hand, I'm progressing in generating deb packages for multiple architectures (armhf, arm64, i386, amd64). Could you test this package on arm64 and tell me if it works?

opensnitch_1.0.0rc8-1_arm64.deb.gz

Pain-Patate commented 4 years ago

> bash: usr/bin/opensnitch-ui: No such file or directory
>
> That means that the UI has not been installed. I'll install dietpi to see if I can install it.
>
> On the other hand, I'm progressing in generating deb packages for multiple architectures (armhf, arm64, i386, amd64). Could you test this package on arm64 and tell me if it works?
>
> opensnitch_1.0.0rc8-1_arm64.deb.gz

Very good. I'm ok to test on Armbian, (Dietpi, with Desktop LxQt)

sudo dpkg -i opensnitch_1.0.0rc8-1_arm64.deb # Doesn't work. Terminal asks to install libnetfilter-queue1.

So, I did this:

sudo apt-get install libnetfilter-queue1
sudo dpkg -i opensnitch_1.0.0rc8-1_arm64.deb

(Reading database ... 53321 files and directories currently installed.)
Preparing to unpack opensnitch_1.0.0rc8-1_arm64.deb ...
Unpacking opensnitch (1.0.0rc8-1) over (1.0.0rc8-1) ...
Setting up opensnitch (1.0.0rc8-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/opensnitch.service → /lib/systemd/system/opensnitch.service.

I used dietpi-services to add the service: opensnitch. But Opensnitch doesn't work, no icon in the start menu. I rebooted the system and it still doesn't work.

I have a Dietpi that works with Opensnitch, which I installed manually from your GitHub. Here is a tutorial (in summary) of the Opensnitch installation on Dietpi, arm64:

1 – Go installation (language) v1.14.2 + GIT + Build-essential -- 10 min

2 – Installation of PYTHON v3.8.2 -- 1h30

3 – Update Pip v20.1 -- 5 min
sudo python3 -m pip install --upgrade pip

4 – Installation of Qt5 v5.7.1 and QMake v3.0 -- 5min
sudo apt -y install qtcreator libqt5dbus5 qttools5-dev && export QT_SELECT=qt5

5 – Installation of PyQt5 v5.14.2 and PyQT5-sip v12.7.2 -- 3h
sudo python3 -m pip install pyqt5

6 – Installation of grpcio v1.28.1, grpcio-tools v1.28.1, protobuf v3.11.3, six v1.14.0 -- 2h
sudo python3 -m pip install --user grpcio-tools

7 – Final installation - OPENSNITCH -- 1h

The final terminal: ... Succes ... Cannot find file: icon-white.png

In the whole tutorial, I believe I set up "Go" and maybe "Qt5" incorrectly.

Pain-Patate commented 4 years ago

Coming soon, this week (I hope), I'm getting my Raspberry Pi 4. I'll test on it (with Dietpi and Armbian only). Yesss, I can test Opensnitch on the "Duster" version (Dietpi update the system on my hardware. Great)

gustavo-iniguez-goya commented 4 years ago

ok, let us know how it works! :)

Pain-Patate commented 4 years ago

Sorry for the delay, I received the RPi 4 a few days ago. Currently, Dietpi for the RPi 4 is 32-bit (armhf). Is it possible to have a deb package for armhf?

gustavo-iniguez-goya commented 4 years ago

Yes, I'll post an armhf deb ASAP.

gustavo-iniguez-goya commented 4 years ago

Here you have: opensnitch_1.0.0rc9-1_armhf.deb.gz

I haven't tested it, only ensured that it's an arm binary. Let me know if it works.

Pain-Patate commented 4 years ago

sudo dpkg -i opensnitch_1.0.0rc9-1_armhf.deb

Selecting previously unselected package opensnitch.
(Reading database ... 50295 files and directories currently installed.)
Preparing to unpack opensnitch_1.0.0rc9-1_armhf.deb ...
Unpacking opensnitch (1.0.0rc9-1) ...
Setting up opensnitch (1.0.0rc9-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/opensnitch.service → /lib/systemd/system/opensnitch.service

sudo systemctl enable opensnitch
sudo service opensnitch start
sudo opensnitchd

Starting opensnitch-daemon v1.0.0rc9
[2020-06-09 17:55:24]  INF  Loading rules from /home/dietpi/rules ...
[2020-06-09 17:55:24]  !!!  Path '/home/dietpi/rules' does not exist

I created a folder "rules" at this address: /home/dietpi

sudo opensnitchd

IMP  Starting opensnitch-daemon v1.0.0rc9
[2020-06-09 17:57:00]  INF  Loading rules from /home/dietpi/rules ...
[2020-06-09 17:57:00]  !!!  Error while running DNS firewall rule: exec: "iptables": executable file not found in $PATH

The opensnitch service doesn't work.

gustavo-iniguez-goya commented 4 years ago

ok, please, execute the following commands and paste the output:

$ sudo service opensnitch restart
$ pgrep -a opensnitch
$ iptables -t mangle -L OUTPUT

Pain-Patate commented 4 years ago

sudo service opensnitch restart
pgrep -a opensnitch

3053 /usr/bin/opensnitchd -important -log-file /var/log/opensnitchd.log -rules-path /etc/opensnitchd/rules -ui-socket unix:///tmp/osui.sock

sudo apt-get install iptables
sudo iptables -t mangle -L OUTPUT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    all  --  anywhere             anywhere             ctstate NEW NFQUEUE num 0 bypass

sudo opensnitchd

[2020-06-10 17:00:31]  IMP  Starting opensnitch-daemon v1.0.0rc9
[2020-06-10 17:00:31]  INF  Loading rules from /home/dietpi/rules ...
[2020-06-10 17:00:31]  WAR  Is opnensitchd already running?
[2020-06-10 17:00:31]  !!!  Error while creating queue #0: Error binding to queue: operation not permitted

sudo service opensnitch stop
sudo opensnitchd

IMP  Starting opensnitch-daemon v1.0.0rc9
[2020-06-10 17:02:42]  INF  Loading rules from /home/dietpi/rules ...
ERROR: path=/usr/sbin/iptables args=[-D INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
'
ERROR: path=/usr/sbin/iptables args=[-D OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
'
ERROR: path=/usr/sbin/iptables args=[-D OUTPUT -m mark --mark 101285 -j DROP] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).

The opensnitch service doesn't work.

gustavo-iniguez-goya commented 4 years ago

The daemon is running fine, see:

$ sudo service opensnitch restart
$ pgrep -a opensnitch

3053 /usr/bin/opensnitchd -important -log-file /var/log/opensnitchd.log -rules-path /etc/opensnitchd/rules -ui-socket unix:///tmp/osui.sock

^ this means that the daemon is running, with PID 3053. If you type `tail -f /var/log/opensnitchd.log` you'll see activity.

$ sudo iptables -t mangle -L OUTPUT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- anywhere anywhere ctstate NEW NFQUEUE num 0 bypass

^ this also means that the iptables rule has been inserted correctly.

You don't have to execute sudo opensnitchd. It'll fail because there's a daemon already running.

If you want to execute manually, you'll have to stop the service and then launch it like this:

$ sudo opensnitch stop
$ /usr/bin/opensnitchd -debug -rules-path /etc/opensnitchd/rules -ui-socket unix:///tmp/osui.sock

Pain-Patate commented 4 years ago

Thanks to you and your help. It looks like the service is starting and is not fully operational.

tail -f /var/log/opensnitchd.log

[2020-06-13 16:53:53]  IMP  Starting opensnitch-daemon v1.0.0rc9

[2020-06-13 16:56:55]  IMP  Got signal: terminated
[2020-06-13 16:56:56]  IMP  Starting opensnitch-daemon v1.0.0rc9

[2020-06-13 17:00:05]  IMP  Got signal: terminated
[2020-06-13 17:00:06]  IMP  Starting opensnitch-daemon v1.0.0rc9

[2020-06-13 17:00:19]  IMP  Got signal: terminated
[2020-06-13 17:00:19]  IMP  Starting opensnitch-daemon v1.0.0rc9

And then, the terminal is blocked. I don't know how to open Opensnitch.

Also:

sudo opensnitch stop
sudo: opensnitch: command not found


sudo opensnitchd stop

[2020-06-13 17:07:34]  IMP  Starting opensnitch-daemon v1.0.0rc9
[2020-06-13 17:07:34]  INF  Loading rules from /home/dietpi/rules ...
[2020-06-13 17:07:34]  WAR  Is opnensitchd already running?
[2020-06-13 17:07:34]  !!!  Error while creating queue #0: Error binding to queue: operation not permitted

gustavo-iniguez-goya commented 4 years ago

Thank you for the logs!

Ok. Unfortunately that means that the kernel has no support for NFQUEUE, or that the kernel modules are not loaded.

Please, post the output of the following commands:

uname -r
lsmod | grep nfnetlink
lsmod | grep xt_
cat /proc/net/ip_tables_targets
cat /proc/net/netfilter/nfnetlink_queue
grep NFQUEUE /boot/config-$(uname -r)
find /lib/modules/$(uname -r) -name 'nfnetlink*'
dpkg -l 'libnetfilter-queue*'

If the find command finds the nfnetlink.ko and nfnetlink_queue.ko files, please, load them as follows:

modprobe nfnetlink
modprobe nfnetlink_queue
modprobe xt_NFQUEUE

And run opensnitch again:

service opensnitch restart
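The kernel-side checks from the command list above, gathered into one script; this is an added example, not part of the thread or of OpenSnitch. It assumes the standard `/proc` layout (`/proc/modules` is what `lsmod` reads) and takes the root directory as a parameter so it can be pointed at a copy; the function names are this example's own.

```python
import os

NEEDED = ("nfnetlink", "nfnetlink_queue", "xt_NFQUEUE")  # modules named in the thread

def read(path):
    """File contents, or None when the file is absent or unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None

def nfqueue_report(proc="/proc"):
    """Collect the kernel-side NFQUEUE facts that the commands above print."""
    modules = read(os.path.join(proc, "modules")) or ""        # what lsmod reads
    loaded = {line.split()[0] for line in modules.splitlines() if line.strip()}
    targets = read(os.path.join(proc, "net/ip_tables_targets")) or ""
    queue = read(os.path.join(proc, "net/netfilter/nfnetlink_queue"))
    bound = []
    # One line per bound queue: queue number first, then the netlink port id
    # of the process holding it.
    for line in (queue or "").splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].isdigit() and cols[1].isdigit():
            bound.append((int(cols[0]), int(cols[1])))
    return {
        # Built-in (non-modular) support does not show up in /proc/modules,
        # so an entry here is a hint, not proof that support is absent.
        "modules_missing": sorted(set(NEEDED) - loaded),
        "nfqueue_target": "NFQUEUE" in targets.split(),
        "queue_interface": queue is not None,
        "bound_queues": bound,
    }

def diagnose(report, queue_num=0):
    """Turn a report into the next step for a 'binding to queue' failure."""
    owners = [port for num, port in report["bound_queues"] if num == queue_num]
    if owners:
        return (f"queue {queue_num} already bound (port id {owners[0]}): "
                "stop the running service before starting opensnitchd by hand")
    if not report["queue_interface"]:
        return "nfnetlink_queue not available: modprobe " + " ".join(report["modules_missing"] or NEEDED)
    if not report["nfqueue_target"]:
        return "NFQUEUE target not registered: modprobe xt_NFQUEUE"
    return "kernel side looks ready; check the daemon log"

if __name__ == "__main__":
    print(diagnose(nfqueue_report()))
```

Run it as root, since the files under `/proc/net` may not be readable otherwise.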

gustavo-iniguez-goya commented 4 years ago

I think I've found the problem. I'll post a binary ASAP for you to test.

gustavo-iniguez-goya commented 4 years ago

Please @Pain-Patate , could you copy this binary to /usr/bin, restart the service and try again? opensnitchd.gz

Thank you!

Pain-Patate commented 4 years ago

I ran all the commands you listed here in the terminal. I copied this opensnitchd to /usr/bin.

service opensnitch stop
sudo opensnitchd

IMP  Starting opensnitch-daemon v1.0.0rc10
[2020-06-14 10:51:40]  INF  Loading rules from /home/dietpi/rules ...
ERROR: path=/usr/sbin/iptables args=[-D INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
'
ERROR: path=/usr/sbin/iptables args=[-D OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
'
ERROR: path=/usr/sbin/iptables args=[-D OUTPUT -m mark --mark 101285 -j DROP] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
'

If I do this:

sudo service opensnitch restart
tail -f /var/log/opensnitchd.log

[2020-06-14 10:55:29] IMP Starting opensnitch-daemon v1.0.0rc10

gustavo-iniguez-goya commented 4 years ago

Great! now it's working as expected. Modify LogLevel value in /etc/opensnitchd/default-config.json to 0 (debug level) in order to see connections detail information.

By the way, always restart the daemon with service opensnitch restart.

Pain-Patate commented 4 years ago

sudo nano /etc/opensnitchd/default-config.json

I modified "LogLevel":2 to "LogLevel":0

sudo service opensnitch restart
tail -f /var/log/opensnitchd.log

[2020-06-14 14:27:25] DBG new connection tcp => **...**
[2020-06-14 14:27:25] DBG [0/1] outgoing connection: ...
...

Yes, it looks like it works. For each web page in my browser, there is new information in /var/log/opensnitchd.log. Can I open Opensnitch to set it up...?

gustavo-iniguez-goya commented 4 years ago

If you have the GUI installed you should be able to view the connections, modify rules, etc..

Pain-Patate commented 4 years ago

Ok, Let's go to install GUI

Pain-Patate commented 4 years ago

Install GUI:

sudo apt update && sudo apt upgrade
sudo dpkg -i python3-opensnitch-ui*.deb; sudo apt -f install

At the end of the installation, the terminal displays:

  The script unidecode is installed in '/usr/local/bin' which is not on PATH.                                                           
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.  

Is it an important problem?

I tried Opensnitch annnnnnnnnddd verrry goood, it works.

Thanks a lot, @gustavo-iniguez-goya. Hello to @evilsocket.

I have some small display problems, but I'll mention them later in a new topic, because this one is getting big. :-)

gustavo-iniguez-goya commented 4 years ago

superb!

Pain-Patate commented 4 years ago

Yes, it's cool. Also, At the end of the installation, the terminal displays :

  The script unidecode is installed in '/usr/local/bin' which is not on PATH.                                                           
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.  

Is it a big problem ?

gustavo-iniguez-goya commented 4 years ago

No, as far as I can tell.

Pain-Patate commented 4 years ago

Very good. I think we can close this issue with success. I explain a summary of installing the Opensnitch armhf version on Raspberry Pi 4: here

gustavo-iniguez-goya commented 4 years ago

Thank you!!