sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

[Feature] Domain to firewall #3712

Open MickgClone opened 7 months ago

MickgClone commented 7 months ago

Is your feature request related to a problem or use case?

First off, apologies if this has been typed about before but I didn't see anything in the issues page when using the search function. Anyways, on to what I would use the feature for. I have a box that is cut off from the internet but needs access sometimes to github.com or unity.bepinex.dev to download necessary files. I don't want to allow any application to the internet except if it needs to install some libs or something. When doing stuff with BepInEx, it's merged with the application so you can't just only allow the BepInEx program through, so it becomes necessary to figure out what the domain's IPs are so you can allow it to connect to the domain it wants to connect to.

Describe the solution you'd like

I don't know everything so this is just assumptions but was wondering if there was a way so that you could add domains to a list in the firewall section so that it will add the IP addresses automatically to the firewall. Of course, in a way it won't cause strain to the domains.

Describe alternatives you've considered

Maybe it would be a better solution to somehow have it separated instead of just the firewall section as to make sure users can still edit the firewall but have the domains added on top of the firewall as well...? Not sure. Sorry if this is a strange request. My current solution was to get a python script and make it put the IP's in my clipboard so I could paste it into the firewall. That is working for now but this feature seems like it would be nice to have.

MickgClone commented 7 months ago

I came back to this and was thinking about deleting it but I do see a thumbs up so maybe I'll leave it up for now. I haven't really messed with Sandboxie in a while but just now got around to using MelonLoader again and realized this may not be as simple as I think it is. Like, how would you even do it for websites like github.com, which has many IPs? I do know that contacting unity.bepinex.dev does work since I'm using that python script I talked about before but idk how to contact github.com with this method.

xsmolasses commented 7 months ago

Sandboxie-Next (Insider Program) introduces SOCKS5 forwarding support, so at some point I should look into what can be done with various third-party socks proxy software in respect to domain & address access control, specifically whitelisting.

Like, how would you even do it for websites like github.com, which has many IPs.

Tell me about it. I've only rhetoric for now, as this is no solution:

# gist.github.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=20.248.137.48;Protocol=TCP

# api.github.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=20.248.137.49;Protocol=TCP

# avatars.githubusercontent.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=185.199.108.133,185.199.109.133,185.199.110.133,185.199.111.133;Protocol=TCP

# github.githubassets.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=185.199.108.154,185.199.109.154,185.199.110.154,185.199.111.154;Protocol=TCP

# alive.github.com
#  live.github.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=140.82.112.25,140.82.114.26,140.82.113.26,140.82.114.25,140.82.112.26,140.82.113.25;Protocol=TCP

# codeload.github.com
NetworkAccess=chrome.exe,Allow;Port=443;Address=20.248.137.55;Protocol=TCP

MickgClone commented 7 months ago

@xsmolasses I'm not gonna lie when I say I'm not the smartest around but I think I could figure out doing proxy stuff if that's what it took to allow/block domains. Of course, I would prefer an easier method tho. I don't get python so I was trying to wrangle a script out of an AI and it worked but it didn't matter too much in the end since... you know... github.com. I'm glad I saw your example tho as I didn't know you could comment in there, or maybe I'm misreading that.

I guess I'm just surprised someone thumbs-up this because I thought it was a weird request. I'm just trying to find a way to allow/block domains but I thought this was a good idea as it keeps it as IPs for the firewall. Sadly, it ain't that simple.

xsmolasses commented 7 months ago

doing proxy stuff if that's what it took to allow/block domains.

To save everyone time, 3proxy seemed the best bet, an open-source, full complement of proxy stuff, and to bring about a solution to our needs..., it came close but no cigar. As I will briefly outline or allude to, integration is the missing characteristic tying Domains and IPs together, as asynchronously as they come, in the effort to resolutely filter if leaks to numerical addresses are of any concern. Indeed, we shouldn't have to "socksify" and tunnel into burrows to achieve total domain focus, whitelisting; implicit in it is blacklisting all other addresses, but we don't want to omit any specificity to our rules.

I guess I'm just surprised someone thumbs-up this because I thought it was a weird request. I'm just trying to find a way to allow/block domains but I thought this was a good idea as it keeps it as IPs for the firewall. Sadly, it ain't that simple.

The sole reason I procured an Advanced tier Patreon sub - to request access to one work-in-progress (doesn't always function) feature in particular:

# block individual domain (would probably return an NXDOMAIN)
NetworkDnsFilter=yahoo.com

# block all (no exceptions - rule specificity, pretty please)
NetworkDnsFilter=*

# redirect (not a chained forward: returns the static record)
NetworkDnsFilter=yahoo.com:1.1.1.1
# 1.1.1.1 is a website too

# keep setting but disable (must reopen Sandbox or process ?)
NetworkDnsFilterDisabled=yahoo.com:1.0.0.1

We would need a "caching" DNS [as part of this] Filter, which creates NetworkAccess rules on the fly (not committed to ini) that greenlights in real time those IPs belonging to domains; have NetworkAccess setting accept domain in renamed IP field.

DavidXanatos commented 7 months ago

I think it's quite useful, and not too difficult to add: with the DNS filter in the insider build the sbiedll.dll is aware of all IPs which are being resolved, hence it could internally whitelist them.
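
The two approaches discussed in this thread, precomputing NetworkAccess rules from a domain list (as in the chrome.exe rules quoted above) and admitting addresses dynamically as the DNS filter sees them resolved (as just described), can be modelled side by side. The following Python is an added example written for this thread, not code from the Sandboxie project: the NetworkAccess line format copies the syntax quoted above, `build_rules`, `DynamicAllowList` and the `.test` domains are assumptions of this example, and the resolution map is constructed sample data so the script runs offline; `resolve_live` is provided for real use but is not exercised here.

```python
"""Static NetworkAccess rule generation vs. a dynamic DNS-driven allowlist.

Added example for the Sandboxie issue thread, not project code. The rule
syntax mirrors the lines quoted in the thread; the domain->IP map below is
constructed sample data, not real DNS records.
"""
import ipaddress
import socket

# Constructed resolver answers (sample data, not real records). The
# duplicate address and the empty answer exercise the edge cases.
SAMPLE_RESOLUTIONS = {
    "api.example.test": ["20.0.0.3", "20.0.0.2"],
    "cdn.example.test": ["185.0.0.1", "185.0.0.1", "185.0.0.2"],
    "gone.example.test": [],  # behaves like NXDOMAIN: nothing to allow
}


def sample_resolver(domain):
    """Offline stand-in for DNS, backed by SAMPLE_RESOLUTIONS."""
    return SAMPLE_RESOLUTIONS.get(domain, [])


def resolve_live(domain, port=443):
    """Real resolver for actual use: every IPv4 address returned for the name."""
    try:
        infos = socket.getaddrinfo(domain, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def is_ipv4(text):
    """Reject anything the firewall Address field cannot take as an IPv4 literal."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def build_rules(domains, resolver, program="chrome.exe", port=443):
    """Emit one NetworkAccess allow rule per domain, in the format quoted in
    the thread. Addresses are deduplicated and sorted numerically so the
    output is stable across runs; a domain with no IPv4 answer gets only a
    comment, never an empty Address field."""
    rules = []
    for domain in domains:
        ips = sorted({ip for ip in resolver(domain) if is_ipv4(ip)},
                     key=ipaddress.IPv4Address)
        if not ips:
            rules.append(f"# {domain}: no IPv4 answer, no rule emitted")
            continue
        rules.append(f"# {domain}")
        rules.append(f"NetworkAccess={program},Allow;Port={port};"
                     f"Address={','.join(ips)};Protocol=TCP")
    return rules


class DynamicAllowList:
    """Model of the in-process idea: addresses resolved for an allowed domain
    are admitted on the fly, and a direct numeric connection to anything else
    is refused. Unlike the static rules, this follows address changes without
    regenerating the ini."""

    def __init__(self, allowed_domains):
        self.allowed_domains = set(allowed_domains)
        self.allowed_ips = set()

    def on_dns_answer(self, domain, ips):
        """Return True and record the addresses if the domain is allowed;
        otherwise drop the answer (the filtered lookup would see NXDOMAIN)."""
        if domain not in self.allowed_domains:
            return False
        self.allowed_ips.update(ip for ip in ips if is_ipv4(ip))
        return True

    def allow_connect(self, ip):
        """Only addresses learned from an allowed domain's answer may connect."""
        return ip in self.allowed_ips


if __name__ == "__main__":
    for line in build_rules(sorted(SAMPLE_RESOLUTIONS), sample_resolver):
        print(line)
```

The static generator is the clipboard-script approach from earlier in the thread made repeatable; it still has to be re-run whenever a CDN-backed name like github.com changes addresses, which is the gap the dynamic allowlist closes by keying access on what was actually resolved.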

MickgClone commented 7 months ago

@DavidXanatos First off, I wanna thank you for this program. It has been pretty nice to use as a way to block applications to the world. As I said before, I don't have the biggest knowledge when it comes to networking stuff but I just wanted a way to block/allow domains without having to do it by manually entering it in. I'm not sure if my... uh... "method" for that would make sense but I guess it's related to what y'all are currently doing.

I personally don't really mind how it's done as long as it has the ability to block/allow domains in a somewhat easy-to-understand(?) manner. I'm not sure what is possible and not but it does seem like there is work that is happening in the background for a DNS filter and I'm just glad for that. It does seem like people do want a DNS filter but I'm just surprised I couldn't quickly find someone requesting the feature. Maybe I wasn't looking hard enough tho. I don't usually hang out in here.

Again, thank you for all the work you put into this program!