Using opensnitch and nftables. · evilsocket/opensnitch · Discussion #1201
Hi @BobSquarePants,
Is opensnitch available soon enough after boot to catch the undesirable?
I think so. The daemon is launched in multi-user stage, before the network is available.
So does such a rule still make sense while using opensnitch?
What could be the risks of doing so?
Yeah, if you want to lock down the system it makes sense. The risks are that you might block legit connections.
In order to use DROP as the default outbound policy, you'll need a rule to allow established connections:
~ $ sudo nft add rule inet mangle output ct state established,related accept
That way, opensnitch will prompt you to allow NEW outbound connections, and that rule will allow the next packets of those allowed connections.
The ruleset should be as follows:
~ $ sudo nft list ruleset
table inet mangle {
	chain output {
		type route hook output priority mangle; policy drop;
		meta l4proto != tcp ct state related,new queue flags bypass to 0
		tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0
		ct state established,related accept
	}
}
You can also configure it in /etc/opensnitchd/system-fw.json, under this line:
{
    "Table": "",
    "Chain": "",
    "UUID": "fb34f6da-5d72-1234-ae8a-61e1c21bb003",
    "Enabled": true,
    "Position": "0",
    "Description": "allow established connections",
    "Parameters": "",
    "Expressions": [
        {
            "Statement": {
                "Op": "==",
                "Name": "ct",
                "Values": [
                    {
                        "Key": "state",
                        "Value": "related,established"
                    }
                ]
            }
        }
    ],
    "Target": "accept",
    "TargetParameters": ""
},
The option in the GUI to configure the default outbound policy is disabled, because I didn't investigate at the time why it was not working.
But if everything works with this rule, maybe we can let the users configure it.
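The practical risk in the reply above is ordering: switching the opensnitch `inet mangle output` chain to `policy drop` before the `ct state established,related accept` rule is in place silently breaks the reply traffic of every connection opensnitch has already allowed. The POSIX shell helper below, added here as an example and not code from the discussion or from the opensnitch project, checks a `nft list chain` dump for both the opensnitch queue rule and the established/related accept rule, and only then prints the `nft add chain ... { policy drop ; }` command that would change the policy. The function names and the two inline rulesets are constructed for the example; on a real host the dump comes from `sudo nft list chain inet mangle output`.

```shell
#!/bin/sh
# Added example, not part of discussion #1201 or of opensnitch itself.
# Checks a ruleset dump before the chain policy is switched to drop, so
# that already-allowed connections keep flowing. Function names are my own.

# Constructed sample: chain still on policy accept, but it already carries
# the opensnitch queue rules and the established/related accept rule.
SAFE_RULESET='table inet mangle {
	chain output {
		type route hook output priority mangle; policy accept;
		meta l4proto != tcp ct state related,new queue flags bypass to 0
		tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0
		ct state established,related accept
	}
}'

# Constructed sample: queue rules present, accept rule missing. Switching
# this chain to policy drop would cut the replies of allowed connections.
UNSAFE_RULESET='table inet mangle {
	chain output {
		type route hook output priority mangle; policy accept;
		meta l4proto != tcp ct state related,new queue flags bypass to 0
		tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0
	}
}'

# 0 if the dump in $1 queues new connections to opensnitch (queue num 0).
has_opensnitch_queue() {
    printf '%s\n' "$1" | grep -Eq 'ct state (related,new|new,related) queue .*to 0'
}

# 0 if the dump in $1 accepts established/related packets in either spelling.
has_established_accept() {
    printf '%s\n' "$1" | grep -Eq 'ct state (established,related|related,established) accept'
}

# Prints "no-queue", "unsafe" or "safe" for the dump in $1.
classify_ruleset() {
    if ! has_opensnitch_queue "$1"; then
        echo "no-queue"
    elif has_established_accept "$1"; then
        echo "safe"
    else
        echo "unsafe"
    fi
}

# Prints the nft command that would switch the chain to policy drop, but
# only when classify_ruleset says "safe"; otherwise prints nothing, returns 1.
plan_drop_policy() {
    if [ "$(classify_ruleset "$1")" = "safe" ]; then
        echo "nft add chain inet mangle output { policy drop ; }"
        return 0
    fi
    return 1
}

# Stand-alone demo on the constructed samples. To use a live dump instead:
#   plan_drop_policy "$(sudo nft list chain inet mangle output)"
for name in SAFE_RULESET UNSAFE_RULESET; do
    eval "dump=\$$name"
    printf '%s: %s\n' "$name" "$(classify_ruleset "$dump")"
    plan_drop_policy "$dump" || printf '%s: refusing to plan policy drop\n' "$name"
done
```

The check is deliberately string-based and read-only: it never runs `nft` itself, so it can be dropped into a provisioning script as a gate in front of the policy change. If `classify_ruleset` reports `no-queue`, opensnitch's own rules are not loaded yet (for example the daemon has not started), and a drop policy would block everything rather than prompt for it.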