[HN Gopher] OpenSnitch is a GNU/Linux port of the Little Snitch ...
___________________________________________________________________
OpenSnitch is a GNU/Linux port of the Little Snitch application
firewall
Author : btdmaster
Score : 84 points
Date : 2022-06-25 15:51 UTC (7 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| a-dub wrote:
| i want a cable modem + oss router/outbound firewall/egress logger
| all in one device. does such a thing exist?
| gerdesj wrote:
| I've been a pfSense fan for something like 15 years. I run
| something like 50-60 of them around the country (UK). In my
| office is a 2 node CARP beastie with six WANs and 12 NICs each
| (Dell R310s) and quite a lot of cabling. At home I have an APU4
| humming away in the attic. I have a full IPv4 and 6 stack
| running and more VPNs than you can shake a stick at. The docs:
| https://docs.netgate.com/pfsense/en/latest/index.html are
| excellent.
|
| Slap on the pfblocker-ng package and you effectively have a
| souped up Pi-Hole in the router too. My TV at home has stopped
| showing adverts for certain streaming channels which is nice.
|
| There are certain strong feelings against Netgate (nee Electric
| Sheep Fencing) which may or may not be justified. You have
| Opnsense as an alternative option - it's a very well thought of
| fork of pfSense.
| nathants wrote:
| 1. get linux router on lan or linux vpn on wan.
|
| 2. install opensnitch or similar on 1.
|
| 3. route all traffic through 1.
|
| 4. figure out how to deal with rule management and new
| connection requests from 1 to wherever is most convenient for
| you.
| elesiuta wrote:
| I've kinda been keeping an eye on firewalla [0] since it looks
| pretty simple and probably good enough for home use? If anyone
| has any experience with it, or has looked into how good/useful
| the security of it is I'd love to hear it.
|
| There's also pfsense [1] and OPNsense [2] which are more geared
| towards business users, and personally not worth the effort for
| me to maintain at home, so I haven't looked into them as much.
|
| [0] https://firewalla.com/
|
| [1] https://www.pfsense.org/products/
|
| [2] https://shop.opnsense.com/product-categorie/hardware-
| applian...
| macinjosh wrote:
| OpenWRT
| lapser wrote:
| There is also eBPFSnitch, though it hasn't been updated in a
| while. It uses eBPF for packet filtering.
|
| https://github.com/harporoeder/ebpfsnitch
| emrtuerthjnu wrote:
| it hasn't been updated because the ebpf module from it landed
| in opensnitch
|
| https://github.com/evilsocket/opensnitch/tree/master/ebpf_pr...
| squarefoot wrote:
| How does it compare to Bubblewrap? I tried it to test Windows
| software that I don't trust under WINE and it worked, but a few
| times the sandboxed program wouldn't work although it would when
| run under a non networked machine, so I thought the sandboxing
| was also affecting Unix sockets, that is, IPC.
|
| Command used was: bwrap --bind / / --dev /dev --unshare-net -- exe_name
| nathants wrote:
| this is a really great project.
|
| if you haven't heard of libnetfilterqueue, this is what it's for.
| it's really good. tremendous thanks to the author for introducing
| me to it via this project.
|
| the main problem with libnetfilterqueue is that it doesn't have
| pid information. you have to look that up in /proc or via a
| hashmap maintained by ebpf. either method has issues.
|
| an unexplored alternative, afaik, is seccomp with userspace
| filtering[1]. then you get pid information and direct control of
| syscalls. this may still need to be paired with libnetfilterqueue
| depending on implementation.
|
| 1. https://lwn.net/Articles/756233/
| metadat wrote:
| This looks great, but is there a TUI or headless mode?
|
| I don't really like GUIs in my Linux, setting up VNC is such a
| pain.
| rubyn00bie wrote:
| I think the whole point of LittleSnitch/OpenSnitch is the GUI.
| I feel like this is sort of a descendant of (or rather inspired
| by) a piece of software from long ago called "ZoneAlarm" for
| Windows. I mention this because I primarily used it before I
| could code or knew about the "system", which also happened to
| be when I was pirating a lot of software (high school). You
| should be able to accomplish most all of this, and more, from
| the command line already. `netstat` alone would probably get
| you most of the way there.
| heresie-dabord wrote:
| You can use lsof in Linux to show connexions:
|
| lsof -i -n -P | grep -- '->' | awk '{a[$1"_p"$2]++} END {for (it in a) print it, a[it]}' | sort -nr -k2,2
|
| This project uses conky to display the current connexions:
|
| https://github.com/viviparous/plonky/blob/main/plonky.pl
| metadat wrote:
| ZoneAlarm, now there is something I haven't thought about in
| nearly two decades!!! (since HS or early uni)
|
| Netstat _sort of_ fills this niche, but not without a lot of
| manual toil on behalf of the operator. In general, Linux and
| the apps in the ecosystem are much more well-behaved with
| regard to "wtf is this traffic" compared to macOS or
| Windows.
|
| Trust is great and all but visibility is better. Linux is
| still dicey to correlate traffic with a particular app,
| especially if the connection is/was shortlived.
| elesiuta wrote:
| > Linux is still dicey to correlate traffic with a
| particular app, especially if the connection is/was
| shortlived.
|
| This has become a lot easier and more reliable to do now
| with BPF [0].
|
| I also used the same approach to create a somewhat user-
| friendly TUI and web dashboard for it [1]. It is also able
| to hash the executable (even if it was shortlived).
|
| [0] https://www.gcardone.net/2020-07-31-per-process-
| bandwidth-mo...
|
| [1] https://github.com/elesiuta/picosnitch
| nathants wrote:
| ebpf used in this way is typically nonblocking. it drops
| data instead of blocking. for a firewall, that's
| potentially bad.
|
| can ebpf operate in a blocking manner while making
| drop/allow decisions on packets WITH reliable access to
| the callers pid and argv?
| elesiuta wrote:
| > for a firewall, that's potentially bad
|
| I wasn't talking about using it as a firewall, just a
| connection/bandwidth monitor that correlates traffic with
| a particular app.
| nathants wrote:
| bandwidth monitor use case seems like a perfect fit, and
| the occasional missed packet wouldn't be an issue.
|
| picosnitch looks really cool! i've rss subscribed to its
| github commits.
| elesiuta wrote:
| Thanks! Also I used lost_cb [0] to detect if a packet or
| connection (with security_socket_connect) was missed
| between the BPF and Python parts, but is it possible for
| the BPF program to miss either entirely without
| triggering that callback?
|
| If so (without a kernel vulnerability which should be a
| given) I'd like to have it mentioned under the
| limitations section for picosnitch so others can be aware
| as well.
|
| [0] https://github.com/iovisor/bcc/blob/master/docs/refer
| ence_gu...
| nathants wrote:
| i don't think so. i think exactly what you've documented
| is the case. if the callback can't keep up with the data
| before the ringbuffer overflows, data is lost. in that
| case, the solution is to increase the size of the
| ringbuffer, giving the callback a larger window to keep
| up with incoming data bursts.
|
| in the end there are only two ways to handle this: drop
| data or block. for a bandwidth monitor, i'd choose drop.
| for a firewall, i'd choose block.
|
| i use bpftrace to monitor docker filesystem access in a
| similar way[1]. i also increase the ringbuffer size until
| i stop seeing lost data.
|
| 1. https://github.com/nathants/docker-trace#files
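The drop-versus-block trade-off above (lost_cb reporting overflow, and growing the ring buffer until the loss stops) is easy to see in a small model. The following Python is an added illustration written for this page, not code from picosnitch, bcc or docker-trace; the buffer is a plain counter and the burst profile is constructed, so the numbers stand in for a real perf/ring buffer rather than measure one.

```python
"""Drop-vs-block semantics of a bounded event buffer (added illustration).

A BPF program handing events to user space through a perf/ring buffer
cannot block the kernel: if user space has not drained the buffer, new
events are dropped and bcc reports the count via lost_cb. A firewall
verdict path needs the opposite: hold the producer until there is room.
The bursts below are constructed numbers, not measurements.
"""

# Constructed traffic profile: events arriving per tick (two bursts of 10).
BURSTS = [10, 0, 0, 10, 0, 0]


def simulate(bursts, capacity, drain_per_tick, policy="drop"):
    """Push bursts through a buffer of `capacity` slots drained at a fixed rate.

    policy="drop":  events that do not fit are discarded (what lost_cb sees).
    policy="block": the producer stalls and retries the backlog next tick.
    Returns (delivered, lost, stalled_ticks).
    """
    if capacity < 1 or drain_per_tick < 1:
        raise ValueError("need at least one slot and one drained event per tick")
    filled = waiting = 0            # slots in use / backlog the producer still owes
    delivered = lost = stalled_ticks = 0
    t = 0
    # keep ticking past the last burst until both buffer and backlog are empty
    while t < len(bursts) or waiting or filled:
        waiting += bursts[t] if t < len(bursts) else 0
        t += 1
        pushed = min(capacity - filled, waiting)
        filled += pushed
        waiting -= pushed
        if waiting:
            if policy == "drop":
                lost += waiting     # overflow: reported once, then gone for good
                waiting = 0
            else:
                stalled_ticks += 1  # producer blocked on a full buffer this tick
        drained = min(drain_per_tick, filled)
        filled -= drained
        delivered += drained
    return delivered, lost, stalled_ticks


def smallest_capacity_without_loss(bursts, drain_per_tick, max_capacity=1 << 16):
    """Grow the buffer until a drop-mode run reports zero lost events.

    This is the tuning loop described in the thread: raise the ring size
    until lost_cb stops firing for the bursts you actually see.
    """
    for capacity in range(1, max_capacity + 1):
        if simulate(bursts, capacity, drain_per_tick, "drop")[1] == 0:
            return capacity
    return None


if __name__ == "__main__":
    for policy in ("drop", "block"):
        print(policy, simulate(BURSTS, capacity=4, drain_per_tick=2, policy=policy))
    print("minimum loss-free capacity:", smallest_capacity_without_loss(BURSTS, 2))
```

With four slots and a consumer draining two events per tick, drop mode delivers 8 of the 20 events and reports 12 lost, while block mode delivers all 20 at the cost of eight stalled producer ticks; the same profile needs a 14-slot buffer before drop mode stops losing anything, which is the sizing answer a monitor wants and the reason a verdict path cannot rely on it.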
| metadat wrote:
| Very cool! I also found it recently submitted to HN:
| https://news.ycombinator.com/item?id=31160863
| nathants wrote:
| i use a kind of tui. it is actually a gui, pops up fullscreen.
| you can't click it though, just keypress interaction.
|
| i agree with you. especially if i'm filtering all traffic, i
| need to be able to y/n quickly and easily.
|
| https://github.com/nathants/tinysnitch#demo
| gerdesj wrote:
| Take a look into rustdesk; the server, i.e. the self-hosting bit,
| has recently been open sourced. It's basically Teamviewer but
| faster and rock solid so far. Some features are missing but the
| basics are there. I'm going to be dumping our TV account quite
| soon.
|
| The missing piece was remote installing the client on Windows
| en masse to be able to switch to root errr
| Administrator. TV allows you to pass Windows creds through to
| remote install itself but rustdesk can't yet or that might
| become an "enterprise feature". However Ansible can manage a
| WinRM enabled Windows box with Kerb and encryption over http
| and no client install. You can switch on WinRM via a GPO.
|
| Getting some bits of Ansible working on Arch and certain other
| bleeding edge distros might involve pip install --update
| pycrypto (and/or) pykerberos. Python 3.10 deprecated something
| in a rather cryptic way, that I'm sure was jolly important but
| broke quite a lot of things important to a Linux sporting
| sysadmin in a Windows world.
| metadat wrote:
| Yes, recently submitted (
| https://news.ycombinator.com/item?id=31456007 ) and IIRC, the
| verdict was it's a bit shady and sketchy on the security
| front. Unfortunate.
| gerdesj wrote:
| Take a look into the source. I've only cast a vague eye so
| far but it looks like it reuses quite a lot of well
| regarded stuff including VNC, so I'll take issue with
| "shady and sketchy".
|
| If you skim read that thread from HN where I also learned
| about Rust Desk then there is no consensus about "sketchy".
| Searching for the word "security" gets a discussion about
| SSL/TLS and some pontificating.
|
| I'm no real expert on IT security but I do have a Nessus
| license and a box to wield it from. I've run quite a few
| firewalls from Fortinet, pfSense, Juniper, hand crafted
| Linux, <various others>. I have 15 VLANs at home 8)
|
| In my office I have a pair of Dell S funky devops switches
| worth around £20,000 sat on the bench as I plough through
| the 2000 page manual. I've got over the lack of old school
| stacking (why do they still have a stack LED indicator?)
| They have a LACP mediated VLT domain link running at
| 200Gbs-1 (Gb/s) - two physical wires. Now, do I partition
| the 100Gb links into four lots of 25Gb because that will
| allow more flows. Ok let's look at how this thing is used:
| iSCSI for data and VMware. The iSCSI links are 10Gb to the
| M series SAN so more links seem indicated.
|
| I also learned Ansible on Thursday rather rapidly because I
| can deploy these beasts with it (they boot Debian and have
| Docker installed already, which is adorable!) and
| coincidentally, I need a non MS way of getting at Windows
| boxes from Linux. Ansible doesn't need a client app.
|
| It's getting busy in IT. I'm 52 FFS (and absolutely love
| it!)
| metadat wrote:
| The Rust Desk security concern is that it's not 100%
| self-hosted; it uses some kind of TURN or fw hole puncher
| which they host and didn't provide the sources for.
|
| If I'm mistaken please tell me, would love to use it if
| it's "safe".
| gerdesj wrote:
| I've got a self hosted host in my office. When you deploy
| a client, you can rename the Windows exe to include the
| DNS name and public key of your host and it will then use
| them - clever idea. So I don't think you need their
| TURN/STUN. I suspect those are simply provided as a
| service and nothing more sinister.
|
| They also provide three or so really low spec jump boxes
| to get people up and running if they can't self host -
| again, I call that altruism not sinister.
|
| I will get Wireshark out anyway to check about this stuff
| next week.
|
| You can do your own real due-dil stuff yourself by
| browsing around this:
| https://github.com/rustdesk/rustdesk - read the issues,
| browse the source (read the comments!) get a feel for the
| software.
|
| I'm asserting that it is no worse than anything else. I
| can also assert that the binaries that I get on Arch
| Linux are probably from the official sources (I checked a
| few strings etc). I can't sign off the Windows binaries
| but I can assert that I do trust them from their GitHub
| repo.
|
| I can assert things until I'm blue in the face but I
| trust rustdesk more than most remote access facilities
| for now but I am still kicking the tyres.
| Elyra wrote:
| Unfortunately without sandboxing, these sorts of tools just add
| an extra layer of maintenance to your system for a false sense of
| security [1, 2].
|
| This can actually be harmful for less experienced Linux users who
| may trust something like this to keep them safe for running
| random scripts, especially since I see this tool often
| recommended for such a use case.
|
| [1] https://news.ycombinator.com/item?id=22208223
|
| [2] https://news.ycombinator.com/item?id=14254679
| Pakdef wrote:
| Firewalls have not much to do with running untrusted
| executables... You are confused about what a firewall is for
| (it's for managing network connections, not preventing viruses,
| etc)...
| GekkePrutser wrote:
| It's not just to avoid scripts. Sometimes I just want to
| control what a program can do. Eg not call home but connect to
| ftp servers I want to use it with.
| nathants wrote:
| the issue is that libnetfilterqueue doesn't have pid
| information, and so that must be looked up or joined to another
| data stream at runtime. this can fail. flakes at this point can
| be dangerous, and can reduce confidence in the system. they can
| also encourage you to add rules at both system and program
| level, which is annoying.
|
| one alternative is to specify rules at system level instead of
| program level. that's the approach i ended up landing on[1]. i
| wish i had finer granularity, but i'm glad i don't have flakes.
|
| it's hard to imagine that monitoring network exfil isn't THE
| best way to secure any system. at the least, it's an important
| and necessary step.
|
| 1. https://github.com/nathants/tinysnitch
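Both of nathants' comments on libnetfilterqueue (the one introducing it earlier in the thread and the one just above on flaky PID joins) describe looking the owning PID up in /proc. The Python below is an added example written for this page, not OpenSnitch's or tinysnitch's code; it assumes the Linux /proc layout (a /proc/net/tcp table keyed by socket inode, and socket:[inode] links under /proc/<pid>/fd), and uses a constructed /proc/net/tcp excerpt plus a fake proc tree so it runs offline.

```python
"""Resolve a TCP 4-tuple to a PID through /proc (added example).

This is the "/proc lookup" mentioned in the thread as one way to get the
PID that libnetfilter_queue does not provide. It is not OpenSnitch's code.
Two steps: /proc/net/tcp maps the connection to a socket inode, and a
scan of /proc/<pid>/fd finds which process holds that inode. The sample
/proc/net/tcp dump below is constructed.
"""
import os
import socket
import struct
import tempfile

# Constructed /proc/net/tcp excerpt: one listening socket (state 0A) and one
# established connection (state 01) from 10.0.0.10:53990 to 34.216.184.93:443
# owned by socket inode 67890.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D2E6 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hexaddr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints the IPv4
    address as a native-endian 32-bit word, hence struct's '=' modifier."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Map ((local_ip, port), (remote_ip, port)) -> inode for ESTABLISHED rows."""
    table = {}
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        if state != "01":                   # 01 == TCP_ESTABLISHED
            continue
        table[(_decode_addr(local), _decode_addr(remote))] = int(inode)
    return table


def find_pid_for_inode(inode, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd/* for a 'socket:[<inode>]' link.

    Returns None if no process holds it. That None is the flake the thread
    talks about: a short-lived process can exit between the packet being
    queued and this scan, and unprivileged scans cannot read other users' fds.
    """
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                     # process gone, or EACCES
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def pid_for_connection(local, remote, proc_net_tcp_text, proc_root="/proc"):
    """Full lookup: 4-tuple -> inode -> PID. Inode 0 means an orphaned socket."""
    inode = parse_proc_net_tcp(proc_net_tcp_text).get((local, remote))
    if not inode:
        return None
    return find_pid_for_inode(inode, proc_root)


def demo_lookup():
    """Build a throwaway fake /proc tree (pid 4242 holding inode 67890) and
    resolve the sample connection against it, so the example runs offline."""
    root = tempfile.mkdtemp()
    fd_dir = os.path.join(root, "4242", "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[67890]", os.path.join(fd_dir, "3"))
    return pid_for_connection(("10.0.0.10", 53990), ("34.216.184.93", 443),
                              SAMPLE_PROC_NET_TCP, proc_root=root)


if __name__ == "__main__":
    print("sample connection owned by pid", demo_lookup())
```

Against the live system you would read /proc/net/tcp (and /proc/net/tcp6 for IPv6) at the moment the queued packet arrives and call pid_for_connection with its 4-tuple; every path that returns None here (socket already gone, inode 0 for an orphaned socket, fd directory unreadable) is a case where a program-level rule cannot be evaluated, which is the gap that pushes people toward eBPF hooks on socket connect or toward system-level rules.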
| jwilk wrote:
| Previous discussions:
|
| 2017: https://news.ycombinator.com/item?id=14245270 (103
| comments)
|
| 2020: https://news.ycombinator.com/item?id=22206116 (131
| comments)
___________________________________________________________________
(page generated 2022-06-25 23:00 UTC)