[HN Gopher] OpenSnitch is a GNU/Linux port of the Little Snitch ... ___________________________________________________________________ OpenSnitch is a GNU/Linux port of the Little Snitch application firewall Author : btdmaster Score : 84 points Date : 2022-06-25 15:51 UTC (7 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | a-dub wrote: | i want a cable modem + oss router/outbound firewall/egress logger | all in one device. does such a thing exist? | gerdesj wrote: | I've been a pfSense fan for something like 15 years. I run | something like 50-60 of them around the country (UK). In my | office is a 2 node CARP beastie with six WANs and 12 NICs each | (Dell R310s) and quite a lot of cabling. At home I have an APU4 | humming away in the attic. I have a full IPv4 and 6 stack | running and more VPNs than you can shake a stick at. The docs: | https://docs.netgate.com/pfsense/en/latest/index.html are | excellent. | | Slap on the pfblocker-ng package and you effectively have a | souped up Pi-Hole in the router too. My TV at home has stopped | showing adverts for certain streaming channels which is nice. | | There are certain strong feelings against Netgate (nee Electric | Sheep Fencing) which may or may not be justified. You have | Opnsense as an alternative option - it's a very well thought of | fork of pfSense. | nathants wrote: | 1. get linux router on lan or linux vpn on wan. | | 2. install opensnitch or similar on 1. | | 3. route all traffic through 1. | | 4. figure out how to deal with rule management and new | connection requests from 1 to wherever is most convenient for | you. | elesiuta wrote: | I've kinda been keeping an eye on firewalla [0] since it looks | pretty simple and probably good enough for home use? If anyone | has any experience with it, or has looked into how good/useful | the security of it is I'd love to hear it. | | There's also pfsense [1] and OPNsense [2] which are more geared | towards business users, and personally not worth the effort for | me to maintain at home, so I haven't looked into them as much. | | [0] https://firewalla.com/ | | [1] https://www.pfsense.org/products/ | | [2] https://shop.opnsense.com/product-categorie/hardware- | applian... | macinjosh wrote: | OpenWRT | lapser wrote: | There is also eBPFSnitch, though it hasn't been updated in a | while. It uses eBPF for packet filtering. | | https://github.com/harporoeder/ebpfsnitch | emrtuerthjnu wrote: | it hasn't been updated because the ebpf module from it landed | in opensnitch | | https://github.com/evilsocket/opensnitch/tree/master/ebpf_pr... | squarefoot wrote: | How does it compare to Bubblewrap? I tried it to test Windows | software that I don't trust under WINE and it worked, but a few | times the sandboxed program wouldn't work although it would when | run under a non networked machine, so I thought the sandboxing | was also affecting Unix sockets, that is, IPC. | | Command used was: "bwrap --bind / / --dev /dev --unshare-net -- | exe_name" | nathants wrote: | this is a really great project. | | if you haven't heard of libnetfilterqueue, this is what it's for. | it's really good. tremendous thanks to the author for introducing | me to it via this project. | | the main problem with libnetfilterqueue is that it doesn't have | pid information. you have to look that up in /proc or via a | hashmap maintained by ebpf. either method has issues. | | an unexplored alternative, afaik, is seccomp with userspace | filtering[1]. then you get pid information and direct control of | syscalls. this may still need to be paired with libnetfilterqueue | depending on implementation. | | 1. https://lwn.net/Articles/756233/ | metadat wrote: | This looks great, but is there a TUI or headless mode? | | I don't really like GUIs in my Linux, setting up VNC is such a | pain. | rubyn00bie wrote: | I think the whole point of LittleSnitch/OpenSnitch is the GUI. | I feel like this is sort of a descendant of (or rather inspired | by) a piece of software from long ago called "ZoneAlarm" for | Windows. I mention this because I primarily used it before I | could code or knew about the "system"; which, also happened to | be when I was pirating a lot of software (high school). You | should be able to accomplish most all of this, and more, from | the command line already. `netstat` alone would probably get | you most of the way there. | heresie-dabord wrote: | You can use lsof in Linux to show connexions: | | lsof -i -n -P | grep "\\\\-\>" | awk '{a[\$1"_p"\$2]++;}END{ | for (it in a){print it,a[it]}}' | sort -nr -k2,2 | | This project uses conky to display the current connexions: | | https://github.com/viviparous/plonky/blob/main/plonky.pl | metadat wrote: | ZoneAlarm, now there is something I haven't thought about in | nearly two decades!!! (since HS or early uni) | | Netstat _sort of_ fills this niche, but not without a lot of | manual toil on behalf of the operator. In general, Linux and | the apps in the ecosystem are much more well-behaved with | regard to "wtf is this traffic" compared to macOS or | Windows. | | Trust is great and all but visibility is better. Linux is | still dicey to correlate traffic with a particular app, | especially if the connection is/was shortlived. | elesiuta wrote: | > Linux is still dicey to correlate traffic with a | particular app, especially if the connection is/was | shortlived. | | This is has become a lot easier and more reliable to do now | with BPF [0]. | | I also used the same approach to create a somewhat user- | friendly TUI and web dashboard for it [1]. It is also able | to hash the executable (even if it was shortlived). | | [0] https://www.gcardone.net/2020-07-31-per-process- | bandwidth-mo... | | [1] https://github.com/elesiuta/picosnitch | nathants wrote: | ebpf used in this way is typically nonblocking. it drops | data instead of blocking. for a firewall, that's | potentially bad. | | can ebpf operate in a blocking manner while making | drop/allow decisions on packets WITH reliable access to | the callers pid and argv? | elesiuta wrote: | > for a firewall, that's potentially bad | | I wasn't talking about using it as a firewall, just a | connection/bandwidth monitor that correlates traffic with | a particular app. | nathants wrote: | bandwidth monitor use case seems like a perfect fit, and | the occasional missed packet wouldn't be an issue. | | picosnitch looks really cool! i've rss subscribed to its | github commits. | elesiuta wrote: | Thanks! Also I used lost_cb [0] to detect if a packet or | connection (with security_socket_connect) was missed | between the BPF and Python parts, but is it possible for | the BPF program to miss either entirely without | triggering that callback? | | If so (without a kernel vulnerability which should be a | given) I'd like to have it mentioned under the | limitations section for picosnitch so others can be aware | as well. | | [0] https://github.com/iovisor/bcc/blob/master/docs/refer | ence_gu... | nathants wrote: | i don't think so. i think exactly what you've documented | is the case. if the callback can't keep up with the data | before the ringbuffer overflows, data is lost. in that | case, the solution is to increase the size of the | ringbuffer, giving the callback a larger window to keep | up with incoming data bursts. | | in the end there are only two ways to handle this: drop | data or block. for a bandwidth monitor, i'd choose drop. | for a firewall, i'd choose block. | | i use bpftrace to monitor docker filesystem access in a | similar way[1]. i also increase the ringbuffer size until | i stop seeing lost data. | | 1. https://github.com/nathants/docker-trace#files | metadat wrote: | Very cool! I also found it recently submitted to HN: | https://news.ycombinator.com/item?id=31160863 | nathants wrote: | i use a kind of tui. it is actually a gui, pops up fullscreen. | you can't click it though, just keypress interaction. | | i agree with you. especially if i'm filtering all traffic, i | need to be able to y/n quickly and easily. | | https://github.com/nathants/tinysnitch#demo | gerdesj wrote: | Take a look into rustdesk the server ie self hosting bit has | been recently open sourced. It's basically Teamviewer but | faster and rock solid so far. Some features are missing but the | basics are there. I'm going to be dumping our TV account quite | soon. | | The missing piece was remote installing the client on Windows | en mass to be able to be able to switch to root errr | Administrator. TV allows you to pass Windows creds through to | remote install itself but rustdesk can't yet or that might | become an "enterprise feature". However Ansible can manage a | WinRM enabled Windows box with Kerb and encryption over http | and no client install. You can switch on WinRM via a GPO. | | Getting some bits of Ansible working on Arch and certain other | bleeding edge distros might involve pip install --update | pycrypto (and/or) pykerberos. Python 3.10 deprecated something | in a rather cryptic way, that I'm sure was jolly important but | broke quite a lot of things important to a Linux sporting | sysadmin in a Windows world. | metadat wrote: | Yes, recently submitted ( | https://news.ycombinator.com/item?id=31456007 ) and IIRC, the | verdict was it's a bit shady and sketchy on the security | front. Unfortunate. | gerdesj wrote: | Take a look into the source. I've only cast a vague eye so | far but it looks like it reuses quite a lot of well | regarded stuff including VNC, so I'll take issue with | "shady and sketchy". | | If you skim read that thread from HN where I also learned | about Rust Desk then there is no consensus about "sketchy". | Searching for the word "security" gets a discussion about | SSL/TLS and some pontificating. | | I'm no real expert on IT security but I do have a Nessus | license and a box to wield it from. I've run quite a few | firewalls from Fortinet, pfSense, Juniper, hand crafted | Linux, <various others>. I have 15 VLANs at home 8) | | In my office I have a pair of Dell S funky devops switches | worth around PS20,000 sat on the bench as I plough through | the 2000 page manual. I've got over the lack of old school | stacking (why do they still have a stack LED indicator?) | They have a LACP mediated VLT domain link running at | 200Gbs-1 (Gb/s) - two physical wires. Now, do I partition | the 100Gb links into four lots of 25Gb because that will | allow more flows. Ok let's look at how this thing is used: | iSCSI for data and VMware. The iSCSI links are 10Gb to the | M series SAN so more links seem indicated. | | I also learned Ansible on Thursday rather rapidly because I | can deploy these beasts with it (they boot Debian and have | Docker installed already, which is adorable!) and | coincidentally, I need a non MS way of getting at Windows | boxes from Linux. Ansible doesn't need a client app. | | It's getting busy in IT. I'm 52 FFS (and absolutely love | it!) | metadat wrote: | The Rust Desk security concern is due to it's not 100% | self-hosted, it uses some kind of TURN or fw hole puncher | which they host and didn't provide the sources for. | | If I'm mistaken please tell me, would love to use it if | it's "safe". | gerdesj wrote: | I've got a self hosted host in my office. When you deploy | a client, you can rename the Windows exe to include the | DNS name and public key of your host and it will then use | them - clever idea. So I don't think you need their | TURN/STUN. I suspect those are simply provided as a | service and nothing more sinister. | | They also provide three or so really low spec jump boxes | to get people up and running if they can't self host - | again, I call that altruism not sinister. | | I will get Wireshark out anyway to check about this stuff | next week. | | You can do your own real due-dil stuff yourself by | browsing around this: | https://github.com/rustdesk/rustdesk - read the issues, | browse the source (read the comments!) get a feel for the | software. | | I'm asserting that it is no worse than anything else. I | can also assert that the binaries that I get on Arch | Linux are probably from the official sources (I checked a | few strings etc). I can't sign off the Windows binaries | but I can assert that I do trust them from their GitHub | repo. | | I can assert things until I'm blue in the face but I | trust rustdesk more than most remote access facilities | for now but I am still kicking the tyres. | Elyra wrote: | Unfortunately without sandboxing, these sorts of tools just add | an extra layer of maintenance to your system for a false sense of | security [1, 2]. | | This can actually be harmful for less experienced Linux users who | may trust something like this to keep them safe for running | random scripts, especially since I see this tool often | recommended for such a use case. | | [1] https://news.ycombinator.com/item?id=22208223 | | [2] https://news.ycombinator.com/item?id=14254679 | Pakdef wrote: | Firewalls have not much to do with running untrusted | executables... You are confused about what a firewall is for | (it's for managing network connections, not prevent virus, | etc)... | GekkePrutser wrote: | It's not just to avoid scripts. Sometimes I just what to | control what a program can do. Eg not call home but connect to | ftp servers I want to use it with. | nathants wrote: | the issue is that libnetfilterqueue doesn't have pid | information, and so that must be looked up or joined to another | data stream at runtime. this can fail. flakes at this point can | be dangerous, and can reduce confidence in the system. they can | also encourage you to add rules at both system and program | level, which is annoying. | | one alternative is to specify rules at system level instead of | program level. that's the approach i ended up landing on[1]. i | wish i had finer granularity, but i'm glad i don't have flakes. | | it's hard to imagine that monitoring network exfil isn't THE | best way to secure any system. at the least, it's an important | and necessary step. | | 1. https://github.com/nathants/tinysnitch | jwilk wrote: | Previous discussions: | | 2017: https://news.ycombinator.com/item?id=14245270 (103 | comments) | | 2020: https://news.ycombinator.com/item?id=22206116 (131 | comments) ___________________________________________________________________ (page generated 2022-06-25 23:00 UTC)