[Feature Request] Filter forwarded traffic
Summary:
OpenSnitch works quite well testing host-based firewalls. I currently have a setup where opensnitchd runs on the client device, and opensnitch-ui is run on the "router".
However, it would be useful to just run both opensnitchd and opensnitch-ui on the router, and have it filter the traffic of multiple client devices on a LAN with the same ruleset.
Would this be out of scope for the project?
hi @ciandonovan ,
You can configure opensnitch to intercept forwarded traffic by enabling this fw rule: https://github.com/evilsocket/opensnitch/blob/5877e6c6d0299f04cfb90064bc21139002c2c4b1/daemon/system-fw.json#L220
But I'm not sure if I understand the use case. If the daemon is running on different machines, it'll intercept the outbound connections, and send all the requests/network activity to the GUI ("router").
If the daemon is running on the router, then yes, you would have to enable the fw rule to intercept the forwarded traffic (we have a limitation there if I remember correctly).
If the machines where the daemon is running have containers (k8s, docker), then you would also have to enable the fw rule to intercept the forwarded traffic from the containers to the host (it's not perfect but it works).
The forward configuration you provided solves that use-case. I'm guessing that option is not exposed in the GUI?
I was shoehorning OpenSnitch into testing a domain-whitelist ruleset for an enterprise deployment. Worked well enough, except OpenSnitch does "reverse-DNS" through caching DNS query responses and local resolver integration (I think), which doesn't catch everything.
Couldn't find any proper solution on Linux surprisingly, and have since moved to OpnSense which is more suited to my particular use-case. Its method is to take a list of domain aliases, and simply re-query them every 5 minutes or so, and cache all the A/AAAA records to be used in the firewall rulesets.
Still a big fan of OpenSnitch, runs on my personal machine :)
I'm currently evaluating opensnitch for a very similar use case: Instead of/in addition to running the daemon on each host, I'd like to run the daemon(s) at several strategic places e.g. home network routers and vpn servers to be able to intercept all (forwarded and nat) traffic flowing through from a multitude of different machines (and operating systems). The daemons shall be controlled from a central entity via opensnitch-ui. The architecture of opensnitch actually seems perfectly suitable for this kind of operation!
The forward rule should already work.
Can you give me a hint how the rule for intercepting source nat SNAT traffic could look like?
Hi @MEschenbacher ,
Interesting use-case! It'd be something like: nft add rule inet nat postrouting queue num 0
or you can add it to the fw config:
{
  "Name": "postrouting",
  "Table": "nat",
  "Family": "inet",
  "Priority": "",
  "Type": "natsource",
  "Hook": "postrouting",
  "Policy": "accept",
  "Rules": [
    {
      "Table": "",
      "Chain": "",
      "UUID": "5637eb4c-f553-11ef-8000-247703cb069c",
      "Enabled": true,
      "Position": "0",
      "Description": "postrouting queue num 0",
      "Parameters": "",
      "Expressions": [
        {
          "Statement": {
            "Op": "==",
            "Name": "oifname",
            "Values": [
              {
                "Key": "wlp3s0",
                "Value": ""
              }
            ]
          }
        }
      ],
      "Target": "queue",
      "TargetParameters": "num 0"
    }
  ]
}
Out of curiosity, why intercepting traffic in that chain?
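As an added illustration of the fw config format posted above (example code, not OpenSnitch's own): a small Python script that takes a chain entry shaped like the one in this thread and renders the equivalent `nft add rule` commands, skipping disabled entries and refusing a queue target with no queue number. The sample chain and the mapping from "Expressions" to nft match syntax are assumptions made for this example.

```python
import json

# Constructed sample shaped like the "postrouting" chain posted in this thread
# (not the project's own system-fw.json); only the fields used below are kept.
SAMPLE_CHAIN = json.loads("""
{
  "Name": "postrouting", "Table": "nat", "Family": "inet",
  "Hook": "postrouting", "Policy": "accept",
  "Rules": [
    {"Enabled": true, "Description": "postrouting queue num 0",
     "Expressions": [
       {"Statement": {"Op": "==", "Name": "oifname",
                      "Values": [{"Key": "wlp3s0", "Value": ""}]}}
     ],
     "Target": "queue", "TargetParameters": "num 0"},
    {"Enabled": false, "Description": "disabled entry, must be skipped",
     "Expressions": [], "Target": "accept", "TargetParameters": ""}
  ]
}
""")


def render_statement(stmt: dict) -> str:
    """Render one Expressions[].Statement as an nft match (assumed mapping)."""
    # Each value is {"Key", "Value"}; for a bare match such as oifname the
    # interface name sits in Key and Value is left empty.
    vals = [v["Value"] or v["Key"] for v in stmt.get("Values", [])]
    if not vals:
        raise ValueError(f"{stmt['Name']}: no values to match on")
    quoted = [f'"{v}"' for v in vals]
    rhs = quoted[0] if len(quoted) == 1 else "{ " + ", ".join(quoted) + " }"
    op = "" if stmt["Op"] == "==" else f"{stmt['Op']} "  # "==" is implicit in nft
    return f"{stmt['Name']} {op}{rhs}"


def chain_to_nft(chain: dict) -> list[str]:
    """Return one 'nft add rule ...' command per enabled rule in the chain."""
    base = f"nft add rule {chain['Family']} {chain['Table']} {chain['Name']}"
    out = []
    for rule in chain["Rules"]:
        if not rule.get("Enabled", False):
            continue  # disabled entries stay in the file but are never loaded
        matches = [render_statement(e["Statement"]) for e in rule.get("Expressions", [])]
        if rule["Target"] == "queue" and "num" not in rule["TargetParameters"]:
            raise ValueError("queue target needs 'num N' so packets reach the daemon")
        verdict = f"{rule['Target']} {rule['TargetParameters']}".strip()
        out.append(" ".join([base, *matches, verdict]))
    return out


if __name__ == "__main__":
    for cmd in chain_to_nft(SAMPLE_CHAIN):
        print(cmd)
```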