
Comments (5)

MarkoShiva avatar MarkoShiva commented on June 4, 2024

That is not the best practice to do on Linux with DNS servers, because you want to set your nameservers (DNS servers) to those you want. Once you have "allow forever" or "until quit", it will allow every connection through that port to the two or three nameservers you have listed in /etc/resolv.conf.
Now it's not really smart to use ISP nameservers; that is why some people use Google Public DNS servers like 8.8.8.8 and 8.8.4.4, and Level3 servers, for example 4.2.2.3.
If you are smarter than that, then you will use OpenNIC servers or some other custom servers. You can also have a master DNS server on your local machine via the Berkeley Internet Name Domain server. So there are some reasons why you wouldn't want to do that for a domain server; for example, then you couldn't check for a DNS leak.
For unbound, I guess you meant any application to use that port freely; you can set up restrictive outgoing iptables rules and allow any outgoing traffic through that port.
This might not answer your question, but I still do think that the whole point of opensnitch is to discover the host or IP address to which some local outgoing connection is made.
You can, by the way, also edit the sqlite database manually; it's not recommended, probably, except for deleting accidental wrong decisions. If you know the path to the application and which port and IP address it should be allowed to use, you can change it by hand. Opensnitch is good because, without MAC and without too restrictive iptables rules, it gives you granular control over the services that make outgoing connections.


smarek avatar smarek commented on June 4, 2024

Well, not really. If I use any application with local resolv.conf set to an external IP address, I have to allow every application connection to port 53 on the remote host. But I like that: I only want all applications to use the local DNS server, and the local DNS server to be the only one allowed to communicate with remote IP addresses on port 53.

And yes, I respect the point of opensnitch, but I'd also like it to serve as a user-application network firewall, similar to LS. And if I want to, i.e., accept thunderbird talking to ports for smtps/submission/pop3s/imaps but be notified of other ports, this now requires multiple manual confirmations on IP addresses that are assigned from a pool of addresses belonging to a certain DNS A/AAAA record, thus effectively confusing me (without a visible DNS name or PTR record) instead of helping me to understand and secure my environment.


MarkoShiva avatar MarkoShiva commented on June 4, 2024


smarek avatar smarek commented on June 4, 2024

@in1t3r also, to get back to my original idea: if I enable my local DNS server to use port 53, I later on find out which applications do not honor the system settings in resolv.conf or use their own DNS resolver entirely.

That can be applicable to more, i.e., which applications do not honor, or do not fully use, the system-set proxy server (if maybe there are requests done outside of the proxy/VPN, which is quite an interesting security concern).

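The policy smarek describes above (only the local resolver may reach remote port 53, every other process must use 127.0.0.1) together with the audit from the later comment (find applications that bypass resolv.conf), as an added example in Python that is not from this thread or the opensnitch project. The rule field names are assumed to follow opensnitch's JSON rule format, /usr/sbin/unbound is an assumed resolver path, the evaluation order (precedence rules first, first match wins) is an assumption, and the sample connections are constructed.

```python
import ipaddress

# Added example, not opensnitch's own code. Three rules in the JSON field layout
# opensnitchd stores under /etc/opensnitchd/rules/ (assumed to match the real
# format) plus a small evaluator so the policy can be checked offline. Assumed:
# resolver is unbound at /usr/sbin/unbound; precedence rules are tried first.
RULES = [
    {"name": "000-allow-resolver-remote-dns", "enabled": True, "precedence": True,
     "action": "allow", "duration": "always",
     "operator": {"type": "list", "operand": "list", "list": [
         {"type": "simple", "operand": "process.path", "data": "/usr/sbin/unbound"},
         {"type": "simple", "operand": "dest.port", "data": "53"}]}},
    {"name": "001-allow-any-local-dns", "enabled": True, "precedence": True,
     "action": "allow", "duration": "always",
     "operator": {"type": "list", "operand": "list", "list": [
         {"type": "network", "operand": "dest.network", "data": "127.0.0.0/8"},
         {"type": "simple", "operand": "dest.port", "data": "53"}]}},
    {"name": "002-deny-other-dns", "enabled": True, "precedence": False,
     "action": "deny", "duration": "always",
     "operator": {"type": "simple", "operand": "dest.port", "data": "53"}},
]
FIELDS = {"process.path": "process_path", "dest.ip": "dst_ip", "dest.port": "dst_port"}

def matches(op, conn):
    """Evaluate one operator against a connection (process_path, dst_ip, dst_port)."""
    if op["type"] == "list":                       # AND of all sub-operators
        return all(matches(sub, conn) for sub in op["list"])
    if op["type"] == "network":                    # CIDR match on the destination
        return ipaddress.ip_address(conn["dst_ip"]) in ipaddress.ip_network(op["data"])
    return str(conn[FIELDS[op["operand"]]]) == op["data"]   # exact string match

def decide(conn, rules=RULES):
    """Return 'allow', 'deny' or 'ask' (no rule matched: opensnitch would prompt)."""
    ordered = sorted((r for r in rules if r["enabled"]),
                     key=lambda r: (not r["precedence"], r["name"]))
    for rule in ordered:
        if matches(rule["operator"], conn):
            return rule["action"]
    return "ask"

def resolver_bypassers(conns, rules=RULES):
    """Processes denied on remote port 53, i.e. those not honouring resolv.conf."""
    return sorted({c["process_path"] for c in conns if decide(c, rules) == "deny"})

# Constructed sample connections, shaped like what opensnitchd reports.
SAMPLE = [
    {"process_path": "/usr/sbin/unbound", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"process_path": "/usr/lib/firefox/firefox", "dst_ip": "127.0.0.1", "dst_port": 53},
    {"process_path": "/usr/lib/firefox/firefox", "dst_ip": "4.2.2.3", "dst_port": 53},
    {"process_path": "/usr/bin/curl", "dst_ip": "203.0.113.10", "dst_port": 443},
]
```

Running `resolver_bypassers(SAMPLE)` lists firefox, the one process that went to a remote resolver directly; curl on port 443 matches no rule and would trigger the normal opensnitch prompt.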

devmalick avatar devmalick commented on June 4, 2024

Port ranges should be simplified, like 80 - 500 or 80:500; a regular expression is difficult to figure out.

