evilsocket / opensnitch
OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
License: GNU General Public License v3.0
[2017-04-20 13:08:55,017] (WARNING) Could not find process for udp connection 172.18.115.120:123 -> 91.189.91.157:123
[2017-04-20 13:08:55,017] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,044] (WARNING) Could not find process for tcp connection 172.18.115.120:38052 -> 216.58.192.14:80
[2017-04-20 13:08:55,045] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,105] (WARNING) Could not find process for udp connection 172.18.115.120:52695 -> 239.255.255.250:1900
[2017-04-20 13:08:55,105] (WARNING) Could not detect process for connection.
Seems like additional ways of linking a packet to a process should be investigated.
Hello,
I must be missing something in the install instructions:
Using:
sudo apt-get install build-essential python-dev python-setuptools libnetfilter-queue-dev python-pyqt5
does not result in an opensnitch directory to cd into. Can't seem to find any opensnitch command on my machine after issuing these commands.
Advice?
Thanks
Just gave a try on Ubuntu 14.04, and not much Python knowledge.
Promising project, but after install, didn't run.
FWIW, this happened:
(could be unrelated to opensnitch, but as a lambda user, I don't know what steps I should take).
$> sudo opensnitch
Traceback (most recent call last):
File "/usr/local/bin/opensnitch", line 5, in <module>
pkg_resources.run_script('opensnitch==0.0.2', 'opensnitch')
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
execfile(script_filename, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/EGG-INFO/scripts/opensnitch", line 43, in <module>
mpl.rcParams['backend'] = 'Qt5Agg'
File "/usr/lib/pymodules/python2.7/matplotlib/__init__.py", line 808, in __setitem__
cval = self.validate[key](val)
File "/usr/lib/pymodules/python2.7/matplotlib/rcsetup.py", line 146, in validate_backend
return _validate_standard_backends(s)
File "/usr/lib/pymodules/python2.7/matplotlib/rcsetup.py", line 57, in __call__
% (self.key, s, self.valid.values()))
ValueError: Unrecognized backend string "qt5agg": valid strings are ['pdf', 'pgf', 'Qt4Agg', 'GTK', 'GTKAgg', 'ps', 'agg', 'cairo', 'MacOSX', 'GTKCairo', 'WXAgg', 'template', 'TkAgg', 'GTK3Cairo', 'GTK3Agg', 'svg', 'WebAgg', 'CocoaAgg', 'emf', 'gdk', 'WX']
opensnitch cannot find processes for certain connections on my machine, for example the multicast of kodi and the ntp queries to different servers. I run Debian sid with systemd so this might not happen on other machines. Btw netstat and ss do show process owners as kodi and ntpd so I didn't pass through code yet to see how you guys are getting the process names, but it doesn't work for some udp outgoing connections.
[2017-05-09 17:30:30,898] (WARNING) Could not find process for udp connection 10.21.35.100:47628 -> 239.255.255.250:1900
[2017-05-09 17:31:57,012] (WARNING) Could not find process for udp connection 10.21.35.100:123 -> 5.39.80.28:123
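The "Could not find process" reports above are mostly UDP flows (NTP on port 123, SSDP to 239.255.255.250:1900) whose owners the kernel's socket tables do list. The following is an added example, not opensnitch's code, showing one plausible reason (an assumption, not confirmed on this page): an unconnected UDP socket appears in /proc/net/udp with remote 0.0.0.0:0 and often a wildcard local address, so a lookup on the exact 4-tuple misses it. The sample table, inode numbers and function names are constructed for illustration.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000   123        0 40961 2 0000000000000000 0
  102: 787312AC:CDD7 FAFFFFEF:076C 01 00000000:00000000 00:00000000 00000000  1000        0 40962 2 0000000000000000 0
  103: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40963 2 0000000000000000 0
"""

UNCONNECTED = ("0.0.0.0", 0)


def _decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as printed by /proc/net/{tcp,udp} (IPv4 only)."""
    ip_hex, port_hex = field.split(":")
    # The address is printed as a host-order 32-bit word; on little-endian
    # hosts (assumed here) the bytes therefore appear reversed.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_table(text):
    """Parse the table text into a list of socket entries."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        entries.append({
            "local": _decode_addr(cols[1]),
            "remote": _decode_addr(cols[2]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return entries


def find_inode(entries, src, dst):
    """Return (inode, how) for an outgoing packet src -> dst."""
    # 1. Connected sockets: the full 4-tuple is present in the table.
    for e in entries:
        if e["local"] == src and e["remote"] == dst:
            return e["inode"], "exact"
    # 2. Unconnected sockets (sendto() without connect()): remote is
    #    0.0.0.0:0 and the local address may be the wildcard, so only the
    #    local port can be matched.
    for e in entries:
        if e["remote"] != UNCONNECTED or e["local"][1] != src[1]:
            continue
        if e["local"][0] in (src[0], "0.0.0.0"):
            return e["inode"], "local-port"
    return None, "not-found"


def pid_for_inode(inode, proc_root="/proc"):
    """Find the PID holding socket:[inode] by scanning <proc_root>/<pid>/fd."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited or not readable
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None                                 # caller must handle "unknown"


if __name__ == "__main__":
    table = parse_table(SAMPLE_PROC_NET_UDP)
    # NTP query from the first log above: no exact match, found by local port.
    print(find_inode(table, ("172.18.115.120", 123), ("91.189.91.157", 123)))
```

`pid_for_inode` returns `None` when no readable process holds the socket, and the caller has to treat that as an unknown owner rather than pass it on to `int()`.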
Hi,
I've tested opensnitch this morning on Linux Mint 18.1 (Kernel: x86_64 Linux 4.4.0-78-generic) which is based on Debian and Ubuntu (LTS).
I just had to apt install libpcap-dev to pass the install.
Then I started the opensnitch daemon & gui, it discovered a lot of my connections and I started to set rules until opensnitch-qt popups stopped appearing.
I tried it, for example after allowing git, I managed to use git & clone repos. Good.
But then I tried to apt update and this was blocked by opensnitch.
After killing the daemon, apt update was working.
Any idea?
When I fire up opensnitch, I immediately get a long stream of endless warnings due to opensnitch not finding a process for a specific connection (in my case a UDP connection to localhost), like so:
[2017-04-27 12:13:45,488] (WARNING) Could not find process for udp connection 127.0.0.1:XXXXX -> 127.0.0.1:XXXX
[2017-04-27 12:13:45,498] (WARNING) Could not find process for udp connection 127.0.0.1:XXXXX -> 127.0.0.1:XXXX
The warnings are repeated forever, unless opensnitch process is killed.
Suggest instead to prompt the user after X identical warnings, to verify whether they want to silence the warning (forever, once, etc), to make it easier to test.
Looks like opensnitch fails to catch some processes PIDs.
[2017-05-03 09:08:05,470] (INFO) Using rules database from /home/tx/opensnitch.db
[2017-05-03 09:08:05,801] (INFO) OpenSnitch v0.0.2 running with pid 31270.
[2017-05-03 09:08:06,128] (INFO) Enabling ProcMon ...
[2017-05-03 09:08:06,141] (INFO) ProcMon running ...
[2017-05-03 09:08:47,665] (WARNING) Could not find process for tcp connection 192.168.1.22:33092 -> 192.168.1.1:445
[2017-05-03 09:08:47,821] (WARNING) Could not find process for tcp connection 192.168.1.22:33094 -> 192.168.1.1:445
[2017-05-03 09:08:48,004] (WARNING) Could not find process for tcp connection 192.168.1.22:33096 -> 192.168.1.1:445
[2017-05-03 09:08:48,187] (ERROR) Exception on packet callback:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
conn = Connection( self.procmon, data )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
self.proto )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
appname = procmon.get_app_name(pid)
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'
[2017-05-03 09:08:53,996] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:55795
[2017-05-03 09:08:59,239] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:46391
[2017-05-03 09:09:07,602] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:58040
[2017-05-03 09:09:08,920] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:34962
[2017-05-03 09:09:48,584] (ERROR) Exception on packet callback:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
conn = Connection( self.procmon, data )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
self.proto )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
appname = procmon.get_app_name(pid)
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'
Not sure if these are normal or not:
[2017-04-18 06:01:18,298] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
hostname = packet[0][i].rrname
File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,783] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
hostname = packet[0][i].rrname
File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,784] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
hostname = packet[0][i].rrname
File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,913] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
hostname = packet[0][i].rrname
File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [6] not found
[2017-04-18 06:01:19,914] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
hostname = packet[0][i].rrname
File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [6] not found
Thanks...this is one thing that has always been missing from linux!
This might be a long-term feature request, but it is perhaps useful to have a bug to track it.
Hi,
Here is a missing dep (at least for latest ubuntu): python-gtk2.
I'm a bit surprised since python-qt4 is listed in the deps.
not sure how to help you debug this atm.
We can use the amazing Linux feature capabilities!
The only tricky bit is that the iptables CLI command is being called so ambient capabilities would have to be used.
Currently opensnitch would have to use:
Obviously this is blocked by #20 since without this you would have to set the capabilities for the Python interpreter.
Followed setup instructions in Python 3.5.3 on Ubuntu 17.04 and get the following output when I run it:
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "/usr/local/bin/opensnitch", line 4, in <module>
__import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 739, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1494, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 46, in <module>
(options, args) = parser.parse_args()
TypeError: 'Namespace' object is not iterable
I also tried running it from the bin directory with sudo python3 opensnitch which gives basically the same result:
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "opensnitch", line 46, in <module>
(options, args) = parser.parse_args()
TypeError: 'Namespace' object is not iterable
Any help or advice would be appreciated - I'd really like to try this thing. =)
With current iptables rules packets that don't fit in the netfilter queue are automatically accepted. I think that the default should be exactly opposite, or at least configurable, for serious use.
E.g. the following happens on my test system even if I don't respond to the UI. Obviously it's possible to open new connections even faster:
for n in `seq 1 10000`; do echo wat | nc localhost 1234 & done
karol@omoikane karol% nc -k -l 1234
wat
wat
wat
wat
wat
...
Important bug: labeling a connection as forever and clicking allow continues prompting you for the same IP all the time. Ways to reproduce:
First of all remove all references for firefox in opensnitch.db with sqlitebrowser.
Start a not whitelisted app, for example firefox without proxy.
Then start a ssh connection somewhere which is not blocked which is improvement login via ssh.
Return back to the firefox prompt and check the billion dns prompts that appear no matter if you click forever and allow.
Click it a thousand times, it still ain't gonna disappear.
Currently, opensnitch is using /proc/self/cmdline and /proc/self/comm, but they can easily be manipulated by a malicious application, and thus shouldn't be trusted.
if you do not have installed and python3-dev installed then you will have the error of missing the Python3 header.
Processing psutil-5.2.2.tar.gz
Writing /tmp/easy_install-59px_39p/psutil-5.2.2/setup.cfg
Running psutil-5.2.2/setup.py -q bdist_egg --dist-dir /tmp/easy_install-59px_39p/psutil-5.2.2/egg-dist-tmp-qo3h6u85
warning: manifest_maker: MANIFEST.in, line 14: 'recursive-include' expects <dir> <pattern1> <pattern2> ...
warning: no previously-included files matching '*' found under directory 'docs/_build'
warning: no previously-included files matching '*' found under directory '.ci'
psutil/_psutil_linux.c:12:20: fatal error: Python.h: No such file or directory
#include <Python.h>
^
compilation terminated.
So installing python3-dev should be a prerequisite, because without it you will get an error if you have only python2 installed, and the README still says to use the command python setup.py install, which, if you have python2 as default, just generates an error:
python setup.py build
Traceback (most recent call last):
File "setup.py", line 26, in <module>
sys.version_info[0]))
RuntimeError: Unsupported python version "2"
It's a minor issue but I will update the README with those two deps and change the cli install line into python3 setup.py install
This should fix #22 (not sure, might need more adjusting), plays nice with wayland and a whole bunch of other things
Hello, tried this on Gentoo, emerged all the dependencies, installation goes OK. But I cannot start opensnitch due to an error:
Traceback (most recent call last):
File "/usr/bin/opensnitch", line 4, in <module>
__import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
File "/usr/lib64/python3.5/site-packages/pkg_resources/__init__.py", line 738, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib64/python3.5/site-packages/pkg_resources/__init__.py", line 1499, in run_script
exec(code, namespace, namespace)
File "/usr/lib64/python3.5/site-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 69, in <module>
from opensnitch.snitch import Snitch
File "/usr/lib64/python3.5/site-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 20, in <module>
from netfilterqueue import NetfilterQueue
ImportError: /usr/lib64/python3.5/site-packages/NetfilterQueue-0.8.1-py3.5-linux-x86_64.egg/netfilterqueue.cpython-35m-x86_64-linux-gnu.so: undefined symbol: PyString_FromStringAndSize
Running an X application as root destroys any shred of security the Linux desktop might otherwise have. A root-privileged daemon and an unprivileged user interface talking across a Unix socket or some other form of IPC would be far more reasonable for a security application.
Current install instructions are:
sudo apt-get install build-essential python-dev python-setuptools libnetfilter-queue-dev python-qt4
cd opensnitch
sudo python setup.py install
The line
cd opensnitch
Makes me think I'm supposed to change into a directory. Cuz, that's what it's doing.
So, I believe it's missing the following line to git clone the repo:
git clone https://github.com/evilsocket/opensnitch.git
Right?
Have a fresh Ubuntu 17.04 install, it wanted this in addition to the base for opensnitch
apt install python3-dev
apt install libcap-dev
Those worked fine, but even after apt install libnfnetlink-dev I have the following problem:
python3 setup.py install
running install
running bdist_egg
running egg_info
writing requirements to opensnitch.egg-info/requires.txt
writing opensnitch.egg-info/PKG-INFO
writing dependency_links to opensnitch.egg-info/dependency_links.txt
writing top-level names to opensnitch.egg-info/top_level.txt
reading manifest file 'opensnitch.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files found matching '*.pyc'
warning: no previously-included files found matching '.DS_Store'
warning: no previously-included files found matching '.gitignore'
warning: no files found matching 'distribute_setup.py'
writing manifest file 'opensnitch.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/rule.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/procmon.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/snitch.py -> build/bdist.linux-x86_64/egg/opensnitch
creating build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/app.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/helpers.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/__init__.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/dbus.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/dialog.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/desktop_parser.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
creating build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/dialog_hi.ui -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/__init__.py -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/dialog.ui -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/proc.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/dbus_service.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/version.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/__init__.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/iptables.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/connection.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/dns.py -> build/bdist.linux-x86_64/egg/opensnitch
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/rule.py to rule.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/procmon.py to procmon.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/snitch.py to snitch.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/app.py to app.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/helpers.py to helpers.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/__init__.py to __init__.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/dbus.py to dbus.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/dialog.py to dialog.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/desktop_parser.py to desktop_parser.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/resources/__init__.py to __init__.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/proc.py to proc.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/dbus_service.py to dbus_service.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/version.py to version.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/__init__.py to __init__.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/iptables.py to iptables.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/connection.py to connection.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/dns.py to dns.cpython-35.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
installing scripts to build/bdist.linux-x86_64/egg/EGG-INFO/scripts
running install_scripts
running build_scripts
creating build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.5/opensnitch-qt -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.5/opensnitchd -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/opensnitch-qt to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/opensnitchd to 755
copying opensnitch.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/not-zip-safe -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
creating 'dist/opensnitch-0.0.2-py3.5.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing opensnitch-0.0.2-py3.5.egg
removing '/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg' (and everything under it)
creating /usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg
Extracting opensnitch-0.0.2-py3.5.egg to /usr/local/lib/python3.5/dist-packages
opensnitch 0.0.2 is already the active version in easy-install.pth
Installing opensnitch-qt script to /usr/local/bin
Installing opensnitchd script to /usr/local/bin
Installed /usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg
Processing dependencies for opensnitch==0.0.2
Searching for NetfilterQueue
Reading https://pypi.python.org/simple/NetfilterQueue/
Downloading https://pypi.python.org/packages/39/c4/8f73f70442aa4094b3c37876c96cddad2c3e74c058f6cd9cb017d37ffac0/NetfilterQueue-0.8.1.tar.gz#md5=ea2c262d6a571cb5ecdaed1bbb0da2b4
Best match: NetfilterQueue 0.8.1
Processing NetfilterQueue-0.8.1.tar.gz
Writing /tmp/easy_install-rbue5v9n/NetfilterQueue-0.8.1/setup.cfg
Running NetfilterQueue-0.8.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-rbue5v9n/NetfilterQueue-0.8.1/egg-dist-tmp-gk___dia
netfilterqueue.c:439:54: fatal error: libnetfilter_queue/linux_nfnetlink_queue.h: No such file or directory
#include "libnetfilter_queue/linux_nfnetlink_queue.h"
^
compilation terminated.
error: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
Resizing of the QT pop-up window with the exec command of the process does not work. The pop-up resizes but not the content in it, and usually the whole area is covered with the name of the process and its arguments taken from the exec line, and that, in the case of chromium or Java based applications or IDEs like eclipse or pycharm, will not allow you to see the IP it is trying to connect to nor the port it is trying to connect to. I dunno, that might be just a QT issue or some missing library, but at least on my i3wm resizing the window with the prompt does not resize the text in it. So that is one nasty issue that I would like to see confirmed on different DEs or WMs, and it should be fixed so that we can always see the IP it's trying to connect to and the port. I'm attaching a picture of, for example, chromium run without TOR: it makes a lot of connections but I can't see any of the IPs because the window space is taken by the process name and passed arguments.
Xubuntu - 4.9.20-040920-generic
sudo -HE opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "/usr/local/bin/opensnitchd", line 4, in <module>
__import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitchd')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 744, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1499, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitchd", line 38, in <module>
from opensnitch.snitch import Snitch
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 31, in <module>
from opensnitch.iptables import IPTCRules
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/iptables.py", line 19, in <module>
import iptc
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/__init__.py", line 10, in <module>
from iptc.ip4tc import (is_table_available, Table, Chain, Rule, Match, Target,
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/ip4tc.py", line 13, in <module>
from .xtables import (XT_INV_PROTO, NFPROTO_IPV4, XTablesError, xtables,
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/xtables.py", line 812, in <module>
raise XTablesError("can't find directory with extensions; "
iptc.xtables.XTablesError: can't find directory with extensions; please set XTABLES_LIBDIR
Hope this project isn't re-inventing Douane. If not any argument on why prefer this?
Adding arguments into the sqlitedb would be much better than storing just the name, because if you are running multiple firefox profiles like me, for example one running through TOR and the other going without proxy, you still have their rules stored as the rules for the same application, which is not good.
For example if you run a version of firefox with TOR you want to make sure that you don't have DNS leaks like it was happening in 45-46-47 and now the esr version. Basically the remote DNS should work and you shouldn't have leaks and requests for local dns servers. I used opensnitch to find that bug in firefox-esr. So basically once you give a permission that is stored like a forever permission to one profile, like in this case firefox that goes without proxy, you are actually giving permission to that same version of firefox to connect to those IPs even if it runs through TOR or VPN.
That is pretty bad: for any application that uses the network and can have multiple profiles, some that use proxifying and some that don't, the issue appears.
I know that some of the entries then would be pretty long, like eclipse related or anything that starts with java and many arguments, but it's still better that way than to have arguments removed from the stored path even if they are properly displayed on the prompt.
I suggest this as the enhancement and ask anyone of you to share thoughts about it, especially @evilsocket @adisbladis
Trying to install opensnitch in Ubuntu 16.04.
Installed dependencies as per the readme > cd to opensnitch>sudo python setup.py install
I get back the following;
Traceback (most recent call last):
File "setup.py", line 26, in <module>
sys.version_info[0]))
RuntimeError: Unsupported python version "2"
python 3 is installed.
Thanks,
Doug
Hello,
I would like to suggest that Opensnitch should be more keyboard friendly. As it is, it is possible to use the keyboard to take actions, but it's a bit cumbersome to do so. So, my suggestion is the following:
Improve coloring/contrast of the selected button (As it is, it's hard to see if it's the "Allow" or "Deny" that's selected);
Move the "Take this action" dropdown to buttons; Instead of having a dropdown with "Once", "Until quit" and "Forever", I would suggest having them side by side, all visible at the same time;
Bind keys to all the options; For example, the numbers "1,2,3" could be shortcuts to "Once", "Until quit" and "Forever", respectively. The "w", "b", "d" and "a" could be shortcuts to "Whitelist app", "block app", "deny" and "allow", respectively.
Sorry if this is cherry-picking and I know there's much more important stuff to do, but I believe this could improve Opensnitch.
Hi,
Great work. Can we by any means monitor application level bandwidth, i.e. incoming/outgoing data per second?
Hey there.
I am trying to run opensnitch on arch linux with GNOME 3.24.1. I got it working so far, but the GUI is not coming up :/
What I did:
git clone git@github.com:evilsocket/opensnitch.git
cd opensnitch
sudo python2 setup.py install
sudo opensnitch
And the log looks like this:
[2017-04-30 18:55:28,087] (INFO) Using rules database from /home/lerentis/opensnitch.db
[2017-04-30 18:55:28,088] (INFO) OpenSnitch v0.0.2 running with pid 22126.
[2017-04-30 18:55:28,402] (INFO) Enabling ProcMon ...
[2017-04-30 18:55:28,417] (INFO) ProcMon running ...
X Error: BadAccess (attempt to access private resource denied) 10
Extension: 130 (MIT-SHM)
Minor opcode: 1 (X_ShmAttach)
Resource id: 0x13f
X Error: BadShmSeg (invalid shared segment parameter) 128
Extension: 130 (MIT-SHM)
Minor opcode: 5 (X_ShmCreatePixmap)
Resource id: 0x500000c
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
Major opcode: 62 (X_CopyArea)
Resource id: 0x500000d
Am I missing a package here? I tried to find all alternatives for arch for the packages that were mentioned in the readme for ubuntu.
I love the idea behind open snitch btw (:
Trying to install on Lubuntu VM just to see how opensnitch looks. There was a lack of libcap-dev dependency detection, which I easily resolved, but which needs fixing, and then this mystery.
./opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "./opensnitchd", line 38, in <module>
from opensnitch.snitch import Snitch
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 31, in <module>
from opensnitch.iptables import IPTCRules
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/iptables.py", line 19, in <module>
import iptc
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/__init__.py", line 10, in <module>
from iptc.ip4tc import (is_table_available, Table, Chain, Rule, Match, Target,
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/ip4tc.py", line 13, in <module>
from .xtables import (XT_INV_PROTO, NFPROTO_IPV4, XTablesError, xtables,
File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/xtables.py", line 812, in <module>
raise XTablesError("can't find directory with extensions; "
iptc.xtables.XTablesError: can't find directory with extensions; please set XTABLES_LIBDIR
A quick Google brings up this solution
And this is the right incantation for Lubuntu
cat >> ~/.bashrc
export XTABLES_LIBDIR=/usr/lib/x86_64-linux-gnu/xtables/
ctrl-d
Once this is resolved, I get the following error, and I think this is a bit past my Python debugging skills.
./opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "./opensnitchd", line 77, in <module>
raise RuntimeError('DBUS_SESSION_BUS_ADDRESS not set')
RuntimeError: DBUS_SESSION_BUS_ADDRESS not set
I'm very excited by a Linux port of Little Snitch, willing to do whatever in terms of testing on various distros, just not sure how to proceed here.
cannot do ping command while opensnitch is active, your version in @evilsocket repo. In mine it works fine but my lack improvement of non blocking connections.
ways to reproduce start opensnitch run it open some apps allow some rules and then try pinging google.com for example or even IP not a fqdn.
Hi,
One feature from LS I've always admired was to allow a port regardless of host for a time-range (or forever).
Would it be possible for example allow Unbound (local instance) to use port 53 udp+tcp regardless of remote host?
Cheers!
opensnitch by default does not use iptables to set up rules, but only /root/opensnitch.db for storing the rules.
That makes it work fine with other firewall software, but it also makes the rules harder to read. It's not too hard, they can be read with sqlitebrowser, but there is also no manpage, so for example verdict is not defined: for every single app, whitelisted or not, allowed once or forever, it is 0.
Can you please provide at least a simple manpage so that we know what we can tweak, and with which effect?
Also running X apps with root privileges is dangerous.
If you install and start firewalld, you can set a zone for each connection in NetworkManager. It would be very nice if it was possible to use them for filtering (allowing an application only in one zone for example).
As far as I understand, NetworkManager uses D-Bus to communicate the zone of the connection to firewalld.
$ sudo env PYTHONPATH=. ./bin/opensnitch --log-file=opensnitch4.log
/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/__init__.py:127: RuntimeWarning: PyOS_InputHook is not available for interactive use of PyGTK
set_interactive(1)
Ubuntu 17.04, Linux 4.10.11
Experimentally it seems to mean "$ACTION just this connection" or "... every connection" from this process. There could be some middle ground, e.g. always allowing port 53 to my expected DNS resolvers while still requiring intervention for other connections.
It works brilliantly, something I loved from WinXP times, with a few good firewalls I used that asked you for every app/connection with allow/disallow.
The only problem for now is that even if you have an app whitelisted, it will still be blocked until you clear all prompts.
Way to reproduce:
Expected output: you are still allowed to connect to ssh
Actual result: ssh is blocked until all prompts are closed.
Why does it matter?
For example, you are trying to connect to your PC remotely
$ sudo opensnitch
[2017-05-04 20:51:03,858] (INFO) Using rules database from /home/kolorafa/opensnitch.db
[2017-05-04 20:51:03,858] (INFO) OpenSnitch v0.0.2 running with pid 28879.
[2017-05-04 20:51:03,874] (INFO) Enabling ProcMon ...
[2017-05-04 20:51:03,880] (INFO) ProcMon running ...
Overall great job!
I got this when running the application in console.
TypeError: int() argument must be a string or a number, not 'NoneType'
[2017-05-02 09:55:58,248] (ERROR) Exception on packet callback:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
conn = Connection( self.procmon, data )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
self.proto )
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
appname = procmon.get_app_name(pid)
File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'
The Qt mainloop blocks and intercepts Ctrl-C.
This means Ctrl-C does not lead to the application being terminated.
This was always the case. This issue has just been amplified now that the Qt mainloop is always running.
I'm really impressed with Opensnitch so far. I've used Lil' Snitch for 5-6 years very happily. I've moved from OS X to Ubuntu and Debian fully a few weeks ago.
I'm curious what are the future plans for Opensnitch? I've been using it for a few days and so far so good.
It would be great to see future development. I'm interested in contributing.
Well done on a good start!
Would prevent duplicate rules as seen in this screenshot of an opensnitch db.
Hi,
Quick suggestion:
OpenSnitch currently marks connections with value 1 in opensnitch/snitch.py#L90. As this is a pretty standard value used commonly in examples and in iptables configurations, it might be a good idea to flag with a more uniquely identifying value to prevent unwanted interaction with pre-existing rulesets.
Marks can be hexadecimal up to 32 bits (via http://ipset.netfilter.org/iptables-extensions.man.html) so it should be rather easy to find a unique identifier for OpenSnitch.
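The interaction described in the suggestion above can be checked before choosing a mark. This is an added example, not OpenSnitch code: the rule lines are constructed in iptables-save syntax, and the candidate mark 0x4F534E49 (the bytes "OSNI") is a hypothetical value used only for illustration.

```python
import re

# The mark match as iptables-save prints it: -m mark [!] --mark value[/mask]
MARK_RE = re.compile(
    r"-m mark (?:! )?--mark (0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?")

# Constructed sample of a pre-existing ruleset (not taken from any real host).
EXISTING_RULES = [
    "-A OUTPUT -m mark --mark 0x1 -j ACCEPT",
    "-A PREROUTING -m mark --mark 0x100/0xff00 -j DROP",
    "-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT",
]

# Hypothetical replacement for the mark value 1 discussed above.
CANDIDATE_MARK = int.from_bytes(b"OSNI", "big")  # 0x4F534E49


def mark_tests(rule):
    """Yield (value, mask) for every mark match in one rule line."""
    for value, mask in MARK_RE.findall(rule):
        # Without an explicit mask, all 32 bits are compared.
        yield int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def rules_affected_by(mark, rules):
    """Rules that treat a packet carrying `mark` differently from an unmarked one."""
    hits = []
    for rule in rules:
        for value, mask in mark_tests(rule):
            # The match is (packet_mark & mask) == value. A "!" negation flips
            # the outcome for marked and unmarked packets alike, so comparing
            # the two outcomes is enough to detect an interaction.
            if ((mark & mask) == value) != ((0 & mask) == value):
                hits.append(rule)
                break
    return hits


if __name__ == "__main__":
    for mark in (0x1, CANDIDATE_MARK):
        print(hex(mark), rules_affected_by(mark, EXISTING_RULES))
```

The check covers only the mark match; rules whose MARK target overwrites a packet's mark need a separate review.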
If the process initiating the connection has access to the user's X11 session, it can simply whitelist itself either before or after attempting to connect. If OpenSnitch stops the process before displaying the prompt, the application can still have whitelisted itself ahead of time.
Managed to build opensnitch on Ubuntu 16.04 after the recent python3 fixes.
Seems like the instructions still need python3 instead of python in the README.md setup.py line.
Now getting runtime exception on start:
$ sudo opensnitch
[2017-05-09 08:40:14,469] (INFO) Using rules database from /home/user/opensnitch.db
Traceback (most recent call last):
File "/usr/local/bin/opensnitch", line 4, in <module>
__import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 719, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 76, in <module>
main()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 63, in main
snitch = Snitch()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 50, in __init__
self.desktop_parser = LinuxDesktopParser()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 49, in __init__
self.populate_app(desktop_file)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 55, in populate_app
parser.read(desktop_path)
File "/usr/lib/python3.5/configparser.py", line 696, in read
self._read(fp, filename)
File "/usr/lib/python3.5/configparser.py", line 1012, in _read
for lineno, line in enumerate(fp, start=1):
File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe0 in position 758: ordinal not in range(128)
Add an option to poll for PTR and whois information
After Simone's last fix (thanks for fixing so quickly!)
Looks like we're almost there...
$ sudo opensnitch
[2017-05-09 10:44:21,812] (INFO) Using rules database from /home/user/opensnitch.db
Traceback (most recent call last):
File "/usr/local/bin/opensnitch", line 4, in <module>
__import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 719, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 76, in <module>
main()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 63, in main
snitch = Snitch()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 50, in __init__
self.desktop_parser = LinuxDesktopParser()
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 49, in __init__
self.populate_app(desktop_file)
File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 55, in populate_app
parser.read(desktop_path, 'utf8')
File "/usr/lib/python3.5/configparser.py", line 696, in read
self._read(fp, filename)
File "/usr/lib/python3.5/configparser.py", line 1089, in _read
fpname, lineno)
configparser.DuplicateOptionError: While reading from '/usr/share/applications/pidgin.desktop' [line 12]: option 'x-messagingmenu-useschatsection' in section 'Desktop Entry' already exists
This seems to be a bug in the original pidgin config file (/usr/share/applications/pidgin.desktop), which indeed has a duplicate entry. It would be nice if we could make configparser only emit a warning/error and not abort in this case (add try/except around it?)
After deleting the duplicate entry and retrying, I get the daemon running.
Thanks for all the fixes!
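Both startup failures reported above (the UnicodeDecodeError and the DuplicateOptionError) come from a single unreadable .desktop file stopping the daemon. The following is an added example of a tolerant reader, not the project's own fix; the function names and the sample file contents are assumptions constructed for illustration.

```python
import configparser
import logging
import os
import tempfile

log = logging.getLogger("desktop-entry-example")

# Constructed sample: one Latin-1 byte (0xe0) and one duplicated key,
# mirroring the two tracebacks above.
SAMPLE = (b"[Desktop Entry]\n"
          b"Name=Pidgin\n"
          b"Comment[fr]=Messagerie instantan\xe0e\n"
          b"Exec=pidgin %U\n"
          b"X-MessagingMenu-UsesChatSection=true\n"
          b"X-MessagingMenu-UsesChatSection=true\n")


def read_desktop_entry(path):
    """Return the [Desktop Entry] keys as a dict, or None if the file is unusable."""
    # strict=False: a repeated key overwrites the earlier one instead of raising.
    # interpolation=None: Exec= values contain field codes such as %U.
    # delimiters=("=",): .desktop files only use "=" between key and value.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    try:
        # errors="replace" turns undecodable bytes into U+FFFD instead of aborting.
        with open(path, encoding="utf-8", errors="replace") as fp:
            parser.read_file(fp, source=path)
    except (OSError, configparser.Error) as exc:
        # One broken file is logged and skipped; the caller keeps running.
        log.warning("skipping %s: %s", path, exc)
        return None
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser["Desktop Entry"])


def parse_sample(data=SAMPLE):
    """Write `data` to a temporary .desktop file and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.desktop")
        with open(path, "wb") as fp:
            fp.write(data)
        return read_desktop_entry(path)


if __name__ == "__main__":
    print(parse_sample())
```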
Ubuntu 16.04, Python 2.7.12
sudo opensnitch
[2017-04-18 09:04:14,973] (INFO) OpenSnitch v0.0.1a1 running with pid 18943.
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
^C[2017-04-18 09:04:28,121] (INFO) Quitting ...
We will probably want a service file for the OpenSnitch daemon running as root, though access to the user DBUS_SESSION_BUS_ADDRESS variable becomes an issue.
Any thoughts?