Am I using Opensnitch correctly?

Hello World,

I’m just wondering if I’m using OpenSnitch correctly to block stuff, like in the example in the pic below?
Or should I delete acc.exe and just leave the path(like the pop-up window suggests), in which case if there are multiple .exe files in that folder would they all get blocked?

Also if the path has a directory with spaces in its name do I need to encase it in “” like you would when using a path command in the console?

Thank you.

Why is this question so hard? I asked here, on the Opensnitch reddit, on the Opensnitch github, and nothing, not 1 single reply anywhere… :sob: :sob:
Am I not asking it correctly or what’s the matter?

Lots of info here on how to properly use and understand it…

1 Like

Ok, I read through all that, didn’t answer my questions at all, didn’t even slightly touch upon them as a matter of fact… :frowning:

Probably because no one knows. This is my first time coming across this post. I use OpenSnitch on and off, but this is the kind of thing where I have to ask. Does it matter? Seems like trial and error will solve this real fast.

Try and find out. Then report back. Anyone else who has the same question will then know the answer. I have never once considered any of that when I used it. The only thing I ask myself is does the thing I don’t want to connect to the internet still connect to the internet. If no then it worked. If yes, then I should try something else like some of the suggestions you were asking about.

I don’t mean to sound mean, but sometimes you gotta troubleshoot. Funny enough, when you do it enough times, you will find yourself being one of the people answering questions on forums like this.

No problem, I don’t consider that mean, but obviously I did that mate and it made no difference. :woozy_face:
That is why I am asking, cause I tried with the .exe in there, without it, with “”, without “”, and nothing seemed to affect it…

The only thing that had any effect was a pop-up that Opensnitch offered automatically at one point about some wine component trying to connect to some ubi.com place(ip, server, whatever you call it), but my messing with the .exe did nothing.

And sadly with certain apps/games I don’t wanna rely on Opensnitch(maybe, hopefully) offering me a pop-up like that, instead I want to be able to add deny to the app/game before I ever/even launch it for the first time.

You see my predicament now? :pleading_face:

Yeah, I didn’t get by your original post that you tried all of those things and it wasn’t working. It came off to me that you were asking out of curiosity. My bad.

1 Like

While I’m not exactly sure about blocking wine applications with OpenSnitch, there is a way to block internet from wine applications on the command line that I use successfully. Would that suffice?

As long as it blocks just that app and doesn’t break anything else(like Lutris needing to update stuff and whatnot) sure, I can give it a try, thank you.

But I wanna point out that that would just be a stopgap measure and in the end I surely would like to get Opensnitch working cause I’ve always used an application firewall and learned to rely on that and would really like to continue using one…

That is probably how you block wine apps then.

Perhaps you can look at what the existing rules that did work successfully look like and try to mimic those.

Well then my solution should work then. Here is an example of what I use for say elden ring.
unshare -n -r wine start /unix '/Installs/ELDEN RING/Game/eldenring.exe'

This will launch the game with no internet connection. The unshare command should already be available on your system. Normally I edit the .desktop application and replace the Exec= line with the above style command, so I don’t have to do it constantly or use the command line to launch the game.
This also satisfies the requirement of not needing to launch the game first.

Edit: Didn’t explain what unshare flags do.
-n - will create a new network name space. By default this will block the internet connection because it has no network settings configured yet.
-r - is used to map the current user & group ownership to the new namespace.

I have no clue about opensnitch, but regarding this question I have a comment

Another method to handle white space in filenames is to escape the white space with a backslash:

"name with white space" = name\ with\ white\ space

I believe this is better suited to enter such names into GUI dialogs.

Nope, first of all it shows me the pop-up when it/if it ever feels like it, instead of immediately when I first launch the game. Second of all the only reason I recognized it and clicked deny is because I recognized what it was trying to connect to, ubi.com being quite obvious, but I don’t know the domains for every app/game under the sun… :frowning:

Well I tried, sadly your way seems to have some issues, for example it didn’t launch Mangohud that always gets enabled automatically when launching a game from within Lutris, gave an error, console output below if you are curious.
And that got me thinking, what other settings don’t get applied when running a game like that?
For example specifically for AC Rogue I have to enable an option in Lutris otherwise I have some annoying audio issues from time to time.

But your idea sent me on some other paths, so I did more testing including with steam and another game, and indeed this time it worked. If I added this steam game In Opensnitch with Deny it wouldn’t work at all, just black screen, and with Reject it would launch but with error that it couldn’t connect to steamworks.

The problem is that the executable for this game ends in .64 and not .exe like AC Rogue, is it possible OpenSnitch just ignores .exe files?
I’m unsure what else to try and test it with under Lutris, would something like the windows version of skype work maybe? Gonna try that next, after I eat…

LE: Ups, forgot to add the console output, not sure it matters anymore, but for the sake of completion:

[vikings@VIKINGSKINGDOM ~]$ unshare -n -r wine start /unix /home/vikings/Games/assassins-creed-rogue/ACC.exe
0090:err:hid:udev_bus_init UDEV monitor creation failed
[vikings@VIKINGSKINGDOM ~]$ 0154:fixme:dbghelp:elf_search_auxv can't find symbol in module
[2024-09-16 11:14:35.622] [MANGOHUD] [error] [overlay_params.cpp:647] Unknown option 'io_stats'
[2024-09-16 11:14:35.622] [MANGOHUD] [error] [dbus.cpp:166] Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
0154:fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_PERFORMANCE_INFORMATION
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0154:fixme:d3d11:d3d11_device_CheckFeatureSupport Returning fake threading support data.
0164:fixme:win:RegisterTouchWindow hwnd 0000000000030086, flags 0x2 stub!
0164:fixme:vulkan:NtGdiDdDDIOpenAdapterFromHdc (0x27ff608): stub
0164:fixme:vulkan:NtGdiDdDDIOpenAdapterFromHdc (0x27ff608): stub
0154:fixme:dxgi:wined3d_swapchain_desc_from_dxgi Unhandled mode scaling 0x2.
0154:fixme:dxgi:wined3d_bind_flags_from_dxgi_usage Unhandled DXGI usage 0x40.
0154:fixme:dxgi:dxgi_output_GetDisplayModeList iface 00000000013694C0, format DXGI_FORMAT_R8G8B8A8_UNORM, flags 0x2, mode_count 000000000021F3C8, modes 0000000000000000 partial stub!
0154:fixme:dxgi:dxgi_output_GetDisplayModeList iface 00000000013694C0, format DXGI_FORMAT_R8G8B8A8_UNORM, flags 0x2, mode_count 000000000021F3C8, modes 0000000013E6C030 partial stub!
01c4:fixme:rawinput:NtUserRegisterRawInputDevices Unhandled flags 0x230 for device 0.
01bc:fixme:d3d:state_linepattern_w Setting line patterns is not supported in OpenGL core contexts.
0164:fixme:dxgi:d3d11_swapchain_ResizeBuffers Ignoring flags 0x2.
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0164:fixme:thread:NtSetInformationThread ThreadIdealProcessor stub!
0154:fixme:msvcrt:__clean_type_info_names_internal (00006FFFFD7E32A8) stub
0154:fixme:msvcrt:__clean_type_info_names_internal (00006FFFFDBD2D60) stub
0x5997dbc924d0:839: Thread id=0164 unix pid=18565 unix tid=18569 state=1
0x5997dbc79540:1: Token id=0.1019 primary=1 impersonation level=-1
0x5997dbc23920:1: Process id=0150 handles=(nil)

K, I’ll keep that in mind, thank you.

Sorry, I don’t use lutris, so I’m not sure of how to integrate stuff with it. Whenever I use mangohud, I just add to the command that I gave you.
Like this:
env MANGOHUD_CONFIG=gpu_temp,vsync=0 unshare -n -r mangohud wine start /unix '/Installs/ELDEN RING/Game/eldenring.exe'

Certainly could be, but I’m unsure since I don’t know the inner workings of OpenSnitch and how it is blocking applications. I’ll need to fire up OpenSnitch and play around with it myself and see if I can get it to do what you are asking.

Have you tried to create a “deny” rule to the host and/or the domains/IPs that a particular application connects to?

For example, If I were to block Freetube to connect to the Invidious instance:

Again, I repeat, I don’t know the domain names for every app/game under the sun, nor do I care to learn/discover them since normally a firewall should just be able to block any and all connection attempts for an app that you select the executable for. :face_with_diagonal_mouth:

Ok then the question becomes, does anyone know a free windows app that uses the internet and is known to work fine in Lutris so I can properly test this then? Cause I tried the win version of skype and it keeps crashing. :frowning:

Well, you asked the question and you seem not to appreciate the answer.

If you are not ready to put in some “work” from your part to make it work as you want it to, then I don’t know how anybody can be of some help.

Also, if you are not satisfied with the way OpenSnitch works, get in touch with its developers or another option would be to finance a developer to make an application tailor-made for you.

Adios and hasta nunca!

PS.
Let it be said, I like neither your tone nor your attitude. We are not here on your payroll. That was it!

You don’t have to get snarky mate. I just don’t think that the correct solution to “I’m having some issues with this firewall” is to “Learn the domains for the millions of apps/games out there”, I also don’t think that a task like that falls under the definition of “some work”…

LE to your edits: I am sorry if you are having a bad day, but please don’t take it out on me. I think I have behaved ok on every topic I made since joining this forum, always being courteous and whatnot and trying to explain why I am asking this or that, so I don’t really understand what your problem is with me… :frowning:

1 Like

Alright, I believe I have got it. Been playing around with it for the last few hours and here is what I have come up with.

Step 1: Click on settings.

Step 2: Change Default Target from by executable to by command line.

Step 3: Click create new rule.

Step 4: Check the from this command line box and regular expression box.

Step 5: Inside the box type in the name of the executable. This is capitalization sensitive. Surround the name of the executable with the characters .*. If you know anything about regex, this is a catch-all. Also we need to escape the . character in our dot exe file. You do that with a backslash.

The reason why we are using regex is because launchers like steam and lutris are essentially automatically doing the stuff that I told you to do in those commands that I gave you earlier. This creates a lot of command line pollution and noise I reason. Instead we want it to essentially search for this executable in the command line of the program which could easily be dozens or over a hundred words long. Then find the name of the executable we want to block and use that.

Hopefully this helps and the screenshots get the point across. I have had this work for me with multiple games. Specifically I tested Elden Ring and Combat Masters. However, some games that require a network connection do outright refuse to launch.

Let me know how this works for you.

P.S. when it comes to mods. YMMV (your mileage may vary).

2 Likes

Hey yeah, that worked, by doing what you said AC Rogue behaves exactly like it did when I enable that rule that opensnitch created automatically for that wine component that tried to access ubi.com!! :smiley: :upside_down_face:

I still have to google certain things and learn about them so I can figure out what you are talking about in some places(like that regex thing), but yaay it works, thank you so much! :hugs::hugs::hugs:

Two more questions though:

  1. Is changing default target from executable to command line in the settings gonna affect (either in a bad or good way) the rest of the rules that Opensnitch has already created/will continue to create itself automatically? Or does it apply only to rules I manually add myself?
    To my mind it should start to affect everything if it’s set in the preferences of the program(that’s how things usually work) but I figured I’d ask just in case…

  2. Do you mind if I quote your solution in the other places where I asked for help with this matter? Maybe it might help someone else searching the net that doesn’t use/know about this forum?

LE: Actually 3. If the name of the games executable contains spaces I add \ like @mbod said, right? So in our example it would become
.*Combat\ Master\.exe.* correct?
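
The command-line regex rule from Step 5 and the escaped-space pattern above can be checked outside the GUI. This is an added example, not part of the original posts and not OpenSnitch's own code; it assumes the rule text is evaluated with Go's `regexp` package (the language the OpenSnitch daemon is written in), and the command lines and the `CmdlinePattern`/`Matches` helpers are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// CmdlinePattern (hypothetical helper) builds the ".*name.*" rule text for an
// executable name. QuoteMeta escapes regex metacharacters such as "." so they
// match literally; it leaves spaces alone because a space is not special.
func CmdlinePattern(exeName string) string {
	return ".*" + regexp.QuoteMeta(exeName) + ".*"
}

// Matches (hypothetical helper) reports whether a rule pattern matches a full
// process command line. A pattern that fails to compile matches nothing.
func Matches(pattern, cmdline string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false
	}
	return re.MatchString(cmdline)
}

// Constructed command lines, shaped like what a launcher passes to wine.
const (
	eldenCmd  = `/usr/bin/wine-preloader /usr/bin/wine start /unix /Installs/ELDEN RING/Game/eldenring.exe`
	combatCmd = `/opt/runner/bin/wine64 /home/user/Games/Combat Master/Combat Master.exe -windowed`
	otherCmd  = `/usr/bin/wine /home/user/Games/tools/eldenring_exe_patcher`
)

func main() {
	escaped := CmdlinePattern("eldenring.exe") // .*eldenring\.exe.*
	fmt.Println("rule text:", escaped)
	fmt.Println("game matched:", Matches(escaped, eldenCmd))

	// An unescaped "." matches any character, so the rule also catches an
	// unrelated program whose command line merely resembles the name.
	fmt.Println("unescaped dot hits other tool:", Matches(`.*eldenring.exe.*`, otherCmd))
	fmt.Println("escaped dot hits other tool:", Matches(escaped, otherCmd))

	// Matching is case sensitive: a differently cased name never matches.
	fmt.Println("wrong case matched:", Matches(`.*EldenRing\.exe.*`, eldenCmd))

	// Name with a space: the backslash-escaped form and the plain form both match.
	fmt.Println(`with "\ ":`, Matches(`.*Combat\ Master\.exe.*`, combatCmd))
	fmt.Println("plain space:", Matches(CmdlinePattern("Combat Master.exe"), combatCmd))
}
```
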