Application firewall suggestions

You shook the cobwebs off… I did use to obsess about this stuff… great, great examples.

Bink, it’s a lifetime (Win and Linux) of browser extension use that always had me on edge. I was so suspicious of some of their behavior I’d quit something despite its popularity. I would LOVE to see that traffic snorted out of those little bast****. I think that’s a big attack vector like the new firmware viruses, but extensions hide in plain sight.

Would love to see extension traffic.

1 Like

It’s a good point.

With the exception of those bundled with a browser, I only very rarely install a browser extension, and even then it’s only installed temporarily. When preparing a website design for a client, I might do a full-page screenshot (longer than the visible window) and use an extension to do it, but that’s the only one that comes to mind in recent years.

1 Like

You don’t trust them either.
Would one of these app firewalls detect a specific extension (the KeePassXC password extension, for example) calling out that was part of a browser? Or would it all be disguised as vague ‘browser traffic’, I wonder.
Maybe rhetorical? Maybe it depends on the tool used, perhaps.

I only know opensnitch and portmaster. What alternatives exist nowadays?

EDIT: Yes, of course pi-hole and the Rust alternative crab-hole and now I see SafeLine. Very interesting.

Just looked at SafeLine. This is for web applications.

@dalto
I apologize; this thread (the idea of an app firewall) excited the he** out of me. I like this stuff.

Question: what have you learned in the last 24 hrs with this tool?

Today I tested Portmaster and learned that it was absolutely not the right tool for me.

3 Likes

12 posts were split to a new topic: Firejail configuration discussion

Portmaster is a solid option for application-level filtering.

Would be interested to hear how your testing goes… :grin:

1 Like

I have been using opensnitch.

It seems to do what I need.

I haven’t yet found any real alternative.

1 Like

Are you using it on your laptop or pc or on a dedicated server?

EDIT: My use case would be to use it on my laptop.

I am using it on my main desktop. I don’t think it would have much applicability on a server.

I definitely think it is worth trying out, even if you only keep it for a few days, you will learn some things.

A couple of pointers I would give people are:

  • When you first install it, it will need some attention since every application will be requesting permissions. Once you have the rules in place, it becomes a non-issue
  • Change the default duration to “forever” in settings to make life easier
  • I had to install the ebpf module from AUR to make smb connections work
  • If you find something not working and you don’t know why, take a quick peek in your rules list to see if a temporary block rule has been added. Once in a while, I would not notice/see the popup and would end up with traffic being blocked. Especially for terminal applications where my attention was fully on the terminal at the time.
2 Likes
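The last pointer above (a temporary block rule silently added when a popup is missed) is easy to automate. The script below is an added example, not code from the thread or from the OpenSnitch project: it assumes the JSON layout OpenSnitch uses for its rule files (name / enabled / action / duration / operator) and that they live under /etc/opensnitchd/rules/, lists every enabled deny rule whose duration is not “always”, and shows which rules a given connection would hit. The sample rules are constructed, and the matcher is a simplified one (only the “simple” and “regexp” operator types, no precedence handling), so treat it as a reading aid rather than a model of the daemon.

```python
"""Review OpenSnitch rule files for temporary block rules.

Added example, not part of the forum thread or the OpenSnitch project.
Assumes the rule JSON layout (name / enabled / action / duration / operator)
and the default rule directory /etc/opensnitchd/rules; sample rules below
are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Only "always" survives; every other duration OpenSnitch offers expires.
PERMANENT = "always"

# Constructed sample rules in the shape of /etc/opensnitchd/rules/<name>.json
SAMPLE_RULES = [
    {"name": "allow-firefox", "enabled": True, "action": "allow", "duration": "always",
     "operator": {"type": "simple", "operand": "process.path",
                  "data": "/usr/lib/firefox/firefox"}},
    {"name": "deny-curl", "enabled": True, "action": "deny", "duration": "15m",
     "operator": {"type": "simple", "operand": "process.path", "data": "/usr/bin/curl"}},
    {"name": "deny-telemetry", "enabled": True, "action": "deny", "duration": "always",
     "operator": {"type": "regexp", "operand": "dest.host", "data": r".*telemetry\..*"}},
    {"name": "allow-smb", "enabled": False, "action": "allow", "duration": "until restart",
     "operator": {"type": "simple", "operand": "dest.port", "data": "445"}},
]


def load_rules(rule_dir):
    """Load every *.json rule file in rule_dir (real installs: /etc/opensnitchd/rules)."""
    rules = []
    for path in sorted(Path(rule_dir).glob("*.json")):
        with open(path, encoding="utf-8") as fh:
            rules.append(json.load(fh))
    return rules


def write_rules(rule_dir, rules):
    """Write rules as one JSON file each, mirroring the on-disk layout."""
    for rule in rules:
        (Path(rule_dir) / f"{rule['name']}.json").write_text(json.dumps(rule), encoding="utf-8")


def temporary_blocks(rules):
    """Names of enabled deny/reject rules whose duration is not 'always'.

    These are the rules that appear when a popup is dismissed or times out,
    the ones worth checking when something suddenly stops working.
    """
    return [r["name"] for r in rules
            if r.get("enabled") and r.get("action") in ("deny", "reject")
            and r.get("duration") != PERMANENT]


def rule_matches(rule, conn):
    """Simplified matcher (assumption: only 'simple' and 'regexp' operators).

    conn is a dict keyed by operand name, e.g. process.path, dest.host, dest.port.
    """
    op = rule["operator"]
    value = str(conn.get(op["operand"], ""))
    if op["type"] == "simple":
        return value == op["data"]
    if op["type"] == "regexp":
        return re.fullmatch(op["data"], value) is not None
    return False


def explain_connection(rules, conn):
    """(name, action) for every enabled rule the connection would hit, in file order."""
    return [(r["name"], r["action"]) for r in rules
            if r.get("enabled") and rule_matches(r, conn)]


def roundtrip_sample():
    """Write the constructed rules to a temp dir and read them back (names, sorted)."""
    with tempfile.TemporaryDirectory() as tmp:
        write_rules(tmp, SAMPLE_RULES)
        return [r["name"] for r in load_rules(tmp)]


if __name__ == "__main__":
    print("temporary block rules:", temporary_blocks(SAMPLE_RULES))
    curl = {"process.path": "/usr/bin/curl", "dest.host": "example.org", "dest.port": 443}
    print("curl would hit:", explain_connection(SAMPLE_RULES, curl))
```

Point `load_rules` at the real rule directory to review a live install; the constructed set flags only `deny-curl`, which is exactly the kind of 15-minute block that explains a terminal tool suddenly failing.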

I also started to take a look at it and I decided to install it on my laptop. My experiences were the same: have a closer look in the beginning, and yes, the ebpf module was required. The forever duration makes much sense.

1 Like

@dalto, you helped me to set up a killswitch for my vpn with ufw rules here.

ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0          
192.168.50.1               ALLOW OUT   Anywhere                  
1194/udp                   ALLOW OUT   Anywhere                  
Anywhere/ipv6              DENY OUT    Anywhere/ipv6

Do I need to enable the firewall in OpenSnitch as well?

The purpose is different here. Your ufw rules ensure your traffic all flows over the VPN.

Opensnitch is watching what various applications are doing. For example, you might want to not allow a given application to send certain traffic over your VPN.

1 Like
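To make the division of labour concrete, here is an added example (not from the thread, not from ufw or OpenSnitch) that parses the `ufw status verbose` output posted above and checks the network-level kill-switch properties ufw is responsible for: outgoing denied by default, traffic allowed out only on the tunnel interface, to the VPN port and to the LAN gateway, and IPv6 denied out. The interface name tun0 and the port 1194/udp come from the posted ruleset; the private-address heuristic used to recognise a LAN gateway is an assumption. Which application is allowed to use the tunnel is OpenSnitch’s job and is not something this check can see.

```python
"""Check a `ufw status verbose` dump for VPN kill-switch properties.

Added example, not part of the thread or of ufw. The ruleset text is the one
posted above; tun0 and 1194/udp are taken from it, the private-range
heuristic for LAN destinations is an assumption.
"""
import re

UFW_STATUS = """\
Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
192.168.50.1               ALLOW OUT   Anywhere
1194/udp                   ALLOW OUT   Anywhere
Anywhere/ipv6              DENY OUT    Anywhere/ipv6
"""

# One rule line: To, Action, direction, From (From may contain "on <iface>")
RULE_RE = re.compile(
    r"^(?P<to>\S+)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<from>.+?)\s*$")
# RFC 1918 ranges, used to recognise a LAN gateway/DNS exception (assumption)
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_ufw_status(text):
    """Return (default policies by direction, list of rule dicts)."""
    defaults, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"^Default:\s*(.+)$", line)
        if m:
            for part in m.group(1).split(","):
                policy, direction = part.strip().split(" ", 1)
                defaults[direction.strip("()")] = policy
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return defaults, rules


def killswitch_findings(defaults, rules, tun="tun0", vpn_port="1194/udp"):
    """Human-readable list of ways the ruleset fails to be a kill switch (empty = OK)."""
    findings = []
    if defaults.get("outgoing") != "deny":
        findings.append("default outgoing is not deny")
    out = [r for r in rules if r["dir"] == "OUT" and r["action"] == "ALLOW"]
    if not any(r["to"] == "Anywhere" and r["from"] == f"Anywhere on {tun}" for r in out):
        findings.append(f"no ALLOW OUT on {tun}")
    if not any(r["to"] == vpn_port for r in out):
        findings.append(f"no ALLOW OUT to {vpn_port} (tunnel cannot be established)")
    for r in out:
        if r["from"].endswith(f"on {tun}") or r["to"] == vpn_port:
            continue  # tunnel traffic and the VPN handshake are expected
        if PRIVATE_RE.match(r["to"]):
            continue  # LAN gateway or local DNS; needed before the tunnel is up
        findings.append(f"ALLOW OUT to {r['to']} from {r['from']} bypasses the tunnel")
    if not any(r["dir"] == "OUT" and r["action"] == "DENY" and r["to"] == "Anywhere/ipv6"
               for r in rules):
        findings.append("no explicit DENY OUT for IPv6")
    return findings


def check(text, **kw):
    """Parse a status dump and return the findings in one call."""
    defaults, rules = parse_ufw_status(text)
    return killswitch_findings(defaults, rules, **kw)


if __name__ == "__main__":
    print("findings for posted ruleset:", check(UFW_STATUS))
    leaky = UFW_STATUS.replace("deny (outgoing)", "allow (outgoing)")
    leaky += "Anywhere                   ALLOW OUT   Anywhere\n"
    print("findings for a leaky variant:", check(leaky))
```

Feed it `ufw status verbose` output from a live box (for example via `subprocess.run(["ufw", "status", "verbose"], capture_output=True, text=True).stdout`) to re-run the checks after any rule change; the posted ruleset passes cleanly, while the constructed variant with `allow (outgoing)` and a blanket `ALLOW OUT` is reported on both counts.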

Alright, I think I understand. It will give me the possibility to fine-tune more on the application level what traffic goes out over the VPN. Is that right?

Yes, exactly.

1 Like

Sounds like you stuck with Opensnitch? I notice when you go to install the “opensnitch-ebpf-module” package it has a dependency for ‘linux-header’. Any concern here if you use LTS or Zen kernels?

I did test Portmaster, but then had to stop and disable my unbound.service, and let Portmaster take over DNS Resolution (which I am not a fan of).

Also, even if you stop and disable the portmaster.service, it has a portmaster notification process which always runs in the background.

For others reading this thread, there is a great little Portmaster introduction series here:

https://www.youtube.com/playlist?list=PLy66R1jud_abP64KuRBSobSWZcZvqEwSm

There is also a nice wiki with documentation:

Yes. It isn’t perfect but it gets the job done and I couldn’t find anything better.

I am not using the linux kernel and I have not seen any issues. The package only builds 3 files:

opensnitch-ebpf-module /usr/lib/opensnitchd/ebpf/opensnitch-dns.o
opensnitch-ebpf-module /usr/lib/opensnitchd/ebpf/opensnitch-procs.o
opensnitch-ebpf-module /usr/lib/opensnitchd/ebpf/opensnitch.o

Yeah, I tested it but there were too many issues for me. There is the gating of some features behind a subscription and also the constant reminder in the UI that I am not subscribed.

Additionally, it basically “does what it does”. The ability to control it or only use certain parts of it was not available. Like you, I wasn’t willing to hand over control of my DNS.