[Bug] Not blocking internet access if opensnitch isn't running #884
Comments
I have grpcio 1.50.0 and grpcio-tools 1.50.0 and it works fine with those, can you try that version?
Besides trying @pizzadude's suggestion, please, be sure that the value DefaultAction is set to "deny" in You can also try a simple test:
Any of the commands should fail. If they don't, please, post the log file /var/log/opensnitchd.log
Just set DefaultAction to deny in /etc/opensnitchd/default-config.json. If with that option set to deny apps can still connect to the internet, please, drop a comment with an example and how to reproduce it, and we'll review it.
I've been reviewing this problem, and the option works fine. But it's a bit confusing, and I'm not sure what's the right thing to do here. With daemon
So the question is: GUI's Preferences->Nodes->DefaultAction should reflect the daemon's DefaultAction being used (this is how it works right now), or the one saved in /etc/opensnitchd/default-config.json? This behaviour was changed here f5bb478 because of this #489 And probably this behaviour should be documented on the wiki.
Ok, I'll modify the behaviour as follows: Daemon not connected to the GUI:
Daemon connected to the GUI:
At least this way the user will clearly see that daemon's DefaultAction is set to
- On the very first install, or if the GUI's settings.conf file was not created, GUI's DefaultAction item was not configured properly.
- Now when the daemon is not connected to the GUI, it'll use the DefaultAction configured in /etc/opensnitchd/default-config.json
- When the daemon is connected to the GUI, the GUI will reconfigure daemon's DefaultAction value with the one defined by the GUI. In this case the value defined in default-config.json is not modified, it'll only be valid while it's connected to the GUI.

Now when opening Preferences->Nodes, it'll display daemon's DefaultAction defined in the default-config.json file, which is the default action applied when the daemon is not connected to the GUI.

Related: #884, #896
closing due to lack of feedback
Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues.
I was also looking around in settings and found an option which seemed to do this:
but it didn't work, not sure if this is a bug, or if the option does something else
OS: fedora
Version: 1.6.0 (latest as of now)
potentially related to the bug: couldn't install
grpcio==1.16.1
with pip as mentioned in the install guide as it gave segmentation faults, I instead installed the newest version with pip.
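The two fail-open conditions discussed in this thread (DefaultAction not set to deny, and the nfqueue bypass flag) can be checked together. The following is an added example, not code from the opensnitch project: the function names, the nesting of QueueBypass under "FwOptions" in the sample, and the sample nft rule are assumptions or constructed values.

```python
import json
import re

def find_key(node, key):
    # The page does not say where QueueBypass is nested, so search every level.
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for value in node.values():
            found = find_key(value, key)
            if found is not None:
                return found
    return None

def audit_config(text):
    """Return findings for a default-config.json body (empty list = fail closed)."""
    cfg = json.loads(text)
    findings = []
    action = find_key(cfg, "DefaultAction")
    if action != "deny":
        findings.append(f"DefaultAction is {action!r}: connections are not denied while the GUI is disconnected")
    # Per the commit message above: a missing QueueBypass item means false.
    if find_key(cfg, "QueueBypass") is True:
        findings.append("QueueBypass is true: traffic flows unfiltered if the daemon dies")
    return findings

def queue_rules_with_bypass(ruleset):
    """Return nft rule lines whose queue statement carries the bypass flag."""
    hits = []
    for line in ruleset.splitlines():
        tokens = re.findall(r"[\w-]+", line)
        # Covers both printed forms: "queue num 0 bypass" and "queue flags bypass to 0".
        if "queue" in tokens and "bypass" in tokens[tokens.index("queue"):]:
            hits.append(line.strip())
    return hits

# Constructed samples, not taken from the issue; the "FwOptions" nesting is an assumption.
SAMPLE_CONFIG = '{"DefaultAction": "allow", "FwOptions": {"QueueBypass": true}}'
SAMPLE_RULESET = """\
table inet mangle {
    chain output {
        ct state new queue flags bypass to 0
    }
}
"""

if __name__ == "__main__":
    for item in audit_config(SAMPLE_CONFIG) + queue_rules_with_bypass(SAMPLE_RULESET):
        print("fails open:", item)
```

On a live system the ruleset text would come from `nft list ruleset` and the config text from /etc/opensnitchd/default-config.json.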