(comments)

Original link: https://news.ycombinator.com/item?id=41209688

The user has been using the firewall application OpenSnitch for years to monitor and control network traffic on their system. They have found it useful for general productivity, development, experimentation, gaming and local AI work. Updating rules takes minimal effort (a few rules per week) and usually under 30 seconds. Although occasional updates are needed when software changes, they find the process simple, with almost all rules pre-configured. Whitelist or greylist settings can be made on specific parameters such as source address, destination address and duration. This gives the user insight into the network behaviour of their applications without constant monitoring. The initial setup can take some time, but once the habit is formed the user finds it second nature, and it helps reveal which applications communicate beyond their intended function.

Original text


I've tried to use it extensively (as an interactive firewall). However, there are just some problems (that are not the fault of OpenSnitch) that I'm not even sure are solvable.

For example, suppose I run `curl` on the terminal. I can either always decide on a case-by-case basis to allow it through, or I'm required to whitelist it permanently. Once I've whitelisted generic tools like `curl` or `wget`, then the floodgates are really open, since any malware that has compromised my machine can just use `curl` or `wget` to get to the internet without hitting the firewall.



I’ve found that by using subdomain wildcards and/or subnets, I build up a stable set of rules pretty quickly and then only have to review requests to new endpoints once in a while.

To me, the peace of mind knowing that I’ll be prompted to allow new access is worth the initial hassle. And once the habit is built, it’s pretty easy to manage.

Editing to add: I also use expiring rules regularly. Maybe I trust an installer and want to let it do its thing. So I open it up with a rule for the executable expiring in the near future (options include: forever, until reboot, for the next 30s, for the next 5 mins, etc). This can drastically simplify some tasks if there are a large number of endpoints for some reason and avoids leaving a hole open permanently.



Sounds like that varies widely by person/use case. I’ve been using this software for a couple years at this point. I don’t have to update rules all that often (usually a few rules/week), and when I do, it’s usually a 10-30 second detour. The only time it takes more work is if I don’t know why something is trying to connect. But that’s exactly the scenario I’m targeting, i.e. calling attention to the weird looking connections.

My use cases are general productivity, development on side projects and a variety of software experiments, gaming, and some local AI stuff.

I also don’t see this as a ton of work. Rules are 99% pre-configured for you and all you have to do is choose the scope and duration of the rule and whether to reject or allow.

I’ll admit it’s annoying once in a while if there’s a major update to software that spawns a bunch of new rules, but once I get past the feeling of being annoyed, it’s really an extremely simple and quick process.

Really have to emphasize the habit creation part. After I stuck with it for a few weeks, it became second nature and I stopped getting annoyed for the most part. I consider this a worthwhile habit to build if you’re trying lots of code/libraries and want to know what’s phoning where.



In terms of time spent, that amounts to about one minute per week for me right now. Sometimes less.

The user experience is streamlined, and adding rules involves responding to a dialog that automatically pops up when a connection is attempted. UX is key here and this would be a very different story if you had to go into a separate rule management interface every time.

Regarding paranoia, I don’t see it that way. Supply chain attacks are alive and well, and if you’re running other people’s code on a regular basis, this is a low cost precautionary measure. I totally recognize that not everyone has the same risk profile or tolerance.



I have found it makes me less paranoid, which is good.

In using it for a while, I have only found a few pieces of software trying to access places I don't expect and don't approve of (quite a few more that I do expect, but don't approve of). And none of them seemed to be actively malicious, just misbehaved or poorly configured.



> I don’t have to update rules all that often (usually a few rules/week)

I think that we have different definitions of "all that often". Even twice a week would be too often for me.


Genuinely curious: how/why does that seem too often? I truly don’t understand. Have you seen the user experience and what’s involved?

How do you feel about other common permission prompts, e.g. location, microphone, camera, share your screen, run as privileged user, etc? I appreciate being asked about those things and I put this in a similar category.



> Genuinely curious: how/why does that seem too often?

I want to work, not manage my workstation.

I don't mind configuring things; my dotfiles are the product of 25 years of tweaking. But having to tweak anything multiple times per day is not going to help me work, it is going to hinder my work.



I highly recommend you look at the UX before drawing any conclusions in that case, because what you’re describing does not resemble the OpenSnitch UX.

The experience is much closer to the other common permission prompts I mentioned which is why I asked how you feel about them.

As a fellow multi-decade dotfile tweaker, that experience isn’t comparable and is not a good model for judging this tool.



Worth a shot! The first few days are by far the worst while all of the existing connections are accounted for, but things calm down quickly.

One thing I wished I knew sooner was that the square [+] button on the rule dialog opens more fields on the form for editing.

This makes it super easy to create a single wildcard rule e.g. when timesyncd tries to hit an ntp server for the first time, I expand the autogenerated rule that pops up to include all subdomains like *.ntp.domain.tld so I don’t have to keep creating rules for the other ntp servers. I’ve gotten more efficient over time this way.



Might be the same, but what if you allow all curl/wget traffic for the 'dev' user, but continue to flag any traffic for the 'normal' user?

for dev work run 'su -c curl … dev'

But if a malicious program in normal user space is running, then the app firewall flags curl and wget use appropriately.

It would be annoying to input a password every time, so maybe set up PAM to use a YubiKey or biometrics? Also make sure this user cannot log in and does not have a password.
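The scoping ideas raised in this thread (wildcard destination hosts, rules that expire after a set time, rules tied to a dedicated user account) combined in one constructed Python model of how an application firewall evaluates a connection. This is an added example, not OpenSnitch's own rule format or code; the paths, UIDs, hosts and timestamps are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class Rule:
    """Constructed model of one application-firewall rule (not OpenSnitch's
    on-disk format): a field left as None matches any value."""
    name: str
    action: str                         # "allow" or "deny"
    path: Optional[str] = None          # executable that opened the connection
    host: Optional[str] = None          # destination host, shell-style wildcard
    uid: Optional[int] = None           # restrict to one user, e.g. a 'dev' account
    expires_at: Optional[float] = None  # absolute time; None means permanent

    def matches(self, conn: dict, now: float) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False                # expired rules never match
        if self.path is not None and conn["path"] != self.path:
            return False
        if self.host is not None and not fnmatch(conn["host"], self.host):
            return False
        if self.uid is not None and conn["uid"] != self.uid:
            return False
        return True

def decide(rules, conn, now):
    """First matching rule wins; no match means 'ask' (the pop-up dialog)."""
    for rule in rules:
        if rule.matches(conn, now):
            return rule.action, rule.name
    return "ask", None

# Constructed rules: paths, hosts, UIDs and times are illustrative only.
RULES = [
    Rule("ntp-wildcard", "allow", path="/usr/lib/systemd/systemd-timesyncd",
         host="*.ntp.domain.tld"),
    Rule("curl-dev-only", "allow", path="/usr/bin/curl", uid=1001),
    Rule("installer-5min", "allow", path="/tmp/installer", expires_at=1_000_300.0),
]

# Constructed connection events: (label, connection, wall-clock time).
EVENTS = [
    ("second ntp pool host", {"path": "/usr/lib/systemd/systemd-timesyncd", "host": "1.ntp.domain.tld", "uid": 0}, 1_000_000.0),
    ("curl as dev user", {"path": "/usr/bin/curl", "host": "api.example.test", "uid": 1001}, 1_000_000.0),
    ("curl as normal user", {"path": "/usr/bin/curl", "host": "api.example.test", "uid": 1000}, 1_000_000.0),
    ("installer inside window", {"path": "/tmp/installer", "host": "cdn.example.test", "uid": 1000}, 1_000_100.0),
    ("installer after expiry", {"path": "/tmp/installer", "host": "cdn.example.test", "uid": 1000}, 1_000_400.0),
]
```

Run `decide(RULES, conn, now)` over each entry of `EVENTS`: the curl call from the normal user and the installer after its window has closed both fall through to "ask", which is the prompt the thread is discussing.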



This sounds rather silly. If this is really a concern, then "curl" or "wget" can be renamed. I use an application level firewall on mobile and I do not "whitelist" names of programs, I "whitelist" access to certain domain names/IP addresses by certain programs.

The easiest way to stop programs/malware from phoning home IME is to deny access to DNS. I have been doing this for decades and it still works flawlessly. "99%" of the time programs/malware that phone home rely on DNS, not "hard-coded" IP addresses. And it is quite easy for me to detect the rare case of a program/malware that does not need DNS.

With DNS I "whitelist" certain domain names. In fact today I do not even use a locally-served zone file with the IP addresses I need (the whitelist); a forward proxy handles the domain to IP address mapping, the whitelist loaded by the proxy is a text file, like a zone file but simpler.



I wonder if there's a way to configure it so that when the parent cmd is a trusted command (say, a bash/zsh owned by the user), it could let the curl command through and otherwise block it. But yeah, that seems like a bit of a hassle.



The bash command line wouldn't be the same as the one launched by your terminal, though. But yes, I’m sure there are myriad exploits around something like that.



What could work instead is something where you run a command like `opensnitch-context dev` and it would talk to the running daemon to do proper authentication ("do you want to allow this context to be used?") and then hopefully some other magic (cgroups?) to know if the processes are part of that context even if they are sparse/nested child processes.



Or be ok with filtering HTTP/TLS traffic based on the domain only, as that part isn't encrypted (the SNI [Server Name Indication]). OpenSnitch should be able to allow/disallow based on that, rather than having to decrypt the TLS part.



A sudo-like wrapper for this could be pretty cool.

It still will capture when processes unexpectedly try to connect to the network for the first time, and there is some value in that, even if the popups aren't great.



I'm early in my Linux journey. Would it be a good approach to symlink bash to some new name, say, snitch, then do

    snitch -c "curl blah.blah"

Is there a better way without writing code?


I wish OpenSnitch had a temporary allow feature for things like:

- allow a specific parent structure, e.g. when the python interpreter is invoked by a different parent command

- allow a specific process ID temporarily until the process is killed (both with allowing/disallowing child processes)

- allow a specific target port range for games, and not only a specific port in the rulesets.

...because I feel that 99% of the annoying dialogues could have been avoided with this.



Is the filter configured per user, or is it system-wide? I know you can filter per-user with iptables and whatever the newer one is, but I haven't dug that deep into OpenSnitch. Maybe a single trusted user account without a login that you could su into? I wonder if you could also whitelist a VM process and spin up single-use VM sandboxes to use when you want to do a bunch of work like that.

Definitely a minor hassle to set up compared to just saying yes or no to permissions, but it's not complicated, if it works.



I switched from Qubes OS to Fedora+Flatpak+OpenSnitch. Couldn't make it run Wayland on my hybrid GPU system (Nvidia). Qubes OS drained the battery very quickly, and since graphics is AFAIK software rendered, I've gotten into problems watching HD videos (e.g. a lot of dropped frames on YouTube).



This is what finally got me over to NixOS. In the past when I've used application firewalls it's a lot of setup that often breaks on updates changing paths, or I have to redo it all whenever I move to a new computer. Just tons and tons of churn and wasted effort.

By integrating with the package manager that hasn't been an issue. Once I got through the initial work of setting up my whitelists I just have a little bit of effort each time I add a new package to my nix configs. If I don't want to take on the effort of adding a whitelist to my nix config, I can just add a temporary whitelist that lasts until the next reboot.

It was a steep learning curve and a lot of work, but now it's a breeze to maintain.



I'd love something sorta like this but for Docker containers running APIs or web services. Like:

containerA: all outbound traffic allowed

containerB: no outbound traffic allowed, except to reply to a client

containerC: may only reach out to updates.example.com

Is this just per-container iptables? I could wedge iptables into existing images but it seems like a lot of work.

Or maybe something with iptables on the host?



I have heard good things about this one. But I think this is one of those no-root firewalls that uses the VPN, so I figure this means I can't use a VPN at the same time.

An alternative android root only option is afwall+ which allows blocking on lte, WiFi, lan, and VPN separately, and script access to iptables. Not sure how actively developed it is, but it seems to work ok.

*edit: Seems to still be active, open source, and available on fdroid too.

https://github.com/ukanth/afwall



Netguard is fantastic, although it takes a while to get a safe setup working. I'm blocking traffic by default and get to see all the blocked connection attempts - the extent to which apps transmit data to various parties is depressing. Netguard should be a standard OS feature.



"Small payment" is an understatement :)

"You can get all current and future NetGuard pro features (including updates) without Google Play services for the GitHub or F-Droid version by a one time donation of € 0.10 or more. If you donate 7 euros or more, you can activate the pro features on all Android devices you personally own, else you can activate the pro features one time only."



Sadly all real firewalls need root. I was using AFWall+ for a long time; it has neat controls for every app to allow or deny Wifi, Cell or LAN (if you have it). It is an iptables/nftables frontend so you can customize the rules to your heart's content: https://github.com/ukanth/afwall Works from Android 2+.

Without root only VPN solutions like Adguard are available.

EDIT: if you want neat stats: Glasswire has an Android version. I have only used the beta so I have no idea about its current state. Might be worth checking out though.



ex-AOSP and rethink dns+firewall dev here

> Sadly all real firewalls need root

What do you mean by a "real" firewall? It is very much possible to build a userspace firewall in Android using the VPN APIs.

On Android, ROMs like GrapheneOS, Lineage, and CalyxOS have firewalls built-in.

> Glasswire has an Android version

Note though, Glasswire was recently acquired by another company: https://archive.is/KW2R3



I thought parts of the Android OS can bypass the VPN, so the firewall becomes ineffective at blocking Google, OEMs, and others that have root. Wouldn't the VPN API being used as a firewall also prevent one from using a VPN client at the same time?



> Note though, Glasswire was recently acquired by another company

Ah that's why the premium stuff is now free. I was wondering. Let's hope it's not the first sign of enshittification.

> What do you mean by a "real" firewall?

In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

It's a sad state that you cannot even set a static IPv6 on Android without root.



I agree with the first sentence. I cannot even begin to comprehend what semantics you were trying to convey with the second sentence however. I am also lacking all context to be able to understand (compromised in what sense, by whom and to what degree? which border? what is "fuckery" defined as?).

I appreciate you trying to add to the discussion but in this case you leave me with way more questions than I started out with which I personally perceive as an unwanted mental overhead.



My non-root solution is to use NextDNS or ControlD with "private DNS" (DNS over TLS).

Doesn't stop direct IP connections, but it's good enough.

I also have the CLI installed on OpnSense so DoH is enforced for all devices on my LAN as well.



OpenSnitch prompts you when there's network activity. So if a random app makes a telemetry call or something, you get the option to white/greylist that connection with granularity, like OK to make a connection to that address from this executable etc., or always OK to this address, and with duration options like once/for 15 seconds, until reboot etc. Once you get over the hurdle of whitelisting the apps you use and trust, it's actually pretty nice and gives you good insight into what your apps/games are doing that you otherwise wouldn't have known about.



This is great for catching sloppy apps that make an excessive number of connections. Thunderbird, I’m looking at you.

I like it, but it has a small annoyance in that the temporary rules that have expired don’t get deleted or marked in the interface. So I have to restart the gui once in a while to clear them.



I also feel the same way re: UX polish. I haven't bought Little Snitch yet, but was kind of wondering if I even needed to. I've already got a Pi-hole on my tailnet that blocks a fair amount of things, and then uBlock Origin on Firefox to boot. If LS were only like $20 I'd probably just buy it for the pleasing graphs, but otherwise I'm not sure what extra value it adds. There's probably a use case for it given the other things I have, but perhaps I'm not the target audience.



Is there any plan to port this to macOS? I've used Little Snitch (which this is obviously influenced by) for a while, but really prefer open source (for reasons unrelated to payment).



Researching every connection is painstaking at first across various operating systems but a tool like this really helps you get familiar with what is normal and what is not.
