
Rules editor

Gustavo Iñiguez Goia edited this page Nov 11, 2020 · 10 revisions

Rules can be edited from the GUI, by clicking on the name of the rule:


(Since v1.2.0, all rule comparisons are case-insensitive by default for destination host, process path and process arguments.)

Parameters

[x] Enable - Enables or disables the rule.

[x] Priority - Indicates that this rule has precedence over the rest.

[x] Case sensitive - Make the comparison case-sensitive for ALL fields.

[x] Duration - Always writes the rule to disk.


Each field can be a literal value or a regular expression.

Some examples:

  • Filtering by multiple ports:

    [x] To this port: ^(53|80|443)$

    targets ports 53 OR 80 OR 443.

    [x] To this port: ^555[12345]$

    targets ports 5551, 5552, 5553, 5554 OR 5555.

  • Filtering by an exact domain, and nothing else: [x] To this host: github.com (will match only github.com, not www.github.com, etc)

  • Filtering by a domain and its subdomains: [x] To this host: .*\.github.com

  • Filtering an executable path:

    [x] From this executable: /usr/bin/python3

    (warning: /usr/bin/python3.6, /usr/bin/python3.7, /usr/bin/python3.8, etc. won't match this rule)

  • Allow common system commands:

    Name: 000-allow-system-cmds
    Action: Allow
    [x] Priority rule
    [x] From this executable: ^(/usr/sbin/ntpd|/lib/systemd/systemd-timesyncd|/usr/bin/xbrlapi|/usr/bin/dirmngr)$
    [x] To this port: ^(53|123)$
    [x] From this User ID: ^(0|115|118)$
    
  • Blocking connections made by executables launched from /tmp:

    Action:                   Deny
    [x] From this executable: /tmp/.*
    
  • Filtering an executable path with regexp, for example any python binary in /usr/bin/:

    [x] From this executable: ^/usr/bin/python[0-9\.]*$

    Case insensitive rules:

    [x] From this executable: (?i:.*ping)

  • Filtering LAN IPs or multiple ranges: ^(127\..*|172\..*|192\.168\..*|10\..*)$

See these issues for some discussions and more examples: #17, #31, #73

Note: Don't use "," to specify domains, IPs, etc. It's not supported. For example this won't work (it could be added if you complain loud enough):

[x] To this host: www.example.org, www.test.me


Python regular expression documentation

Golang regular expression documentation

Golang regular expression syntax

Note: Golang's regexp package does not support Perl lookaround syntax (like (?!...)).

However, you can use negated character classes. For example, to block all outgoing connections except those to localhost:

[x] Action: deny

[x] To this destination IP: [^:127.0.0.1:]
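As an added check (not part of this wiki page or of OpenSnitch's own code), the Go program below runs the page's example patterns against constructed sample values with Go's regexp package, the engine the daemon uses. It assumes that a field containing a regex metacharacter other than "." is a regex tested with MatchString and that any other field is compared as a literal; FieldMatches and the heuristic are hypothetical. It also shows the limit of the negated-class localhost rule: any address made only of the characters ":127.0" (such as 10.0.0.1) is not matched, so the deny rule does not cover it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// FieldMatches reports whether a rule field matches a connection value.
// Assumption (hypothetical, not OpenSnitch's own code): a field containing a
// regex metacharacter other than "." is a regex tested with MatchString;
// anything else is a literal compared for equality. Comparisons are
// case-insensitive unless the rule is marked "Case sensitive".
func FieldMatches(field, value string, caseSensitive bool) (bool, error) {
	if !strings.ContainsAny(field, `^$*+?()[]{}|\`) {
		if caseSensitive {
			return field == value, nil
		}
		return strings.EqualFold(field, value), nil
	}
	if !caseSensitive {
		field = "(?i)" + field
	}
	re, err := regexp.Compile(field)
	if err != nil {
		return false, err
	}
	return re.MatchString(value), nil
}

func main() {
	// Constructed sample values, paired with the result the regex produces.
	checks := []struct{ field, value string; want bool }{
		{`^(53|80|443)$`, "443", true},
		{`^(53|80|443)$`, "4430", false},
		{`github.com`, "www.github.com", false}, // literal: exact host only
		{`.*\.github.com`, "www.github.com", true},
		{`^/usr/bin/python[0-9\.]*$`, "/usr/bin/python3.8", true},
		{`(?i:.*ping)`, "/usr/bin/PING", true},
		// The negated class only matches strings holding a character outside
		// ":127.0", so the deny rule misses 10.0.0.1 and 127.0.0.2.
		{`[^:127.0.0.1:]`, "127.0.0.1", false},
		{`[^:127.0.0.1:]`, "192.168.1.5", true},
		{`[^:127.0.0.1:]`, "10.0.0.1", false},
	}
	for _, c := range checks {
		got, err := FieldMatches(c.field, c.value, false)
		fmt.Printf("%-26s %-18s match=%v (expected %v, err=%v)\n", c.field, c.value, got, c.want, err)
	}
}
```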


Unconditionally blocking lists

As of v1.0.0rc10 there's no support for blocking or allowing connections ignoring the rest of the rules (see #36).

But you can achieve it using iptables:

  • Allow ICMP: iptables -t mangle -I OUTPUT -p icmp -j ACCEPT

  • Allow localhost connections: iptables -t mangle -I OUTPUT -d 127.0.0.1 -j ACCEPT

Note on allowing all connections to localhost:

While it might seem obvious to allow everything to localhost, be aware that you might want to allow only certain connections/programs:

https://github.com/gustavo-iniguez-goya/opensnitch/wiki/OpenSnitch-in-action