Skip to content

Rules editor

Jump to bottom
Gustavo Iñiguez Goia edited this page Oct 20, 2020 · 10 revisions

Rules can be edited from the GUI, by clicking on the name of the rule:

image

image

Each field can be literal or a regex expression.

Since 19/10/2020, all rules comparison are case-insensitive for destination host, process path and process arguments.

Some examples:

  • Filtering by several ports using this regex:

    [x] To this port: ^(53|80|443)$

    targets ports 53 OR 80 OR 443.

    [x] To this port: ^555[12345]$

    targets ports 5551, 5552, 5553, 5554 OR 5555.

  • Filtering an exact domain, and nothing else: [x] To this host: github.com

  • Filtering a domain and its subdomains: [x] To this host: .*\.github.com

  • Filtering an executable path:

    [x] From this executable: /usr/bin/python3

    (/usr/bin/python3.6/3.7/3.8/etc won't match this rule)

  • Blocking connections made by executables launched from /tmp:

    Action: Deny

    [x] From this executable: /tmp/.*

  • Filtering an executable path with regexp, for example any python binary in /usr/bin/:

    [x] From this executable: /usr/bin/python[0-9\.]*$

    Case insensitive rules:

    [x] From this executable: (?i:.*ping)

  • Filter LAN IPs or multiple ranges: ^(127..|172..|192.168..|10..)$

See these issues for some discussions: #17, #31, #73

Note: Don't use , to specify domains, IPs, etc. It's not supported. For example this won't work:

[x] To this host: www.example.org, www.test.me

Python regular expression documentation

Golang regular expression documentation

Golang regular expression syntax

Note: Golang does not support Perl syntax (like (?!...))

However you can use negated chars classes. For example, block all outgoing connections, except those to localhost:

[x] Action: deny

[x] To this destination IP: [^:127.0.0.1:]

Unconditionally blocking lists

As of v1.0.0rc10 there's no support for blocking or allowing connections ignoring the rest of the rules (see #36).

But you can achieve it using iptables:

  • Allow ICMP: iptables -t mangle -I OUTPUT -p icmp -j ACCEPT

  • Allow localhost connections: iptables -t mangle -I OUTPUT -d 127.0.0.1 -j ACCEPT

Note on allowing all connections to localhost:

While it might be seem obvious to allow everything to localhost, be aware that you might want to allow only certain connections/programs:

https://github.com/gustavo-iniguez-goya/opensnitch/wiki/OpenSnitch-in-action

  1. Installation
  2. Getting started
    1. Events window
    2. Process monitor dialog
  3. Configuration
    1. Monitor method: audit
    2. Rules
    3. Rules editor
    4. System rules
  4. Compilation
    1. Cross-compilation for arm
    2. Building packages with pbuilder
  5. GUI translations
    1. Adding, updating and installing translations
  6. FAQs and common errors
    1. Known problems
    2. FAQs
    3. Why OpenSnitch does not intercept application XXX
  7. Examples OpenSnitch in action
Clone this wiki locally