OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Requirements

You'll need a GNU/Linux distribution whose kernel supports iptables with the NFQUEUE target and conntrack match, and ftrace (kernel options CONFIG_NETFILTER_XT_TARGET_NFQUEUE, CONFIG_NF_CONNTRACK and CONFIG_FTRACE; ftrace is exposed through debugfs under /sys/kernel/debug/tracing).

Install

sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5 python3-gi python3-dbus python3-pyinotify
cd opensnitch
sudo python3 setup.py install

Run

sudo -HE opensnitchd
opensnitch-qt

Known Issues / Future Improvements

Before opening an issue, keep in mind that the current implementation is just an experiment to test the feasibility of the project; future improvements of OpenSnitch will include:

Split the project into opensnitchd, opensnitch-ui and opensnitch-ruleman:

  • opensnitchd will be a daemon (C++? TBD) running as root and holding the main logic. It'll fix this.
  • opensnitch-ui will be a (Python?) UI running as a normal user and receiving the daemon's messages. It'll fix this.
  • opensnitch-ruleman will be a (Python?) UI for rule editing.

How Does It Work

OpenSnitch is an application-level firewall: while it is running, it detects every outgoing connection that the applications the user is running create, and alerts the user. This is very effective for detecting and blocking unwanted connections on your system, such as those caused by a security breach, and it makes data exfiltration much harder for an attacker. To do that, OpenSnitch relies on NFQUEUE, an iptables target/extension which lets a userland program intercept IP packets and issue a verdict (ACCEPT or DROP) on each one. Once started, it installs the following iptables rules (shown as rule bodies, without the leading iptables -I):

OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass

This uses the conntrack iptables match to pass the first packet of every newly created connection (state NEW) to NFQUEUE number 0, the queue OpenSnitch is listening on. Note the --queue-bypass flag: if no userspace program is bound to the queue, the kernel accepts the packet instead of dropping it, so the firewall fails open whenever opensnitchd is not running. Then:

INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

This also passes incoming DNS responses (UDP packets with source port 53) to OpenSnitch, which lets it build IP -> hostname mappings passively, without performing active DNS queries itself. Only plain UDP answers on port 53 are seen this way; lookups made over TCP, through DNS-over-HTTPS/TLS, or against a resolver on a non-standard port are not.
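The following is an added example, not OpenSnitch's own code, of what a program on the receiving end of those two rules does: decode the IPv4 packet the kernel queued, learn IP -> hostname mappings from the UDP source-port-53 answers, and return a verdict for each new connection. The rule format, the default-deny verdict (where the real tool prompts the user) and the Sniffer class are my assumptions; the packets are constructed inline so the example runs without root or an NFQUEUE binding.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def parse_ipv4(pkt):
    """Decode the IPv4 header plus the two transport ports of a raw packet.
    Raises ValueError for anything that is not a well-formed IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("not a usable IPv4 packet")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "l4": pkt[ihl:]}

def _read_name(msg, off):
    """Read a DNS name at msg[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        if n & 0xC0 == 0xC0:                      # pointer: the name ends 2 bytes after it
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def learn_from_dns_response(msg, cache):
    """Passively record ip -> queried name from the A records of a DNS answer."""
    if len(msg) < 12:
        return
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:      # not a response, or RCODE != 0
        return
    off, qname = 12, None
    for _ in range(qd):
        name, off = _read_name(msg, off)
        off += 4                                  # skip QTYPE, QCLASS
        qname = qname or name
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4 and qname:   # A record
            cache[socket.inet_ntoa(rdata)] = qname

class Sniffer:
    """Verdict logic for the packets the two iptables rules hand to queue 0 (assumed design)."""
    def __init__(self, rules):
        self.rules = rules           # (hostname or ip, port or None, "accept"/"drop")
        self.dns_cache, self.log = {}, []

    def handle(self, raw):
        try:
            p = parse_ipv4(raw)
        except ValueError:
            return "drop"            # fail closed on what we cannot parse
        if p["proto"] == IPPROTO_UDP and p["sport"] == 53:
            learn_from_dns_response(p["l4"][8:], self.dns_cache)   # skip 8-byte UDP header
            return "accept"          # DNS answers are observed, not filtered
        host = self.dns_cache.get(p["dst"], p["dst"])
        verdict = self.decide(host, p["dst"], p["dport"])
        self.log.append((p["proto"], host, p["dport"], verdict))
        return verdict

    def decide(self, host, ip, port):
        for target, rport, action in self.rules:
            if target in (host, ip) and rport in (None, port):
                return action
        return "drop"                # default deny; the real tool would prompt the user here

# --- constructed traffic so the example runs offline (not captured data) ---
def _encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_dns_response(qname, ips, txid=0x1234):
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    q = _encode_name(qname) + struct.pack("!HH", 1, 1)
    ans = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return hdr + q + ans

def build_ipv4(proto, src, dst, sport, dport, payload=b""):
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:                            # bare TCP SYN: the first packet of a NEW connection
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

def demo():
    """One DNS answer, then two new TCP connections; returns (cache, verdicts, log)."""
    s = Sniffer(rules=[("example.net", 443, "accept")])
    v = [s.handle(build_ipv4(IPPROTO_UDP, "192.0.2.53", "10.0.0.5", 53, 40000,
                             build_dns_response("example.net", ["192.0.2.10"]))),
         s.handle(build_ipv4(IPPROTO_TCP, "10.0.0.5", "192.0.2.10", 51000, 443)),
         s.handle(build_ipv4(IPPROTO_TCP, "10.0.0.5", "192.0.2.20", 51001, 443))]
    return s.dns_cache, v, s.log

if __name__ == "__main__":
    print(demo())
```

Binding this to the real queue needs root and the rules above; with the python-netfilterqueue package (API as I recall it, check against the library) the loop is roughly `nfq = NetfilterQueue(); nfq.bind(0, callback); nfq.run()`, where the callback calls `pkt.accept()` or `pkt.drop()` according to `Sniffer.handle(pkt.get_payload())`. Because the second connection in demo() goes to an address no DNS answer was seen for, it is logged by bare IP, which is exactly what a process that resolves names elsewhere (or hard-codes its C2 address) looks like.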

Once a new connection is detected, the software relies on ftrace in order to find out which PID (and therefore which process) is creating it.
If ftrace is not available on your kernel, OpenSnitch falls back to the /proc filesystem. That method also works, but it is vulnerable to application path manipulation, as described in the linked issue, and it is inherently racy: the /proc scan happens after the packet has been queued, so a short-lived process may already have exited, or its PID been reused, by the time the lookup runs. Running OpenSnitch on an ftrace-enabled kernel is therefore strongly recommended.
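As an added example (not OpenSnitch's own code) of the /proc fallback described above: walk /proc/net/tcp to find the socket inode for the local endpoint of a new connection, then walk /proc/<pid>/fd to find the process holding that inode, and finally read /proc/<pid>/exe. The /proc/net/tcp lines and the fd tables below are constructed sample data; the live reader read_fd_targets() is included but not exercised, and the "(deleted)" check is my own rule for treating an executable that was unlinked after exec as untrustworthy.

```python
import os
import socket
import struct

def _decode_addr(hexaddr):
    """'0500000A:D431' -> ('10.0.0.5', 54321). The kernel prints IPv4 in host byte order
    (little-endian on x86) and the port in big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def find_socket_inode(proc_net_tcp, local_ip, local_port):
    """Return the inode of the socket bound to local_ip:local_port, or None.
    Field 9 of each /proc/net/tcp row is the inode; a just-opened connection has
    state 02 (SYN_SENT), which is what the NFQUEUE rule for NEW packets sees."""
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if _decode_addr(fields[1]) == (local_ip, local_port):
            return int(fields[9])
    return None

def find_pid_for_inode(inode, fd_targets):
    """fd_targets maps pid -> list of readlink() results for /proc/<pid>/fd/*.
    Returns the first pid holding 'socket:[<inode>]', else None."""
    wanted = f"socket:[{inode}]"
    for pid, targets in fd_targets.items():
        if wanted in targets:
            return pid
    return None

def read_fd_targets(proc_root="/proc"):
    """Live reader producing fd_targets. Tolerates processes that exit mid-scan and
    fd directories we are not allowed to read (EACCES when not root)."""
    out = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            out[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return out

def exe_is_trustworthy(exe_link):
    """Assumed policy: only an absolute, still-existing executable path may match a rule.
    readlink('/proc/<pid>/exe') appends ' (deleted)' when the binary was unlinked after exec."""
    return exe_link is not None and exe_link.startswith("/") and not exe_link.endswith(" (deleted)")

def process_for_connection(local_ip, local_port, proc_net_tcp, fd_targets, exe_links):
    """Full fallback chain: local endpoint -> inode -> pid -> executable path.
    exe_links maps pid -> readlink('/proc/<pid>/exe'). Any step that fails returns None,
    which a caller must treat as 'unknown process', never as 'allowed'."""
    inode = find_socket_inode(proc_net_tcp, local_ip, local_port)
    pid = None if inode is None else find_pid_for_inode(inode, fd_targets)
    if pid is None:
        return None
    return pid, exe_links.get(pid)

# Constructed sample: one SYN_SENT connection from 10.0.0.5:54321 to 192.0.2.10:443
# (inode 123456) and a listening sshd socket; pid 4242 holds the connecting socket.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0500000A:D431 0A0200C0:01BB 02 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0\n"
)
SAMPLE_FD_TARGETS = {1: ["/dev/null"], 4242: ["/dev/null", "/dev/pts/0", "socket:[123456]"]}
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd", 4242: "/usr/bin/curl"}

def demo():
    known = process_for_connection("10.0.0.5", 54321, SAMPLE_PROC_NET_TCP, SAMPLE_FD_TARGETS, SAMPLE_EXE_LINKS)
    gone = process_for_connection("10.0.0.5", 1, SAMPLE_PROC_NET_TCP, SAMPLE_FD_TARGETS, SAMPLE_EXE_LINKS)
    return known, gone

if __name__ == "__main__":
    print(demo())
```

The path-manipulation problem the text refers to shows up at the last step: whatever string is used to identify the process (here the resolved exe path) is only as good as the rule that consumes it, so a rule should match on the full resolved path rather than the basename, and a None or "(deleted)" result should be presented to the user as an unknown process rather than silently matched against an allow rule.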
