OpenSnitch: Difference between revisions

(3 intermediate revisions by one other user not shown)

Line 3:

== Installation ==

Add following line to your system configuration to install and enable OpenSnitch

Add the following line to your system configuration to install and enable OpenSnitch:

Line 9:

</syntaxhighlight>

OpenSnitch will start blocking ~~connctions~~ as soon the client application <code>opensnitch-ui</code> is connected. For [[Home-Manager]] users, you can automatically start it in the background with the following configuration

OpenSnitch will start blocking connections as soon as the client application <code>opensnitch-ui</code> is connected. For [[Home Manager]] users, you can automatically start it in the background with the following configuration:

Line 17:

</syntaxhighlight>

Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking to grant or deny connectivity for the specific application.

Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking you to grant or deny connectivity for the specific application.

== Configuration ==

~~{{Note|Parts of this instruction and module~~ are ~~not yet stable~~ and will be ~~available in the upcoming NixOS 23.05 release~~.}}

You can preconfigure which connections are allowed or blocked by default. The following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require a manual exception.

You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require an manual exception.

<syntaxhighlight lang="nix" line="1">services.opensnitch = {

enable = true;

rules = {

services.opensnitch = {

systemd-timesyncd = {

enable = true;

created = "2018-04-07T14:13:27.903996051+02:00";

rules = {

name = "systemd-timesyncd";

systemd-timesyncd = {

enabled = true;

name = "systemd-timesyncd";

action = "allow";

enabled = true;

duration = "always";

action = "allow";

operator = {

duration = "always";

type ="simple";

operator = {

sensitive = false;

type ="simple";

operand = "process.path";

sensitive = false;

data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";

operand = "process.path";

data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";

};

systemd-resolved = {

};

name = "systemd-resolved";

systemd-resolved = {

enabled = true;

created = "2018-04-07T14:13:27.903996051+02:00";

action = "allow";

name = "systemd-resolved";

duration = "always";

enabled = true;

operator = {

action = "allow";

type ="simple";

duration = "always";

sensitive = false;

operator = {

operand = "process.path";

type ="simple";

data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";

sensitive = false;

};

operand = "process.path";

data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";

};

</syntaxhighlight>

};</syntaxhighlight>

Please refer [https://github.com/evilsocket/opensnitch/wiki/Rules upstream documentation] for configuration syntax and additional examples.

Please refer to the [https://github.com/evilsocket/opensnitch/wiki/Rules upstream documentation] for configuration syntax and additional examples.

[[Category:Applications]]

[[Category:Security]]

@@ Line 3: / Line 3: @@
 == Installation ==
-Add following line to your system configuration to install and enable OpenSnitch
+Add the following line to your system configuration to install and enable OpenSnitch:
 <syntaxhighlight lang="nix">
@@ Line 9: / Line 9: @@
 </syntaxhighlight>
-OpenSnitch will start blocking connctions as soon the client application <code>opensnitch-ui</code> is connected. For [[Home-Manager]] users, you can automatically start it in the background with the following configuration
+OpenSnitch will start blocking connections as soon as the client application <code>opensnitch-ui</code> is connected. For [[Home Manager]] users, you can automatically start it in the background with the following configuration:
 <syntaxhighlight lang="nix">
@@ Line 17: / Line 17: @@
 </syntaxhighlight>
-Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking to grant or deny connectivity for the specific application.
+Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking you to grant or deny connectivity for the specific application.
 == Configuration ==
-{{Note|Parts of this instruction and module are not yet stable and will be available in the upcoming NixOS 23.05 release.}}
+You can preconfigure which connections are allowed or blocked by default. The following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require a manual exception.
-You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require an manual exception.
+<syntaxhighlight lang="nix" line="1">services.opensnitch = {
+  enable = true;
-<syntaxhighlight lang="nix">
+  rules = {
-  services.opensnitch = {
+    systemd-timesyncd = {
-    enable = true;
+      created = "2018-04-07T14:13:27.903996051+02:00";
-    rules = {
+      name = "systemd-timesyncd";
-      systemd-timesyncd = {
+      enabled = true;
-        name = "systemd-timesyncd";
+      action = "allow";
-        enabled = true;
+      duration = "always";
-        action = "allow";
+      operator = {
-        duration = "always";
+        type ="simple";
-        operator = {
+        sensitive = false;
-          type ="simple";
+        operand = "process.path";
-          sensitive = false;
+        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
-          operand = "process.path";
-          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
-        };
        };
-      systemd-resolved = {
+    };
-        name = "systemd-resolved";
+    systemd-resolved = {
-        enabled = true;
+      created = "2018-04-07T14:13:27.903996051+02:00";
-        action = "allow";
+      name = "systemd-resolved";
-        duration = "always";
+      enabled = true;
-        operator = {
+      action = "allow";
-          type ="simple";
+      duration = "always";
-          sensitive = false;
+      operator = {
-          operand = "process.path";
+        type ="simple";
-          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
+        sensitive = false;
-        };
+        operand = "process.path";
+        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
        };
      };
    };
-</syntaxhighlight>
+};</syntaxhighlight>
-Please refer [https://github.com/evilsocket/opensnitch/wiki/Rules upstream documentation] for configuration syntax and additional examples.
+Please refer to the [https://github.com/evilsocket/opensnitch/wiki/Rules upstream documentation] for configuration syntax and additional examples.
 [[Category:Applications]]
 [[Category:Security]]