OpenSnitch: Difference between revisions
imported>Onny mNo edit summary |
imported>Onny m Syntax cleanup |
||
| (One intermediate revision by the same user not shown) | |||
| Line 20: | Line 20: | ||
== Configuration == | == Configuration == | ||
You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require an manual exception. | You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries <code>systemd-resolved</code> and <code>systemd-timesyncd</code>. All other connection requests will be blocked and require an manual exception. | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
services.opensnitch = { | |||
enable = true; | |||
rules = { | |||
systemd-timesyncd = { | |||
name = "systemd-timesyncd"; | |||
enabled = true; | |||
action = "allow"; | |||
duration = "always"; | |||
operator = { | |||
type ="simple"; | |||
sensitive = false; | |||
operand = "process.path"; | |||
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; | |||
}; | }; | ||
}; | |||
systemd-resolved = { | |||
name = "systemd-resolved"; | |||
enabled = true; | |||
action = "allow"; | |||
duration = "always"; | |||
operator = { | |||
type ="simple"; | |||
sensitive = false; | |||
operand = "process.path"; | |||
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved"; | |||
}; | }; | ||
}; | }; | ||
}; | }; | ||
}; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Latest revision as of 07:54, 13 August 2023
Opensnitch is a configurable inbound and outbound firewall with support for configurable rules by application, port, host, etc.
Installation
Add following line to your system configuration to install and enable OpenSnitch
services.opensnitch.enable = true;
OpenSnitch will start blocking connctions as soon the client application opensnitch-ui is connected. For Home Manager users, you can automatically start it in the background with the following configuration
home-manager.users.myuser = {
services.opensnitch-ui.enable = true;
};
Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking to grant or deny connectivity for the specific application.
Configuration
You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries systemd-resolved and systemd-timesyncd. All other connection requests will be blocked and require an manual exception.
services.opensnitch = {
enable = true;
rules = {
systemd-timesyncd = {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
};
};
systemd-resolved = {
name = "systemd-resolved";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
};
};
};
};
Please refer upstream documentation for configuration syntax and additional examples.