OpenSnitch
Revision as of 09:48, 7 June 2023
OpenSnitch is an interactive, configurable inbound and outbound application firewall for Linux. Rules can match on the originating application (process path), destination port, destination host and other connection attributes, and connections without a matching rule are put to the user in a prompt.
Installation
Add the following line to your system configuration to install and enable the OpenSnitch daemon:
services.opensnitch.enable = true;
OpenSnitch will start blocking connections as soon as the client application opensnitch-ui is connected. For Home Manager users, you can automatically start it in the background with the following configuration:
home-manager.users.myuser = {
services.opensnitch-ui.enable = true;
};
With this minimal default configuration, any application that tries to reach the outside network is held until you decide: a popup window asks whether to allow or deny connectivity for that specific application, and for how long. Answering with a permanent choice writes a rule that is reused for later connections from the same application.
Configuration
You can preconfigure which connections are allowed or blocked by default. The following rules allow network access for the binaries systemd-resolved (DNS resolution) and systemd-timesyncd (NTP time synchronisation). All other connection requests are blocked and require a manual exception. Because the process paths are derived from the systemd package in pkgs, the rules follow the store path of the installed systemd across upgrades, which a path typed by hand into the GUI would not; lib and pkgs must therefore be available as module arguments (the usual { config, lib, pkgs, ... }: header).
services.opensnitch = {
  enable = true;
  rules = {
    systemd-timesyncd = {
      name = "systemd-timesyncd";
      enabled = true;
      action = "allow";
      duration = "always";      # persist the rule, do not prompt again
      operator = {
        type = "simple";        # exact match on the operand
        sensitive = false;      # case-insensitive comparison
        operand = "process.path";
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
      };
    };
    systemd-resolved = {
      name = "systemd-resolved";
      enabled = true;
      action = "allow";
      duration = "always";
      operator = {
        type = "simple";
        sensitive = false;
        operand = "process.path";
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
      };
    };
  };
};
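The rules above match on a single attribute. The following configuration is an added example, not part of the original page or of the OpenSnitch project, showing two tighter rule shapes in the same services.opensnitch.rules attrset: an allow rule that combines several conditions with a "list" operator (every sub-operator must match), and a deny rule using a "regexp" operator on the destination host. The binary (curl) and the host pattern (example.com) are placeholders chosen for illustration; the precedence, list and regexp fields follow the upstream rule JSON schema as the author of this example understands it, and the example assumes the NixOS module serialises the attrset to JSON unchanged, as the page's own example implies.

```nix
{ config, lib, pkgs, ... }:

{
  services.opensnitch = {
    enable = true;
    rules = {
      # Allow curl, but only to destination port 443. A "list" operator
      # applies when all of its sub-operators match, so curl to port 80
      # or to any other port falls through to the other rules (or a prompt).
      curl-https-only = {
        name = "curl-https-only";
        enabled = true;
        precedence = true;        # evaluated before non-precedence rules
        action = "allow";
        duration = "always";
        operator = {
          type = "list";
          operand = "list";
          sensitive = false;
          data = "";
          list = [
            {
              type = "simple";
              operand = "process.path";
              sensitive = false;
              data = "${pkgs.curl}/bin/curl";   # store path tracks upgrades
            }
            {
              type = "simple";
              operand = "dest.port";
              sensitive = false;
              data = "443";
            }
          ];
        };
      };

      # Deny every process that resolves a destination under example.com
      # (placeholder domain). "regexp" matches the operand against a Go
      # regular expression; the Nix string escaping yields \. in the JSON.
      deny-example-com = {
        name = "deny-example-com";
        enabled = true;
        precedence = true;
        action = "deny";
        duration = "always";
        operator = {
          type = "regexp";
          operand = "dest.host";
          sensitive = false;
          data = "^(.*\\.)?example\\.com$";
        };
      };
    };
  };
}
```

Rules with precedence = true are consulted before the ordinary ones, so the deny on dest.host takes effect even if a later, broader allow rule for the same binary exists. Note that dest.host only matches when OpenSnitch can associate a hostname with the connection (from an observed DNS response); a connection to a raw IP address is not caught by a host regexp, so pair it with a dest.ip or dest.network rule where that matters.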
Please refer to the upstream documentation for the full rule syntax and additional examples.