OpenSnitch: Difference between revisions

From NixOS Wiki
imported>Onny
Remove unstable note
imported>Onny
m Syntax cleanup
 
Line 24: Line 24:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
  services.opensnitch = {
services.opensnitch = {
    enable = true;
  enable = true;
    rules = {
  rules = {
      systemd-timesyncd = {
    systemd-timesyncd = {
        name = "systemd-timesyncd";
      name = "systemd-timesyncd";
        enabled = true;
      enabled = true;
        action = "allow";
      action = "allow";
        duration = "always";
      duration = "always";
        operator = {
      operator = {
          type ="simple";
        type ="simple";
          sensitive = false;
        sensitive = false;
          operand = "process.path";
        operand = "process.path";
          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
        };
       };
       };
      systemd-resolved = {
    };
        name = "systemd-resolved";
    systemd-resolved = {
        enabled = true;
      name = "systemd-resolved";
        action = "allow";
      enabled = true;
        duration = "always";
      action = "allow";
        operator = {
      duration = "always";
          type ="simple";
      operator = {
          sensitive = false;
        type ="simple";
          operand = "process.path";
        sensitive = false;
          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
        operand = "process.path";
        };
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
       };
       };
     };
     };
   };
   };
};
</syntaxhighlight>
</syntaxhighlight>



Latest revision as of 07:54, 13 August 2023

Opensnitch is a configurable inbound and outbound firewall with support for configurable rules by application, port, host, etc.

Installation

Add following line to your system configuration to install and enable OpenSnitch

services.opensnitch.enable = true;

OpenSnitch will start blocking connctions as soon the client application opensnitch-ui is connected. For Home Manager users, you can automatically start it in the background with the following configuration

home-manager.users.myuser = {
  services.opensnitch-ui.enable = true;
};

Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking to grant or deny connectivity for the specific application.

Configuration

You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries systemd-resolved and systemd-timesyncd. All other connection requests will be blocked and require an manual exception.

services.opensnitch = {
  enable = true;
  rules = {
    systemd-timesyncd = {
      name = "systemd-timesyncd";
      enabled = true;
      action = "allow";
      duration = "always";
      operator = {
        type ="simple";
        sensitive = false;
        operand = "process.path";
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
      };
    };
    systemd-resolved = {
      name = "systemd-resolved";
      enabled = true;
      action = "allow";
      duration = "always";
      operator = {
        type ="simple";
        sensitive = false;
        operand = "process.path";
        data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
      };
    };
  };
};

Please refer upstream documentation for configuration syntax and additional examples.