Opensnitch for Parental Controls #448

ERLindeman · 2021-06-29T19:32:36Z

ERLindeman
Jun 29, 2021

I'm aware this probably wasn't the intended use case of OpenSnitch,. but I've found it to be the only available linux firewall that can easily and accurately filter both programs and domains. I've browsed the doc and help threads thoroughly, and have not found an answer to these questions:

How can I ensure that internet traffic is not allowed without opensnitch running
How can I block all traffic from any package that is not currently installed (without prompting, i.e. prevent security measures added to chrome from being bypassed by installing firefox.)

If this isn't the proper place for this discussion, let me know and I will move it. If not, any and all help would be greatly appreciated.

Answered by gustavo-iniguez-goya

Jun 30, 2021

Hi @ERLindeman ,

How can I ensure that internet traffic is not allowed without opensnitch running

You'll have to rely on another app, like ufw, firewalld, or a custom script. Once we're not running we delete our rules, but if there's enough demand for lockdown the system, we could add it as a new feature (like running a post-exit script).

The custom script could be something like this:
monitor-opensnitch.sh

#!/bin/bash

function dropeverything()
{
    iptables -P OUTPUT DROP
}

function allowtraffic()
{
    iptables -P OUTPUT ACCEPT
}

if pgrep opensnitchd &>/dev/null; then
    echo "opensnitchd running"
    allowtraffic
else
    echo "opensnitchd not running"
    dropeverything
fi

chm…

View full answer

gustavo-iniguez-goya · 2021-06-30T22:31:23Z

gustavo-iniguez-goya
Jun 30, 2021
Collaborator

Hi @ERLindeman ,

How can I ensure that internet traffic is not allowed without opensnitch running

You'll have to rely on another app, like ufw, firewalld, or a custom script. Once we're not running we delete our rules, but if there's enough demand for lockdown the system, we could add it as a new feature (like running a post-exit script).

The custom script could be something like this:
monitor-opensnitch.sh

#!/bin/bash

function dropeverything()
{
    iptables -P OUTPUT DROP
}

function allowtraffic()
{
    iptables -P OUTPUT ACCEPT
}

if pgrep opensnitchd &>/dev/null; then
    echo "opensnitchd running"
    allowtraffic
else
    echo "opensnitchd not running"
    dropeverything
fi

chmod a+x monitor-opensnitch.sh

Add a new cron task to run the script every minute:

# cat /etc/cron.d/opensnitch
SHELL=/bin/bash
PATH=/usr/sbin:/sbin:/usr/bin
1-59 * * * * root /path/to/monitor-opensnitch.sh

How can I block all traffic from any package that is not currently installed (without prompting, i.e. prevent security measures added to chrome from being bypassed by installing firefox.)

If I understand you correctly:

mark [x] Disable pop-ups, only display an alert, and set DefaultAction to deny:

Then if you create a rule for example to allow chrome, the rest of packages regardless if they're installed or not will be blocked. A small alert will still be displayed, informing that an application has been blocked.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Opensnitch for Parental Controls #448

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Opensnitch for Parental Controls #448

ERLindeman Jun 29, 2021

Replies: 1 comment

gustavo-iniguez-goya Jun 30, 2021 Collaborator

ERLindeman
Jun 29, 2021

gustavo-iniguez-goya
Jun 30, 2021
Collaborator