Connections are always allowed after 5 seconds (GUI DefaultAction: Reject) #1017
Comments
Hi @markozajc! What's the Default Action of the daemon?
GUI -> Preferences -> Node -> Default Action
If it's Allow, change it to Deny please and try to reproduce it again. |
Hi! My default action is already set to deny. |
ok, I guess you'll have a rule to allow the DNS resolver (systemd-resolved, dnsmasq, ..). Please, modify it to allow connections only to port 53 + the DNS nameservers. |
I have done that, and curl still makes the request successfully. I don't see any successful requests in the events tab of the UI when that happens. |
I have tried disabling all of my rules, and the same thing happens. |
ok, then set LogLevel to DEBUG under Preferences->Nodes and empty the log file: Let's see if we can see with the logs what's going on. |
Here are the logs:
|
I see that there are 3 attempts to connect to zajc.eu.org:
which suggests to me that the connection attempts are being blocked while there's a pop-up displayed. That's correct. But while trying to reproduce this behaviour on a clean install, I've noticed that when the pop-up is automatically closed emitting a verdict, there's a log like this one in the log:
but these logs are not present in your log. Could you launch the GUI from a terminal, to see if there's any error when emitting a verdict? Also, there should be a rule under tab Rules -> Applications to block curl, do you have it? Any temporary rule (any rule whose Duration is not "forever") should appear under Rules -> Applications -> Temporary |
I tried running the GUI in the terminal, and there were no logs when this happens. Additionally, the pop-up doesn't close at all when this happens, but I have "Default timeout" set to 100. No rule appears until either 100 seconds elapse (for the pop-up timeout) or I click accept/reject. |
That's the expected behaviour then. The pop-up is closed when it reaches the timeout. ok, I've managed to reproduce this behaviour:
If I set default-config.json DefaultAction to allow it works as expected, it applies the DefaultAction configured on the GUI while the GUI is running. If the GUI is not running, and default-config.json DefaultAction is "deny", it also works as expected. Could you confirm this? |
Correct, if the GUI is not running curl fails, meaning DefaultAction is applied correctly. |
great, could you change these lines in /usr/lib/python3/dist-packages/opensnitch/service.py:
opensnitch/ui/opensnitch/service.py Lines 658 to 661 in 57838e8
by:
```python
if _default_action == Config.ACTION_ALLOW_IDX:
    temp_cfg['DefaultAction'] = Config.ACTION_ALLOW
else:
    temp_cfg['DefaultAction'] = Config.ACTION_DENY
```
And confirm that it works as expected? When selecting on the GUI Reject as the default action it was not applying the correct verdict. |
I have applied the change and the bug is fixed. Curl now correctly fails to get a response if I don't interact with the pop-up, and if I accept it (even past the 5 second mark), the request succeeds normally. Thanks! |
thank you very much for reporting this error @markozajc ! I'll publish new GUI packages in the following days. |
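The fix proposed in this thread resolves the GUI choice to "allow" only on an explicit Allow selection and to "deny" otherwise. The following added example (not OpenSnitch's code; the index and action constants, `fail_open_resolve`, `build_temp_config` and `audit` are constructed for illustration) contrasts that fail-closed mapping with a hypothetical fail-open one and lists which GUI indexes each lets through:

```python
# Added illustration. The constants below are constructed stand-ins and are
# not copied from OpenSnitch's Config class.
import copy

ACTION_DENY_IDX, ACTION_ALLOW_IDX, ACTION_REJECT_IDX = 0, 1, 2  # assumed GUI indexes
ACTION_ALLOW, ACTION_DENY = "allow", "deny"                      # assumed config values


def resolve_default_action(gui_index):
    """Fail closed: only the explicit Allow choice yields "allow"."""
    if gui_index == ACTION_ALLOW_IDX:
        return ACTION_ALLOW
    return ACTION_DENY


def fail_open_resolve(gui_index):
    """Hypothetical anti-pattern for contrast: only Deny is recognised, so
    Reject (or any unexpected index) silently becomes "allow"."""
    if gui_index == ACTION_DENY_IDX:
        return ACTION_DENY
    return ACTION_ALLOW


def build_temp_config(node_cfg, gui_index, resolver=resolve_default_action):
    """Return a copy of the node config with DefaultAction set from the GUI choice."""
    temp_cfg = copy.deepcopy(node_cfg)
    temp_cfg["DefaultAction"] = resolver(gui_index)
    return temp_cfg


def audit(resolver):
    """List every index other than Allow that the resolver lets through."""
    candidates = [ACTION_DENY_IDX, ACTION_REJECT_IDX, -1, 99, None]
    return [i for i in candidates if resolver(i) == ACTION_ALLOW]


if __name__ == "__main__":
    node_cfg = {"DefaultAction": "deny", "LogLevel": 0}  # constructed sample config
    print(build_temp_config(node_cfg, ACTION_REJECT_IDX))
    print("fail-closed leaks:", audit(resolve_default_action))
    print("fail-open leaks:", audit(fail_open_resolve))
```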
Describe the bug
OpenSnitch UI shows a pop-up asking for the action to take whenever the intercepted request doesn't match a rule. Regardless of my "Default timeout" and "Default options" settings, connections are let through if I don't reject or accept them in the popup.
gifine.mp4
If I reject it before 5 seconds elapse, the connection fails as expected
gifine2.mp4
Include the following information:
Linux dell 6.4.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.4.4-3 (2023-08-08) x86_64 GNU/Linux
To Reproduce
Describe in detail as much as you can what happened.
Steps to reproduce the behavior:
Expected behavior (optional)
The connection should not be accepted without accepting it in the popup first.
Additional context
The connection is not shown in the logs until I click something in the popup. If I click "Reject", it's shown as rejected in the logs, even if it wasn't actually rejected.