Opensnitch doesn't let through ICMP ECHO packets if the UI is running #500
Comments
My mistake, for some reason
👍 😉
@gustavo-iniguez-goya Actually, I'm getting the same issue for my IPv6 tunnel. Is there a known fix, or should I reopen the issue?
What's that issue about? IPv6 tunnel == VPN?
The issue is really the same as previously: ICMP ECHO requests getting dropped, but this time for IPv6 only. It's not a VPN tunnel, it's a v4tunnel, with Tunnel Broker as the endpoint provider.
yay, I see. Please, add this block to the system-fw.json file:
|
Thanks a bunch, you're a real life saver! This did the trick.
For some reason, this only worked half the time. After quite some logging and debugging, I figured out you also need this for a v4tunnel (on the ipv4 chain):

```json
"Rule": {
    "Description": "Allow icmp",
    "Table": "mangle",
    "Chain": "OUTPUT",
    "Parameters": "-p 41",
    "Target": "ACCEPT",
    "TargetParameters": ""
}
```
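To make the effect of the two system rules concrete, here is an added example (not opensnitch's own code) that renders `SystemRules` entries in the `"Rule": {...}` layout quoted above into the iptables command each one stands for, and reports which IP protocols an `ACCEPT` on `mangle OUTPUT` lets past opensnitch's interception rule. The `"SystemRules"` wrapper, the sample file, and the exact argv form (`-t TABLE -I CHAIN <Parameters> -j TARGET <TargetParameters>`) are assumptions, not taken from the project's source. The point it illustrates: on the IPv4 path, everything a 6in4 tunnel carries (the IPv6 echo requests included) is IPv4 protocol 41, so `-p icmp` alone does not cover it.

```python
"""Render opensnitch-1.4-style system rules to iptables argv and summarise
which protocols they accept ahead of the NFQUEUE interception rule.

Added example, not opensnitch's code. The JSON layout mirrors the excerpt
in this thread; the iptables invocation built from it is an assumption.
"""
import json
import shlex

# Constructed system-fw.json excerpt: the usual ICMP rule plus the "-p 41"
# rule from this thread. IANA protocol 41 is IPv6 encapsulated in IPv4
# (6in4), which is what a v4tunnel carries on the IPv4 side.
SYSTEM_FW_JSON = """
{
  "SystemRules": [
    {"Rule": {"Description": "Allow icmp", "Table": "mangle", "Chain": "OUTPUT",
              "Parameters": "-p icmp", "Target": "ACCEPT", "TargetParameters": ""}},
    {"Rule": {"Description": "Allow 6in4 tunnel", "Table": "mangle", "Chain": "OUTPUT",
              "Parameters": "-p 41", "Target": "ACCEPT", "TargetParameters": ""}}
  ]
}
"""

# Protocol names iptables accepts, mapped to their IANA numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6": 41, "gre": 47, "icmpv6": 58}


def load_rules(text):
    """Return the list of Rule dicts from a SystemRules document."""
    return [entry["Rule"] for entry in json.loads(text)["SystemRules"]]


def render_rule(rule, binary="iptables"):
    """Build the argv one rule expands to (assumed form:
    -t TABLE -I CHAIN <Parameters> -j TARGET <TargetParameters>)."""
    argv = [binary, "-t", rule["Table"], "-I", rule["Chain"]]
    argv += shlex.split(rule["Parameters"])
    argv += ["-j", rule["Target"]]
    argv += shlex.split(rule.get("TargetParameters", ""))
    return argv


def rule_protocol(rule):
    """IP protocol number a rule matches with -p/--protocol, or None."""
    args = shlex.split(rule["Parameters"])
    for i, tok in enumerate(args[:-1]):
        if tok in ("-p", "--protocol"):
            value = args[i + 1].lower()
            return int(value) if value.isdigit() else PROTO_NUMBERS.get(value)
    return None


def accepted_protocols(rules, table="mangle", chain="OUTPUT"):
    """Protocol numbers an ACCEPT rule lets through on the given chain.
    Each system rule is inserted (-I) at the top of the chain, so an ACCEPT
    there is evaluated before the NFQUEUE rule that hands packets to the
    daemon: matching traffic is never queued and never shows up in the log."""
    out = set()
    for r in rules:
        if r["Table"] == table and r["Chain"] == chain and r["Target"] == "ACCEPT":
            proto = rule_protocol(r)
            if proto is not None:
                out.add(proto)
    return out


def covers_6in4_echo(rules):
    """True when the IPv4 chain lets the tunnel's outer protocol (41) through,
    which is what carries the IPv6 echo requests discussed in the thread."""
    return 41 in accepted_protocols(rules)


if __name__ == "__main__":
    rules = load_rules(SYSTEM_FW_JSON)
    for r in rules:
        print(shlex.join(render_rule(r)))
    print("accepted protocols on mangle OUTPUT:", sorted(accepted_protocols(rules)))
    print("6in4 echo covered:", covers_6in4_echo(rules))
```

Dropping the second rule from the constructed file makes `covers_6in4_echo` return False while the ICMP rule still matches, which is the half-working state described above: native IPv4 echo passes, but echo inside the v4tunnel is queued as protocol 41 and dropped.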
Thank you @markozajc for debugging it! I'll add it to the SystemRules section on the wiki. Mmh, I've been testing for a couple of days this change #493 to intercept WireGuard VPNs. I'm wondering if the v4tunnel tunnels also go through the iptunnel_xmit() path. If they do, you should be prompted to allow or deny the connection, and you wouldn't need to add the system rule. Could you test this script with bpftrace and let me know if it outputs anything when you establish the tunnel? If the tunnel is intercepted there should be logs similar to this:
|
This is what I get on Debian's kernel:
|
Ok, comment out the kprobe for setup_udp_tunnel_sock and try again please. What version of Debian and kernel are you using?
I'm not quite sure what you mean by comment out here. Removing just the
while removing the entire
I'm on Debian 12/Bookworm/testing with kernel 5.10.0-8-amd64.
Ok, try it out with this one instead please. There's only one kprobe for iptunnel_xmit(). Anyway, I'll try to set up an IP tunnel at some point. Taking a look at the code of the modules ipip and ip_gre,
This one worked. I get entries like this:
(216.66.86.114 is Tunnel Broker's IPv4 endpoint)
Yeah! Thank you very much. When #493 gets merged we'll be able to ask users to allow or deny the tunnel connections.
oh btw, if you enable in Preferences->Nodes->[x] Debug invalid connections, does opensnitch ask to allow or deny an Outgoing connection? |
Nope. I've tried it both without and with the -p 41 rule, and it works as if the option wasn't enabled.
* Allow to intercept some kernel connections Some connections are initiated from kernel space, like WireGuard VPNs (#454), NFS or SMB connections (#502) and ip tunnels (#500). Note: This feature is complete for x86_64, WIP for aarch64, and not supported for armhf and i386 #513 (comment) More information regarding this change: #493
Greetings! I've encountered a bug in opensnitch that can cause numerous issues, including filesystem hangs for NFS and generally broken behaviour in anything networked. I have pinpointed it to opensnitch not letting through outbound ICMP ECHO packets, but it only occurs if the UI is running.
Describe the bug
Opensnitch 1.4.0 blocks all ICMP ECHO packets when the UI is running. They do not show up on the log.
To Reproduce
Steps to reproduce the behavior:
Post error logs:
N/A
Expected behavior (optional)
Outbound ICMP ECHO packets aren't filtered.
Screenshots
N/A
OS (please complete the following information):
Linux [hostname] 5.13.0-15.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 5.13-13.1~bookworm (2021-09-08) x86_64 GNU/Linux
Additional context
This bug was not present in 1.3.6, but stopped working in one of the 1.4.0 RCs (I think it was .3, tell me if you want me to pinpoint it to a specific version).