
System firewall rules not working #951

Closed
Am0g-us opened this issue May 25, 2023 · 8 comments

Comments


Am0g-us commented May 25, 2023

Please, check the FAQ and Known Problems pages before creating the bug report:
https://github.com/evilsocket/opensnitch/wiki/FAQs
https://github.com/evilsocket/opensnitch/wiki/Known-problems

Describe the bug
The system firewall settings do not work properly

Include the following information:

  • OpenSnitch version. 1.6.0rc5.r69.9f71c15-1
  • OS: [e.g. Debian GNU/Linux, ArchLinux, Slackware, ...] Arch
  • Version [e.g. Buster, 10.3, 20.04]
  • Window Manager: [e.g. GNOME Shell, KDE, enlightenment, i3wm, ...] KDE
  • Kernel version: Linux Super0 6.3.4-273-tkg-cfs-llvm #1 SMP TKG Wed, 24 May 2023 20:03:12 +0000 x86_64 GNU/Linux

To Reproduce

Steps to reproduce the behavior:

  1. Enable system firewall
  2. Set inbound to deny
  3. Make rule for port
  4. I cannot accept connections on the selected port.

Screenshots
Screenshot_1564

Additional context
The screenshot shows the created rule. I cannot accept connections on these ports. I am also attaching all the nft rules in the system. This is one rule as an example; all the others don't work either.

table inet filter {
chain input {
type filter hook input priority filter; policy accept;
udp sport 16804 accept
tcp sport 16804 accept
tcp dport 1599 udp dport 1599 tcp sport 1599 udp sport 1599 accept
tcp dport 55555 udp dport 55555 accept
tcp dport { 22067, 22070 } accept
udp dport 16804 tcp dport 16804 accept
udp sport 53 queue flags bypass to 0
}

chain forward {
type filter hook forward priority filter; policy accept;
}

chain output {
type filter hook output priority filter; policy accept;
}
}
table inet nat {
chain filter-prerouting {
type filter hook prerouting priority filter; policy accept;
}

chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
}

chain input {
type nat hook input priority 100; policy accept;
}

chain output {
type nat hook output priority 100; policy accept;
}
}
table inet mangle {
chain output {
type filter hook output priority mangle; policy accept;
icmp type { echo-reply, echo-request } accept
icmpv6 type { echo-request, echo-reply } accept
ct state related,new queue flags bypass to 0
}

chain prerouting {
type filter hook prerouting priority mangle; policy accept;
}

chain postrouting {
type filter hook postrouting priority mangle; policy accept;
}

chain forward {
type filter hook forward priority mangle; policy accept;
ct state new queue flags bypass to 0
}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
tcp dport 443 xt match "connbytes" meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 229841 bytes 31726164 xttarget "NFQUEUE"
tcp dport 80 meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 43201 bytes 20608013 xt target "NFQUEUE"
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-004ee673b012" counter packets 0 bytes 0 return
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 100 bytes 13216 xt target "MASQUERADE"
oifname != "br-004ee673b012" ip saddr 172.18.0.0/16 counter packets 68 bytes 9380 xt target "MASQUERADE"
}

chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 18094997 bytes 2429299342 jump DOCKER
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 46 bytes 5516 jump DOCKER
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}

chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}

chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-004ee673b012" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 accept
iifname "br-004ee673b012" oifname "br-004ee673b012" counter packets 0 bytes 0 accept
}

chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}

@gustavo-iniguez-goya (Collaborator) commented:

Hi @Am0g-us ,

Set inbound to deny

but according to the rules posted it's set to accept:

table inet filter {
 chain input {
  type filter hook input priority filter; policy accept;

Anyway, I'd suggest you perform a test with another port and host, for example:

Open a local port with netcat, and verify that you can connect: nc -l -p 55555 -> from another computer (or VM): telnet 1.2.3.4 55555

Then:

  1. Set inbound policy to Deny
  2. Verify that it's set to Deny (policy drop): $ sudo nft list table inet filter, and that the telnet to 55555 no longer works from the other computer.
  3. Add a new rule to allow tcp destination port 55555, and try again.

I'd also suggest stopping the docker containers, and any other service, to be sure that only opensnitch rules are present.
Don't forget to verify that those ports (22067, 22070) are listening on the host (I know I know... I had to say it, just in case... :) )


Am0g-us commented May 25, 2023

Nft after set to deny

table inet filter {
chain input {
type filter hook input priority filter; policy drop;
udp sport 16804 accept
tcp sport 16804 accept
tcp dport 1599 udp dport 1599 tcp sport 1599 udp sport 1599 accept
tcp dport 55555 udp dport 55555 accept
tcp dport { 22067, 22070 } accept
udp dport 16804 tcp dport 16804 accept
iifname "lo" accept
ct state established,related accept
udp sport 53 queue flags bypass to 0
}

chain forward {
type filter hook forward priority filter; policy accept;
}

chain output {
type filter hook output priority filter; policy accept;
}
}
table inet nat {
chain filter-prerouting {
type filter hook prerouting priority filter; policy accept;
}

chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
}

chain input {
type nat hook input priority 100; policy accept;
}

chain output {
type nat hook output priority 100; policy accept;
}
}
table inet mangle {
chain output {
type filter hook output priority mangle; policy accept;
icmp type { echo-reply, echo-request } accept
icmpv6 type { echo-request, echo-reply } accept
ct state related,new queue flags bypass to 0
}

chain prerouting {
type filter hook prerouting priority mangle; policy accept;
}

chain postrouting {
type filter hook postrouting priority mangle; policy accept;
}

chain forward {
type filter hook forward priority mangle; policy accept;
ct state new queue flags bypass to 0
}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
tcp dport 443 xt match "connbytes" meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 236330 bytes 33188057 xt target "NFQUEUE"
tcp dport 80 meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 7231115 bytes 442431910 xt target "NFQUEUE"
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-004ee673b012" counter packets 0 bytes 0 return
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 102 bytes 13488 xt target "MASQUERADE"
oifname != "br-004ee673b012" ip saddr 172.18.0.0/16 counter packets 70 bytes 9652 xt target "MASQUERADE"
}

chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 19481011 bytes 2591082678 jump DOCKER
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 47 bytes 5644 jump DOCKER
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}

chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 5 bytes 5644 return
}

chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-004ee673b012" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 5 bytes 5644 jump DOCKER-USER
counter packets 5 bytes 5644 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 accept
iifname "br-004ee673b012" oifname "br-004ee673b012" counter packets 0 bytes 0 accept
}

chain DOCKER-USER {
counter packets 5 bytes 5644 return
}
}

And I cannot access my ports (55555, 16804, 1599).
When I set the default input policy to allow, I can access these ports from outside.

@gustavo-iniguez-goya (Collaborator) commented:

mmmh, remove these rules please:

udp sport 16804 accept
tcp sport 16804 accept
tcp dport 1599 udp dport 1599 tcp sport 1599 udp sport 1599 accept
tcp dport 55555 udp dport 55555 accept
tcp dport { 22067, 22070 } accept
udp dport 16804 tcp dport 16804 accept

And add a new rule via Firewall -> New rule with these parameters:
DPORT == 16804, TCP
DIRECTION: IN
ACCEPT

If the port is not TCP use UDP, but only add 1 rule of DST PORT.


Am0g-us commented May 25, 2023

I removed them and set up separate rules, and I can accept connections from outside.

table inet filter {
chain input {
type filter hook input priority filter; policy drop;
udp dport 55555 accept
tcp dport 55555 accept
iifname "lo" accept
ct state established,related accept
udp sport 53 queue flags bypass to 0
}

chain forward {
type filter hook forward priority filter; policy accept;
}

chain output {
type filter hook output priority filter; policy accept;
}
}
table inet nat {
chain filter-prerouting {
type filter hook prerouting priority filter; policy accept;
}

chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
}

chain input {
type nat hook input priority 100; policy accept;
}

chain output {
type nat hook output priority 100; policy accept;
}
}
table inet mangle {
chain output {
type filter hook output priority mangle; policy accept;
icmp type { echo-reply, echo-request } accept
icmpv6 type { echo-request, echo-reply } accept
ct state related,new queue flags bypass to 0
}

chain prerouting {
type filter hook prerouting priority mangle; policy accept;
}

chain postrouting {
type filter hook postrouting priority mangle; policy accept;
}

chain forward {
type filter hook forward priority mangle; policy accept;
ct state new queue flags bypass to 0
}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
tcp dport 443 xt match "connbytes" meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 245913 bytes 35187686 xt target "NFQUEUE"
tcp dport 80 meta mark & 0x40000000 != 0x40000000 xt match "set" counter packets 7246522 bytes 457027381 xt target "NFQUEUE"
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-004ee673b012" counter packets 0 bytes 0 return
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 141 bytes 18386 xt target "MASQUERADE"
oifname != "br-004ee673b012" ip saddr 172.18.0.0/16 counter packets 88 bytes 12032 xt target "MASQUERADE"
}

chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 22763371 bytes 2986850488 jump DOCKER
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 70 bytes 8402 jump DOCKER
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}

chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 1400 bytes 1229100 return
}

chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-004ee673b012" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 1400 bytes 1229100 jump DOCKER-USER
counter packets 1400 bytes 1229100 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "br-004ee673b012" counter packets 0 bytes 0 jump DOCKER
iifname "br-004ee673b012" oifname != "br-004ee673b012" counter packets 0 bytes 0 accept
iifname "br-004ee673b012" oifname "br-004ee673b012" counter packets 0 bytes 0 accept
}

chain DOCKER-USER {
counter packets 1400 bytes 1229100 return
}
}

Screenshot_1565

@gustavo-iniguez-goya (Collaborator) commented:

great! did you try it with the other ports?


Am0g-us commented May 26, 2023

If I create a rule for tcp and udp at the same time, I cannot accept connections. If I create separate rules for tcp and udp, I can accept connections

@gustavo-iniguez-goya (Collaborator) commented:

Ok! For now you'll have to do it in this way. Adding a rule for both udp and tcp on the same rule is not supported.

I'll investigate how to do it.
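Editor's note with an added example (my own code, not OpenSnitch's or nftables'): the rulesets posted above already show why the combined rule fails. In nft every expression of a rule is ANDed, so `tcp dport 55555 udp dport 55555 accept` requires a packet that is both TCP and UDP and can never match; the kernel loads it without complaint, and under `policy drop` the port simply stays closed, which is exactly what the reporter saw. The model below parses the small rule subset seen in this thread plus the standard nftables idiom `meta l4proto { tcp, udp } th dport N` (one rule for both protocols; how OpenSnitch implements its later TCP+UDP option is not stated here and is not assumed), evaluates a chain the way nft does (first matching rule's verdict, else the policy), and includes a lint that flags rules naming two transport protocols. Packets and interface names are constructed.

```python
"""Model of nftables input-chain evaluation for the rules in this thread.

Added example, not OpenSnitch or nftables code. Supports: tcp/udp dport/sport
(single port or anonymous set), meta l4proto, th dport/sport, iifname,
ct state, and the accept/drop verdicts.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Constructed packet carrying only the fields this rule subset inspects."""
    proto: str            # "tcp", "udp", ...
    dport: int = 0
    sport: int = 0
    iif: str = "eth0"     # constructed interface name
    ct_state: str = "new"


@dataclass
class Rule:
    text: str
    verdict: str = ""
    preds: list = field(default_factory=list)
    l4_protos: set = field(default_factory=set)  # protocols implied by tcp/udp payload matches

    def matches(self, pkt: Packet) -> bool:
        return all(pred(pkt) for pred in self.preds)   # nft ANDs all expressions of a rule

    def is_unsatisfiable(self) -> bool:
        # 'tcp dport X' implies protocol tcp, 'udp dport Y' implies udp: no packet is both.
        return len(self.l4_protos) > 1


_TOKEN = re.compile(
    r'(?P<l4>tcp|udp)\s+(?P<l4dir>dport|sport)\s+(?P<l4port>\{[^}]*\}|\d+)'
    r'|meta\s+l4proto\s+(?P<proto>\{[^}]*\}|tcp|udp)'
    r'|th\s+(?P<thdir>dport|sport)\s+(?P<thport>\{[^}]*\}|\d+)'
    r'|iifname\s+"(?P<iif>[^"]+)"'
    r'|ct\s+state\s+(?P<ct>[a-z,]+)'
    r'|(?P<verdict>accept|drop)'
)


def _parse_set(text: str) -> set:
    """'{ 22067, 22070 }' -> {22067, 22070}; '55555' -> {55555}; '{ tcp, udp }' -> {'tcp','udp'}."""
    items = [i.strip() for i in text.strip("{} \t").split(",")]
    return {int(i) if i.isdigit() else i for i in items}


def parse_rule(text: str) -> Rule:
    """Parse one rule line; raises ValueError on syntax outside the supported subset."""
    rule = Rule(text=text.strip())
    text, pos = rule.text, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unsupported expression at: {text[pos:]!r}")
        pos = m.end()
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if m.group("l4"):
            proto, fld, ports = m.group("l4"), m.group("l4dir"), _parse_set(m.group("l4port"))
            rule.l4_protos.add(proto)
            rule.preds.append(lambda p, proto=proto, fld=fld, ports=ports:
                              p.proto == proto and getattr(p, fld) in ports)
        elif m.group("proto"):
            protos = _parse_set(m.group("proto"))
            rule.preds.append(lambda p, protos=protos: p.proto in protos)
        elif m.group("thdir"):
            fld, ports = m.group("thdir"), _parse_set(m.group("thport"))
            rule.preds.append(lambda p, fld=fld, ports=ports: getattr(p, fld) in ports)
        elif m.group("iif"):
            rule.preds.append(lambda p, name=m.group("iif"): p.iif == name)
        elif m.group("ct"):
            rule.preds.append(lambda p, states=set(m.group("ct").split(",")): p.ct_state in states)
        else:
            rule.verdict = m.group("verdict")
    if not rule.verdict:
        raise ValueError(f"rule has no verdict: {text!r}")
    return rule


def evaluate_chain(rules: list, policy: str, pkt: Packet) -> str:
    """First rule whose expressions all match decides; otherwise the chain policy applies."""
    for rule in map(parse_rule, rules):
        if rule.matches(pkt):
            return rule.verdict
    return policy


# The failing form and the working form from this thread, plus the single-rule nft idiom.
COMBINED = "tcp dport 55555 udp dport 55555 accept"          # never matches
SEPARATE = ["udp dport 55555 accept", "tcp dport 55555 accept"]
L4PROTO = "meta l4proto { tcp, udp } th dport 55555 accept"  # one rule, both protocols
BASELINE = ['iifname "lo" accept', "ct state established,related accept"]


def demo() -> dict:
    tcp_in = Packet("tcp", dport=55555, sport=40001)   # constructed inbound connections
    udp_in = Packet("udp", dport=55555, sport=40002)
    return {
        "combined_tcp": evaluate_chain([COMBINED] + BASELINE, "drop", tcp_in),
        "combined_udp": evaluate_chain([COMBINED] + BASELINE, "drop", udp_in),
        "separate_tcp": evaluate_chain(SEPARATE + BASELINE, "drop", tcp_in),
        "separate_udp": evaluate_chain(SEPARATE + BASELINE, "drop", udp_in),
        "l4proto_tcp": evaluate_chain([L4PROTO] + BASELINE, "drop", tcp_in),
        "l4proto_udp": evaluate_chain([L4PROTO] + BASELINE, "drop", udp_in),
        "combined_unsatisfiable": parse_rule(COMBINED).is_unsatisfiable(),
    }
```

Running `demo()` gives `drop` for both packets with the combined rule and `accept` with either the separate rules or the `meta l4proto` form. The practical check is the `is_unsatisfiable` lint: `nft -c` and the kernel both accept a rule that can never fire, so a ruleset listing looks correct while the port stays closed, and a default-deny policy turns that silent no-op into an outage rather than an exposure.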

@gustavo-iniguez-goya (Collaborator) commented:

I've added the option to allow ports by TCP+UDP.

Thank you for reporting this!
