evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.

License: GNU General Public License v3.0

Makefile 0.48% Go 37.39% Python 44.10% C 16.94% Shell 0.97% QMake 0.12%
application-firewall firewall linux networking security data-breach

opensnitch's Introduction

OpenSnitch is a GNU/Linux application firewall.

Key features

Download

Download deb/rpm packages for your system from https://github.com/evilsocket/opensnitch/releases

Installation

deb

$ sudo apt install ./opensnitch*.deb ./python3-opensnitch-ui*.deb

rpm

$ sudo yum localinstall opensnitch-1*.rpm; sudo yum localinstall opensnitch-ui*.rpm

Then run: $ opensnitch-ui or launch the GUI from the Applications menu.

Please refer to the documentation for detailed information.

OpenSnitch in action

Examples of OpenSnitch intercepting unexpected connections:

https://github.com/evilsocket/opensnitch/discussions/categories/show-and-tell

Have you seen a connection you didn't expect? Submit it!

In the press

Donations

If you find OpenSnitch useful and want to donate to the dedicated developers, you can do it from the Sponsor this project section on the right side of this repository.

You can see who the current maintainers of OpenSnitch are here: https://github.com/evilsocket/opensnitch/commits/master

Contributors

See the list

Translating

Translation status

opensnitch's People

Contributors

0xacb, adisbladis, carlosotgz, ckuethe, davide125, evilsocket, freddii, gnuhead-chieb, gustavo-iniguez-goya, intika, jkozera, lainedfles, luzpaz, markoshiva, melizeche, nberlee, nnsee, northern-lights, omern1, ovari, p-, petterreinholdtsen, ph0rkoz, raboof, raphting, ryanolton, spencerisgiddy, themighty1, tioguda, wojtekwidomski

opensnitch's Issues

unique connmark identifier

Hi,

Quick suggestion:

OpenSnitch currently marks connections with value 1 in opensnitch/snitch.py#L90. As this is a pretty standard value used commonly in examples and in iptables configurations it might be a good idea to flag with a more uniquely identifying value to prevent unwanted interaction with pre-existing rulesets.

Marks can be hexadecimal up to 32 bits (via http://ipset.netfilter.org/iptables-extensions.man.html) so it should be rather easy to find a unique identifier for OpenSnitch.

missing dep: python-gtk2

Hi,

Here is a missing dep (at least for latest ubuntu): python-gtk2.
I'm a bit surprised since python-qt4 is listed in the deps.

not sure whether this is an issue -> opensnitch can't find processes for certain udp connections

opensnitch cannot find processes for certain connections on my machine, for example the multicast of kodi and ntp queries to different servers. I run Debian sid with systemd so this might not happen on other machines. Btw netstat and ss do show process owners as kodi and ntpd, so I didn't go through the code yet to see how you guys are getting the process names, but it doesn't work for some udp outgoing connections.
[2017-05-09 17:30:30,898] (WARNING) Could not find process for udp connection 10.21.35.100:47628 -> 239.255.255.250:1900
[2017-05-09 17:31:57,012] (WARNING) Could not find process for udp connection 10.21.35.100:123 -> 5.39.80.28:123

apt update

Hi,

I've tested opensnitch this morning on Linux Mint 18.1 (Kernel: x86_64 Linux 4.4.0-78-generic) which is based on Debian and Ubuntu (LTS).

I just had to apt install libpcap-dev to pass the install.

Then I started the opensnitch daemon & gui, it discovered a lot of my connections and I started to set rules until the opensnitch-qt popups stopped appearing.

I tried it, for example after allowing git, I managed to use git & clone repos. Good.

But then I tried to apt update and this was blocked by opensnitch.

After killing the daemon, apt update was working.

Any idea?

Systemd service

We will probably want a service file for the OpenSnitch daemon running as root, though access to the user DBUS_SESSION_BUS_ADDRESS variable becomes an issue.

Any thoughts?

New connection blocked while UI prompt open.

It works brilliantly, something I did love from WinXP time with a few good firewalls I did use that did ask you for every app/connection with allow/disallow.

The only problem for now is that even if you have app whitelisted it still will be blocked until you clear all prompts.

Way to reproduce:

  1. run opensnitch
  2. use for example ssh to connect to server - whitelist ssh app
    2.a try if it's working, no more prompts
  3. use different app not whitelisted that will show opensnitch allow/deny prompt
  4. try to connect to ssh without closing the opensnitch prompt

Expected output: you are still allowed to connect to ssh
Actual result: ssh is blocked until all prompts are closed.

Why does it matter?
For example you are trying to connect to your PC remotely

  • you are AFK and there is some random app that did try to connect somewhere
  • all new connections are blocked
  • you try to connect to server and you can't because:
    a) remote access app does a connection back (e.g. dns query or actual reverse connection) and is delayed (blocked)
    b) remote access app got disconnected (for example network error) and tries to reconnect but is delayed (blocked)

$ sudo opensnitch
[2017-05-04 20:51:03,858] (INFO) Using rules database from /home/kolorafa/opensnitch.db
[2017-05-04 20:51:03,858] (INFO) OpenSnitch v0.0.2 running with pid 28879.
[2017-05-04 20:51:03,874] (INFO) Enabling ProcMon ...
[2017-05-04 20:51:03,880] (INFO) ProcMon running ...

Overall great job!

undefined symbol: PyString_FromStringAndSize

Hello, tried this on Gentoo, emerged all the dependencies, installation goes OK. But I cannot start opensnitch due to an error:

Traceback (most recent call last):
  File "/usr/bin/opensnitch", line 4, in <module>
    __import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
  File "/usr/lib64/python3.5/site-packages/pkg_resources/__init__.py", line 738, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib64/python3.5/site-packages/pkg_resources/__init__.py", line 1499, in run_script
    exec(code, namespace, namespace)
  File "/usr/lib64/python3.5/site-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 69, in <module>
    from opensnitch.snitch import Snitch
  File "/usr/lib64/python3.5/site-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 20, in <module>
    from netfilterqueue import NetfilterQueue
ImportError: /usr/lib64/python3.5/site-packages/NetfilterQueue-0.8.1-py3.5-linux-x86_64.egg/netfilterqueue.cpython-35m-x86_64-linux-gnu.so: undefined symbol: PyString_FromStringAndSize

library path failure on Lubuntu

Trying to install on Lubuntu VM just to see how opensnitch looks. There was a lack of libcap-dev dependency detection, which I easily resolved, but which needs fixing, and then this mystery.

./opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
  File "./opensnitchd", line 38, in <module>
    from opensnitch.snitch import Snitch
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 31, in <module>
    from opensnitch.iptables import IPTCRules
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/iptables.py", line 19, in <module>
    import iptc
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/__init__.py", line 10, in <module>
    from iptc.ip4tc import (is_table_available, Table, Chain, Rule, Match, Target,
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/ip4tc.py", line 13, in <module>
    from .xtables import (XT_INV_PROTO, NFPROTO_IPV4, XTablesError, xtables,
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/xtables.py", line 812, in <module>
    raise XTablesError("can't find directory with extensions; "
iptc.xtables.XTablesError: can't find directory with extensions; please set XTABLES_LIBDIR

A quick Google brings up this solution

ldx/python-iptables#37

And this is the right incantation for Lubuntu

cat >> ~/.bashrc
export XTABLES_LIBDIR=/usr/lib/x86_64-linux-gnu/xtables/
ctrl-d

Once this is resolved, I get the following error, and I think this is a bit past my Python debugging skills.

./opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
  File "./opensnitchd", line 77, in <module>
    raise RuntimeError('DBUS_SESSION_BUS_ADDRESS not set')
RuntimeError: DBUS_SESSION_BUS_ADDRESS not set

I'm very excited by a Linux port of Little Snitch, willing to do whatever in terms of testing on various distros, just not sure how to proceed here.

PyOS_InputHook is not available for interactive use of PyGTK

$ sudo env PYTHONPATH=. ./bin/opensnitch --log-file=opensnitch4.log
/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/__init__.py:127: RuntimeWarning: PyOS_InputHook is not available for interactive use of PyGTK
  set_interactive(1)

Ubuntu 17.04, Linux 4.10.11

Use the firewall zone defined in NetworkManager

If you install and start firewalld, you can set a zone for each connection in NetworkManager. It would be very nice if it was possible to use them for filtering (allowing an application only in one zone for example).
As far as I understand, NetworkManager uses D-Bus to communicate the zone of the connection with firewalld.

Application path manipulation

Currently, opensnitch is using /proc/self/cmdline and /proc/self/comm, but they can easily be manipulated by a malicious application, and thus shouldn't be trusted.
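
The distinction this issue draws, as an added example that is not part of the original issue or of OpenSnitch's code: `comm` and `cmdline` hold values the process itself can rewrite, while the `exe` symlink is set by the kernel when the program is executed. The helper names, the finding labels and the fake /proc tree (so the example runs without a live target) are constructed for illustration.

```python
import os
import tempfile

DELETED = " (deleted)"  # suffix the kernel appends once the binary is unlinked


def read_identity(pid, proc_root="/proc"):
    """Return the three views of "which program is this" for one PID."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "comm"), "rb") as fh:
        comm = fh.read().rstrip(b"\n").decode("utf-8", "replace")
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        raw = fh.read()
    if raw.endswith(b"\0"):          # argv is NUL-separated and NUL-terminated
        raw = raw[:-1]
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:                  # kernel thread, exited process, no permission
        exe = None
    return {"pid": pid, "comm": comm, "argv": argv, "exe": exe}


def assess(ident):
    """List the ways the self-reported names disagree with the exe link.

    A mismatch is not proof of malice (a script run through an interpreter
    also differs); it shows that comm/argv[0] are not an identity to key on.
    """
    exe = ident["exe"]
    if exe is None:
        return ["exe-unreadable"]
    findings = []
    if exe.endswith(DELETED):
        findings.append("exe-deleted")
        exe = exe[: -len(DELETED)]
    name = os.path.basename(exe)
    if ident["comm"] != name[:15]:   # comm holds at most 15 characters
        findings.append("comm-mismatch")
    if ident["argv"] and os.path.basename(ident["argv"][0]) != name:
        findings.append("argv0-mismatch")
    return findings


def rule_key(ident):
    """Path a rule should be keyed on, or None when the process is unidentified."""
    exe = ident["exe"]
    if exe is None or exe.endswith(DELETED):
        return None                  # caller should prompt or deny, not guess
    return exe


def build_sample_proc():
    """Constructed /proc-like tree: an honest, a renamed and a deleted-binary process."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        1000: ("curl", b"curl\0https://example.org\0", "/usr/bin/curl"),
        4242: ("firefox", b"/usr/bin/firefox\0--profile\0x\0", "/tmp/.cache/updater"),
        7: ("tool", b"/usr/bin/tool\0", "/usr/bin/tool" + DELETED),
    }
    for pid, (comm, cmdline, exe) in samples.items():
        base = os.path.join(root, str(pid))
        os.mkdir(base)
        with open(os.path.join(base, "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(base, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(base, "exe"))  # dangling link is fine here
    return root


if __name__ == "__main__":
    root = build_sample_proc()
    for pid in (1000, 4242, 7):
        ident = read_identity(pid, root)
        print(pid, ident["comm"], rule_key(ident), assess(ident))
```

Calling `read_identity(pid)` with the default `proc_root` reads the live /proc of a Linux host.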

missing dependencies in description for new python3 version

if you do not have installed and python3-dev installed then you will have the error of missing the Python3 header.

Processing psutil-5.2.2.tar.gz
Writing /tmp/easy_install-59px_39p/psutil-5.2.2/setup.cfg
Running psutil-5.2.2/setup.py -q bdist_egg --dist-dir /tmp/easy_install-59px_39p/psutil-5.2.2/egg-dist-tmp-qo3h6u85
warning: manifest_maker: MANIFEST.in, line 14: 'recursive-include' expects <dir> <pattern1> <pattern2> ...

warning: no previously-included files matching '*' found under directory 'docs/_build'
warning: no previously-included files matching '*' found under directory '.ci'
psutil/_psutil_linux.c:12:20: fatal error: Python.h: No such file or directory
 #include <Python.h>
                    ^
compilation terminated.

So installing python3-dev should be a prerequisite, because without it you will get an error if you have only python2 installed, and the README still says to use the command python setup.py install, which, if you have python2 as default, just generates an error:
python setup.py build
Traceback (most recent call last):
  File "setup.py", line 26, in <module>
    sys.version_info[0]))
RuntimeError: Unsupported python version "2"
It's a minor issue but I will update the README with those two deps and change the cli install line into python3 setup.py install

Error compiling it

Xubuntu - 4.9.20-040920-generic

sudo -HE opensnitchd
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
  File "/usr/local/bin/opensnitchd", line 4, in <module>
    __import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitchd')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 744, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1499, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitchd", line 38, in <module>
    from opensnitch.snitch import Snitch
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 31, in <module>
    from opensnitch.iptables import IPTCRules
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/iptables.py", line 19, in <module>
    import iptc
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/__init__.py", line 10, in <module>
    from iptc.ip4tc import (is_table_available, Table, Chain, Rule, Match, Target,
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/ip4tc.py", line 13, in <module>
    from .xtables import (XT_INV_PROTO, NFPROTO_IPV4, XTablesError, xtables,
  File "/usr/local/lib/python3.5/dist-packages/python_iptables-0.12.0-py3.5-linux-x86_64.egg/iptc/xtables.py", line 812, in <module>
    raise XTablesError("can't find directory with extensions; "
iptc.xtables.XTablesError: can't find directory with extensions; please set XTABLES_LIBDIR

Douane app

Hope this project isn't re-inventing Douane. If not, any argument on why to prefer this?

add arguments to the app path in sqlite database, avoid dns leaks

Adding arguments into the sqlite db would be much better than storing just the name, because if you are running multiple firefox profiles like me, for example one running through TOR and the other without a proxy, the rules are still stored for the same application, which is not good.
For example, if you run a version of firefox with TOR you want to make sure that you don't have DNS leaks like those that were happening in 45-46-47 and now the esr version. Basically the remote DNS should work and you shouldn't have leaks and requests to local dns servers. I used opensnitch to find that bug in firefox-esr. So basically, once you give a permission that is stored as a forever permission to one profile, like in this case the firefox that goes without a proxy, you are actually giving permission to that same version of firefox to connect to those IPs even if it runs through TOR or a VPN.

That is pretty bad for any application that uses the network and can have multiple profiles, some that use proxifying and some that don't.
I know that some of the entries would then be pretty long, like eclipse related ones or anything that starts with java and many arguments, but it's still better that way than to have the arguments removed from the stored path even if they are properly displayed on the prompt.

I suggest this as an enhancement and ask anyone of you to share thoughts about it, especially @evilsocket @adisbladis

OpenSnitch can not protect against hostile X11 clients

If the process initiating the connection has access to the user's X11 session, it can simply whitelist itself either before or after attempting to connect. If OpenSnitch stops the process before displaying the prompt, the application can still have whitelisted itself ahead of time.

resizing of QT popup window do not resize text in it

Resizing the Qt pop-up window that shows the exec command of the process does not work. The pop-up resizes, but not the content in it, and usually the whole area is covered by the name of the process and its arguments taken from the exec line, which in the case of chromium or Java-based applications or IDEs like eclipse or pycharm will not allow you to see the IP it is trying to connect to nor the port it is trying to connect to. I dunno, that might just be a Qt issue or a missing library, but at least on my i3wm resizing the window with the prompt does not resize the text in it. So that is one nasty issue that I would like to see confirmed on different DEs or WMs, and it should be fixed so that we can always see the IP it's trying to connect to and the port. I'm attaching a picture of, for example, chromium run without TOR: it makes a lot of connections but I can't see any of the IPs because the window space is taken by the process name and passed arguments.
2017-05-09-141929_602x391_scrot

Exception on packet callback

I got this when running the application in console.

TypeError: int() argument must be a string or a number, not 'NoneType'
[2017-05-02 09:55:58,248] (ERROR) Exception on packet callback:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
    conn = Connection( self.procmon, data )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
    self.proto )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
    appname = procmon.get_app_name(pid)
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
    pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'

More clarity needed for allow/deny once/all

Experimentally it seems to mean "$ACTION just this connection" or "... every connection" from this process. There could be some middle ground, eg. always allowing port 53 to my expected DNS resolvers while still requiring intervention for other connections.

Qt blocks Ctrl-C

The Qt mainloop blocks and intercepts Ctrl-C.
This means Ctrl-C does not lead to the application being terminated.

This was always the case. This issue has just been amplified now that the Qt mainloop is always running.

Scrap Qt4 in favour of Qt5

This should fix #22 (not sure, might need more adjusting), plays nice with wayland and a whole bunch of other things

Opensnitch can be bypassed by quickly opening new connections

With current iptables rules packets that don't fit in the netfilter queue are automatically accepted. I think that the default should be exactly opposite, or at least configurable, for serious use.
E.g. the following happens on my test system even if I don't respond to the UI. Obviously it's possible to open new connections even faster:

for n in `seq 1 10000`; do echo wat | nc localhost 1234 & done

karol@omoikane karol% nc -k -l 1234
wat
wat
wat
wat
wat
...

X Error BadAccess

Hey there.
I am trying to run opensnitch on arch linux with GNOME 3.24.1. I got it working so far, but the GUI is not coming up :/
What I did:

git clone git@github.com:evilsocket/opensnitch.git
cd opensnitch
sudo python2 setup.py install
sudo opensnitch

And the log looks like this:

[2017-04-30 18:55:28,087] (INFO) Using rules database from /home/lerentis/opensnitch.db
[2017-04-30 18:55:28,088] (INFO) OpenSnitch v0.0.2 running with pid 22126.
[2017-04-30 18:55:28,402] (INFO) Enabling ProcMon ...
[2017-04-30 18:55:28,417] (INFO) ProcMon running ...
X Error: BadAccess (attempt to access private resource denied) 10
  Extension:    130 (MIT-SHM)
  Minor opcode: 1 (X_ShmAttach)
  Resource id:  0x13f
X Error: BadShmSeg (invalid shared segment parameter) 128
  Extension:    130 (MIT-SHM)
  Minor opcode: 5 (X_ShmCreatePixmap)
  Resource id:  0x500000c
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
  Major opcode: 62 (X_CopyArea)
  Resource id:  0x500000d

Am I missing a package here? I tried to find all alternatives for arch for the packages that were mentioned in the readme for ubuntu.
I love the idea behind open snitch btw (:

Future plans?

I'm really impressed with Opensnitch so far. I've used Lil' Snitch for 5-6 years very happily. I've moved from OS X to Ubuntu and Debian fully a few weeks ago.

I'm curious what are the future plans for Opensnitch? I've been using it for a few days and so far so good.

It would be great to see future development. I'm interested in contributing.

Well done on a good start!

runtime exception: UnicodeDecodeError: 'ascii' codec can't decode

Managed to build opensnitch on Ubuntu 16.04 after the recent python3 fixes.

Seems like the instructions still need python3 instead of python in the README.md setup.py line.

Now getting runtime exception on start:

$ sudo opensnitch
[2017-05-09 08:40:14,469] (INFO) Using rules database from /home/user/opensnitch.db
Traceback (most recent call last):
  File "/usr/local/bin/opensnitch", line 4, in <module>
    __import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 719, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 76, in <module>
    main()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 63, in main
    snitch = Snitch()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 50, in __init__
    self.desktop_parser = LinuxDesktopParser()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 49, in __init__
    self.populate_app(desktop_file)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 55, in populate_app
    parser.read(desktop_path)
  File "/usr/lib/python3.5/configparser.py", line 696, in read
    self._read(fp, filename)
  File "/usr/lib/python3.5/configparser.py", line 1012, in _read
    for lineno, line in enumerate(fp, start=1):
  File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
    return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe0 in position 758: ordinal not in range(128)

Excessive WARNINGs

When I fire up opensnitch, I immediately get a long stream of endless warnings due to opensnitch not finding a process for a specific connection (in my case a UDP connection to localhost), like so:

[2017-04-27 12:13:45,488] (WARNING) Could not find process for udp connection 127.0.0.1:XXXXX -> 127.0.0.1:XXXX
[2017-04-27 12:13:45,498] (WARNING) Could not find process for udp connection 127.0.0.1:XXXXX -> 127.0.0.1:XXXX

The warnings are repeated forever, unless opensnitch process is killed.
Suggest instead to prompt the user after X identical warnings, to verify whether they want to silence the warning (forever, once, etc), to make it easier to test.

TypeError: pkt_callback() takes exactly 2 arguments (3 given)

Ubuntu 16.04, Python 2.7.12

sudo opensnitch

[2017-04-18 09:04:14,973] (INFO) OpenSnitch v0.0.1a1 running with pid 18943.
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
callback failure !
TypeError: pkt_callback() takes exactly 2 arguments (3 given)
^C[2017-04-18 09:04:28,121] (INFO) Quitting ...

lookup IPs

Add an option to poll for PTR and whois information

Missing git clone in install section?

Problem

Current install instructions are:

sudo apt-get install build-essential python-dev python-setuptools libnetfilter-queue-dev python-qt4
cd opensnitch
sudo python setup.py install

The line

cd opensnitch

Makes me think I'm supposed to change into a directory. Cuz, that's what it's doing.

Add Git Clone

So, I believe it's missing the following line to git clone the repo:

git clone https://github.com/evilsocket/opensnitch.git

Right?

runtime crash Ubuntu 14

Just gave a try on Ubuntu 14.04, and not much Python knowledge.
Promising project, but after install, didn't run.
FWIW, this happened:
(could be unrelated to opensnitch, but as a lambda user, I don't know what steps I should take).

$> sudo opensnitch
Traceback (most recent call last):
  File "/usr/local/bin/opensnitch", line 5, in <module>
    pkg_resources.run_script('opensnitch==0.0.2', 'opensnitch')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/EGG-INFO/scripts/opensnitch", line 43, in <module>
    mpl.rcParams['backend'] = 'Qt5Agg'
  File "/usr/lib/pymodules/python2.7/matplotlib/__init__.py", line 808, in __setitem__
    cval = self.validate[key](val)
  File "/usr/lib/pymodules/python2.7/matplotlib/rcsetup.py", line 146, in validate_backend
    return _validate_standard_backends(s)
  File "/usr/lib/pymodules/python2.7/matplotlib/rcsetup.py", line 57, in __call__
    % (self.key, s, self.valid.values()))
ValueError: Unrecognized backend string "qt5agg": valid strings are ['pdf', 'pgf', 'Qt4Agg', 'GTK', 'GTKAgg', 'ps', 'agg', 'cairo', 'MacOSX', 'GTKCairo', 'WXAgg', 'template', 'TkAgg', 'GTK3Cairo', 'GTK3Agg', 'svg', 'WebAgg', 'CocoaAgg', 'emf', 'gdk', 'WX']

Do not use root (even for daemon)

We can use the amazing Linux feature capabilities!

The only tricky bit is that the iptables CLI command is being called so ambient capabilities would have to be used.
Currently opensnitch would have to use:

  1. cap_dac_override (to enable ftrace via sysfs)
  2. cap_net_admin (nfqueue, iptables)

Obviously this is blocked by #20 since without this you would have to set the capabilities for the Python interpreter.

pid = int(pid) with pid = None

Looks like opensnitch fails to catch some processes' PIDs.

[2017-05-03 09:08:05,470] (INFO) Using rules database from /home/tx/opensnitch.db
[2017-05-03 09:08:05,801] (INFO) OpenSnitch v0.0.2 running with pid 31270.
[2017-05-03 09:08:06,128] (INFO) Enabling ProcMon ...
[2017-05-03 09:08:06,141] (INFO) ProcMon running ...
[2017-05-03 09:08:47,665] (WARNING) Could not find process for tcp connection 192.168.1.22:33092 -> 192.168.1.1:445
[2017-05-03 09:08:47,821] (WARNING) Could not find process for tcp connection 192.168.1.22:33094 -> 192.168.1.1:445
[2017-05-03 09:08:48,004] (WARNING) Could not find process for tcp connection 192.168.1.22:33096 -> 192.168.1.1:445
[2017-05-03 09:08:48,187] (ERROR) Exception on packet callback:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
    conn = Connection( self.procmon, data )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
    self.proto )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
    appname = procmon.get_app_name(pid)
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
    pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'
[2017-05-03 09:08:53,996] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:55795
[2017-05-03 09:08:59,239] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:46391
[2017-05-03 09:09:07,602] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:58040
[2017-05-03 09:09:08,920] (WARNING) Could not find process for udp connection 192.168.1.1:53 -> 192.168.1.22:34962
[2017-05-03 09:09:48,584] (ERROR) Exception on packet callback:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/snitch.py", line 74, in pkt_callback
    conn = Connection( self.procmon, data )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/connection.py", line 56, in __init__
    self.proto )
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/proc.py", line 33, in get_pid_by_connection
    appname = procmon.get_app_name(pid)
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.2-py2.7.egg/opensnitch/procmon.py", line 84, in get_app_name
    pid = int(pid)
TypeError: int() argument must be a string or a number, not 'NoneType'

'Namespace' object is not iterable

Followed setup instructions in Python 3.5.3 on Ubuntu 17.04 and get the following output when I run it:

WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
  File "/usr/local/bin/opensnitch", line 4, in <module>
    __import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1494, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 46, in <module>
    (options, args) = parser.parse_args()
TypeError: 'Namespace' object is not iterable

I also tried running it from the bin directory with sudo python3 opensnitch which gives basically the same result:

WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
  File "opensnitch", line 46, in <module>
    (options, args) = parser.parse_args()
TypeError: 'Namespace' object is not iterable

Any help or advice would be appreciated - I'd really like to try this thing. =)

minor install requirements trouble

Have a fresh Ubuntu 17.04 install, it wanted this in addition to the base for opensnitch

apt install python3-dev
apt install libcap-dev

Those worked fine, but even after apt install libnfnetlink-dev I have the following problem:

python3 setup.py install
running install
running bdist_egg
running egg_info
writing requirements to opensnitch.egg-info/requires.txt
writing opensnitch.egg-info/PKG-INFO
writing dependency_links to opensnitch.egg-info/dependency_links.txt
writing top-level names to opensnitch.egg-info/top_level.txt
reading manifest file 'opensnitch.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files found matching '*.pyc'
warning: no previously-included files found matching '.DS_Store'
warning: no previously-included files found matching '.gitignore'
warning: no files found matching 'distribute_setup.py'
writing manifest file 'opensnitch.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/rule.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/procmon.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/snitch.py -> build/bdist.linux-x86_64/egg/opensnitch
creating build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/app.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/helpers.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/init.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/dbus.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/dialog.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
copying build/lib/opensnitch/ui/desktop_parser.py -> build/bdist.linux-x86_64/egg/opensnitch/ui
creating build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/dialog_hi.ui -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/init.py -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/ui/resources/dialog.ui -> build/bdist.linux-x86_64/egg/opensnitch/ui/resources
copying build/lib/opensnitch/proc.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/dbus_service.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/version.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/init.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/iptables.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/connection.py -> build/bdist.linux-x86_64/egg/opensnitch
copying build/lib/opensnitch/dns.py -> build/bdist.linux-x86_64/egg/opensnitch
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/rule.py to rule.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/procmon.py to procmon.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/snitch.py to snitch.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/app.py to app.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/helpers.py to helpers.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/init.py to init.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/dbus.py to dbus.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/dialog.py to dialog.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/desktop_parser.py to desktop_parser.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/ui/resources/init.py to init.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/proc.py to proc.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/dbus_service.py to dbus_service.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/version.py to version.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/init.py to init.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/iptables.py to iptables.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/connection.py to connection.cpython-35.pyc
byte-compiling build/bdist.linux-x86_64/egg/opensnitch/dns.py to dns.cpython-35.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
installing scripts to build/bdist.linux-x86_64/egg/EGG-INFO/scripts
running install_scripts
running build_scripts
creating build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.5/opensnitch-qt -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.5/opensnitchd -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/opensnitch-qt to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/opensnitchd to 755
copying opensnitch.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/not-zip-safe -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying opensnitch.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
creating 'dist/opensnitch-0.0.2-py3.5.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing opensnitch-0.0.2-py3.5.egg
removing '/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg' (and everything under it)
creating /usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg
Extracting opensnitch-0.0.2-py3.5.egg to /usr/local/lib/python3.5/dist-packages
opensnitch 0.0.2 is already the active version in easy-install.pth
Installing opensnitch-qt script to /usr/local/bin
Installing opensnitchd script to /usr/local/bin

Installed /usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg
Processing dependencies for opensnitch==0.0.2
Searching for NetfilterQueue
Reading https://pypi.python.org/simple/NetfilterQueue/
Downloading https://pypi.python.org/packages/39/c4/8f73f70442aa4094b3c37876c96cddad2c3e74c058f6cd9cb017d37ffac0/NetfilterQueue-0.8.1.tar.gz#md5=ea2c262d6a571cb5ecdaed1bbb0da2b4
Best match: NetfilterQueue 0.8.1
Processing NetfilterQueue-0.8.1.tar.gz
Writing /tmp/easy_install-rbue5v9n/NetfilterQueue-0.8.1/setup.cfg
Running NetfilterQueue-0.8.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-rbue5v9n/NetfilterQueue-0.8.1/egg-dist-tmp-gk___dia
netfilterqueue.c:439:54: fatal error: libnetfilter_queue/linux_nfnetlink_queue.h: No such file or directory
#include "libnetfilter_queue/linux_nfnetlink_queue.h"
^
compilation terminated.
error: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

Non-disappearing Qt prompt

Important bug: labeling a connection as forever and clicking allow continues prompting you for the same IP all the time. Ways to reproduce:
First of all, remove all references to firefox in opensnitch.db with sqlitebrowser.
Start a non-whitelisted app, for example firefox without a proxy.
Then start an ssh connection somewhere, which is not blocked, which is an improvement; log in via ssh.
Return to the firefox prompt and check the billion DNS prompts that appear no matter if you click forever and allow.
[Screenshot: 2017-05-12-190501_442x213_scrot]
Click it a thousand times, it still ain't gonna disappear.

Installing opensnitch

Trying to install opensnitch in Ubuntu 16.04.
Installed dependencies as per the readme > cd to opensnitch > sudo python setup.py install
I get back the following:
Traceback (most recent call last):
File "setup.py", line 26, in
sys.version_info[0]))
RuntimeError: Unsupported python version "2"
Python 3 is installed.
Thanks,
Doug

Lots of tracebacks

Not sure if these are normal or not:

[2017-04-18 06:01:18,298] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
    hostname = packet[0][i].rrname
  File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,783] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
    hostname = packet[0][i].rrname
  File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,784] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
    hostname = packet[0][i].rrname
  File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [13] not found
[2017-04-18 06:01:19,913] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
    hostname = packet[0][i].rrname
  File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [6] not found
[2017-04-18 06:01:19,914] (ERROR) Error while parsing DNS response:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/opensnitch-0.0.1a1-py2.7.egg/opensnitch/dns.py", line 40, in add_response
    hostname = packet[0][i].rrname
  File "/usr/local/lib/python2.7/dist-packages/scapy-2.3.3-py2.7.egg/scapy/packet.py", line 817, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [6] not found

Thanks...this is one thing that has always been missing from linux!

runtime exception: option 'x-messagingmenu-useschatsection' in section 'Desktop Entry' already exists

After Simone's last fix (thanks for fixing so quickly!)

Looks like we're almost there...

$ sudo opensnitch
[2017-05-09 10:44:21,812] (INFO) Using rules database from /home/user/opensnitch.db
Traceback (most recent call last):
  File "/usr/local/bin/opensnitch", line 4, in <module>
    __import__('pkg_resources').run_script('opensnitch==0.0.2', 'opensnitch')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 719, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 76, in <module>
    main()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/EGG-INFO/scripts/opensnitch", line 63, in main
    snitch = Snitch()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/snitch.py", line 50, in __init__
    self.desktop_parser = LinuxDesktopParser()
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 49, in __init__
    self.populate_app(desktop_file)
  File "/usr/local/lib/python3.5/dist-packages/opensnitch-0.0.2-py3.5.egg/opensnitch/app.py", line 55, in populate_app
    parser.read(desktop_path, 'utf8')
  File "/usr/lib/python3.5/configparser.py", line 696, in read
    self._read(fp, filename)
  File "/usr/lib/python3.5/configparser.py", line 1089, in _read
    fpname, lineno)
configparser.DuplicateOptionError: While reading from '/usr/share/applications/pidgin.desktop' [line 12]: option 'x-messagingmenu-useschatsection' in section 'Desktop Entry' already exists

This seems to be a bug in the original pidgin config file (/usr/share/applications/pidgin.desktop) which indeed has a duplicate entry. It would be nice if we could make configparser only emit a warning/error and not abort in this case (add try/except around it?)

After deleting the duplicate entry, and retrying I get the daemon running.
Thanks for all the fixes!
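The try/except idea from the report above, as an added example (not the project's code): a firewall daemon should not refuse to start because a third-party `.desktop` file is malformed. The function names and both sample files are assumptions constructed for illustration.

```python
import configparser
import logging
import os
import tempfile

log = logging.getLogger("desktop_entries")

# Constructed sample with the duplicated key from the traceback (not the real pidgin file).
DUPLICATE_KEY = """[Desktop Entry]
Name=Pidgin
Exec=pidgin %U
X-MessagingMenu-UsesChatSection=true
X-MessagingMenu-UsesChatSection=false
"""
NO_SECTION = "Name=Broken\n"   # constructed: key before any [section] header

def read_desktop_entry(path):
    """Return the [Desktop Entry] keys of one file as a dict, or None if unusable."""
    # strict=False: a repeated key overrides the earlier one instead of raising
    # DuplicateOptionError. interpolation=None: Exec= values carry field codes
    # such as %U, which the default interpolation would reject on access.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        with open(path, encoding="utf8") as fp:
            parser.read_file(fp)
    except (configparser.Error, UnicodeDecodeError, OSError) as exc:
        log.warning("skipping %s: %s", path, exc)
        return None
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser["Desktop Entry"])

def load_desktop_entries(directory):
    """Parse every *.desktop file; one bad file never aborts the scan."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".desktop"):
            entry = read_desktop_entry(os.path.join(directory, name))
            if entry is not None:
                entries[name] = entry
    return entries

def demo():
    """Write the two constructed files to a temp dir and load them."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("pidgin.desktop", DUPLICATE_KEY), ("broken.desktop", NO_SECTION)):
            with open(os.path.join(d, name), "w", encoding="utf8") as fp:
                fp.write(text)
        return load_desktop_entries(d)
```

Keys come back lowercased because `configparser` normalises option names, which is why the error message above shows `x-messagingmenu-useschatsection`.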

Improving keyboard friendliness

Hello,

I would like to suggest that Opensnitch should be more keyboard friendly. As it is, it is possible to use the keyboard to take actions, but it's a bit cumbersome to do so. So, my suggestion is the following:

  1. Improve coloring/contrast of the selected button (as it is, it's hard to see if it's the "Allow" or "Deny" that's selected);

  2. Move the "Take this action" dropdown to buttons; Instead of having a dropdown with "Once", "Until quit" and "Forever", I would suggest having them side by side, all visible at the same time;

  3. Bind keys to all the options; For example, the numbers "1,2,3" could be shortcuts to "Once", "Until quit" and "Forever", respectively. The "w", "b", "d" and "a" could be shortcuts to "Whitelist app", "block app", "deny" and "allow", respectively.

Sorry if this is cherry-picking and I know there's much more important stuff to do, but I believe this could improve Opensnitch.

Install Instructions

Hello,

I must be missing something in the install instructions:

Using:

sudo apt-get install build-essential python-dev python-setuptools libnetfilter-queue-dev python-pyqt5

does not result in an opensnitch directory to cd into. Can't seem to find any opensnitch command on my machine after issuing these commands.

Advice?

Thanks

Port allow/deny regardless of host

Hi,
One feature from LS I've always admired was to allow a port regardless of host for a time range (or forever).

Would it be possible, for example, to allow Unbound (local instance) to use port 53 udp+tcp regardless of remote host?

Cheers!

Improvements to process attribution

[2017-04-20 13:08:55,017] (WARNING) Could not find process for udp connection 172.18.115.120:123 -> 91.189.91.157:123
[2017-04-20 13:08:55,017] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,044] (WARNING) Could not find process for tcp connection 172.18.115.120:38052 -> 216.58.192.14:80
[2017-04-20 13:08:55,045] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,105] (WARNING) Could not find process for udp connection 172.18.115.120:52695 -> 239.255.255.250:1900
[2017-04-20 13:08:55,105] (WARNING) Could not detect process for connection.

Seems like additional ways of linking a packet to a process should be investigated.
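One common way to link a connection to a process, shown as an added example rather than the project's code: look up the socket inode in `/proc/net/tcp` or `/proc/net/udp`, then find the process whose `fd` directory links to it. The sample tables are constructed around addresses from the log above; the function names, IPv4-only handling and little-endian host are assumptions.

```python
import os
import socket
import struct

# Constructed samples in /proc/net/tcp and /proc/net/udp layout (not real captures).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
SAMPLE_TCP = HEADER + "   0: 787312AC:94A4 0EC03AD8:0050 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0 0\n"
SAMPLE_UDP = HEADER + "   0: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000   123        0 20001 2 0 0\n"

def decode_addr(field):
    """'787312AC:94A4' -> ('172.18.115.120', 38052); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def find_inode(table, src, dst):
    """Return the socket inode for src -> dst ((ip, port) tuples), or None."""
    fallback = None
    for line in table.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local, remote, inode = decode_addr(f[1]), decode_addr(f[2]), int(f[9])
        if inode == 0:                            # e.g. TIME_WAIT: no owner left
            continue
        if local == src and remote == dst:
            return inode
        # Unconnected UDP sockets list remote 0.0.0.0:0 and often a wildcard local
        # address, so an exact 4-tuple match never succeeds for them.
        if remote == ("0.0.0.0", 0) and local[1] == src[1] and local[0] in (src[0], "0.0.0.0"):
            fallback = inode
    return fallback

def pid_for_inode(inode, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd for a link to socket:[inode]; None if absent."""
    target = "socket:[%d]" % inode
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # process exited or not readable
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(entry)
            except OSError:                       # fd closed between listdir and readlink
                continue
    return None

def attribute(table, src, dst, proc_root="/proc"):
    """Connection -> pid; returns None instead of raising when attribution fails."""
    inode = find_inode(table, src, dst)
    return None if inode is None else pid_for_inode(inode, proc_root)
```

Callers must treat a `None` result as "unattributed" and decide the verdict explicitly; passing it on to `int()` is what produces the `TypeError` seen in the earlier traceback.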

cannot do ping command while opensnitch is active

Cannot run the ping command while opensnitch is active, in your version in the @evilsocket repo. In mine it works fine, but mine lacks the improvement of non-blocking connections.
Ways to reproduce: start opensnitch, run it, open some apps, allow some rules, and then try pinging google.com, for example, or even an IP, not an FQDN.

rules and logs manpage

opensnitch by default does not use iptables to set up rules, but only /root/opensnitch.db for storing the rules.
That makes it work fine with other firewall software but also makes the rules harder to read. It's not too hard, they can be read with sqlitebrowser, but there is also no manpage, so for example verdict is not defined: it is 0 for every single app, whitelisted or not, allowed once or forever.
Can you please provide at least a simple manpage so that we know what we can tweak with which effect?
Also running X apps with root privileges is dangerous.
