1.40rc2 not letting through ICMP #455
Comments
Thank you for the detailed information @byReqz ! It really helps to analyze the problems. I think that opensnitch is using nftables, which was added recently, but the system-fw rules haven't been adapted to work with nftables yet. Could you verify that you have opensnitch firewall rules added to nftables? |
Hi, yeah there are opensnitch-filter and opensnitch-mangle for IPv4 and 6. |
OK, unfortunately the nftables system-fw.json feature is not ready yet; it's finished but it needs more work. This rule should allow ICMP traffic: |
I am having the same issue on
When reverted back to 1.3.6, ICMP works as expected (is allowed through) |
For now, if the firewall in use is nftables and the DefaultAction is deny, ICMP will be blocked. I'm making progress on allowing the nftables system firewall to be configured, so we can allow it and configure other rules. In your case @sonsu, what's the output of |
I have the same issue in the latest opensnitch version in Fedora 34. Unless I disable the daemon completely, I can't ping anything. "nft insert rule opensnitch-mangle output icmp type { echo-request,echo-reply } accept" does not solve the issue, unfortunately. iptables -V |
debian 10 |
Having the same issue here on Arch Linux latest using opensnitch-git from the AUR. I am using iptables-nft. Output of Output of All ICMP requests do trigger an alert but even if I click allow the ping response is not there. Other devices on my LAN are able to ping my IP just fine but my desktop cannot ping any IPs at all (even |
debian 10
|
Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to work around these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
I changed how the firewall type to use is determined. By default we'll use iptables, that way we can use system-fw.json to add rules (to allow icmp for example). If someone needs to use nftables, then they can use |
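The backend check described above keyed on the text printed by `iptables -V`, and the workaround in this thread is the `"Firewall"` key in `/etc/opensnitchd/default-config.json`. The script below is an added example, not code from the opensnitch project: it classifies a captured `iptables -V` line and reports whether that key is present in a constructed config sample. The helper names (`classify_backend`, `firewall_setting`, `advise`) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the opensnitch project: classify the iptables
# backend from the text that `iptables -V` prints, and check whether the
# "Firewall" key discussed in this thread is present in default-config.json.
# Helper names are hypothetical; the sample strings at the bottom are constructed.

# classify_backend "<output of iptables -V>" -> prints legacy | nf_tables | unknown
# Modern iptables prints e.g. "iptables v1.8.7 (nf_tables)" or "... (legacy)";
# older releases print only the version, which we report as unknown.
classify_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# firewall_setting "<contents of default-config.json>" -> value of "Firewall", or "missing"
# A line-oriented sed match is enough for the flat top-level key this thread talks about.
firewall_setting() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/.*"Firewall"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo missing; fi
}

# advise "<iptables -V output>" "<config json>" -> one-line summary of what to change
advise() {
    backend=$(classify_backend "$1")
    setting=$(firewall_setting "$2")
    if [ "$setting" = missing ]; then
        echo "iptables backend: $backend; add \"Firewall\": \"iptables\" to default-config.json and restart the daemon so system-fw.json rules (e.g. the ICMP allow) are loaded"
    else
        echo "iptables backend: $backend; Firewall is set to $setting"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_V='iptables v1.8.7 (nf_tables)'
SAMPLE_CFG='{
  "DefaultAction": "deny"
}'
advise "$SAMPLE_V" "$SAMPLE_CFG"
```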
Works, but not persistent. And, here is how I made it persist on Arch too (This is my own solution, many ways discussed with developer before to no avail).
in
Then
|
Still doesn't work for me on a Mint 20.2 with iptables. My default for iptables is iptables-legacy, if that matters. When I use nft it fails, too:
Probably because of missing tables. I created the mangle table and it only complained about the DNS nftables rule. Is there a default set I should import? |
Be sure that the item "Firewall": "iptables" exists in /etc/opensnitchd/default-config.json, and restart the daemon (service opensnitch restart) |
I did and also pulled a fresh copy of that file. I purge everything and will try again tomorrow. :) |
I too am having this problem on Arch Linux, using iptables |
Hey @seonwoolee, thank you for reporting this. Problem found. Will fix it soon. |
In the meantime I forgot to post my test results. They were negative obviously. :) Thanks for looking into it! |
what is the name of this console client what is on the screen? |
It's not my screenshot (I replied to an existing comment).
BTW, it's a zsh shell custom theme (I guess it's powerlevel10k). Basically, they're shell scripts to customize the shell prompt for the awesome ZSH shell.
|
- The firewall rules defined in /etc/opensnitchd/system-fw.json take precedence over the interception rules, but we were inserting the interception rules before the system's ones. With this change #455 should be fixed.
- On the other hand, the DefaultAction was not being applied correctly in all cases. As of today the DefaultAction is applied in 2 scenarios:
  * When the daemon is connected to the GUI and the user doesn't answer a pop-up.
  * When the daemon is not connected to the GUI.
  However as we don't parse all network protocols, even if the GUI is connected we may end up parsing a connection and don't know what to do with it. In this case the DefaultAction was always Deny. Now in the above scenario, i.e.: when the GUI is connected but we can't parse a connection, we'll apply the DefaultAction configured by the user.
@molitona @andryyy @seonwoolee could you test latest change to see if the ICMP works again (i.e.: if the rules defined in /etc/opensnitchd/system-fw.json take precedence over the interception ones). I've also realized that we're denying connections that we can't parse, unconditionally, ignoring what was defined in the configuration. |
Is it possible to create deb packages? I would try and compile if not. :) Sorry... |
Sure, no problem, here you have: |
Can confirm it works. Thanks for providing the package! |
Thank you @andryyy ! |
After clean-building 1.40rc4 it seems to work fine now, even without adjusting any config files.
Hi,
I've been using the -git version from the AUR for ages, but since the update to 1.40rc2 yesterday, no pings are getting through.
To Reproduce:
It stops working as soon as you install 1.40rc2 for me. The "stable" 1.3.6 works fine. Also works when the FW is turned off (obviously).
Post error logs:
The log on debug mode does not mention anything about the connections but shows everything else fine. Nping and Ping ICMP probes just time out on local and on remote hosts without any answers.
Expected behavior (optional)
ICMP not being touched by opensnitch.
Screenshots
no errors present
OS (please complete the following information):
Additional context
Clean building the package did not help. /etc/opensnitchd/system-fw.json (which allows ICMP) is present but doesn't seem to be used.