From: Gustavo Iñiguez Goya Date: Mon, 6 Mar 2023 11:37:24 +0000 (+0100) Subject: opensnitch (1.5.8.1-1) unstable; urgency=medium X-Git-Tag: archive/raspbian/1.6.9-3+rpi1~1^2^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c348758d00ad5887c52055f2a23f07c3d5d4c12e;p=opensnitch.git opensnitch (1.5.8.1-1) unstable; urgency=medium * New upstream release. * Upload sponsored by Petter Reinholdtsen. [dgit import unpatched opensnitch 1.5.8.1-1] --- c348758d00ad5887c52055f2a23f07c3d5d4c12e diff --cc debian/changelog index d231c03,0000000..5acbeb1 mode 100644,000000..100644 --- a/debian/changelog +++ b/debian/changelog @@@ -1,233 -1,0 +1,326 @@@ ++opensnitch (1.5.8.1-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Mon, 06 Mar 2023 12:37:24 +0100 ++ ++opensnitch (1.5.8-2) unstable; urgency=medium ++ ++ * Upload to unstable. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Tue, 21 Feb 2023 21:26:21 +0100 ++ ++opensnitch (1.5.8-1) experimental; urgency=medium ++ ++ * New upstream release. ++ ++ [ Gustavo Iñiguez Goia ] ++ * ui: added 64x64 icon. ++ * Added missing entry for GUI manual page. ++ * Updated appstream Summary field. ++ * Removed ftrace dependency from d/control. ++ * ui: updated appstream Summary field. ++ * Updated d/control Description. ++ ++ [ Petter Reinholdtsen ] ++ * Added appstream content rating, no restrictions. ++ * Corrected appstream icon name. ++ * Documented appstream metadata license in d/copyright. ++ * Place manual pages in correct packages. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Sun, 19 Feb 2023 10:26:46 +0100 ++ ++opensnitch (1.5.7-3) experimental; urgency=medium ++ ++ [ Gustavo Iñiguez Goia ] ++ * fixed /etc/xdg/autostart/ link ++ ++ * Upload sponsored by Petter Reinholdtsen. 
++ ++ -- Gustavo Iñiguez Goya Wed, 15 Feb 2023 22:41:19 +0100 ++ ++opensnitch (1.5.7-2) experimental; urgency=medium ++ ++ [ Gustavo Iñiguez Goia ] ++ * added opensnitchd manual page ++ * added new manual page, updated opensnitchd.1 ++ * improved debian/tests/ ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Mon, 13 Feb 2023 12:43:19 +0100 ++ ++opensnitch (1.5.7-1) unstable; urgency=medium ++ ++ * New upstream release ++ ++ [ Gustavo Iñiguez Goia ] ++ * Set test-fw-rules.sh as flaky. ++ * Make test-fw-rules.sh more verbose. ++ ++ [ Petter Reinholdtsen ] ++ * Fixed typo in nb comment of desktop file. ++ * Added appstream desktop category to metadata XML. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Fri, 10 Feb 2023 13:28:23 +0100 ++ ++opensnitch (1.5.6-1) unstable; urgency=medium ++ ++ * New upstream release ++ ++ [ Gustavo Iñiguez Goia ] ++ * tests: removed Architecture: restriction ++ * changed Maintainer: field to team+pkg-go ++ * added new test ++ * added Uploaders field ++ * updated Vcs* fields ++ ++ [ Petter Reinholdtsen ] ++ * Added Debian package relation between opensnitch and ++ python3-opensnitch-ui. ++ * Handle autopkgtest scripts differently, as they have different ++ requirements. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Tue, 07 Feb 2023 21:29:48 +0100 ++ +opensnitch (1.5.5-1) unstable; urgency=medium + + * New upstream release. + * Bump Standards-Version to 4.6.2. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Wed, 01 Feb 2023 22:37:12 +0100 + +opensnitch (1.5.4-1) unstable; urgency=high + + * New upstream release. (Closes: #1030115) + * debian/control: + - Updated packages description. + - Removed debconf and whiptail|dialog dependencies. + - Added xdg-user-dirs, gtk-update-icon-cache dependencies. + - Point Vcs-Git field to the 1.5.0 branch. + * debian/postinst: + - Fixed opensnitch_ui.desktop installation. 
+ - Fixed updating icons cache. + * debian/postrm: + - Fixed removing opensnitch_ui.desktop + * debian/tests/: + - Added autopkgtests. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 31 Jan 2023 23:48:58 +0100 + +opensnitch (1.5.3-1) unstable; urgency=medium + + * Added debian/upstream/metadata. + * Updated Homepage url. + * Updated Copyright years. + + -- Gustavo-Iniguez-Goya Sun, 22 Jan 2023 21:30:45 +0100 + +opensnitch (1.5.2.1-1) unstable; urgency=medium + + * Initial release. (Closes: #909567) + + -- Gustavo-Iniguez-Goya Fri, 20 Jan 2023 22:26:40 +0000 + +opensnitch (1.5.2-1) unstable; urgency=medium + + * try to mount debugfs on boot up + + -- gustavo-iniguez-goya Wed, 27 Jul 2022 17:29:33 +0200 + +opensnitch (1.5.1-1) unstable; urgency=medium + + * Better eBPF cache. + * Fixed error resolving domains to localhost. + * Fixed error deleting our nftables rules. + + -- gustavo-iniguez-goya Fri, 25 Feb 2022 01:21:38 +0100 + +opensnitch (1.5.0-1) unstable; urgency=medium + + * New release. + * Added Reject option. + * New lists types to block ads/malware/... + * Better connections interception. + * Better VPNs handling. + * Bug fixes. + + -- gustavo-iniguez-goya Fri, 28 Jan 2022 23:20:38 +0100 + +opensnitch (1.5.0~rc2-1) unstable; urgency=medium + + * Better connections interception. + * Improvements. + + -- gustavo-iniguez-goya Sun, 16 Jan 2022 23:15:12 +0100 + +opensnitch (1.5.0~rc1-1) unstable; urgency=medium + + * New features. + + -- gustavo-iniguez-goya Thu, 07 Oct 2021 14:57:35 +0200 + +opensnitch (1.4.0-1) unstable; urgency=medium + + * final release. + + -- gustavo-iniguez-goya Fri, 27 Aug 2021 13:33:07 +0200 + +opensnitch (1.4.0~rc4-1) unstable; urgency=medium + + * Bug fix release. + + -- gustavo-iniguez-goya Wed, 11 Aug 2021 15:17:49 +0200 + +opensnitch (1.4.0~rc3-1) unstable; urgency=medium + + * Bug fix release. 
+ + -- gustavo-iniguez-goya Fri, 16 Jul 2021 23:28:52 +0200 + +opensnitch (1.4.0~rc2-1) unstable; urgency=medium + + * Added eBPF support. + * Fixes and improvements. + + -- gustavo-iniguez-goya Fri, 07 May 2021 01:08:02 +0200 + +opensnitch (1.4.0~rc-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Thu, 25 Mar 2021 01:02:31 +0100 + +opensnitch (1.3.6-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Wed, 10 Feb 2021 10:17:43 +0100 + +opensnitch (1.3.5-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Mon, 11 Jan 2021 18:01:53 +0100 + +opensnitch (1.3.0-1) unstable; urgency=medium + + * Fixed how we check rules + * Fixed cpu spike after disable interception. + * Fixed cleaning up fw rules on exit. + * make regexp rules case-insensitive by default + * allow to filter by dst network. + + -- gustavo-iniguez-goya Wed, 16 Dec 2020 01:15:03 +0100 + +opensnitch (1.3.0~rc-1) unstable; urgency=medium + + * Non-maintainer upload. + + -- gustavo-iniguez-goya Fri, 13 Nov 2020 00:51:34 +0100 + +opensnitch (1.2.0-1) unstable; urgency=medium + + * Fixed memleaks. + * Sort rules by name + * Added priority field to rules. + * Other fixes + + -- gustavo-iniguez-goya Mon, 09 Nov 2020 22:55:13 +0100 + +opensnitch (1.0.1-1) unstable; urgency=medium + + * Fixed app exit when IPv6 is not supported. + * Other fixes. + + -- gustavo-iniguez-goya Thu, 30 Jul 2020 21:56:20 +0200 + +opensnitch (1.0.0-1) unstable; urgency=medium + + * v1.0.0 released. + + -- gustavo-iniguez-goya Thu, 16 Jul 2020 00:19:26 +0200 + +opensnitch (1.0.0rc11-1) unstable; urgency=medium + + * Fixed multiple race conditions. + * Fixed CWD parsing when using audit proc monitor method. + + -- gustavo-iniguez-goya Wed, 24 Jun 2020 00:10:38 +0200 + +opensnitch (1.0.0rc10-1) unstable; urgency=medium + + * Fixed checking UID functions availability. + * Improved process path parsing. 
+ * Fixed applying config from the UI. + * Fixed default log level. + * Gather CWD and process environment vars. + * Increase default timeout when asking for a rule. + + -- gustavo-iniguez-goya Sat, 13 Jun 2020 18:45:02 +0200 + +opensnitch (1.0.0rc9-1) unstable; urgency=medium + + * Ignore malformed rules from loading. + * Allow to modify and add rules from the UI. + + -- gustavo-iniguez-goya Sun, 17 May 2020 18:18:24 +0200 + +opensnitch (1.0.0rc8) unstable; urgency=medium + + * Allow to change settings from the UI. + * Improved connection handling with the UI. + + -- gustavo-iniguez-goya Wed, 29 Apr 2020 21:52:27 +0200 + +opensnitch (1.0.0rc7-1) unstable; urgency=medium + + * Stability, performance and realiability improvements. + + -- gustavo-iniguez-goya Sun, 12 Apr 2020 23:25:41 +0200 + +opensnitch (1.0.0rc6-1) unstable; urgency=medium + + * Fixed iptables rules deletion. + * Improved PIDs cache. + * Added audit process monitoring method. + * Added logrotate file. + * Added default configuration file. + + -- gustavo-iniguez-goya Sun, 08 Mar 2020 20:47:58 +0100 + +opensnitch (1.0.0rc-5) unstable; urgency=medium + + * Fixed netlink socket querying. + * Added check to reload firewall rules if missing. + + -- gustavo-iniguez-goya Mon, 24 Feb 2020 19:55:06 +0100 + +opensnitch (1.0.0rc-3) unstable; urgency=medium + + * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases + + -- gustavo-iniguez-goya Tue, 18 Feb 2020 10:09:45 +0100 + +opensnitch (1.0.0rc-2) unstable; urgency=medium + + * UI minor changes + * Expand deb package compatibility. 
+ + -- gustavo-iniguez-goya Wed, 05 Feb 2020 21:50:20 +0100 + +opensnitch (1.0.0rc-1) unstable; urgency=medium + + * Initial release + + -- gustavo-iniguez-goya Fri, 22 Nov 2019 01:14:08 +0100 diff --cc debian/control index f67967b,0000000..2ae6b71 mode 100644,000000..100644 --- a/debian/control +++ b/debian/control @@@ -1,95 -1,0 +1,93 @@@ +Source: opensnitch - Maintainer: Gustavo Iñiguez Goya ++Maintainer: Debian Go Packaging Team ++Uploaders: Gustavo Iñiguez Goya +Section: devel - Testsuite: autopkgtest-pkg-go +Priority: optional +Build-Depends: + debhelper-compat (= 11), + dh-golang, + dh-python, + golang-any, - golang-github-evilsocket-ftrace-dev, + golang-github-fsnotify-fsnotify-dev, + golang-github-google-gopacket-dev, + golang-github-google-nftables-dev, + golang-github-iovisor-gobpf-dev, + golang-github-vishvananda-netlink-dev, + golang-golang-x-net-dev, + golang-google-grpc-dev, + golang-goprotobuf-dev, + libmnl-dev, + libnetfilter-queue-dev, + pkg-config, + protoc-gen-go-grpc, + pyqt5-dev-tools, + qttools5-dev-tools, + python3-all, + python3-grpc-tools, + python3-setuptools +Standards-Version: 4.6.2 - Vcs-Browser: https://github.com/evilsocket/opensnitch - Vcs-Git: https://github.com/evilsocket/opensnitch.git -b 1.5.0 ++Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch ++Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git +Homepage: https://github.com/evilsocket/opensnitch +Rules-Requires-Root: no +XS-Go-Import-Path: github.com/evilsocket/opensnitch + +Package: opensnitch +Section: net +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: python3-opensnitch-ui +Built-Using: ${misc:Built-Using} +Description: GNU/Linux interactive application firewall - OpenSnitch is a GNU/Linux firewall application. + Whenever a program makes a connection, it'll prompt the user to allow or deny + it. + . 
+ The user can decide if block the outgoing connection based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until the app restart or just one time. + . + The GUI allows the user to view live outgoing connections, as well as search + by process, user, host or port. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. + + +Package: python3-opensnitch-ui +Architecture: all +Section: net +Depends: + ${misc:Depends}, + ${shlibs:Depends}, + libqt5sql5-sqlite, + python3-grpcio, + python3-notify2, + python3-pyinotify, + python3-pyqt5, + python3-pyqt5.qtsql, + python3-setuptools, + python3-six, + python3-slugify, + python3:any, + xdg-user-dirs, + gtk-update-icon-cache +Recommends: + python3-pyasn +Suggests: opensnitch +Description: GNU/Linux interactive application firewall GUI + opensnitch-ui is a GUI for opensnitch written in Python. + It allows the user to view live outgoing connections, as well as search + for details of the intercepted connections. + . + The user can decide if block outgoing connections based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until restart the daemon or just one time. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. 
diff --cc debian/copyright index a867271,0000000..7054f76 mode 100644,000000..100644 --- a/debian/copyright +++ b/debian/copyright @@@ -1,32 -1,0 +1,203 @@@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: https://github.com/evilsocket/opensnitch +Upstream-Contact: Gustavo Iñiguez Goia +Upstream-Name: opensnitch +Files-Excluded: + Godeps/_workspace + +Files: * +Copyright: + 2017-2018 evilsocket + 2019-2023 Gustavo Iñiguez Goia +Comment: Debian packaging is licensed under the same terms as upstream +License: GPL-3.0+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this program. If not, If not, see + http://www.gnu.org/licenses/. + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + '/usr/share/common-licenses/GPL-3'. ++ ++Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml ++Copyright: ++ 2023 Gustavo Iñiguez Goia ++License: FTL ++ The FreeType Project LICENSE ++ ---------------------------- ++ . ++ 2006-Jan-27 ++ . ++ Copyright 1996-2002, 2006 by ++ David Turner, Robert Wilhelm, and Werner Lemberg ++ . ++ . ++ . ++ Introduction ++ ============ ++ . ++ The FreeType Project is distributed in several archive packages; ++ some of them may contain, in addition to the FreeType font engine, ++ various tools and contributions which rely on, or relate to, the ++ FreeType Project. ++ . 
++ This license applies to all files found in such packages, and ++ which do not fall under their own explicit license. The license ++ affects thus the FreeType font engine, the test programs, ++ documentation and makefiles, at the very least. ++ . ++ This license was inspired by the BSD, Artistic, and IJG ++ (Independent JPEG Group) licenses, which all encourage inclusion ++ and use of free software in commercial and freeware products ++ alike. As a consequence, its main points are that: ++ . ++ o We don't promise that this software works. However, we will be ++ interested in any kind of bug reports. (`as is' distribution) ++ . ++ o You can use this software for whatever you want, in parts or ++ full form, without having to pay us. (`royalty-free' usage) ++ . ++ o You may not pretend that you wrote this software. If you use ++ it, or only parts of it, in a program, you must acknowledge ++ somewhere in your documentation that you have used the ++ FreeType code. (`credits') ++ . ++ We specifically permit and encourage the inclusion of this ++ software, with or without modifications, in commercial products. ++ We disclaim all warranties covering The FreeType Project and ++ assume no liability related to The FreeType Project. ++ . ++ . ++ Finally, many people asked us for a preferred form for a ++ credit/disclaimer to use in compliance with this license. We thus ++ encourage you to use the following text: ++ . ++ """ ++ Portions of this software are copyright © The FreeType ++ Project (www.freetype.org). All rights reserved. ++ """ ++ . ++ Please replace with the value from the FreeType version you ++ actually use. ++ . ++ . ++ Legal Terms ++ =========== ++ . ++ 0. Definitions ++ -------------- ++ . 
++ Throughout this license, the terms `package', `FreeType Project', ++ and `FreeType archive' refer to the set of files originally ++ distributed by the authors (David Turner, Robert Wilhelm, and ++ Werner Lemberg) as the `FreeType Project', be they named as alpha, ++ beta or final release. ++ . ++ `You' refers to the licensee, or person using the project, where ++ `using' is a generic term including compiling the project's source ++ code as well as linking it to form a `program' or `executable'. ++ This program is referred to as `a program using the FreeType ++ engine'. ++ . ++ This license applies to all files distributed in the original ++ FreeType Project, including all source code, binaries and ++ documentation, unless otherwise stated in the file in its ++ original, unmodified form as distributed in the original archive. ++ If you are unsure whether or not a particular file is covered by ++ this license, you must contact us to verify this. ++ . ++ The FreeType Project is copyright (C) 1996-2000 by David Turner, ++ Robert Wilhelm, and Werner Lemberg. All rights reserved except as ++ specified below. ++ . ++ 1. No Warranty ++ -------------- ++ . ++ THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY ++ KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS ++ BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO ++ USE, OF THE FREETYPE PROJECT. ++ . ++ 2. Redistribution ++ ----------------- ++ . 
++ This license grants a worldwide, royalty-free, perpetual and ++ irrevocable right and license to use, execute, perform, compile, ++ display, copy, create derivative works of, distribute and ++ sublicense the FreeType Project (in both source and object code ++ forms) and derivative works thereof for any purpose; and to ++ authorize others to exercise some or all of the rights granted ++ herein, subject to the following conditions: ++ . ++ o Redistribution of source code must retain this license file ++ (`FTL.TXT') unaltered; any additions, deletions or changes to ++ the original files must be clearly indicated in accompanying ++ documentation. The copyright notices of the unaltered, ++ original files must be preserved in all copies of source ++ files. ++ . ++ o Redistribution in binary form must provide a disclaimer that ++ states that the software is based in part of the work of the ++ FreeType Team, in the distribution documentation. We also ++ encourage you to put an URL to the FreeType web page in your ++ documentation, though this isn't mandatory. ++ . ++ These conditions apply to any software derived from or based on ++ the FreeType Project, not just the unmodified files. If you use ++ our work, you must acknowledge us. However, no fee need be paid ++ to us. ++ . ++ 3. Advertising ++ -------------- ++ . ++ Neither the FreeType authors and contributors nor you shall use ++ the name of the other for commercial, advertising, or promotional ++ purposes without specific prior written permission. ++ . ++ We suggest, but do not require, that you use one or more of the ++ following phrases to refer to this software in your documentation ++ or advertising materials: `FreeType Project', `FreeType Engine', ++ `FreeType library', or `FreeType Distribution'. ++ . ++ As you have not signed this license, you are not required to ++ accept it. 
However, as the FreeType Project is copyrighted ++ material, only this license, or another one contracted with the ++ authors, grants you the right to use, distribute, and modify it. ++ Therefore, by using, distributing, or modifying the FreeType ++ Project, you indicate that you understand and accept all the terms ++ of this license. ++ . ++ 4. Contacts ++ ----------- ++ . ++ There are two mailing lists related to FreeType: ++ . ++ o freetype@nongnu.org ++ . ++ Discusses general use and applications of FreeType, as well as ++ future and wanted additions to the library and distribution. ++ If you are looking for support, start in this list if you ++ haven't found anything to help you in the documentation. ++ . ++ o freetype-devel@nongnu.org ++ . ++ Discusses bugs, as well as engine internals, design issues, ++ specific licenses, porting, etc. ++ . ++ Our home page can be found at ++ . ++ https://www.freetype.org diff --cc debian/man/opensnitch-ui.1 index 0000000,0000000..cc2befb new file mode 100644 --- /dev/null +++ b/debian/man/opensnitch-ui.1 @@@ -1,0 -1,0 +1,107 @@@ ++.\" Copyright (c) 2023 Gustavo Iñiguez Goya ++.\" All rights reserved. ++.\" ++.\" SPDX-License-Identifier: GPL-3.0-or-later ++.de CW ++.sp ++.in +4n ++.nf ++.ft CW ++.. ++.de CE ++.ft R ++.fi ++.in ++.sp ++.. ++.\" Like .OP, but with ellipsis at the end in order to signify that option ++.\" can be provided multiple times. Based on .OP definition in groff's ++.\" an-ext.tmac. ++.de OM ++. ie \\n(.$-1 \ ++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" ++. el \ ++. RB "[" "\\$1" "]...\&" ++.. ++.\" Required option. ++.de OR ++. ie \\n(.$-1 \ ++. RI "\fB\\$1\fP" "\ \\$2" ++. el \ ++. BR "\\$1" ++.. 
++.TH OPENSNITCH-UI 1 "2023-02-12" "opensnitchd 1.5.6" ++.SH NAME ++opensnitch-ui \- GNU/Linux interactive firewall application ++.SH SYNOPSIS ++.SY opensnitch-ui ++.OP \-\-socket path ++.OP \-\-max-clients num ++.YS ++.SH DESCRIPTION ++.LP ++opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon, ++and to manage the rules. ++The GUI is composed of 2 components in the same script: a server and a GUI. ++Once the GUI is launched, an icon will appear on the system tray. ++If the system tray is not available or can't be used, the Events dialog will ++be launched. ++.LP ++The GUI (i.e.: the server) will listen for new connections from daemons. You ++can have the daemon installed on multiple machines, and manage them from a ++centralized GUI. https://github.com/evilsocket/opensnitch/wiki/Nodes ++.LP ++.SH OPTIONS ++.TP ++.BI "\--socket " path ++Specifies the path or network address where the GUI (i.e.: the server) will ++listen on. ++.PP ++ Examples: ++.PP ++ Default: unix:///tmp/osui.sock ++.PP ++ - Listening on a Unix socket: ++ $ opensnitch-ui --socket unix:///tmp/osui.sock ++ * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy. ++.PP ++ - Listening on port 50051, all interfaces: ++ $ opensnitch-ui --socket "[::]:50051" ++.TP ++.BI "\--max-clients " num ++Maximum number of clients to allow (default: 10). ++.SH FILES ++.I /home/$USER/.config/opensnitch/ ++.RS ++Path of the GUI configuration. 
++.RE ++.SH DIAGNOSTICS ++If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages: ++.LP ++.RS ++$ opensnitch-ui ++.RE ++.SH REPORTING BUGS ++Problems with ++.B opensnitch-ui ++should be reported on github https://github.com/evilsocket/opensnitch/issues ++.UR https://github.com/evilsocket/opensnitch/issues ++.SH "SEE ALSO" ++.PP ++.UR https://github.com/evilsocket/opensnitch ++.B OpenSnitch ++Home Page ++.UE ++.LP ++.SH HISTORY ++.B OpenSnitch ++was originally written by Simone Margaritelli (evilsocket) in 2017-2018. ++.LP ++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started ++contributing, fixing bugs and adding new functionality, with ++the esential help of the community, and valuable contributions from themighty1 and ++calesanz among others. ++.SH AUTHORS ++The complete list of ++.B OpenSnitch ++contributors can be found on https://github.com/evilsocket/opensnitch diff --cc debian/man/opensnitchd.1 index 0000000,0000000..1e92934 new file mode 100644 --- /dev/null +++ b/debian/man/opensnitchd.1 @@@ -1,0 -1,0 +1,177 @@@ ++.\" Copyright (c) 2023 Gustavo Iñiguez Goya ++.\" All rights reserved. ++.\" ++.\" SPDX-License-Identifier: GPL-3.0-or-later ++.de CW ++.sp ++.in +4n ++.nf ++.ft CW ++.. ++.de CE ++.ft R ++.fi ++.in ++.sp ++.. ++.\" Like .OP, but with ellipsis at the end in order to signify that option ++.\" can be provided multiple times. Based on .OP definition in groff's ++.\" an-ext.tmac. ++.de OM ++. ie \\n(.$-1 \ ++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" ++. el \ ++. RB "[" "\\$1" "]...\&" ++.. ++.\" Required option. ++.de OR ++. ie \\n(.$-1 \ ++. RI "\fB\\$1\fP" "\ \\$2" ++. el \ ++. BR "\\$1" ++.. 
++.TH OPENSNITCHD 1 "2023-02-12" "opensnitchd 1.5.6" ++.SH NAME ++opensnitchd \- GNU/Linux interactive firewall application ++.SH SYNOPSIS ++.SY opensnitchd ++.OP \-rules-path path ++.OP \-cpu-profile path ++.OP \-debug ++.OP \-error ++.OP \-warning ++.OP \-important ++.OM \-log-file path ++.OM \-mem-profile path ++.OP \-no-live-reload ++.OM \-process-monitor-method name ++.OM \-queue-num num ++.OM \-ui-socket path ++.OP \-version ++.OM \-workers num ++.YS ++.SH DESCRIPTION ++.LP ++opensnitchd is the OpenSnitch agent that intercepts outbound connections, ++and send them to the server. The server can be a GUI, a TUI, or a ++.I headless ++component to just log the network activity (a SIEM for example). ++By default it'll allow all connections, creating temporal rules for you ++so you can review them later. ++.LP ++.SH OPTIONS ++.TP ++.BI "\-rules-path " path ++Specifies where the rules will be written to. Default "rules". ++.TP ++.BI "\-cpu-profile " path ++A file path where the CPU data for later use will be written. ++.TP ++.BI "\-debug" ++Set LogLevel to DEBUG. ++.TP ++.BI "\-warning" ++Set LogLevel to WARNING. ++.TP ++.BI "\-important" ++Set LogLevel to IMPORTANT. ++.TP ++.BI "\-log-file " path ++A file path where the logs will be written to. This path can be a device file, ++like /dev/stdout to print logs to standard output. ++.TP ++.BI "\-mem-profile " path ++A file path where the memory data will be written once the daemon exits. ++.TP ++.BI "\-no-live-reload" ++By default daemon's rules and configuration is reloaded whenever it changes. ++This option disables this feature. ++.TP ++.BI "\-process-monitor-method " method ++Force process monitor method, overriding what is defined in the configuration. ++Valid methods: ebpf, audit, proc ++.TP ++.BI "\-queue-num " num ++Force to use this netfilter queue num. The default queue number is 0, but if ++it's already used by other software, you can set another queue number here. 
++.TP ++.BI "\-ui-socket " path ++Force to use this socket path, instead of the one defined in the configuration. ++The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051") ++.RS ++(https://github.com/grpc/grpc/blob/master/doc/naming.md) ++.RE ++.TP ++.BI "\-version" ++Prints out daemon version. ++.TP ++.BI "\-workers " num ++Change maximum number of workers to process outbound connections. ++By default 16 workers are launched, but if it's not enough increase this number. ++.SH FILES ++.I /etc/opensnitchd/rules/ ++.RS ++Default daemon directory rules. ++.RE ++.I /etc/opensnitchd/default-config.json ++.RS ++Default daemon configuration. ++.RE ++.I /etc/opensnitchd/system-fw.json ++.RS ++Configuration of system firewall rules (iptables/nftables). ++.TP ++Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services. ++.SH DIAGNOSTICS ++OpenSnitch needs at least one firewall rule to intercept outbound connections: ++.LP ++iptables -t mangle -L OUTPUT | grep NFQUEUE ++.RS ++NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass ++.RE ++.LP ++If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it, ++using the GUI enable the option ++.I [x] Debug invalid connections ++under Preferences -> Nodes. ++Or set the configuration option ++.B InterceptUnknown ++to true. ++.LP ++.I Tip: ++You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon. ++.LP ++Another way of debugging errors is by launching the daemon from the command line: ++.IP ++.PD 0 ++.IP 1. 4 ++Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration) ++.IP 2. 4 ++Stop the daemon: systemctl stop opensnitch ++.IP 3. 
4 ++Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/ ++.PD ++.LP ++.SH REPORTING BUGS ++Problems with ++.B opensnitchd ++should be reported on github https://github.com/evilsocket/opensnitch/issues ++.UR https://github.com/evilsocket/opensnitch/issues ++.SH HISTORY ++.B OpenSnitch ++was originally written by Simone Margaritelli (evilsocket) in 2017-2018. ++.LP ++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started ++contributing, fixing bugs and adding new functionality, with ++the esential help of the community, and valuable contributions from themighty1 and ++calesanz among others. ++.SH "SEE ALSO" ++.PP ++.UR https://github.com/evilsocket/opensnitch ++.B OpenSnitch ++Home Page ++.UE ++.SH AUTHORS ++The complete list of ++.B OpenSnitch ++contributors can be found on https://github.com/evilsocket/opensnitch diff --cc debian/opensnitch.manpages index 0000000,0000000..89a1536 new file mode 100644 --- /dev/null +++ b/debian/opensnitch.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/man/opensnitchd.1 diff --cc debian/python3-opensnitch-ui.manpages index 0000000,0000000..3392b6a new file mode 100644 --- /dev/null +++ b/debian/python3-opensnitch-ui.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/man/opensnitch-ui.1 diff --cc debian/python3-opensnitch-ui.postinst index 0b7ab1e,0000000..dea2517 mode 100755,000000..100755 --- a/debian/python3-opensnitch-ui.postinst +++ b/debian/python3-opensnitch-ui.postinst @@@ -1,18 -1,0 +1,27 @@@ +#!/bin/sh - +set -e + +autostart_by_default() +{ - if [ -f /etc/xdg/autostart -a ! -f /etc/xdg/autostart/opensnitch_ui.desktop ]; then ++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop ++ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! 
-f $deskfile ]; then + ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/ + fi +} + - autostart_by_default - +if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then + gtk-update-icon-cache --quiet /usr/share/icons/hicolor/ +fi + ++case "$1" in ++ configure) ++ # first install ++ if [ -z $2 ]; then ++ autostart_by_default ++ elif dpkg --compare-versions "$2" le "1.5.7-2"; then ++ autostart_by_default ++ fi ++ ;; ++esac ++ +#DEBHELPER# diff --cc debian/python3-opensnitch-ui.postrm index 8189482,0000000..cb17ba5 mode 100755,000000..100755 --- a/debian/python3-opensnitch-ui.postrm +++ b/debian/python3-opensnitch-ui.postrm @@@ -1,15 -1,0 +1,16 @@@ +#!/bin/sh +set -e + +case "$1" in + purge) - if [ -f /etc/xdg/autostart/opensnitch_ui.desktop ];then ++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop ++ if [ -f $deskfile -o -h $deskfile ];then + rm -f /etc/xdg/autostart/opensnitch_ui.desktop + fi + ;; + remove) - pkill -15 opensnitch-ui || true ++ pkill -15 opensnitch-ui || true + ;; +esac + +#DEBHELPER# diff --cc debian/tests/control index 2ae9569,0000000..40698ed mode 100644,000000..100644 --- a/debian/tests/control +++ b/debian/tests/control @@@ -1,2 -1,0 +1,7 @@@ +Tests: test-resources.sh +Depends: opensnitch ++Restrictions: superficial ++ ++Tests: test-fw-rules.sh ++Depends: iptables, nftables, opensnitch ++Restrictions: needs-root diff --cc debian/tests/test-fw-rules.sh index 0000000,0000000..633c17d new file mode 100755 --- /dev/null +++ b/debian/tests/test-fw-rules.sh @@@ -1,0 -1,0 +1,27 @@@ ++#!/bin/sh ++set -e ++ ++# for some reason, go.exec.LookPath() fails to obtain the path of iptables ++# on the ci environment, even if $PATH is set correctly. 
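Review bot: In the new `configure)` branch of debian/python3-opensnitch-ui.postinst, `[ -z $2 ]` is unquoted and is true on a first install only because `[ -z ]` with a single argument tests the literal string `-z`. Quote it and fold the two identical branches into one: `if [ -z "$2" ] || dpkg --compare-versions "$2" le "1.5.7-2"; then`. In `autostart_by_default`, `$deskfile` is likewise unquoted, and the `ln -s` destination repeats the directory instead of using the variable; `ln -s /usr/share/applications/opensnitch_ui.desktop "$deskfile"` keeps the guard and the action on the same path. Because the script runs under `set -e`, a failing `ln` aborts package configuration, so the test and the link target should not be able to drift apart.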
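Review bot: The `purge)` branch of debian/python3-opensnitch-ui.postrm tests `$deskfile` unquoted with the obsolescent `-o` operator, then deletes a second, hard-coded copy of the same path. Since `rm -f` already succeeds for a missing file or a dangling symlink, the whole `if` can be reduced to `rm -f "$deskfile"`. The link is removed only on purge, so after a plain `remove` it presumably stays in /etc/xdg/autostart pointing at a desktop file the package no longer provides. If that is intended, a comment such as `# autostart link is configuration: kept on remove, dropped on purge` would make it explicit.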
++echo "[+] PATH: $PATH"
++
++log="/var/log/opensnitchd.log"
++
++if [ -f /proc/modules ]; then
++ echo "[+] loaded modules:"
++ cat /proc/modules
++fi
++
++if [ -f $log ]; then
++ echo "[+] opensnitchd log:"
++ cat $log
++fi
++if grep "iptables not available" $log >/dev/null; then
++ echo "[!] iptables not available, falling back to nftables"
++ nft list ruleset | grep "ct state related,new queue flags bypass to 0"
++ echo "[+] Interception rule (nftables): OK"
++else
++ /usr/sbin/iptables -t mangle -L OUTPUT
++ /usr/sbin/iptables -t mangle -L OUTPUT | grep "NFQUEUE.*ctstate NEW,RELATED.*NFQUEUE num.*bypass"
++ echo "[+] Interception rule (iptables): OK"
++fi
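Review bot: In debian/tests/test-fw-rules.sh the `grep "iptables not available" $log` condition runs even when the log file is missing, because only the preceding `cat $log` is guarded by `[ -f $log ]`. grep then writes an error to stderr, which autopkgtest treats as a test failure unless the stanza declares `allow-stderr`; the `Restrictions: needs-root` stanza added in debian/tests/control does not. Guard and quote it: `if [ -f "$log" ] && grep -q "iptables not available" "$log"; then`. The else branch hard-codes `/usr/sbin/iptables`; if that is deliberate because of the PATH lookup problem described in the header comment, a short comment on that line should say so.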