Can I use opensnitch?
-
Hey everyone,
Is there a way to use opensnitch? I tried installing it on Libertine but it failed to start because some Qt dependencies were missing. Besides, it might not work anyway since it would run in the sandbox?
Thanks!
-
To get similar functionality to opensnitch I ended up doing this.
I enabled the firewall ufw:
sudo ufw enable
I created a text file with the IP ranges of Canonical, Cloudflare and Digital Ocean, one range per line:
162.213.32.0/24
162.213.34.0/24
162.213.35.0/24
185.125.188.0/23
185.125.190.0/24
194.169.254.0/24
91.189.89.0/24
91.189.91.0/24
91.189.95.0/24
2001:67c:1560::/48
2001:67c:1561::/48
2001:67c:1562::/48
2620:2d:4000::/48
2620:2d:4001::/48
2620:2d:4002::/48
2620:2d:4003::/48
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
103.253.144.0/22
104.131.0.0/18
104.131.128.0/20
104.131.144.0/20
104.131.160.0/20
104.131.176.0/20
104.131.192.0/19
104.131.224.0/19
104.131.64.0/18
104.236.0.0/18
2400:6180:100::/40
2400:6180:10::/48
2400:6180::/48
2604:a880:1::/48
2604:a880:2::/48
2604:a880:3::/48
2604:a880:400::/48
2604:a880:4::/48
2604:a880::/48
2604:a880:800::/48
Finally, I added all these rules to ufw:
while read -r line; do sudo ufw deny out from any to "$line"; done < ip-ranges-canonical-cloudflare.txt
You can check if it worked like this:
sudo ufw status
Please note: updates, automatic time setting and probably GPS won't work anymore because they go through these IPs. Also, websites that use Cloudflare won't work, obviously.
When you need any of this, simply turn off the firewall:
sudo ufw disable
If you'd like to see details of what the firewall does, you can use this:
journalctl | grep '\[UFW '
-
OK, I did some more digging: I installed tcptrack to see if I could get outside of the sandbox. It didn't work, so opensnitch wouldn't work either, even if I could get it installed.
-
@AighaeZ1 Thank you for this post. Your answer can easily be adapted for other IP ranges that a user might want to have blocked.
Does the firewall remain enabled after a reboot?
-
Yes, the firewall stays active after rebooting.
I've also checked if the firewall was perhaps circumvented by looking at the NAT log of my router. No entry, so it seems to work.
Another idea might be: if you, say, currently need Cloudflare for surfing the net, then you could enable just these IP ranges by making a separate text file and running this command:
while read -r line; do sudo ufw allow out from any to "$line"; done < ip-ranges-cloudflare.txt
I only changed "deny" to "allow" from the first script.
These would be the IP ranges, again one per line:
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
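-
The two loops above (the "deny out" loop in the first answer and the "allow out" variant in the last post) feed every line of the text file straight into ufw. The script below is an added example, not code from any poster in this thread: it builds the same "ufw ... out from any to <range>" rules, but validates each range first, accepts one or more ranges per line plus "#" comments, prints the commands for review before anything is applied (DRY_RUN=1, the default), and can insert a rule at a given position. That last point matters for the allow trick: ufw applies the first matching rule, so an allow that is simply appended after the existing deny rules for the same ranges never gets reached; it has to be inserted ahead of them. The file names, the DRY_RUN variable and the function names are this example's own conventions.

```sh
#!/bin/sh
# Added example, not code from the thread: generate ufw egress rules from a
# CIDR list with validation and a dry-run step. POSIX sh, no bash-isms.

# Exactly four numeric octets, each 0..255.
ipv4_ok() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Accept "addr/prefix" for IPv4 (prefix 0..32) or IPv6 (hex digits and
# colons, prefix 0..128); reject anything else so a typo never becomes a rule.
is_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  _addr=${1%/*}; _plen=${1##*/}
  case "$_plen" in ''|*[!0-9]*) return 1 ;; esac
  case "$_addr" in
    *:*) case "$_addr" in *[!0-9a-fA-F:]*) return 1 ;; esac
         [ "$_plen" -le 128 ] ;;
    *)   ipv4_ok "$_addr" && [ "$_plen" -le 32 ] ;;
  esac
}

# rules_from_file ACTION FILE [POSITION]
# Print one ufw command per valid range in FILE. With POSITION the rule is
# emitted as "ufw insert POSITION ACTION ...", which is how an allow rule is
# placed ahead of earlier deny rules (ufw uses the first matching rule).
# Invalid entries are reported on stderr and make the function return 1.
rules_from_file() {
  _action=$1; _file=$2; _pos=$3; _bad=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line=${_line%%#*}          # drop trailing comments
    for _cidr in $_line; do     # word-split: several ranges on one line are fine
      if is_cidr "$_cidr"; then
        if [ -n "$_pos" ]; then
          printf 'ufw insert %s %s out from any to %s\n' "$_pos" "$_action" "$_cidr"
        else
          printf 'ufw %s out from any to %s\n' "$_action" "$_cidr"
        fi
      else
        printf 'skipping invalid entry: %s\n' "$_cidr" >&2
        _bad=1
      fi
    done
  done < "$_file"
  return $_bad
}

# apply_rules ACTION FILE [POSITION]
# Refuse to touch the firewall if the list has an invalid entry; otherwise
# print the commands (DRY_RUN=1, default) or run each one under sudo.
apply_rules() {
  rules_from_file "$@" > /dev/null || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    rules_from_file "$@"
  else
    rules_from_file "$@" | while IFS= read -r _cmd; do sudo $_cmd; done
  fi
}

# Usage (review first, then apply):
#   apply_rules deny  ip-ranges-canonical-cloudflare.txt
#   apply_rules allow ip-ranges-cloudflare.txt 1        # allow subset ahead of the denies
#   DRY_RUN=0 apply_rules deny ip-ranges-canonical-cloudflare.txt
```

After applying, `sudo ufw status numbered` shows the resulting order, which is the thing to check when an allow rule does not seem to take effect. Note also that this is still address-based filtering: unlike opensnitch it cannot tell which application opened a connection, and anything that talks to hosts outside the listed ranges is unaffected.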