
    Can I use opensnitch?

      AighaeZ1

      Hey everyone,

      Is there a way to use opensnitch? I tried installing it on Libertine but it failed to start because some Qt dependencies were missing. Besides, it might not work anyway since it would run in the sandbox?

      Thanks!

        AighaeZ1

        To get similar functionality to opensnitch I ended up doing this.

        I enabled the firewall ufw:

        sudo ufw enable
        

        I created a text file with the IP ranges of Canonical, Cloudflare and Digital Ocean:

        162.213.32.0/24
        162.213.34.0/24
        162.213.35.0/24
        185.125.188.0/23
        185.125.190.0/24
        194.169.254.0/24
        91.189.89.0/24
        91.189.91.0/24
        91.189.95.0/24
        2001:67c:1560::/48
        2001:67c:1561::/48
        2001:67c:1562::/48
        2620:2d:4000::/48
        2620:2d:4001::/48
        2620:2d:4002::/48
        2620:2d:4003::/48
        173.245.48.0/20
        103.21.244.0/22
        103.22.200.0/22
        103.31.4.0/22
        141.101.64.0/18
        108.162.192.0/18
        190.93.240.0/20
        188.114.96.0/20
        197.234.240.0/22
        198.41.128.0/17
        162.158.0.0/15
        104.16.0.0/13
        104.24.0.0/14
        172.64.0.0/13
        131.0.72.0/22
        2400:cb00::/32
        2606:4700::/32
        2803:f800::/32
        2405:b500::/32
        2405:8100::/32
        2a06:98c0::/29
        2c0f:f248::/32
        103.253.144.0/22
        104.131.0.0/18
        104.131.128.0/20
        104.131.144.0/20
        104.131.160.0/20
        104.131.176.0/20
        104.131.192.0/19
        104.131.224.0/19
        104.131.64.0/18
        104.236.0.0/18
        2400:6180:100::/40
        2400:6180:10::/48
        2400:6180::/48
        2604:a880:1::/48
        2604:a880:2::/48
        2604:a880:3::/48
        2604:a880:400::/48
        2604:a880:4::/48
        2604:a880::/48
        2604:a880:800::/48
        

        Finally, I added all these rules to ufw:

        while read -r line; do sudo ufw deny out from any to "$line"; done < ip-ranges-canonical-cloudflare.txt
        

        You can check if it worked like this:

        sudo ufw status
        

        Please note: updates, automatic time setting and probably GPS won't work anymore, because they go through these IPs. Also, websites that use Cloudflare won't work, obviously.

        When you need any of this simply turn off the firewall:

        sudo ufw disable
        

        If you'd like to see details of what the firewall does, you can use this:

        journalctl | grep '\[UFW '
        
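        As an added example (not part of AighaeZ1's post), here is a small shell helper that summarises the [UFW BLOCK] lines the journalctl command above shows, grouping them by destination address, port and protocol so you can see which of the listed ranges the phone keeps trying to reach (for instance NTP on port 123, which matches the note that automatic time setting stops working). The log lines embedded in the block are constructed samples in the ufw kernel-log format, not a capture from a real device, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread: summarise ufw log lines by
# blocked destination so a user can see which of the denied ranges the
# device is actually trying to reach. The log lines below are constructed
# samples in the format ufw writes to the kernel log, not real captures.

# ufw_block_summary: read ufw log lines on stdin, keep only "[UFW BLOCK]"
# entries, and print "count destination dport proto", most frequent first.
ufw_block_summary() {
    grep -F '[UFW BLOCK]' |
    awk '{
        dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dst != "") count[dst " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# sample_ufw_log: print constructed log lines (the addresses fall inside the
# Canonical ranges from the thread's list, but the lines are made up).
sample_ufw_log() {
    cat <<'EOF'
Jan 01 12:00:01 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=91.189.91.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 12:00:02 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=91.189.91.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 12:00:03 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=185.125.190.58 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan 01 12:00:04 phone kernel: [UFW ALLOW] IN= OUT=wlan0 SRC=192.168.1.20 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=51002 DPT=443
Jan 01 12:00:05 phone systemd[1]: Started Session 3 of user phablet.
EOF
}

# Usage on a real device: journalctl -k | ufw_block_summary
# Usage on the constructed sample: sample_ufw_log | ufw_block_summary
```

        On the constructed sample this prints two lines: two blocked HTTPS attempts to 91.189.91.48 and one blocked NTP packet to 185.125.190.58; on the device itself, pipe the real log in with journalctl -k.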
          AighaeZ1

          Ok, I did some more digging: I installed tcptrack to see if I could get outside of the sandbox. It didn't work, so opensnitch wouldn't work either, even if I could get it installed.

              arubislander @AighaeZ1

              @AighaeZ1 Thank you for this post. Your answer can easily be adapted for other IP ranges that a user might want to have blocked.

              Does the firewall remain enabled after a reboot?

              🇦🇼 🇳🇱 🇺🇸 🇪🇸
              Happily running Ubuntu Touch
              JingPad (24.04-1.x daily)
              OnePlus Nord N10 5G (24.04-2.x daily)
              PinePhone OG (20.04)
              Meizu Pro 5 (16.04 DEV)

                AighaeZ1

                Yes, the firewall stays active after rebooting.

                I've also checked if the firewall was perhaps circumvented by looking at the NAT log of my router. No entry, so it seems to work.

                Another idea might be: If you, say, currently need Cloudflare for surfing the net, then you could enable just these IP ranges by making a separate text file and running this command:

                while read -r line; do sudo ufw allow out from any to "$line"; done < ip-ranges-cloudflare.txt
                

                I only changed "deny" to "allow" in the first script.

                These would be the IP ranges:

                173.245.48.0/20
                103.21.244.0/22
                103.22.200.0/22
                103.31.4.0/22
                141.101.64.0/18
                108.162.192.0/18
                190.93.240.0/20
                188.114.96.0/20
                197.234.240.0/22
                198.41.128.0/17
                162.158.0.0/15
                104.16.0.0/13
                104.24.0.0/14
                172.64.0.0/13
                131.0.72.0/22
                2400:cb00::/32
                2606:4700::/32
                2803:f800::/32
                2405:b500::/32
                2405:8100::/32
                2a06:98c0::/29
                2c0f:f248::/32
                
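                As an added example, not code from either post: the deny loop in the solution above and the allow variant in this post both feed every line of the file straight to ufw. The script below does the same job but checks that each line is actually an IPv4 or IPv6 CIDR, skips blank lines and comments, and, for allow rules, uses ufw's "insert 1" form so the allow is matched before the deny rules already in the list (ufw evaluates rules in order and stops at the first match, so an allow appended after a deny for the same range would never be reached). The function names, the sample list and the UFW_DRY_RUN variable are my own; the script assumes the rule syntax used in the thread and that deny rules for the same address family already exist when allow rules are inserted.

```shell
#!/bin/sh
# Added example, not from the forum thread: turn a text file of CIDR ranges
# into ufw outbound rules, validating each line instead of handing the raw
# file to ufw. Assumptions (labelled): the "deny out from any to <cidr>"
# syntax used in the thread, and "ufw insert 1 ..." to put allow rules ahead
# of existing denies (ufw is first-match; insert needs rules to exist).
# Set UFW_DRY_RUN=1 to print the commands instead of running them.

# is_cidr LINE: succeed if LINE is an IPv4 (a.b.c.d/0-32) or IPv6 (.../0-128)
# prefix. The IPv6 pattern is deliberately loose; the aim is to reject
# obvious junk (hostnames, URLs, stray text) before it reaches ufw.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])|[0-9a-fA-F:]*:[0-9a-fA-F:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$'
}

# emit_rule ACTION CIDR: build the ufw command for one range and run it, or
# print it when UFW_DRY_RUN=1. Allow rules go to position 1 so they match
# before deny rules added earlier.
emit_rule() {
    action=$1
    cidr=$2
    if [ "$action" = allow ]; then
        set -- ufw insert 1 allow out from any to "$cidr"
    else
        set -- ufw deny out from any to "$cidr"
    fi
    if [ "${UFW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# ufw_rules_from_file FILE ACTION: apply every valid CIDR in FILE as a ufw
# outbound rule (ACTION is deny or allow, default deny). Blank lines and
# '#' comments are skipped; invalid lines are reported on stderr and the
# function returns non-zero, so a typo in the list does not pass silently.
ufw_rules_from_file() {
    file=$1
    action=${2:-deny}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')    # drop whitespace / CR
        [ -z "$line" ] && continue
        if is_cidr "$line"; then
            emit_rule "$action" "$line"
        else
            printf 'skipping invalid range: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# make_sample_file: write a small constructed list (not the thread's full
# list) with a comment, a blank line and two deliberately bad entries, and
# print the path so it can be fed to ufw_rules_from_file.
make_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample list
162.213.32.0/24
2001:67c:1560::/48

104.16.0.0/13   # trailing comment
example.com
10.0.0.0/33
EOF
    printf '%s\n' "$f"
}

# Usage: sh ufw-ranges.sh ip-ranges.txt deny     (or: allow)
if [ "$#" -ge 1 ]; then
    ufw_rules_from_file "$1" "${2:-deny}"
fi
```

                With UFW_DRY_RUN=1 the script only prints the ufw commands it would run, which is a cheap way to eyeball a new list before touching the firewall; without it the commands go through sudo exactly like the one-liners in the thread.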
