    Can I use opensnitch?

        AighaeZ1

        Hey everyone,

        Is there a way to use opensnitch? I tried installing it on Libertine but it failed starting because some Qt dependencies were missing. Besides, it might not work anyway since it would run in the sandbox?

        Thanks!

          AighaeZ1

          To get similar functionality to opensnitch, I ended up doing this.

          I enabled the firewall ufw:

          sudo ufw enable
          

          I created a text file with the IP ranges of Canonical, Cloudflare and Digital Ocean:


          Finally, I added all these rules to ufw:

          while read -r line; do sudo ufw deny out from any to "$line"; done < ip-ranges-canonical-cloudflare.txt
          

          You can check if it worked like this:

          sudo ufw status
          

          Please note: updates, automatic time setting and probably GPS won't work anymore, because they go through these IPs. Also, websites that use Cloudflare won't work, obviously.

          When you need any of this simply turn off the firewall:

          sudo ufw disable
          

          If you'd like to see details of what the firewall does, you can use this:

          journalctl | grep '\[UFW '
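
          As an added example (not code from the thread), this Python helper does the same job as the while-loop above but checks every line of the range file first, merges overlapping prefixes so ufw gets fewer rules, and tells you which prefix covers a given destination. The file excerpt inside it is constructed from a few of the posted ranges plus one deliberately bad line; the ufw commands are rendered as text, not executed.

```python
import ipaddress

# Constructed excerpt of the range file: a few of the Cloudflare and
# DigitalOcean prefixes posted above, a comment line, and one bad line
# (third octet 300) to show that the loader refuses it.
RANGE_FILE = """\
173.245.48.0/20
198.41.128.0/17
2606:4700::/32
# digitalocean, posted as eight separate prefixes
104.131.0.0/18
104.131.64.0/18
104.131.128.0/20
104.131.144.0/20
104.131.160.0/20
104.131.176.0/20
104.131.192.0/19
104.131.224.0/19
104.131.300.0/20
"""

def load_ranges(text):
    """One CIDR per line; skip blanks and comments, reject anything that is
    not a valid network (strict=True also catches prefixes with host bits set)."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            print(f"line {lineno}: skipping {line!r}: {exc}")
    return nets

def collapse(nets):
    """Merge adjacent/overlapping prefixes so ufw needs fewer rules; IPv4 and
    IPv6 are merged separately because collapse_addresses refuses a mix."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def ufw_rules(nets, action="deny"):
    """Render the commands the post's while-loop runs (sudo left off, nothing executed)."""
    return [f"ufw {action} out from any to {n}" for n in nets]

def blocked_by(addr, nets):
    """Return the prefix covering addr, or None: shows why a host stopped answering."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)
```

          The eight DigitalOcean 104.131.x.x prefixes merge into a single 104.131.0.0/16 rule; pass action="allow" to get the variant used in the last reply.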
          
            AighaeZ1

            OK, I did some more digging: I installed tcptrack to see if I could get outside of the sandbox. It didn't work, so opensnitch wouldn't work either, even if I could get it installed.

                arubislander @AighaeZ1

                @AighaeZ1 Thank you for this post. Your answer can easily be adapted for other IP ranges that a user might want to have blocked.

                Does the firewall remain enabled after a reboot?

                  AighaeZ1

                  Yes, the firewall stays active after rebooting.

                  I've also checked if the firewall was perhaps circumvented by looking at the NAT log of my router. No entry, so it seems to work.

                  Another idea might be: if you, say, currently need Cloudflare for surfing the net, then you could enable just these IP ranges by making a separate text file and running this command:

                  while read -r line; do sudo ufw allow out from any to "$line"; done < ip-ranges-cloudflare.txt
                  

                  I only changed "deny" to "allow" in the first script.

                  These would be the IP ranges:

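
                  The thread checks that the rules really bite by looking at the router's NAT log and at `journalctl | grep '\[UFW '`. As an added example (not from the thread), this Python snippet parses lines in the shape ufw's kernel log messages take and maps each blocked outbound destination back to the posted range it fell in; the log lines, hostname and LAN address in it are constructed, and the destinations are taken from the ranges posted above.

```python
import ipaddress
import re

# Constructed journalctl lines in the shape of ufw's kernel log messages;
# destinations come from the ranges posted in this thread, the source is a
# made-up LAN address. The last line is an inbound drop and must not count.
LOG = """\
Apr 01 10:00:01 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=185.125.190.36 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 01 10:00:02 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=104.16.132.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 01 10:00:03 phone kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.23 DST=185.125.190.56 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 01 10:00:04 phone kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.99 DST=192.168.1.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# A few of the Canonical and Cloudflare ranges from the posted file.
BLOCKED = [ipaddress.ip_network(c) for c in
           ("185.125.188.0/23", "185.125.190.0/24", "104.16.0.0/13", "2606:4700::/32")]

UFW_LINE = re.compile(
    r"\[UFW (?P<verdict>\w+)\].*?\bOUT=(?P<out>\S*).*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?")

def parse_ufw_line(line):
    """Pull verdict, egress interface, destination, protocol and port out of
    one log line; None for lines that are not ufw records."""
    m = UFW_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d

def egress_hits(log, nets):
    """Outbound packets ufw blocked whose destination sits in one of our
    ranges, as (dst, matching prefix, proto, dport). Inbound drops (empty
    OUT=) and destinations outside the list are left out."""
    hits = []
    for line in log.splitlines():
        rec = parse_ufw_line(line)
        if not rec or rec["verdict"] != "BLOCK" or not rec["out"]:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        net = next((n for n in nets if dst in n), None)
        if net is not None:
            hits.append((rec["dst"], str(net), rec["proto"], rec["dpt"]))
    return hits

if __name__ == "__main__":
    for h in egress_hits(LOG, BLOCKED):
        print("blocked %s (%s) %s/%s" % h)
```

                  The UDP/123 hit is the NTP traffic behind the "automatically setting the time won't work" caveat in the solution post.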