OpenSnitch with NFtables

[BobSquarePants]

Hi everyone,
it seem to my NFtables configuration and OpenSntich don't work along pretty well..

Here NFtables (with the rules push by Opensnitch)

table ip6 Tip6 {
	chain chPR {
		type filter hook prerouting priority 0; policy drop;
	}
}

table ip Tip {

	chain chIN {
		type filter hook input priority 0; policy drop;
		ct state established,related accept		
		iif != lo ip daddr 127.0.0.1/8 drop #drop connections to loopback not coming from loopback
		iifname lo accept
		log prefix "IN_Dropped: "
	}
	chain chFW {
		type filter hook forward priority 0; policy drop;
	}
	chain chOUT {
		type filter hook output priority 0; policy drop;
		ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
		udp dport 53 accept
		tcp dport { 80, 443 } accept #for apt-update deb.devuan.org
		ct state established,related accept
		log prefix "OUT_Dropped: "
	}
}

#from OpenSnitch

table inet mangle {
	chain output {
		type route hook output priority mangle; policy accept;
		ct state related,new queue num 0 bypass
	}
}
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		udp sport 53 queue num 0 bypass
	}
}
table inet nat {
}

Even do if I allow a program with OpenSnitch, it's get stuck by NFtables :/

If I were tottaly deleting my hook output (because it's really only the hoook that matter the chain and tables name are to "organize" our rules.)

to deleted-->

	chain chOUT {
		type filter hook output priority 0; policy drop;
		ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
		udp dport 53 accept
		tcp dport { 80, 443 } accept #for apt-update deb.devuan.org
		ct state established,related accept
		log prefix "OUT_Dropped: "
	}

Will my output traffic will be only managed by OpenSnitch ? But I'm worry as both input and output are set to policy accept !

Thanks.

[gustavo-iniguez-goya]

I'll reproduce this use case with your config @BobSquarePants . I've been testing and using a similar configuration with ufw/gufw and it worked fine. I was not setting the default policy to drop for the filter-ip-input chain though. I do it with opensnitch -> Firewall -> Default input policy -> DROP.

The default policy for the output chain is not working yet. I hope to keep improving it in the coming weeks.

[gustavo-iniguez-goya]

Tested. It works as expected for me.

Will my output traffic will be only managed by OpenSnitch ? But I'm worry as both input and output are set to policy accept !

output traffic is handled by opensnitch. If you set daemon's DefaultAction to deny, it'll have the same effect than setting it to drop in nftables.
input traffic can set to drop from the GUI, or via the conf /etc/opensnitchd/system-fw.json

Kazam_screencast_00010.webm