Skip to content

Rules examples

Jump to bottom
wiki auto updater edited this page Feb 5, 2022 · 6 revisions

Prioritize rules

Rules are checked in alphabetical order, so the first step is to name the rules accordingly:

000-allow-very-important-rule
001-allow-not-so-important-rule

The second step is to check the box [x] Priority of a rule.

Rules with Action: Deny or rules with the box Priority checked will take precedence over the others.

Block ads, tracking or malware domains globally

https://github.com/evilsocket/opensnitch/wiki/block-lists

Blocking connections from an executable, allowing only a few domains

https://github.com/evilsocket/opensnitch/wiki/block-lists

Filtering connections by multiple ports

[x] To this port: ^(53|80|443)$

targets ports 53 OR 80 OR 443.

[x] To this port: ^555[12345]$

targets ports 5551, 5552, 5553, 5554 OR 5555.

Filtering connections by an exact domain, and nothing else

[x] To this host: github.com (will match only github.com, not www.github.com, etc)

Filtering connections by a domain and its subdomains

[x] To this host: .*\.github.com

Filtering connections by an executable path

[x] From this executable: /usr/bin/python3

(warning: /usr/bin/python3.6/3.7/3.8/etc won't match this rule)

Allowing or denying Appimages

[x] From this executable: ^(/tmp/.mount_Archiv[0-9A-Za-z]+/.*)$

Allow common system commands

Name: 000-allow-system-cmds
Action: Allow
[x] Priority rule
[x] From this executable: ^(/usr/sbin/ntpd|/lib/systemd/systemd-timesyncd|/usr/bin/xbrlapi|/usr/bin/dirmngr)$
[x] To this port: ^(53|123)$
[x] From this User ID: ^(0|115|118)$

Blocking connections made by executables launched from /tmp

Action:                   Deny
[x] From this executable: /tmp/.*

Filtering an executable path with regexp, for example any python binary in /usr/bin/

[x] From this executable: ^/usr/bin/python[0-9\.]*$

Filtering python scripts (applicable to java and others interpreters)

The general recommendation is to either allow or deny by Command line or better, by Process path + Command line:

image

If you allow python3, you'll allow ANY python3 script, so be careful. This is also true for other interpreted languages, like Java, Ruby, Perl and others.

https://github.com/evilsocket/opensnitch/discussions/612#discussioncomment-2116878

Filtering LAN IPs or multiple ranges

^(127\..*|172\..*|192.168\..*|10\..*)$

See these issues for some discussions and more examples: #17, #31, #73

Note: Don't use "," to specify domains, IPs, etc. It's not supported. For example this won't work (it could be added if you complain loud enough):

[x] To this host: www.example.org, www.test.me

Please help us make this wiki better.

How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md

  1. Installation
    1. Dependencies and how it works
  2. Getting started
    1. Events window
      1. Themes
    2. Process monitor dialog
    3. Pop-up dialogs
  3. Configuration
    1. Monitor method: audit
    2. Monitor method: eBPF
    3. Rules
      1. Best practices
    4. Rules editor
      1. Rules examples
    5. System rules
      1. System rules legacy
    6. Block lists, ads|malware|...
    7. Nodes
      1. Authentication
      2. Configuration examples
      3. Generating TLS certificates
    8. SIEM integration
      1. Grafana + Loki + Promtail
      2. ElasticSearch + LogStash + Kibana
  4. Compilation
    1. Cross-compilation for arm
    2. Building packages with pbuilder
  5. GUI translations
    1. Adding, updating and installing translations
  6. FAQs and common errors
    1. Known problems
      1. GUI known problems
      2. daemon known problems
      3. General
    2. FAQs
    3. Why OpenSnitch does not intercept application XXX
  7. Examples OpenSnitch in action
Clone this wiki locally