-
-
Notifications
You must be signed in to change notification settings - Fork 512
block lists
Starting from version 1.4.0rc1, you can block or allow lists of domains.
Since version 1.5.0rc1 you can also use lists of IPs, network ranges and domains with regular expressions.
Use this feature to block system-wide ads, trackers, or malware domains. You can also use it to limit the domains to which an application can connect to, or for blocking IPs by country.
Use cases:
Supported list stypes
Important note: This feature may not work if your system uses systemd-resolved
to resolve domains. Compiling opensnitch-dns.c
eBPF module may help to workaround this problem. If blocklists don't work, change your nameserver in /etc/resolv.conf
to 1.1.1.1, 9.9.9.9, etc... and see if it works.
- If you use systemd-resolved, remember to allow it connect only to your DNS nameservers (1.1.1.1, 9.9.9.9, etc), port 53.
-
Create a new rule:
000-block-domains
- Take into account that rules are checked in alphabetical order.
-
Check
[x] Enable
,[x] Priority
,Duration: always
,(*) Reject
,[x] To this list of domains
- Download list of domains of ads to block (choose any directory you wish):
~ $ sudo mkdir /media/ads-list/
~ $ sudo chown USER:USER /media/ads-list/ # replace USER with your user
~ $ wget https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt -O /media/ads-list/ads-and-tracking-extended.txt
Note: be sure that the files have an extension (.dat, .txt, .list, etc...). Don't drop files without extension into the directory
- Visit any website, and filter by the name of the rule
000-block-domains
or double click on the rule name from the Rules tab. You can visitblock-test.developerdan.com
which is included in the above list.
We'll create 2 rules:
- one for allow connections from an app to a limited number of domains.
- another one for deny everything from that app.
- Create 2 rules:
000-allow-app
,001-deny-all-from-app
-
000-allow-app
:
Inside /media/app/
write a file (allowlist.txt
for example) with a list of domains the app can connect to in hosts format:
127.0.0.1 xxx.domain.com
Note: be sure that the file has an extension (.dat, .txt, .list, etc...).
Remember that you may need to add the domain without the subdomains (domain.com
, xxx.domain.com
, etc)
-
001-deny-all-from-app
:
- It must be in hosts format:
# this is a comment, it's ignored
# https://www.github.developerdan.com/hosts/
0.0.0.0 www.domain.com
127.0.0.1 www.domain.com
- one regular expression per line:
# https://raw.githubusercontent.com/mmotti/pihole-regex/master/whitelist.list
adtrack(er|ing)?[0-9]*[_.-]
^analytics?[_.-]
^pixel?[-.]
^stat(s|istics)?[0-9]*[_.-]
Note: if you add a domain without regex to this type of list, it'll match everything for that domain: google.com will match clients6.google.com, docs.google.com, etc.
Note: Sometimes regular expressions can be too generic, so they may block too much domains. You can go to Rules tab -> double click on the rule, and see what domains the rule has matched, and refine the list accordingly.
Warning: This lists must be small (~500 items). Using it with huge lists will lead to important performance penalty (#866).
Here's a playground you can use to test regular expressions: https://go.dev/play/p/JzQCeNH4OH1
- One per line: IPs
# https://iplists.firehol.org/
6.7.8.9
9.8.7.6
You can use these lists for exmple for GeoIP blocking: https://www.ipdeny.com/ipblocks/
Nets:
# https://iplists.firehol.org/
1.0.1.0/24
1.2.3.0/16
- Lines started with # are ignored. Write comments always on a new line, not after a domain.
- The domains
local
,localhost
,localhost.localdomain
andbroadcasthost
are ignored. - Whenever you save the file to disk, OpenSnitch will reload the list.
- If you select more than one type of lists on the same rule, bear in mind that the connections you intend to filter must match ALL lists read more.
- OpenSnitch doesn't refresh periodically the list loaded, but you can do it with this script: update_adlists.sh
-
Give it execution permissions:
chmod +x update_adlists.sh
-
Edit the script, and modify the adsDir path to point to the directory where you want to save the lists.
-
Add the script to your user's crontab (in this example, the script will be executed every day at 11am, 17pm and 23pm):
$ crontab -e 0 11,17,23 * * * /home/ga/utils/opensnitch/update_adlists.sh
-
When you define a blocklist/allowlist rule, the directory choosen is monitored for changes. If you delete, add or modify a file under that directory, the lists will be reloaded. You'd see these logs in /var/log/opensnitchd.log
:
[2022-03-31 23:58:19] INF clearing domains lists: 2 - /etc/opensnitchd/allowlists/regexp
[2022-03-31 23:58:19] DBG Loading regexp list: /etc/opensnitchd/allowlists/regexp/allow-re.txt, size: 72
[2022-03-31 23:58:19] INF 2 regexps loaded, /etc/opensnitchd/allowlists/regexp/allow-re.txt
[2022-03-31 23:58:19] INF 2 lists loaded, 2 domains, 0 duplicated
In order to verify why a domain matched a list, set LogLevel to DEBUG under Preferences -> Nodes, and monitor the log file /var/log/opensnitchd.log:
tail -f /var/log/opensnitchd.log | grep "list match" -A 1
[2023-03-02 00:28:26] DBG Regexp list match: pixel.abandonedaction.com, ^pixels?[-.]
[2023-03-02 00:28:26] DBG ✘ /lib/systemd/systemd-resolved -> 56143:192.168.1.103 => pixel.abandonedaction.com (172.17.0.3):53 (000-a-pihole-regexp)
(for regexp lists, the last part of the log is the regexp that matched the domain -> ^pixels?[-.])
This feature may not work if your system uses systemd-resolved
to resolve domains. Compiling opensnitch-dns.c
eBPF module may help to workaround this problem.
If blocklists still don't work:
- allow systemd-resolved to connect only to port 53 and 127.0.0.1 + your DNS nameservers.
- or stop systemd-resolved:
systemctl stop systemd-resolved
- and change your nameserver in
/etc/resolv.conf
to 1.1.1.1, 9.9.9.9, etc... and see if it works. A simple telnet to an entry of the list should be blocked and logged accordingly.
- or stop systemd-resolved:
See this issue #646 for more information.
Video tutorials:
opensnitch-1hosts.webm
opensnitch-1hosts-1.webm
Lists of ads, trackers, malware domains, etc that you can use:
https://github.com/badmojr/1Hosts
https://filterlists.com/ (filter by Syntaxis: hosts)
https://www.github.developerdan.com/hosts/
https://github.com/StevenBlack/hosts
https://pgl.yoyo.org/adservers/
Collections of Threat Intel feeds (by hash, IPs, domains, and more):
Please help us make this wiki better.
How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md
- Installation
- Getting started
- Configuration
- Compilation
- GUI translations
- FAQs and common errors
- Examples OpenSnitch in action