Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Geo-IP Rules #485

Open
jaggzh opened this issue Aug 29, 2021 · 10 comments
Open

Geo-IP Rules #485

jaggzh opened this issue Aug 29, 2021 · 10 comments

Comments

@jaggzh
Copy link

jaggzh commented Aug 29, 2021

Hello! Beautiful project. Visit my facebook.
Kidding.

Okay, so this isn't a bug, but an idea. I thought it might be valuable to be able to set rules where the connection was allowed/denied based on a GeoIP lookup of the IP. In this manner we could, for instance, restrict a connection to be only within ones own country. It would of course only be as reliable as the geoip library used (ex. libgeoip), and it could be built with other options (if there are other geoip libs).
@impredicative
Copy link

What this is effectively asking for is an IP lists-based firewall, with auto-updated lists. Are there any other preexisting Linux tools for it?

@gustavo-iniguez-goya
Copy link
Collaborator

Visit my facebook.

🤣

No idea @impredicative . There're scripts [0] to add lists [1] of IPs using ipset [2]

I think that blocking IPs by geolocation shouldn't part of the core. It could be added as a plugin (we don't support plugins at the moment..) or by adding a new type of "lists rules": lists.ips (both IPs and network ranges)

opensnitch/daemon/rule/operator.go

Line 51 in 041cf45

OpDomainsLists = Operand("lists.domains")

It would be straight forward. The only thing is that there're no support yet for automatic updates of lists of domains (or IPs). You'd have to update them with a script for now, and you could use any type of list: grouped by geolocation, spam, etc.

  1. https://github.com/trick77/ipset-blacklist
  2. https://iplists.firehol.org/
  3. https://ipset.netfilter.org/

@ashvinlobo
Copy link

Hi...i reccomend using CSF Firewall with ipset option enabled and using ipsets using Maxmind geolite2 database.

@gustavo-iniguez-goya gustavo-iniguez-goya added this to the 1.5.0 milestone Sep 15, 2021
@Ph0rk0z
Copy link

Ph0rk0z commented Sep 16, 2021

As long as it doesn't pull in a geoclue dependency or something. I generally remove geoIP packages from my os as there is very little control over them.

@jaggzh
Copy link
Author

jaggzh commented Sep 16, 2021 via email

@gustavo-iniguez-goya
Copy link
Collaborator

For now there won't be any third-party dependencies. There will be 3 new options to load from a directory lists of IPs, net ranges and domains with regular expressions, but you'll have to download and update them.

@jaggzh
Copy link
Author

jaggzh commented Sep 16, 2021 via email

@gustavo-iniguez-goya
Copy link
Collaborator

hmm, I see. Well, maybe you could have two rules:

  • 000-allow-tor:
    [x] precedence, [x] From this executable: /usr/bin/tor, [x] To this IP/Network: 1.2.3.4/16

Where 1.2.3.4 is the network range of the IPs you want to allow .

  • 999-deny-tor
    [x] From this executable: /usr/bin/tor , [x] Action: Deny

I don't know how Tor will respond to these restrictions, but I guess that it'll keep trying until it finds an IP that can connect to.

gustavo-iniguez-goya added a commit that referenced this issue Sep 17, 2021
@gustavo-iniguez-goya
rules: added more lists types to block/allow
3b6c041 
- Added lists of IPs and network ranges. One per line. Blank lines or
  lines that start with # are ignored.
- Added lists of domains with regular expressions. One per line.
  Blank lines or lines that start with # are ignored.

Until now you could use regular expressions with the fields
"To this host" or "To this IP", to match multiple domains or IPs.
But if you wanted to use more than 2-3 domains or IPs it was not really
user friendly.

Hopefully we'll be a little more versatile to cover use cases like #461
and #485.
@jaggzh
Copy link
Author

jaggzh commented Oct 31, 2021

What about a generalized system, which doesn't have any specific dependencies, but can hand off the connection to an external binary/script specified by the user, with some spec for how that app communicates the result information? Then a tor-opensnitch-eval.sh script could be used.

(Again, blacklists aren't going to work here -- the user doesn't maintain a list of IPs/nets -- it gives an IP to geoiplookup/libgeoip and gets a city/state/country back (or whatever)). Allowing an arbitrary external script does mean the user would have to maintain the criteria within their own script, though, but the method would work.

Consequently, this is effectively a plugin-type of system, except with this method it will tend to offload configuration into the external scripts, instead of actually "plugging in". For example, an external script probably doesn't have a way of adding config options to opensnitch['s ui] for the user to choose from, nor a way to hook events itself, or access anything other than what it's provided by opensnitch outright.

@gustavo-iniguez-goya gustavo-iniguez-goya removed this from the 1.5.0 milestone Jan 29, 2022
@gustavo-iniguez-goya
Copy link
Collaborator

For future reference this could be achived by using (for example) maxmind GeoIP DB. Available on Debian Sid. I haven't checked out t if it's available on other distros though, and I'm also not aware of other similar DBs.

It could be added as a plugin (calling external scripts or not), or as a new type of lists. The user could define a new rule where they could select which countries to allow or deny, globally or per application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@impredicative @gustavo-iniguez-goya @jaggzh @Ph0rk0z @ashvinlobo