dma
dafec55bc7
Fixed bug with prompt rule / saved rule mismatch on SOCKS connects
7 years ago
dma
58b7a4f6a9
Update systemd unit file to install /var/run/fw-daemon/ on start
7 years ago
dma
5a755a04e8
Change path of oz socket
7 years ago
dma
7b5a0ed980
Bug fixes, cleanup, improvement
7 years ago
dma
d2ff760197
Patch up IPC
7 years ago
dma
a65c268dbf
Change default for non-sandboxed connections.
7 years ago
dma
f3f5414fd4
Support for TLSGuard in prompter
7 years ago
dma
9ff74569f3
Add Sandbox to procsnitch Info struct
7 years ago
dma
ae8f6d96ba
Fix rule evaluation of outgoing connections emerging from sandbox proxy ports
7 years ago
dma
d0e5a97a53
Fixing process identification for UDP packets (still WIP)
7 years ago
dma
a89f8118bf
Fix rule parsing, still working on this
7 years ago
dma
e8f5001483
Updated procsnitch
7 years ago
dma
6cdb400d32
Fix bugs related to parsing rules file and saving rules file
7 years ago
User
14e1f99b03
Loosen match on UDP socket lookup (still WIP)
8 years ago
shw
2e7b7debeb
Incorporated TLSGuard and turned it on by default for all outbound SOCKS5 connections.
Fixed display of nil IPs (when only hostname is passed via SOCKS5 connect).
8 years ago
shw
f945481c2e
Should solve a (newly introduced) intermittent crash issue with fw-settings.
8 years ago
shw
27d0a4809d
Updated SOCKS5 connection lookup code now correctly identifies originating process.
Includes code to read internal proxy state information from (updated) oz-daemon.
8 years ago
shw
acf62b63d1
Changed SOCKS/Tor credential randomization so it only occurs if username and password are empty.
8 years ago
shw
de4f6ac206
SOCKS/Tor credential randomization to force new circuits with each outbound connection.
8 years ago
shw
604c157a7b
Fixed Firewall prompt popup dialog width problem.
8 years ago
shw
515c4eb3ee
Squashed (some) noisy debug output.
8 years ago
shw
0f2b2413ea
Added per-process (ephemeral) rule support.
(proc coroner now has support for multiple callbacks)
8 years ago
shw
af874c7395
Added support for AAAA records to DNS cache for IPv6 addressing.
8 years ago
shw
8546f6c416
Working (but not intensively tested) IPv6 support!
8 years ago
shw
5f5042fed4
Very noisy, experimental support for asynchronous multi-rule firewall prompting.
Fixed prompted rule removal bug in fw-prompt.
8 years ago
shw
3319802a80
Lots of assorted cleanup.
Much better code for detecting if a rule being edited is valid.
fw-prompt window now forces itself to be on top if a rule is pending approval.
Matching by user/uid and group/gid options now visible but not functional.
8 years ago
shw
aba795fa97
Lots of work to establish basic support for approving/denying rules.
Updated gotk3 vendor dependency (fixed some bug conditions).
8 years ago
shw
e3833190bf
Created pre-functional replacement GUI for fw-daemon prompter that is independent of gnome-shell.
8 years ago
shw
c3635093fa
Introduced per-process DNS cache segregation for all A records not returned by local resolver.
Cached DNS name lookups now fail over to global cache only populated by local resolver.
Added proc-coroner module for detecting process deaths.
procsnitch updated to handle multiple levels of "strictness" (necessary to look up processes generating certain UDP data).
8 years ago
shw
51c181a881
Full support for multiple protocol types (UDP, ICMP).
Cleared up awkward fw-settings/fwprompt GUI language caused by introduction of UDP/ICMP ("connection"-less) rules.
fw-daemon automatically passes through all ICMP traffic sent to same address.
Added (temporary) rule for passing through all UDP-based DNS server traffic.
Updated developers' README documentation.
8 years ago
shw
ea31a28d3a
Added requisite Dbus code so that fw-settings automatically refreshes its rulelist on fw-daemon update.
(there is an intermittent bug in here somewhere... seems to be a GTK-related fatal race condition)
8 years ago
shw
f47e23e706
Support for firewall rule matching by uid/gid and/or user/group name value.
fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info.
sgfw prompt GUI now displays username instead of real name.
Fixed bug in parsing IP addresses as CIDR values.
sgfw_rules entries can now be commented out.
Upgraded bundled go-procsnitch API.
8 years ago
shw
fa70c06af2
CIDR subnet/mask matching support for firewall rules.
8 years ago
shw
1cd25ed699
Added simple regex-based hostname matching for firewall rules.
8 years ago
shw
0708f9127c
Proper logging of all connections denied by firewall.
fw-daemon now also forces logging to syslog if launched from a terminal.
8 years ago
shw
e895f204a7
Fixed bug so that system-wide firewall settings match all traffic except sandboxed traffic.
8 years ago
shw
b567e5ce54
oz-init pid mappings are now properly destroyed as these processes exit.
8 years ago
shw
a930fbbce0
Sandboxed process entries in GUI now include sandbox name/ID in display.
Removed fatal error when a connection to oz-control socket cannot be established.
8 years ago
shw
ba35abfb46
Name of sandboxed exe returned by procsnitch is now resolved to absolute pathname.
8 years ago
shw
b4ed11261f
Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI.
fw-prompt GUI gracefully displays unknown PIDs and UIDs.
Fixed stupid syntax error bug in oz-init PID management code.
8 years ago
shw
7a1851419c
Added support for using fw-daemon on all processes system-wide.
Added changes for fw-daemon to check sandboxed processes' oz-init /proc/[pid]/net/tcp with procsnitch.
fw-daemon IPC accepts "register-init" command to register new oz-init process instance alerts.
fw-daemon also checks for existing oz-init processes on startup.
Updated vendor-bundled go-procsnitch to latest dev version that includes findTCPSocketAll().
8 years ago
shw
30482bf15b
Support for wildcard ports in dynamic OZ/fw rules.
Modified behavior for source interface-based rules to allow for fallthrough policies.
8 years ago
shw
e1a994169f
Added removeall IPC command for stripping all rules matching a source interface.
8 years ago
shw
670abc5232
Removed code for custom matching of firewall rules.
8 years ago
shw
9069c91606
Garbage dump commit of current progress.
8 years ago
shw
08266cca76
Support for handling network traffic that can't be uncovered with procsnitch.
8 years ago
shw
e3cc00a51f
Readme for testing fw-daemon with bridged traffic.
8 years ago
shw
cadb859dce
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection.
fw-daemon prompter is now updated with source address of originating packet.
Fixed bug in decoding DNS data.
Packets are dropped properly (by marking and then calling Accept()).
8 years ago
shw
942b0a0c01
Bug fix.
8 years ago
shw
8fe02202de
Very dirty/experimental replacement of nfqueue with native github.com/subgraph/go-nfnetlink package.
8 years ago