
LAN exclusion / multiple IPs #73

Open
gitthangbaby opened this issue Oct 10, 2020 · 8 comments

Comments

@gitthangbaby

Hello

The first step for me is to exclude the LAN, just like in NetLimiter. There are so many local devices and so much local broadcast traffic, and I want to allow it all, as this is not what I want to filter. IMO it's very good to first allow the LAN and then watch for misbehaving apps that want to reach the WAN as well. If you don't distinguish between LAN and WAN, you end up with way more popups and you also introduce WAN leaks. Imagine you allow a standard app like avahi/bonjour, which works with local broadcasts. A user without a LAN rule would tend to allow this app completely, but that way you never find out about WAN leaks.

So the question is: is there a way to enter multiple IP ranges? The "[X] To this destination IP" field literally offers this as an example:

127.0.0.1, 1.2.3.[0-9]+

but it doesn't work. You can have only one regexp, I guess. You can't combine a normal IP and a regexp on one line, I think.
Since regexp is so ugly for IPs, what about a simple non-regexp format: "127.0.0.1/24, 1.2.3.0/8"?
Or better, have a simple way of enabling all LAN communication (a zone for LAN / WAN).

Can we have more examples in general? There are a few regexp examples and linked guides, but it's unknown to me how to do the example from the edit box above. Thanks!

@themighty1

Hi, you are bringing up valid points.
Luckily it seems that the functionality you are after is already implemented in OpenSnitch.
Here's what I did:
run curl 127.0.0.1
you will get a popup. In it select
to 127.0.0.* -> forever -> Allow
After that you can try
curl 127.0.0.122
wget 127.0.0.200 etc
you will see that now all apps are allowed 127.0.0.* without any popups from OpenSnitch

Is this what you were asking for?

@licaon-kter

There should be a toggle for all RFC1918 IPs imho.

@gustavo-iniguez-goya
Owner

Is there a way to enter multiple IP ranges?

Probably it's safe to write:
^(127\..*|172\..*|192.168\..*|10\..*)$

Normally you would validate each part of the IP: 127.[0-9]+.[0-9]+.[0-9]+ , but in this case, as we're comparing only IPs, 127\..* would match "127." and everything behind it (not only numbers).

@gitthangbaby
Author

Thanks. I think the edit box hint misled me; the hint rather describes two examples. I can filter the LAN with [127.0.0.[0-9]|192.168.1.[0-9] ] for example. I'd love your example to be dropped on the wiki, if possible.
Is it true the configuration is not saved? I've restarted it and the rules were gone. And I cannot import the CSV. I searched the drive, including /etc/opensnitchd and ~/.config/opensnitch, without success. Looks like the data is in memory so far - what a tease :)
Thanks for your efforts, I can't believe Linux has this important tool.

@gustavo-iniguez-goya
Owner

Is it true the configuration is not saved?

Rules are only saved to disk if you select Duration: Always. If it's not saved, check the daemon logs; maybe the regexp failed.

I'd love your example to be dropped on wiki, if possible.

Sure, no problem. In fact, I added it yesterday :)

If you have more doubts or necessities regarding regular expressions, drop them here and I'll update the wiki.

There should be a toggle for all RFC1918 IPs imho.

It's not a bad idea @licaon-kter , we could also add some common LAN IP ranges like 192.168.1.0/24, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8. We could also load the list of known ports with their names.

@gustavo-iniguez-goya
Owner

I've got this change ready. Now you can filter by destination network or IP, using regular expressions if you want.

I've added some common private ranges from here https://en.wikipedia.org/wiki/Reserved_IP_addresses
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
224.0.0.0/4

::1/128
fc00::/7
fe80::/10
fd00::/8

Filtering by multiple networks on the same rule is not possible yet. Any other network range that I should add?

@gitthangbaby
Author

gitthangbaby commented Nov 30, 2020

Do you mean those values will be in a combo box? Or can they be typed in x.x.x.x/y format from now on?
I'm just guessing, reading the messages back and forth. If it's in a combo box (or even if not), my cool idea is to have an alias called "LAN" that translates internally to all the (hard-coded) ranges above. Faster regexp-less resolution by code, user error prone, solves the problem of multiple rules. Bingo.
[X] To this destination IP: [LAN ]
or if it was meant to be a new toggle (checkbox?):
[X] To local destinations

As for the skipped 255* and ff: ranges for broadcasts: I'm not entirely sure they have to be part of the private group, and I personally have a separate rule for them. It's confusing that some of the ranges from Wikipedia seem to overlap with broadcasts. E.g. I detected these, and googled that each of them is used for multicast:
224.0.0.251|ff02::fb|255.255.255.255|ff02::1|239.255.255.250
So 239 for Service Discovery pops up out of nowhere, and 224 is from the Wikipedia list and is used for Bonjour.

Thanks for the priorities; it seems there's no need to create anti-rules for each WAN connection of the LAN apps anymore. Superb.

@gustavo-iniguez-goya
Owner

Do you mean those values will be in a combo box? Or can be typed in x.x.x.x/y format from now?

Yes and yes. So now you can type an IP, a network, a regexp to match IPs, or select predefined network ranges from a combo box.

Regular expressions are powerful, but it's more natural to type 192.168.1.0/24 than ^(192\.168\..*)$

(...) have (an) alias called "LAN" to translate internally to all the (hard coded) ranges above

Ah, ok ok, I didn't read that part I guess, or ignored it O:) . Added now, as also suggested by @licaon-kter:
LAN -> ^(192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|172\.[0-9][0-9]+\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1|f[cde].*::.*)$
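The two approaches discussed in this thread, the hand-written regexp from the earlier comment (^(127\..*|172\..*|192.168\..*|10\..*)$), the "LAN" alias regexp just above, and matching against CIDR networks, do not accept exactly the same destinations. The Go program below is an added example written for this page (it is not OpenSnitch code and does not use its API; the daemon is written in Go, so Go is used here). It copies both regexps verbatim, builds the CIDR list from the owner's list of private ranges (the 192.168.x.0/24 entries are dropped because 192.168.0.0/16 already covers them), and classifies a constructed set of destination strings with all three so the differences are visible: the loose regexp accepts any 172.x.x.x and even the malformed "192x168.1.1" because of its unescaped dot; the alias regexp accepts 172.200.1.1 (outside 172.16.0.0/12) and rejects 172.5.1.1 for an unrelated reason (it requires two digits); only the CIDR match treats 239.255.255.250 (inside 224.0.0.0/4) as local; and none of the three treats the 255.255.255.255 broadcast address or ff02::fb as local, which is why a separate rule for broadcast/multicast is needed.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Both patterns are copied verbatim from the discussion above.
var (
	looseLAN = regexp.MustCompile(`^(127\..*|172\..*|192.168\..*|10\..*)$`)
	aliasLAN = regexp.MustCompile(`^(192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|172\.[0-9][0-9]+\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1|f[cde].*::.*)$`)
)

// lanCIDRs is the list of private/link-local/multicast ranges posted above.
// 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 are subsets of
// 192.168.0.0/16 and fd00::/8 is a subset of fc00::/7, so they are not repeated.
var lanCIDRs = mustParseCIDRs([]string{
	"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
	"192.168.0.0/16", "224.0.0.0/4",
	"::1/128", "fc00::/7", "fe80::/10",
})

func mustParseCIDRs(specs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err) // a typo in a hard-coded range should fail loudly at start-up
		}
		nets = append(nets, n)
	}
	return nets
}

// InLAN reports whether dst parses as an IP address inside one of lanCIDRs.
// A string that is not a valid IP address is never considered local, unlike
// a regexp, which happily matches any text that fits the pattern.
func InLAN(dst string) bool {
	ip := net.ParseIP(dst)
	if ip == nil {
		return false
	}
	for _, n := range lanCIDRs {
		if n.Contains(ip) { // net.IPNet.Contains handles the v4/v6 distinction itself
			return true
		}
	}
	return false
}

// Verdict records what each of the three matchers says about one destination.
type Verdict struct {
	Loose bool // ^(127\..*|172\..*|192.168\..*|10\..*)$
	Alias bool // the "LAN" alias regexp
	CIDR  bool // membership in lanCIDRs
}

// Classify runs all three matchers over a destination string.
func Classify(dst string) Verdict {
	return Verdict{
		Loose: looseLAN.MatchString(dst),
		Alias: aliasLAN.MatchString(dst),
		CIDR:  InLAN(dst),
	}
}

func main() {
	// Constructed sample destinations; the multicast/broadcast ones are the
	// addresses listed in the thread.
	for _, dst := range []string{
		"10.1.2.3", "172.20.1.1", "172.200.1.1", "172.5.1.1", "192x168.1.1",
		"169.254.10.10", "239.255.255.250", "255.255.255.255", "8.8.8.8",
		"fd12::1", "fe80::1", "::1", "ff02::fb",
	} {
		v := Classify(dst)
		fmt.Printf("%-16s loose=%-5t alias=%-5t cidr=%t\n", dst, v.Loose, v.Alias, v.CIDR)
	}
}
```

The practical takeaway for a LAN allow rule is the one the owner reaches: a CIDR match is both easier to write and stricter than a regexp, because it only ever matches real addresses and covers exactly the range you name. If multicast (224.0.0.0/4) or the limited broadcast address should count as local, they have to be added explicitly; the alias regexp above does not include either.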

gustavo-iniguez-goya added a commit that referenced this issue Dec 4, 2020
Now you can filter by destination network, for example:
- 127.0.0.1/8
- 192.168.1.0/24

This will make it easier to solve request #89.

Some common network ranges have also been added so you can select them
from a combo box. More info #73.

Added process.id operator operand for future use, in order to filter by
PID.