File opensnitchd.1 of Package opensnitch

.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
.\" All rights reserved.
.\"
.\" SPDX-License-Identifier: GPL-3.0-or-later
.de CW
.sp
.in +4n
.nf
.ft CW
..
.de CE
.ft R
.fi
.in
.sp
..
.\" Like .OP, but with ellipsis at the end in order to signify that option
.\" can be provided multiple times. Based on .OP definition in groff's
.\" an-ext.tmac.
.de OM
.  ie \\n(.$-1 \
.    RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
.  el \
.    RB "[" "\\$1" "]...\&"
..
.\" Required option.
.de OR
.  ie \\n(.$-1 \
.    RI "\fB\\$1\fP" "\ \\$2"
.  el \
.    BR "\\$1"
..
.TH OPENSNITCHD 1 "2023-02-19" "opensnitchd 1.5.8"
.SH NAME
opensnitchd \- GNU/Linux interactive firewall application
.SH SYNOPSIS
.SY opensnitchd
.OP \-rules-path path
.OP \-cpu-profile path
.OP \-debug
.OP \-error
.OP \-warning
.OP \-important
.OM \-log-file path
.OM \-mem-profile path
.OP \-no-live-reload
.OM \-process-monitor-method name
.OM \-queue-num num
.OM \-ui-socket path
.OP \-version
.OM \-workers num
.YS
.SH DESCRIPTION
.LP
opensnitchd is the OpenSnitch agent that intercepts outbound connections
and sends them to the server. The server can be a GUI, a TUI, or a
.I headless
component that just logs the network activity (a SIEM, for example).
By default it allows all connections, creating temporary rules for you
so you can review them later.
.SH OPTIONS
.TP
.BI "\-rules-path " path
Directory where the rules will be written to. Default: "rules".
.TP
.BI "\-cpu-profile " path
File path where CPU profiling data will be written for later analysis.
.TP
.BI "\-debug"
Set LogLevel to DEBUG.
.TP
.BI "\-error"
Set LogLevel to ERROR.
.TP
.BI "\-warning"
Set LogLevel to WARNING.
.TP
.BI "\-important"
Set LogLevel to IMPORTANT.
.TP
.BI "\-log-file " path
File path where the logs will be written. This path can be a device file,
such as /dev/stdout to print logs to standard output.
.TP
.BI "\-mem-profile " path
File path where memory profiling data will be written when the daemon exits.
.TP
.BI "\-no-live-reload"
By default the daemon's rules and configuration are reloaded whenever they change.
This option disables live reloading.
.TP
.BI "\-process-monitor-method " name
Force the process monitor method, overriding what is defined in the configuration.
Valid methods: ebpf, audit, proc.
.TP
.BI "\-queue-num " num
Force the daemon to use this netfilter queue number. The default queue number is 0;
if it is already used by other software, set another queue number here.
.TP
.BI "\-ui-socket " path
Force the daemon to use this socket path instead of the one defined in the configuration.
The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051").
.RS
(https://github.com/grpc/grpc/blob/master/doc/naming.md)
.RE
.TP
.BI "\-version"
Prints out the daemon version.
.TP
.BI "\-workers " num
Change the maximum number of workers that process outbound connections.
By default 16 workers are launched; increase this number if that is not enough.
.SH FILES
.I /etc/opensnitchd/rules/
.RS
Default daemon rules directory.
.RE
.I /etc/opensnitchd/default-config.json
.RS
Default daemon configuration.
.RE
.I /etc/opensnitchd/system-fw.json
.RS
Configuration of system firewall rules (iptables/nftables).
Firewall rules defined here bypass OpenSnitch interception. Use it to allow VPNs or other services.
.RE
.SH DIAGNOSTICS
OpenSnitch needs at least one firewall rule (an NFQUEUE rule in the mangle OUTPUT chain)
to intercept outbound connections. Verify that it is present with:
.CW
iptables -t mangle -L OUTPUT | grep NFQUEUE
NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass
.CE
.LP
If you suspect that OpenSnitch blocks an application without prompting you to allow or deny it,
enable the option
.I [x] Debug invalid connections
under Preferences -> Nodes in the GUI,
or set the configuration option
.B InterceptUnknown
to true.
.LP
.I Tip:
You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon.
.LP
Another way of debugging errors is to launch the daemon from the command line:
.IP
.PD 0
.IP 1. 4
Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration).
.IP 2. 4
Stop the daemon: systemctl stop opensnitch
.IP 3. 4
Launch it from the command line: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/
.PD
.LP
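The NFQUEUE check from the diagnostics above, written as an added example that is not part of opensnitch: it extracts the queue number from a mangle OUTPUT listing so it can be compared with the queue the daemon was started with (-queue-num, default 0). The sample listings are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not opensnitch code: verify that the NFQUEUE rule opensnitchd
# relies on exists in the mangle OUTPUT chain and report its queue number.

# Constructed sample of `iptables -t mangle -L OUTPUT` on a host where the
# daemon is intercepting on queue 0.
SAMPLE_WITH_RULE='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    all  --  anywhere             anywhere             ctstate NEW,RELATED NFQUEUE num 0 bypass'

# Constructed sample of the same listing on a host with no interception rule.
SAMPLE_WITHOUT_RULE='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print the queue number of the first NFQUEUE rule in the listing passed as $1.
# Prints nothing and returns 1 when no NFQUEUE rule is present.
nfqueue_num_from_listing() {
    num=$(printf '%s\n' "$1" | sed -n 's/.*NFQUEUE num \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$num" ] || return 1
    printf '%s\n' "$num"
}

# Live variant (hypothetical helper): read the real chain, which needs root,
# and compare against the queue number the daemon expects ($1, default 0).
check_live() {
    expected="${1:-0}"
    listing=$(iptables -t mangle -L OUTPUT 2>/dev/null) \
        || { echo "cannot list mangle OUTPUT (run as root?)"; return 2; }
    actual=$(nfqueue_num_from_listing "$listing") \
        || { echo "no NFQUEUE rule found: opensnitchd is not intercepting"; return 1; }
    if [ "$actual" = "$expected" ]; then
        echo "NFQUEUE rule present on queue $actual"
    else
        echo "NFQUEUE rule uses queue $actual, daemon expects $expected (see -queue-num)"
        return 1
    fi
}
```

Only check_live touches the live firewall; nfqueue_num_from_listing runs stand-alone on the embedded samples.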
.SH REPORTING BUGS
Problems with
.B opensnitchd
should be reported on GitHub at
.UR https://github.com/evilsocket/opensnitch/issues
.UE .
.SH HISTORY
.B OpenSnitch
was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
.LP
In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
contributing, fixing bugs and adding new functionality, with
the essential help of the community, and valuable contributions from themighty1 and
calesanz among others.
.SH "SEE ALSO"
.PP
.UR https://github.com/evilsocket/opensnitch
.B OpenSnitch
Home Page
.UE
.SH AUTHORS
The complete list of
.B OpenSnitch
contributors can be found at
.UR https://github.com/evilsocket/opensnitch
.UE .