How to run OpenSnitch automatically in an appVM, but not in the template?

As an application firewall, opensnitch is designed to run automatically out-of-the-box, so it has to be explicitly disabled in the template to prevent it from running there. However, I still want it to run automatically in a dispVM based on the template. Here’s what I have so far:

in dom0:

qvm-run -u root --pass-io --no-gui debian-12-template 'apt install opensnitch -y'
qvm-run -u root --pass-io --no-gui debian-12-template 'systemctl stop opensnitch && systemctl disable opensnitch'
qvm-run -u root --pass-io --no-gui debian-12-dvm 'systemctl enable opensnitch'

After opening a dispVM (based on debian-12-dvm) a grey icon appears in the tray, implying opensnitch is enabled, but not operational.

qvm-run -u root --pass-io --no-gui disp#### 'systemctl start opensnitch'

turns the tray icon black, indicating that opensnitch is operational, but manually enabling opensnitch each time is really not tenable. I’m wondering what the best approach would be to automate the final step?

In general, how can one disable an app in the template, while enabling it to start automatically in the appVMs based on that template?

Open a terminal in your disposable template, in the menu it should be “Template (dispo): fedora-XX-dvm”.

Edit the file /rw/config/rc.local to add the commands. Shut down the template.

This will be inherited by disposable VMs.


OK, that works! Thanks.

For completeness, I ran the following in my debian-12-dvm terminal:

echo "systemctl start opensnitch" >> /rw/config/rc.local

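Since the echo above appends a fresh line every time it is run, here is an added example (not code from this thread or from the OpenSnitch project) that does the same job idempotently: run it as root inside the disposable template, and it adds the start line to /rw/config/rc.local only once, then reports the unit's enabled/active state so you can confirm the "disabled in the template, started by rc.local" setup. The SERVICE and RC_LOCAL defaults are assumptions you can override through the environment.

```shell
#!/bin/sh
# Added example: idempotent rc.local setup for a Qubes disposable template.
# Assumed defaults: SERVICE=opensnitch, RC_LOCAL=/rw/config/rc.local.
set -eu

SERVICE="${SERVICE:-opensnitch}"
RC_LOCAL="${RC_LOCAL:-/rw/config/rc.local}"

# Append LINE to FILE unless an identical line is already present.
# Creates FILE as an executable shell script if it does not exist yet.
# Prints "added" or "present".
ensure_line() {
    file="$1"; line="$2"
    if [ ! -f "$file" ]; then
        printf '#!/bin/sh\n' > "$file"
        chmod 755 "$file"
    fi
    if grep -qxF -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Number of exact occurrences of LINE in FILE (0 if the file is missing).
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# "<enabled-state> <active-state>" for a unit; "unknown" where systemctl
# cannot answer (e.g. unit not found, or no systemd on this host).
unit_state() {
    e=$(systemctl is-enabled "$1" 2>/dev/null || true)
    a=$(systemctl is-active "$1" 2>/dev/null || true)
    printf '%s %s\n' "${e:-unknown}" "${a:-unknown}"
}

# Only touch rc.local when its directory exists (i.e. inside a Qubes VM).
if [ -d "$(dirname "$RC_LOCAL")" ]; then
    ensure_line "$RC_LOCAL" "systemctl start $SERVICE"
    unit_state "$SERVICE"
fi
```

After the next boot of a dispVM based on this template, `unit_state opensnitch` inside the dispVM should report the unit as disabled but active.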

Hello, I am trying to run opensnitch on my r4.2. I followed the steps outlined in this thread, and opensnitch runs. I can open the GUI, etc., and it shows a ‘status’ of running, but I’m not seeing any events show up.

I’m running it in my sys-firewall qube via the default-dvm.

Is there some other way to test or check that it is working properly? Or am I missing something?

Thanks in advance!

I have OpenSnitch running effectively in a few (debian-12) AppVMs, where I am seeing events and am able to filter my outgoing traffic, but I’m still in r4.1. I prefer to leave sys-firewall alone, so have not tried using a single instance of OpenSnitch to catch all outbound traffic. The downside of this approach is having multiple cloud icons in the tray, which all look the same.
Unfortunately the best suggestion I can offer is to try implementing OpenSnitch in an AppVM first, where I know it works. Once you’re seeing events in the AppVM, you could try implementing it in sys-firewall. The latter may require some additional tweaks for OpenSnitch to be able to see the traffic and to play nice with nftables.

Good points. I’ll try it in an appvm first then. Thx!