Skip to content

block lists

Jump to bottom
wiki auto updater edited this page Sep 30, 2022 · 22 revisions

Starting from version 1.4.0rc1, you can block or allow lists of domains.

Since version 1.5.0rc1 you can also use lists of IPs, network ranges and domains with regular expressions.

It can be used to block ads, trackers, malware domains or limit to what domains an application connects to.

Use cases:

  1. How to add a global rule to block malware or ads

  2. Limiting to what domains an application can connect to

Notes

Troubleshooting

Resources

Important note: This feature may not work if your system uses systemd-resolved to resolve domains. Compiling opensnitch-dns.c eBPF module may help to workaround this problem. If blocklists don't work, change your nameserver in /etc/resolv.conf to 1.1.1.1, 9.9.9.9, etc... and see if it works.

How to add a global rule to block ads or trackers:

  1. Create a new rule: 000-block-domains

  2. Check [x] Enable, [x] Priority, Duration: always, [x] To this list of domains image

  3. Download list of domains of ads to block (choose any directory you wish):

$ mkdir /media/ads-list/
$ wget https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt -O /media/ads-list/ads-and-tracking-extended.txt

Note: be sure that the files have an extension (.dat, .txt, .list, etc...). Don't drop files without extension into the directory

  1. Visit any website, and filter by the name of the rule 000-block-domains . You can use block-test.developerdan.com which is included in the above list.

image

Limiting to what domains an application can connect to:

We'll create 2 rules:

  • one for allow connections from an app to a limited number of domains.
  • another one for deny everything from that app.
  1. Create 2 rules: 000-allow-app , 001-deny-all-from-app
  2. 000-allow-app:

image

Inside /media/app/ write a file (allowlist.txt for example) with a list of domains the app can connect to in hosts format:

127.0.0.1 xxx.domain.com

Note: be sure that the file has an extension (.dat, .txt, .list, etc...).

Remember that you may need to add the domain without the subdomains (domain.com, xxx.domain.com, etc)

  1. 001-deny-all-from-app:

image

Notes

Lists of domains (only in version >= v1.4.x):

  • It must be in hosts format:
# this is a comment, it's ignored
# https://www.github.developerdan.com/hosts/
0.0.0.0 www.domain.com
127.0.0.1 www.domain.com

Lists of domains with regular expressions (or not) (only in version >= v1.5.x):

  • one regular expression per line:
# https://raw.githubusercontent.com/mmotti/pihole-regex/master/whitelist.list
adtrack(er|ing)?[0-9]*[_.-]
^analytics?[_.-]
^pixel?[-.]
^stat(s|istics)?[0-9]*[_.-]

Lists of IPs (only in version >= v1.5.x):

  • One per line: IPs
# https://iplists.firehol.org/
6.7.8.9
9.8.7.6

Lists of NETs (only in version >= v1.5.x): Nets:

# https://iplists.firehol.org/
1.0.1.0/24
1.2.3.0/16
  • Lines started with # are ignored. Write comments always on a new line, not after a domain.
  • The domains local, localhost, localhost.localdomain and broadcasthost are ignored.
  • Whenever you save the file to disk, OpenSnitch will reload the list.
  • OpenSnitch doesn't refresh periodically the list loaded, but you can do it with this script: update_adlists.sh

    1. Give it execution permissions:

      chmod +x update_adlists.sh

    2. Edit the script, and modify the adsDir path to point to the directory where you want to save the lists.

    3. Add the script to your user's crontab (in this example, the script will be executed every day at 11am, 17pm and 23pm):

      $ crontab -e
0 11,17,23 * * * /home/ga/utils/opensnitch/update_adlists.sh

Troubleshooting

When you define a blocklist/allowlist rule, the directory choosen is monitored for changes. If you delete, add or modify a file under that directory, the lists will be reloaded. You'd see these logs in /var/log/opensnitchd.log:

[2022-03-31 23:58:19]  INF  clearing domains lists: 2 - /etc/opensnitchd/allowlists/regexp
[2022-03-31 23:58:19]  DBG  Loading regexp list: /etc/opensnitchd/allowlists/regexp/allow-re.txt, size: 72
[2022-03-31 23:58:19]  INF  2 regexps loaded, /etc/opensnitchd/allowlists/regexp/allow-re.txt
[2022-03-31 23:58:19]  INF  2 lists loaded, 2 domains, 0 duplicated

This feature may not work if your system uses systemd-resolved to resolve domains. Compiling opensnitch-dns.c eBPF module may help to workaround this problem.

If blocklists still don't work:

  • stop systemd-resolved: systemctl stop systemd-resolved
  • change your nameserver in /etc/resolv.conf to 1.1.1.1, 9.9.9.9, etc... and see if it works. A simple telnet to an entry of the list should be blocked and logged accordingly.

See this issue #646 for more information.

Resources

Video tutorials:

opensnitch-1hosts.webm
opensnitch-1hosts-1.webm

Lists of ads, trackers, malware domains, etc that you can use:

https://github.com/badmojr/1Hosts

https://oisd.nl/?p=dl

https://filterlists.com/ (filter by Syntaxis: hosts)

https://www.github.developerdan.com/hosts/

https://firebog.net/

https://github.com/StevenBlack/hosts

https://pgl.yoyo.org/adservers/

https://iplists.firehol.org/

Please help us make this wiki better.

How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md

  1. Installation
    1. Dependencies and how it works
  2. Getting started
    1. Events window
      1. Themes
    2. Process monitor dialog
    3. Pop-up dialogs
  3. Configuration
    1. Monitor method: audit
    2. Monitor method: eBPF
    3. Rules
      1. Best practices
    4. Rules editor
      1. Rules examples
    5. System rules
      1. System rules legacy
    6. Block lists, ads|malware|...
    7. Nodes
      1. Authentication
      2. Configuration examples
      3. Generating TLS certificates
    8. SIEM integration
      1. Grafana + Loki + Promtail
      2. ElasticSearch + LogStash + Kibana
  4. Compilation
    1. Cross-compilation for arm
    2. Building packages with pbuilder
  5. GUI translations
    1. Adding, updating and installing translations
  6. FAQs and common errors
    1. Known problems
      1. GUI known problems
      2. daemon known problems
      3. General
    2. FAQs
    3. Why OpenSnitch does not intercept application XXX
  7. Examples OpenSnitch in action
Clone this wiki locally