Ping is blocked
The 'ping' command is blocked
I was trying to ping another computer on my LAN with the following command:
ping 192.168.1.2
Which gave this output:
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
Here the above message stays unchanged for a long time, until I press CTRL+C, which then shows:
--- 192.168.1.2 ping statistics ---
60 packets transmitted, 0 received, 100% packet loss, time 60423ms
After spending 2-3 hours on the other computer to see what is going on, I moved to the firewall and deleted all rules to see if I blocked ping by mistake and see the pop-up again, but the pop-up is never shown when the ping command is executed.
Include the following information:
- OpenSnitch version: 1.5.8.
- OS: Debian 12 with the 'testing' repository
- Version: 12 (Bookworm) or 13 (Trixie) if the enabled 'testing' repository makes it Trixie.
- Window Manager: KDE
- Kernel version:
6.10.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.10.9-1 (2024-09-08) x86_64 GNU/Linux
To Reproduce
Install the firewall from Debian's repository with a command like:
sudo apt install opensnitch
Steps to reproduce the behavior:
- Open Konsole terminal emulator
- Ping a local device that is up and running
- Wait for the ping to show the normal output
- See that there's no output, except for the ping attempt
- Pause the firewall
- See that the ping finally starts working and lines of output are added
Post error logs:
There are no error logs, as far as I can see. Except this one in the
[2024-09-20 10:04:37] WAR iptables not available: exec: "iptables": executable file not found in $PATH
Expected behavior (optional)
Ping command not blocked, as always. This is the first time in years when I see that it is blocked.
Additional context
I saw another open issue about ping being blocked by having Firefox open. I don't use Firefox, but LibreWolf, and I tried to close it for testing, but that doesn't solve this problem. Only pausing the firewall solves the problem.
Any idea what could be the problem here or what more should I try?
Thank you!
I think I found a solution!
I uninstalled (purged) it. And then downloaded and installed the files from here, version: 1.6.6, which seems to work. Ping seems to work normally now, without having to disable the firewall.
Can the version in Debian's repository be updated to this one, that seems to work? I much prefer to have it installed from Debian's repository so I can easily be notified when there's an update and update to it.
BTW, the uninstall (purge) command probably doesn't work correctly, at least as I expected it, by removing not only the rules, but also the settings that I previously made and the tab that I have selected last time I had it open. Not a big problem, but I think that when a program is uninstalled in the purge way, everything should be removed so that if it's reinstalled, it will look and behave like it was the first time being installed.
hey @Danny3 !
> iptables not available: exec: "iptables": executable file not found in $PATH
This may be the reason for the issue. Check where the iptables binary is: whereis iptables or command -v iptables as root.
And see if the path is added to $PATH.
> Can the version in Debian's repository be updated to this one, that seems to work?
If I'm still on time to do it, yes. I haven't had all the free time I expected this year.
whereis iptables, gives this output (without or with sudo): iptables:
command -v iptables gives no (empty) output (without sudo)
I even tried logging in as root with this command: sudo su
And then ran both commands, which for the first gave me the same: iptables: And for the second, no output.
sudo command -v iptables gives this output: sudo: command: command not found
I logged out from the root account and I ran this command too:
sudo nala show iptables
Which shows in its output:
..............................
Installed: no
..............................
So I guess that all these commands just show that this package is not installed. Is it required by the firewall to work properly?
I ran this command too:
sudo nala show opensnitch
And I see this in its output:
.............................................
Depends: libnetfilter-queue1, libc6, libnfnetlink0
.............................................
If the iptables package is required, why is it not in the dependency list, so that when I install the opensnitch package, its dependencies are pulled too? Is it some kind of normal mistake in the package definition in Debian's repository? If you have the time and you update it in this repository, maybe you can add this dependency to it too.
BTW echo $PATH, gives this output: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Any idea how the firewall downloaded from here works without the iptables package being installed and the one from Debian's repository doesn't? Did you embed some version of iptables inside it?
Thank you very much (sorry for the delay in response)!
> So I guess that all these commands just show that this package is not installed. Is it required by the firewall to work properly?
With your current configuration, yes. You'll have "Firewall: iptables" in your /etc/opensnitchd/default-config.json
> If the iptables package is required, why is it not in the dependency list, so that when I install the opensnitch package, its dependencies are pulled too?
I think that it used to be installed by default on all distros, so probably that's why it's not added as a dependency. But now that it's deprecated, I guess it's not installed by default anymore.
> Any idea how the firewall downloaded from here works without the iptables package being installed and the one from Debian's repository doesn't? Did you embed some version of iptables inside it?
Version v1.6.x works without iptables, because by default we use nftables. For nftables we don't rely on any system binary, we add/remove rules directly to the kernel with a lib.
Try changing "Firewall: iptables" to "Firewall: nftables", I think it should work.
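
The check discussed in this thread, as an added example (not part of the thread and not OpenSnitch code): it reads the configured backend and, for iptables, looks for the binary with the sbin directories included, since the PATH shown above has none. The JSON layout `"Firewall": "iptables"` and the function names are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not OpenSnitch code. Assumes the backend is stored
# as a JSON pair such as  "Firewall": "iptables"  (layout is an assumption).

# Print the configured firewall backend, or nothing if the key is absent.
fw_backend() {
    sed -n 's/.*"Firewall"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_backend CONFIG [SEARCH_PATH]
# Returns 0 if the backend can work, 1 if it is iptables but no iptables
# binary is found, 2 if the backend cannot be read from CONFIG.
check_backend() {
    cfg=$1
    # Debian keeps iptables under sbin, which a normal user's PATH lacks.
    search=${2:-$PATH:/usr/sbin:/sbin}
    backend=$(fw_backend "$cfg")
    case $backend in
        nftables)
            echo "backend nftables: rules go to the kernel directly, no binary to look up"
            return 0 ;;
        iptables)
            # 'command' is a shell builtin, which is why 'sudo command -v'
            # fails; do the lookup in a subshell with an explicit search path.
            if bin=$(PATH=$search; command -v iptables); then
                echo "backend iptables: found $bin"
                return 0
            fi
            echo "backend iptables: binary missing, install it or switch to nftables"
            return 1 ;;
        *)
            echo "could not read a Firewall value from $cfg"
            return 2 ;;
    esac
}

# Demo on a constructed config (not read from a real system).
demo_cfg=$(mktemp)
printf '{\n  "Firewall": "iptables"\n}\n' > "$demo_cfg"
check_backend "$demo_cfg" || true
rm -f "$demo_cfg"
```

On a real system, pass /etc/opensnitchd/default-config.json as the first argument.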