🌲 treerockets blog

No Nonsense Guide to Install Opensnitch on Pop_os

(article updated 2023.10.28; see below)

For some reason it's a bit painful to install the desktop application firewall OpenSnitch on various Linux distros. My daily driver is Pop_OS (currently Pop!_OS 22.04 LTS).

The repeatable "no nonsense guide" that works for me is as follows, step by step:

Download the latest release from Releases

We need the two deb files: the x86_64 deb for the daemon and the GUI deb for the GUI application.

Before we install the application itself, we need to manually fulfill the requirements:

sudo apt install python3-pip python3-pyasn

pip3 install --user qt-material
pip3 install --user --ignore-installed grpcio

Now we're ready to install the firewall and GUI itself:

sudo apt install ./opensnitch*.deb ./python3-opensnitch-ui*.deb

We can check the service is running:

sudo systemctl status opensnitch

If you have never used a desktop application firewall before, don't get overwhelmed by the amount of connections you're going to see at first - obviously this (like any other firewall) needs configuring first and over time. Stick with it.

Update 2023.10.28: OpenSnitch not starting! [FIX]

OpenSnitch-UI does not open; starting it from a terminal gives this error:

TypeError: Descriptors cannot not be created directly.
If this call came from a _pb2.py file, your generated code is out of date and must be regenerated with protoc >= 3.19.0.

To resolve this:

pip3 install --upgrade "protobuf<=3.20.1"

OpenSnitch should now work again; double-check the systemctl status after a boot.

IMPORTANT NOTE

It can happen that the login screen stays blank for a long time, or indefinitely, depending on what is blocked and/or if your default block action is "deny". I found a resource that helped me:

This is a very likely solution in most cases

If, after changing the Default Action to deny, the Desktop Environment does not show up (after restart), try:

On Pop_OS, for example, you can always log in to a terminal console by pressing CTRL+ALT+F5 (go back with CTRL+ALT+F1). Be aware that Bluetooth keyboards may not work! From here you can stop the service with sudo systemctl stop opensnitch.service and go back to your normal login - it should now work.

It seems to be necessary to allow network access to at least the following (I can't yet confirm, but likely localhost would be enough):

dirmngr xbrlapi host kdeinit5

More info

Save it to /etc/opensnitchd/rules/000-allow-system-cmds.json

{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-system-cmds",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "regexp",
    "operand": "process.path",
    "sensitive": false,
    "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr|/usr/bin/slim)",
    "list": []
  }
}
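The regexp in this rule has no end anchor, so it allows any process whose path merely starts with one of the listed names. The following is an added example (not from the original post or the OpenSnitch project) that checks the rule's pattern against constructed sample paths and shows the effect of appending `$`. It assumes the daemon applies the pattern as an unanchored search and treats "sensitive": false as case-insensitive matching; /usr/bin/slimjet is a made-up look-alike name.

```python
import json
import re

# The rule from this page, trimmed to the fields that decide matching.
RULE_JSON = """
{
  "name": "000-allow-system-cmds",
  "operator": {
    "type": "regexp",
    "operand": "process.path",
    "sensitive": false,
    "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr|/usr/bin/slim)"
  }
}
"""

# Binaries the rule is meant to allow (read off the pattern's alternatives).
INTENDED = {"/usr/bin/host", "/usr/bin/xbrlapi", "/usr/bin/dirmngr", "/usr/bin/slim"}

# Constructed sample paths: the intended ones plus look-alikes sharing a prefix.
SAMPLE_PATHS = sorted(INTENDED | {
    "/usr/bin/hostname", "/usr/bin/hostnamectl", "/usr/bin/slimjet",
    "/usr/bin/curl", "/tmp/usr/bin/host",
})

def compile_operator(operator):
    """Compile a regexp operator (assumption: not "sensitive" = ignore case)."""
    flags = 0 if operator.get("sensitive") else re.IGNORECASE
    return re.compile(operator["data"], flags)

def unintended_matches(pattern, paths, intended):
    """Return the paths the pattern allows that are not in the intended set."""
    return [p for p in paths if pattern.search(p) and p not in intended]

def anchor_end(data):
    """Append an end anchor so an alternative must match the whole path."""
    return data if data.endswith("$") else data + "$"

rule = json.loads(RULE_JSON)
original = compile_operator(rule["operator"])
tightened = compile_operator(
    {**rule["operator"], "data": anchor_end(rule["operator"]["data"])})

if __name__ == "__main__":
    print("original also allows: ", unintended_matches(original, SAMPLE_PATHS, INTENDED))
    print("tightened also allows:", unintended_matches(tightened, SAMPLE_PATHS, INTENDED))
```

If you tighten the rule this way, put the anchored pattern in the "data" field of the JSON file and confirm the login screen still comes up before relying on it.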

You can also allow all traffic to localhost (save it to /etc/opensnitchd/rules/000-allow-localhost.json):

{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-localhost",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "network",
    "operand": "dest.network",
    "sensitive": false,
    "data": "127.0.0.0/8",
    "list": []
  }
}

#firewall #linux