SeUbHS

ANSWERED Eddie Network Lock and gufw


Posted ... (edited)

In reference to: 

On 3/30/2018 at 9:31 PM, Staff said:

Hello!

 

You can consider to enforce permanent firewall rules that block all the outgoing traffic from your system. In this way, the activation of Network Lock will unlock communications to our VPN servers and bootstrap servers only. When Network Lock is disabled, the previous "block all" rules will be restored.

 

This means also that as long as Eddie has not started, your system traffic is totally blocked (even at boot). Just make sure that you allow anyway DHCP communications to your router, they are vital to establish a connection inside your local network.

 

Kind regards


Unfortunately, when I closed eddie-ui, I noticed that my ping 8.8.8.8 started working again, which means somehow the gufw deny outgoing & deny incoming became undone. Are you sure this solution is still supposed to work on Linux? I tried with and without the network lock activated on eddie-ui (if it starts up with network lock disabled, it actually can't connect to the VPN servers at all until I disable my gufw firewall).
Edited ... by OpenSourcerer: edit to accommodate split

2 minutes ago, SeUbHS said:

Unfortunately, when I closed eddie-ui, I noticed that my ping 8.8.8.8 started working again, which means somehow the gufw deny outgoing & deny incoming became undone. Are you sure this solution is still supposed to work on Linux? I tried with and without the network lock activated on eddie-ui (if it starts up with network lock disabled, it actually can't connect to the VPN servers at all until I disable my gufw firewall).


Hello!

Here a serious complication might have entered into play. UFW does not support nftables, while all modern distributions are based on nftables for the packet filtering system. Eddie does support nftables and correctly uses it. UFW must rely on translations back and forth performed, for example, by iptables-nft. The translation tools do what they can, but if you start mixing iptables with nftables syntax rules, by experience we know that "bad things will happen". If you have an nftables-based distribution and you want to use Eddie's Network Lock (or the AirVPN Suite) you have two options:

1. Avoid UFW, which after all is a frontend of a frontend of a frontend, by disabling it, and operate on the firewall rules directly with nft. To disable UFW the following command should be sufficient and permanent:
sudo ufw disable

2. Alternatively, force Eddie to use the iptables-legacy system. Open the "Preferences" > "Network Lock" window and select "iptables-legacy" in the "Mode" combo box. By forcing consistency of rules' syntax across all the programs operating on firewall rules, the translator tools should work properly.

However, if your system is still entirely based on iptables (no nftables at all) then the above cannot be the cause of the problem and it's necessary to look elsewhere to find the problem's roots.

Kind regards
 


Thanks, I disabled and uninstalled gufw. I backed up my nft rules via:
sudo nft list ruleset > /path/to/backup-file.nft
I then created a new_nft.nft file with the following:
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}

I then ran `sudo nft -f ./new_nft.nft` which blocked ping and everything else. However, eddie-ui won't open now unless I flush nft. I'm guessing I need to add an exception for some kind of AirVPN IP? I was under the impression eddie-ui would just undo this block and implement its own firewall rules upon startup though?

On 2/12/2024 at 1:41 AM, SeUbHS said:

I then ran `sudo nft -f ./new_nft.nft` which blocked ping and everything else. However, eddie-ui won't open now unless I flush nft. I'm guessing I need to add an exception for some kind of AirVPN IP? I was under the impression eddie-ui would just undo this block and implement its own firewall rules upon startup though?


Hello!

You may tell Eddie to activate Network Lock at startup in the "Preferences" > "General" window to have your rules overwritten.

The total block you enforced will prevent Eddie (and any other program) from communicating to and from localhost. This may break several programs; you should add allow rules to and from 127.0.0.1 at least. The Eddie frontend and backend talk to each other via TCP on 127.0.0.1. Please note that the activation of Network Lock requires that Eddie can talk to the backend process (the only one running with root privileges), so the total block you enforced cannot be circumvented by Eddie, not even if Network Lock must be enforced as soon as the program is launched.

Kind regards
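The two points Staff raises above, the iptables backend question (nf_tables translation layer versus legacy) and the loopback/DHCP holes a drop-all baseline needs before Eddie can start, as one added example. This is not code from the thread or from AirVPN/Eddie; the ruleset is the poster's drop-everything table with only the allows the replies call for, and the backend check relies on the "(nf_tables)" / "(legacy)" suffix that `iptables -V` prints.

```shell
#!/bin/sh
# Added example; not code from the thread or from AirVPN/Eddie. It does two things:
# (1) classify which iptables backend a host uses, which decides between Staff's
#     "disable UFW" and "force iptables-legacy" options, and (2) write a baseline
#     nftables ruleset that keeps the poster's drop-everything posture but allows
#     loopback and DHCP, the two holes Staff's replies say are required.
# `iptables -V` prints "(nf_tables)" for the nft-backed translation layer and
# "(legacy)" for the old backend; anything else is reported as unknown.
classify_iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Write the baseline ruleset to the file named in $1 (load it with: sudo nft -f FILE).
# Every hook still defaults to drop; the only allows are loopback both ways (Eddie's
# frontend and backend talk over TCP on 127.0.0.1), replies to flows already allowed
# out, and DHCP between client port 68 and the router's port 67. Eddie's Network Lock
# opens the VPN and bootstrap servers on top of this when it starts.
write_baseline_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        udp sport 67 udp dport 68 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        udp sport 68 udp dport 67 accept
    }
}
EOF
}

# On a real host: report the backend, write the file, and syntax-check it with
# `nft -c` (parse only, nothing is loaded). Both tools are optional here.
if command -v iptables >/dev/null 2>&1; then
    echo "iptables backend: $(classify_iptables_backend "$(iptables -V 2>/dev/null)")"
fi
write_baseline_ruleset "${TMPDIR:-/tmp}/baseline.nft"
if command -v nft >/dev/null 2>&1; then nft -c -f "${TMPDIR:-/tmp}/baseline.nft" || echo "ruleset failed to parse"; fi
```

With Network Lock set to activate at startup, this file is what the host falls back to whenever Eddie is not running, which is the "blocked even at boot" behaviour described earlier in the thread.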
 


Thanks, whitelisting the loopback allows eddie to start now and everything is working as it should with no leaks. 😀

This topic is now closed to further replies.