Stars: 104
Rank: 330,604 (Top 7%)
Language: Go
License: Other
Created almost 9 years ago; updated about 6 years ago

Repository Details

Subgraph Application Firewall

Subgraph Firewall

A desktop application firewall for Subgraph OS.

Subgraph Firewall is an application firewall that is included in Subgraph OS. While most firewalls are designed to handle incoming network communications, an application firewall can handle outgoing network communications. Subgraph Firewall can apply policies to outgoing connections on a per-application basis.

Application firewalls are useful for monitoring unexpected connections from applications. For example, some applications may phone home to the vendor's website. Often this activity is legitimate (non-malicious) but it still may violate the user's privacy or expectations of how the software operates. Subgraph Firewall gives users the choice to allow or deny these connections.

Malicious code may also phone home to a website or server that is operated by the hacker or malicious code author. Subgraph Firewall can also alert the user of these connections so that they can be denied.

Application firewalls cannot prevent all malicious code from connecting to the Internet. Sophisticated malicious code can subvert the allowed connections to bypass the firewall. However, the firewall may alert the user of connection attempts by less sophisticated malicious code.

The configuration settings for Subgraph Firewall are stored in /etc/sgfw.

From /etc/sgfw/sgfw.conf:

LogLevel sets the verbosity of logging:

	LogLevel = "NOTICE"

LogRedact tells SGFW whether or not to write destination hostnames to the system logs:

	LogRedact = true / false

PromptExpanded controls the level of detail in the prompt:

	PromptExpanded = true / false

PromptExpert enables or disables "expert mode" in the prompt:

	PromptExpert = true / false

DefaultAction specifies the default rule action:

	DefaultAction = "SESSION"

Read more in the Subgraph OS Handbook.

Building

# First install the build dependencies
apt install debhelper dh-golang dh-systemd golang-go libcairo2-dev libglib2.0-dev libgtk-3-dev libnetfilter-queue-dev
# To build the Debian package:
git clone -b debian https://github.com/subgraph/fw-daemon.git
cd fw-daemon
## To build from stable
gbp buildpackage -us -uc
## To build from head
gbp buildpackage -us -uc --git-upstream-tree=master
## Install the package
dpkg -i /tmp/build-area/fw-daemon{,-gnome}-*.deb
## Refresh your gnome-shell session 'alt-r' type 'r' hit enter.

You will be left to install the matching iptables rules. While the exact rules vary with your environment, pre-existing ruleset and preferred mechanism, something like the following needs to be added:

iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A INPUT -p udp -m udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A OUTPUT -p tcp -m mark --mark 0x1 -j LOG
iptables -A OUTPUT -p tcp -m mark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable
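The four rules above are the ones the README leaves the administrator to install by hand. The script below is an added example, not part of the fw-daemon project or its packaging: it installs those same rules idempotently (checking with `iptables -C` before appending, so a re-run never duplicates them) and then reports whether the NFQUEUE rules are fail-open. That last point is the caveat worth knowing when deploying an application firewall this way: per the iptables-extensions manual, an NFQUEUE rule with `--queue-bypass` behaves like ACCEPT whenever no userspace program is bound to the queue, so if sgfw is not running, new outbound connections pass unfiltered; without `--queue-bypass` the same packets are dropped, which is fail-closed but means a crashed daemon takes the host offline. The assumption that packets carrying mark 0x1 are the ones the daemon has decided to deny is inferred from the LOG/REJECT rules themselves; the `IPTABLES` override variable, the `QUEUE_NUM` variable and the `apply` argument are conventions of this example only.

```shell
#!/bin/sh
# Added example (not fw-daemon project code): idempotent installation of the
# sgfw NFQUEUE rules plus a fail-open/fail-closed report for NFQUEUE chains.
# IPTABLES can be pointed at a wrapper or stub for dry runs; QUEUE_NUM is the
# queue the daemon listens on (0 in the README).
IPTABLES="${IPTABLES:-iptables}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# ensure_rule TABLE CHAIN RULE...: append the rule only if it is not already
# present in the chain. Prints "added:" or "present:" and returns 0 either way;
# returns 1 if the append itself fails.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table -A $chain $*"
        return 0
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@" || return 1
    echo "added: -t $table -A $chain $*"
}

# install_sgfw_rules: the README's ruleset. The mangle OUTPUT hook runs before
# filter OUTPUT, so the daemon's verdict (assumed here to be mark 0x1 on denied
# packets) is already set when the LOG and REJECT rules are evaluated.
install_sgfw_rules() {
    ensure_rule mangle OUTPUT -m conntrack --ctstate NEW \
        -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass &&
    ensure_rule filter INPUT -p udp -m udp --sport 53 \
        -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass &&
    ensure_rule filter OUTPUT -p tcp -m mark --mark 0x1 -j LOG &&
    ensure_rule filter OUTPUT -p tcp -m mark --mark 0x1 \
        -j REJECT --reject-with icmp-port-unreachable
}

# nfqueue_policy TABLE CHAIN: prints "fail-open" when every NFQUEUE rule in the
# chain carries --queue-bypass (packets are accepted if no daemon is bound to
# the queue), "fail-closed" when at least one NFQUEUE rule lacks it (those
# packets are dropped without a daemon), or "none" when the chain has no
# NFQUEUE rule at all.
nfqueue_policy() {
    rules=$("$IPTABLES" -t "$1" -S "$2" | grep -- '-j NFQUEUE') || { echo none; return 0; }
    if printf '%s\n' "$rules" | grep -qv -- '--queue-bypass'; then
        echo fail-closed
    else
        echo fail-open
    fi
}

# Only touch the live ruleset when explicitly asked (needs root):
#   sh sgfw-rules.sh apply
case "${1:-}" in
    apply) install_sgfw_rules && nfqueue_policy mangle OUTPUT ;;
esac
```

Run with `apply` as root to install; run `nfqueue_policy mangle OUTPUT` afterwards (or on any host) to see which failure mode the current ruleset has chosen. Whichever mode is picked, the choice should be deliberate: fail-open keeps the machine usable if the daemon dies but silently removes the policy, so pairing it with a service watchdog or a check that sgfw is running is the defensive complement to `--queue-bypass`.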

More Repositories

Other repositories from the same organization (name, primary language, stars, description as listed):

1. oz (Go, 430 stars) - OZ: a sandboxing system targeting everyday workstation applications
2. Vega (Java, 350 stars) - Subgraph Vega
3. Orchid (Java, 221 stars)
4. sgos_handbook (HTML, 117 stars) - Subgraph OS Handbook
5. macouflage (Go, 114 stars) - macouflage is a MAC address anonymization tool, written in Golang, for Linux-based operating systems.
6. subgraph-os-issues (73 stars) - Subgraph OS issues repository
7. go-nfnetlink (Go, 54 stars) - A library for communicating with Linux netfilter subsystems over netlink sockets.
8. usblockout (Go, 53 stars) - USBLockout monitors your user session and triggers the Grsecurity Deny New USB feature.
9. paxrat (Go, 34 stars) - paxrat is a utility to set PaX flags on a set of binaries.
10. roflcoptor (Go, 25 stars) - Tor Control Port Filter and State Tracker Daemon
11. subgraph_metaproxy (Go, 21 stars) - Subgraph Metaproxy is a proxy redirector.
12. go-procsnitch (Go, 19 stars) - Golang Proc Sockets Library
13. subgraph-debian-packages (Shell, 18 stars) - Information and build status for SubgraphOS Debian packages
14. gtk-layer-shell-rs (Rust, 17 stars) - Rust bindings for the gtk-layer-shell library
15. citadel (BitBake, 17 stars) - Subgraph Citadel image builder
16. macouflage-multi (Go, 16 stars) - One-pass MAC spoofer for multiple devices (based on libmacouflage).
17. libmacouflage (Go, 16 stars)
18. subgraph_desktop_stretch (Shell, 16 stars)
19. subgraph-kernel-configs (GCC Machine Description, 15 stars)
20. subgraph-oz-profiles (14 stars) - Repository of maintained OZ profiles and seccomp filters.
21. pH (Rust, 11 stars) - Subgraph pH
22. defector (Go, 11 stars) - Captive portal authenticator for Subgraph OS
23. go-seccomp (Go, 11 stars) - Go support for parsing, compiling, and installing Chromium OS Seccomp-BPF policy files.
24. procsnitch-old (Go, 9 stars) - THIS REPOSITORY IS AN ARCHIVE - SEE
25. subgraph-os-apparmor-profiles (8 stars) - AppArmor profiles for Subgraph OS
26. sgmail (Java, 7 stars) - Subgraph Mail
27. chromium-extension-packager (Go, 6 stars) - A program to maintain a list of Chromium extensions, check for updates and package them as Debian packages.
28. gnome-shell-extension-ozshell (JavaScript, 6 stars) - GNOME Shell extension for interfacing with the OZ application sandboxing framework
29. onioncfg (Go, 6 stars) - Onion network configuration UI
30. sgstatus (Rust, 5 stars) - Status monitor for the Sway WM bar
31. citadel-tools (Rust, 5 stars) - Collection of software tools used by Citadel
32. gnome-shell-extension-torstatus (JavaScript, 5 stars) - GNOME Shell aggregate system menu Tor indicator.
33. procsnitchd (Go, 3 stars) - Procsnitch Daemon
34. subgraph-nm-never-autoconnect (Shell, 3 stars) - This package installs a network-manager dispatcher hook that sets every connection to never auto-connect, preventing accidental reconnections.
35. contrib-oz-profiles (2 stars) - Repository of unmaintained/contributed OZ profiles and seccomp filters.
36. subgraph-defaults (2 stars) - subgraph-defaults implements various defaults in Subgraph OS (gsettings, tweaks, etc.)
37. gnome-shell-extension-drive-menu (JavaScript, 2 stars)
38. sgflow (C, 2 stars) - Subgraph Flow desktop launcher
39. org (2 stars)
40. gnome-session-subgraph (Shell, 2 stars) - GNOME Session for Subgraph OS
41. citadel-docs (CSS, 1 star) - GNOME application for documentation of Citadel
42. subgraph-design-artifacts (HTML, 1 star) - Images, CSS, HTML, etc. related to Subgraph and its projects
43. subgraph-sysctl-config (1 star) - Subgraph OS configuration package for sysctl
44. sublogmon-gui (Go, 1 star) - sublogmon GUI interface
45. sgmenu (Rust, 1 star)
46. go-xdgdirs (Go, 1 star) - Golang library for reading and parsing XDG User Dirs
47. subgraph-standard (1 star) - Default packages metapackage for Subgraph OS
48. subgraph-tor-config (1 star) - Subgraph OS configuration package for tor settings