I remember looking into Douane a while ago and was not impressed. Rather than implementing all of the rules and policy in userspace (as OpenSnitch does), it implements the rules in kernelspace. It also has a bunch of questionable technical decisions in how policies are handled, especially when it comes to "edge cases" like processes with long paths[1] or connections where the socket file descriptor is greater than 8 or something like that[2].
My main complaint about implementing all of these things in kernel space is that it's simply not necessary -- with netfilter_queue and connmark you can relay all decision making to userspace without losing any generality. The only thing that you might argue is a benefit of using a kernel module is that figuring out the "path" for an application might be easier but I'm not sure I agree. Also Douane simply will not work properly with containers because of how it assumes that everything is in the host namespace.
As an aside, I decided to write my own application-level firewall for GNU/Linux[3] (mainly as an exercise to myself to learn Rust as well as learn more about low-level network programming in Linux). My plan is to make it far more modular than OpenSnitch, with a client API so the GUI can be completely separate (and also perhaps allowing different clients to have different policies).
Good luck on your project! Be sure to visit r/rust in case you have any trouble. The people over there are very helpful.
There are a couple of books/guides around about good practices in Rust. You should be able to find them with proper googling. If you can't, comment here. I should be able to dig them out from my bookmarks.
And about Douane, I don't know a lot about what you said, so I can't comment on it. It definitely didn't feel polished but it was honestly the best one around, so again, good luck with your new endeavor.
Looks very interesting! Would you like to add LDAP support, maybe in a modularized way to store rules "somewhere" and provide a mechanism for mandatory application of these rules on clients ("enforce rules from trusted storage x")?
Others could build GUIs around the storage (LDAP, SQLite, whatever) and we could share rules via a website. That would be a great help for many users! Thanks!
> Would you like to add LDAP support, maybe in a modularized way to store rules
My thinking is to make it so that you just have a "dumb" daemon which has the concept of a process requesting the ability to connect to an IP/unix socket and sends requests over gRPC to clients that make access decisions. So there's no long-term storage of rules in the daemon (except possibly in some edge cases).
In any case I'm still writing a PoC so it's a bit early for features like that.
[1]: https://github.com/Douane/douane-dkms/blob/master/douane.c#L...
[2]: https://github.com/Douane/douane-dkms/blob/master/douane.c#L...
[3]: https://github.com/cyphar/whistled