Miheer Dewaskar
@miheerdew
Hi Aniket, cool project you have here. Can you explain how your approach is different from editing the /etc/hosts file (done for instance in https://github.com/viccherubini/get-shit-done)?
aniketpanjwani
@aniketpanjwani
Architecturally, Chomper works by passing outgoing traffic flows through a transparent proxy (https://mitmproxy.org/). The main advantage of this is that you can now create both blacklists and whitelists, whereas the hosts file approach as in the project you've linked only allows for blacklists. It will also be easy to code a feature which allows blocking specific requests within domains using wildcards, e.g. blocking amazon.com/gp/video/* to prevent access to Amazon videos, but retain access to Amazon shopping. You can't do wildcards at the request level with a hosts file.
I should make these differences clear in the docs - thanks for the question!
Miheer Dewaskar
@miheerdew
Another basic question: What's the difference between whitelisting a website and not blacklisting it?
But the wildcard feature is cool!
Miheer Dewaskar
@miheerdew
What does step 5 of the installation do? I was wondering how to replicate it on mac
Miheer Dewaskar
@miheerdew
If you could create a gui and make it cross platform, that would be great! Projects like SelfControl and get-shit-done seem to be popular.
aniketpanjwani
@aniketpanjwani

To understand whitelisting/blacklisting, suppose I want to focus hard on coding. I know the only websites I'll need to use are stackoverflow.com, unix.stackexchange.com, python.org, and aws.amazon.com. With whitelisting, I can just allow the user to go to those files and none others. Hosts files approaches only allow blacklists, which means that you would have to specify every website you don't want to go to. That's really difficult, because you can always find another website to distract you.

Step 5 is configuring the computer to allow ip forwarding (http://docs.mitmproxy.org/en/stable/transparent/linux.html). There are analogous configuration instructions for OSX as well (http://docs.mitmproxy.org/en/stable/transparent/osx.html). I think the other main change that would have to be done for OSX is to adjust the networking setup functions in chomper/utils.py to use pf. It's not something I can develop since I don't have access to OSX, but if you hack a solution, I'd love to see it. My immediate goal is to fix this issue (aniketpanjwani/chomper#1) and implement wildcards. Then, the next thing is to get my hands on OSX to make it cross platform.

Miheer Dewaskar
@miheerdew
Ah I get it. I'll try to look into pf.
Samidhya Sarker
@desertSniper87
Does mitmproxy support windows? Can this application be ported to windows?
aniketpanjwani
@aniketpanjwani
mitmproxy supports windows. I don't plan to personally develop a windows port anytime soon, because the current implementation of Chomper relies heavily on Unix-specific features: the sudoers file, iptables, GNU screen, crontab. However, if you wanted to add windows support as a Github Issue, that would be great. If you're just looking for a windows internet blocker - consider Cold Turkey: https://getcoldturkey.com/pricing/
Samidhya Sarker
@desertSniper87
Cold Turkey blocks on the hosts file. Plus you need to pay a one-time fee to access features like Scheduling or breaks.
aniketpanjwani
@aniketpanjwani
That's true, but I think it's your best option for now. I'm going to make a more complete development plan this weekend, but I think that windows support likely will not occur for a while.
Miheer Dewaskar
@miheerdew
Hi Aniket, I was looking at PF. Following the instructions here doesn't redirect all outgoing traffic (as the note at the bottom of the page says).
This answer might be relevant, and I will also look into how Dansguardian/Squid handles pf.
aniketpanjwani
@aniketpanjwani
Hmm... that's pretty annoying. One option is to spin Chomper up in a VM or Docker container. However, that's a layer of complexity I'd rather avoid. I'm still planning on MacOS compatibility in release 0.3.0 (https://github.com/aniketpanjwani/chomper/projects/6). After 0.2.1, I'm going to make a hackintosh with a spare thinkpad so that I can work on MacOS myself.
Thanks Miheer!
aniketpanjwani
@aniketpanjwani
There's also this gist: https://gist.github.com/kujohn/7209628
Miheer Dewaskar
@miheerdew
Thanks for the links. The problem is that the rdr command only works for connections coming into the interface, but doesn't apply to connections going out from the interface (which is what we want).
I think that mitm is going into an infinite loop with some of my solutions. But if I understand correctly, your iptable rules are using the user != root option to prevent this
Miheer Dewaskar
@miheerdew
And thanks. I am starting with #2 because that way I can start using chomper :) . Using a mitm proxy seems to be the only genuine (non-hacky) solution to the problem of restricting web-browsing. So that is an additional motivation for me to get this transparent proxy to work.
Miheer Dewaskar
@miheerdew
If we are unable to set up a transparent proxy, the other option is to set mitmproxy as an explicit proxy. So no need to go to a VM/Docker container :)
aniketpanjwani
@aniketpanjwani

Yeah - for sure start with #2 ! It'll be really nice to have someone working in parallel.

The instructions in the gist are different from the instructions in mitmproxy. It seems like the instructions in the gist are providing a work-around for the default inability to port forward on OSX, so I think trying to implement the instructions in the gist is the best path forward.

I'm not sure that an explicit proxy is a good idea. If I understand correctly, an explicit proxy would involve directing each individual browser to the proxy server. However, I'm not sure if it would be possible to implement anything like "hardcore mode", because even if you are a non-root user, you can go into your browser settings and change the proxy settings, thereby evading any block. With a transparent proxy, you can remove the mitmproxy certificate authority while Chomper is running, but then you won't be able to go to any website.

something similar to the stack overflow link you attached: https://apple.stackexchange.com/questions/309286/macos-packet-filter-port-forwarding
Miheer Dewaskar
@miheerdew
The last link seems relevant. The ones before that seem to be doing the same as mitm proxy.
Strangely, something similar to the last link was working yesterday but I need to investigate why it isn't working for me anymore.
By explicit proxy, I meant that 1) We block all connections going outside 2) Only allow connections from the proxy. I believe that is a routine firewall task and can be done by pf. But the last link might allow us to simply use the transparent proxy, let me look into it.
aniketpanjwani
@aniketpanjwani
Let me know how your attempt to implement the last link goes. It looks like others using mitmproxy were struggling with this too at some point: mitmproxy/mitmproxy#1261
Miheer Dewaskar
@miheerdew
Thanks. Unfortunately none of the links in the issue worked for me.
We should ask other mac users if any of those links work for them because I might have changed some settings while playing around with my system.
The second rule from this doesn't seem to work on my system.
But again I might be missing something (just a few hours ago I realized that I was trying things out with my VPN on :|)
aniketpanjwani
@aniketpanjwani
Gotcha - thanks for the update. I'm pretty close to finishing all the issues for release 0.1.1. I'll probably be able to clear 0.2 tomorrow. After that, I'll make a hackintosh sometime next week and try this out myself. Hopefully I can get it to work on a clean system.
aniketpanjwani
@aniketpanjwani
Cleared 0.1.1. Will work on 0.2 tomorrow!
aniketpanjwani
@aniketpanjwani
bought a used mac mini on ebay - should come in later this week. I'll be able to begin implementing #2 next weekend.
aniketpanjwani
@aniketpanjwani
0.2 is cleared. Will work on improving the docs this week while waiting for the mac mini to arrive.
Miheer Dewaskar
@miheerdew
@aniketpanjwani Awesome :smile: !
Kamil Badyla
@badeleux
Hey
Is it possible to filter by regex? Mitm allows that, right?
aniketpanjwani
@aniketpanjwani
It's currently not possible to filter by regex or wildcard, but it would be a relatively simple feature to add. Could you make a new Issue on Github if this is something you're interested in having?
Kamil Badyla
@badeleux
Sure
Sebastian Bolaños
@sebohe
@aniketpanjwani, any reason why the chomper installers are on a separate repo?
Sebastian Bolaños
@sebohe
Got chomper working on Arch linux :clap:
Sebastian Bolaños
@sebohe
Also, because of chomper I discovered pipenv, which seems like an awesome alternative to my current virtualenv setup. Just need to break the old way of doing things xD
aniketpanjwani
@aniketpanjwani
Hi @Sebohe - I think I had a reason for putting them in a separate repo, but can't remember exactly why. I think I just thought that it would be good to have some separation between installer and program.
Also, that's really terrific that you've got it working on Arch! If you're able to create an installer shell script, that would be really helpful. I was trying to get it working on Arch a while ago and gave up - if I recall correctly, the main pain point was just installing cron and getting cron on path.
aniketpanjwani
@aniketpanjwani
I would be happy to set up a time to work with you on the shell script if you wanted. And pipenv is terrific - been using it for a few months now
Sebastian Bolaños
@sebohe
^ Good point, I already had cron installed so I didn't have to install it