
OpenSnitch is a GNU/Linux port of the Little Snitch application firewall - LinuxBender
https://github.com/evilsocket/opensnitch
======
kstrauser
Little Snitch is one of my favorite apps in the world, and it's one of the
very first things I install on any new Mac.

For those unfamiliar, it monitors and restricts _outbound_ connections that
your applications are trying to make. For example, you might be working away
and suddenly get a popup saying:

"Chrome is making an outbound TCP connection to adserver.trackallusers.com,
port 9876. Do you want to:

- Allow or Deny the connection...

- To all hosts in the domain trackallusers.com, that specific hostname, or
that specific IP address, or all hosts everywhere...

- On this port or any port...

- Protocol TCP...

- Once, or for the next 15 minutes / 1 hour / 2 hours / until I reboot /
forever"

...and it will postpone making that connection until you answer. You can set
defaults for that popup according to your own preferences, for instance to
block by domain name instead of hostname so that "server432.example.com" and
"server592.example.com" don't have to be managed separately.

When you first run Little Snitch, it's a bit overwhelming. Safari and Chrome
want to talk to all kinds of things on TCP/80 and 443, so you pretty quickly
say they're allowed to make any 80 or 443 connection they want without further
pestering you. Soon you have a good coverage of your apps' normal behaviors,
and that's where it really shines. For instance, suppose your text editor
commonly talks to "updateserver.example.com" to check for app updates. But
this morning, it's suddenly trying to chat with "exfiltrator.badhost.ru". Uhh,
maybe you want to block that and see what's going on.

And my earlier Chrome example isn't an exaggeration. It's surprising how many
websites want to connect to ad or tracking servers on nonstandard ports. I
actually appreciate that a lot because those connections stick out like sore
thumbs and I can permanently deny them.

Sorry if this reads like an ad pitch for Little Snitch. I'm not associated
with them, but I'm a very, very happy customer. Seeing something like it
become available for my friends using Linux is awesome.
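The prompt described above boils down to a small rule model: a connection is identified by the process, protocol, destination and port, and each answer becomes a rule scoped to a hostname, a domain (including its subdomains), an IP or any host, to one port or any port, and lasting once, for some minutes or forever. The toy engine below is an added example, not code from Little Snitch or OpenSnitch; process paths, hostnames and the 192.0.2.x addresses are constructed sample values. It also shows the two defaults a practitioner cares about: which rule wins when several match (most specific, deny on a tie) and what happens when a prompt is never answered (it falls back to the configured default action instead of silently allowing).

```python
"""Toy per-application outbound rule engine (added example, not project code)."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SCOPE_RANK = {"any": 1, "domain": 2, "host": 3, "ip": 3}


@dataclass(frozen=True)
class Connection:
    process: str            # path of the process opening the socket
    proto: str              # "tcp" or "udp"
    host: Optional[str]     # destination hostname if known, else None
    ip: str                 # destination IP address
    port: int               # destination port


@dataclass
class Rule:
    process: str
    action: str                   # "allow" or "deny"
    scope: str                    # "any", "domain", "host" or "ip"
    target: Optional[str]         # domain suffix, hostname or IP; None for "any"
    port: Optional[int]           # None = any port
    proto: Optional[str]          # None = any protocol
    expires_at: Optional[float]   # None = forever

    def matches(self, conn: Connection) -> bool:
        if self.process != conn.process:
            return False
        if self.proto is not None and self.proto != conn.proto:
            return False
        if self.port is not None and self.port != conn.port:
            return False
        if self.scope == "any":
            return True
        if self.scope == "ip":
            return self.target == conn.ip
        if conn.host is None:
            return False          # host/domain rules need a name to compare
        host = conn.host.lower()
        target = self.target.lower().lstrip(".")
        if self.scope == "host":
            return host == target
        # "domain": the name itself or any subdomain; the leading dot keeps
        # "nottrackallusers.com" from matching a rule for "trackallusers.com"
        return host == target or host.endswith("." + target)

    def specificity(self) -> Tuple[int, bool, bool]:
        return (SCOPE_RANK[self.scope], self.port is not None, self.proto is not None)


# A prompt answer is (action, scope, target, port, proto, duration); duration is
# "once", "forever" or seconds. None means the user never answered the prompt.
Answer = Optional[Tuple[str, str, Optional[str], Optional[int], Optional[str], object]]


class Engine:
    def __init__(self, default_action: str = "deny", prompt_timeout: float = 15.0,
                 clock: Callable[[], float] = time.time):
        self.rules: List[Rule] = []
        self.default_action = default_action   # used when no rule and no answer
        self.prompt_timeout = prompt_timeout
        self.clock = clock                     # injectable for deterministic expiry

    def add_rule(self, process, action, scope="any", target=None, port=None,
                 proto=None, duration="forever") -> Rule:
        expires = None if duration == "forever" else self.clock() + float(duration)
        rule = Rule(process, action, scope, target, port, proto, expires)
        self.rules.append(rule)
        return rule

    def decide(self, conn: Connection,
               prompt: Optional[Callable[[Connection, float], Answer]] = None) -> Tuple[str, str]:
        """Return (action, source); source is "rule", "prompt", "timeout" or "default"."""
        now = self.clock()
        # drop timed rules whose "for the next N minutes" has elapsed
        self.rules = [r for r in self.rules if r.expires_at is None or r.expires_at > now]
        hits = [r for r in self.rules if r.matches(conn)]
        if hits:
            # most specific rule wins; on a tie, deny beats allow
            best = max(hits, key=lambda r: (r.specificity(), r.action == "deny"))
            return best.action, "rule"
        if prompt is None:
            return self.default_action, "default"
        answer = prompt(conn, self.prompt_timeout)
        if answer is None:
            # fail closed: an unanswered prompt gets the default action, not "allow"
            return self.default_action, "timeout"
        action, scope, target, port, proto, duration = answer
        if duration != "once":          # "once" answers are never persisted
            self.add_rule(conn.process, action, scope, target, port, proto, duration)
        return action, "prompt"


def demo() -> dict:
    clock = [1000.0]                    # fake clock so expiry is deterministic
    eng = Engine(default_action="deny", prompt_timeout=15, clock=lambda: clock[0])
    chrome, editor = "/usr/bin/chrome", "/usr/bin/editor"       # constructed paths
    eng.add_rule(chrome, "allow", port=443, proto="tcp")          # any host on 443
    eng.add_rule(chrome, "deny", scope="domain", target="trackallusers.com")
    eng.add_rule(editor, "allow", scope="host", target="updateserver.example.com",
                 port=443, proto="tcp", duration=3600)             # for one hour
    out = {}
    out["chrome_https"] = eng.decide(Connection(chrome, "tcp", "www.example.com", "192.0.2.10", 443))
    out["chrome_tracker"] = eng.decide(Connection(chrome, "tcp", "adserver.trackallusers.com", "192.0.2.20", 9876))
    out["chrome_tracker_443"] = eng.decide(Connection(chrome, "tcp", "adserver.trackallusers.com", "192.0.2.20", 443))
    out["chrome_lookalike"] = eng.decide(Connection(chrome, "tcp", "nottrackallusers.com", "192.0.2.21", 443))
    out["editor_update"] = eng.decide(Connection(editor, "tcp", "updateserver.example.com", "192.0.2.30", 443))
    clock[0] += 3601                                               # the hour passes
    out["editor_update_expired"] = eng.decide(Connection(editor, "tcp", "updateserver.example.com", "192.0.2.30", 443))
    suspicious = Connection(editor, "tcp", "exfiltrator.badhost.ru", "192.0.2.40", 443)
    out["editor_no_answer"] = eng.decide(suspicious, prompt=lambda c, t: None)
    out["editor_once"] = eng.decide(suspicious, prompt=lambda c, t: ("allow", "host", c.host, c.port, c.proto, "once"))
    out["editor_after_once"] = eng.decide(suspicious)              # nothing was stored
    out["rule_count"] = len(eng.rules)                             # expired rule pruned
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note how the domain-scoped deny for trackallusers.com beats the broad "any host on 443" allow, which is the precedence a user expects from the "block by domain name" default; a first-match engine would silently let the tracker through on 443 depending on rule order.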

~~~
mrspeaker
Using Little Snitch, and seeing the amount of phoning-home Chrome was doing
was my "straw that broke the camel's back". It tipped me over the edge: drove
me back to Linux, Duck Duck Go, NextDNS (I'm not confident enough to "roll my
own"), turning everything off on my phone (location services, search helpers
etc), and not using software that checks for updates or does the least amount
of telemetry (I went from VSCode to Emacs)... favoring anything that doesn't
track/use cdns/anything by default: whatever is vaguely usable (no matter how
annoying) and tracks the least, wins.

I could block it all with Little Snitch - but it's a technical solution to a
political problem. I miss a lot of the convenience, and I miss a lot of the
slickness/lovely UIs... but Lil' Snitch taught me that that's the price!

~~~
m463
I found the same thing with little snitch and Firefox. Now I block all the
mozilla domains using little snitch and update firefox using Safari.

Related, people also complain about Microsoft phoning home, but Apple does the
same thing. (Not that Apple is as blatant a jerk as Microsoft.)

~~~
3xblah
Add Google to the list. It is unfortunate that not even one of these companies
can differentiate from the others on this practice. They each assume that the
user gives them a free pass to make automatic outbound connections, where no
consent from the user is required, for whatever purpose they deem "necessary".

------
antiuniverse
This is neat, but it seems strange to call it a "port" of a closed source
proprietary commercial product. It doesn't actually seem to be related beyond
also being a firewall with a UI that kinda imitates Little Snitch.

I think a better term might be "clone"?

~~~
TwoNineFive
This is correct. This is not a port. I wouldn't even call it a clone. It's
more like "inspired by."

It's just a Hyperbolic Headline.

~~~
heavyset_go
> _It's just a Hyperbolic Headline._

Maybe, but it's effective. I instantly know what it does instead of trying to
ascertain what makes Yet Another Linux Firewall different from the rest.

~~~
Wowfunhappy
Then call it a "recreation" of Little Snitch or something.

Calling it a "port" is completely inaccurate and misleading. I clicked on this
thread thinking the Little Snitch developers must be involved somehow.

And if I were the Little Snitch devs, I'd be more than a little annoyed.

------
gruez
Software like this seems like snakeoil to me. They often rely on process paths
to identify applications, but that can be easily bypassed by using a
reputable/plausible program as a lackey [1], or more sophisticated techniques
like process hollowing[2]. Afterwards, they can communicate as the (presumably
whitelisted) application. Any host-based rules (if any) can be bypassed by
routing internet traffic using "popular" domains (eg. CDNs, social media
networks), or by social engineering (eg. triggering a request at the same time
as a user action, to make the user think it's something he intended to do).

On unsandboxed platforms, you either trust an application completely, or you
don't. Tools like little snitch don't turn dangerous programs into safe ones;
they only give you a false sense of security.

[1]
[https://news.ycombinator.com/item?id=22207089](https://news.ycombinator.com/item?id=22207089)

[2]
[https://wikileaks.org/ciav7p1/cms/page_3375167.html](https://wikileaks.org/ciav7p1/cms/page_3375167.html)

~~~
jedisct1
An application can also repeatedly ask for permissions, flooding the user with
(little snitch or whatever) popups until they give up and disable it just to
be able to use their computer again.

~~~
Wowfunhappy
Which would tell the user the app is malevolent.

------
chmars
Be careful with using Little Snitch etc.:

'Predictably, online discussions about problems with app translocation and
Little Snitch usually recommend stripping quarantine flags, and from what I
can see, this has become quite widespread practice. Yet – just as in the blog
article – no one seems to be concerned that what they are doing is bypassing
macOS’s primary security defences.'

[https://eclecticlight.co/2020/01/26/last-week-on-my-mac-when-more-security-subverts-security/](https://eclecticlight.co/2020/01/26/last-week-on-my-mac-when-more-security-subverts-security/)

------
frio
I believe the project may be dead --
[https://github.com/evilsocket/opensnitch/issues/259](https://github.com/evilsocket/opensnitch/issues/259)
-- but I see there has been some activity since then.

~~~
gus_
Many of the PRs have been added here, plus some other ideas and improvements:
[https://github.com/gustavo-iniguez-goya/opensnitch](https://github.com/gustavo-iniguez-goya/opensnitch)

------
beagle3
One feature opensnitch has (and I have not seen mentioned here) is that you
can run the filter on one device e.g. your openwrt router, and the GUI on your
laptop; this is a nice feature that no other “personal” firewall (including
the original LittleSnitch) provides - filtering for your iPad and smart tv as
well!

------
DavideNL
Fun fact: in macOS Little Snitch, if you create a separate profile for your VPN
interface (as specified, with the goal of allowing certain apps/traffic only
when the VPN is up), circumventing the VPN is as easy as:

    curl --interface en0 ifconfig.co

In other words, no firewall rules are applied to actually block traffic on the
non-VPN interface. _Apps_ are only blocked from accessing the internet when
the VPN interface goes _down_.
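The gap described in this post (per-app rules that only apply while the VPN interface is up, with nothing stopping traffic that binds the physical interface directly) is usually closed at the packet-filter layer rather than in the application firewall. The pf ruleset below is an added example, not from the post or from Little Snitch: it drops everything leaving en0 except the tunnel's own traffic to the VPN server and DHCP, and passes traffic inside the tunnel. utun0 as the tunnel interface, 203.0.113.10 and udp/1194 as the VPN endpoint are placeholder assumptions to be replaced with your own values.

```pf
# Added example: pf "kill switch" for macOS, not part of the original post.
# Placeholders: utun0 = VPN tunnel interface, 203.0.113.10 udp/1194 = VPN server.
phys_if    = "en0"
vpn_if     = "utun0"
vpn_server = "203.0.113.10"

# Default for the physical interface: nothing leaves it. pf is last-match,
# so the "quick" passes below are the only exceptions.
block drop out on $phys_if all

# The tunnel itself has to reach the VPN server over the physical interface.
pass out quick on $phys_if proto udp from any to $vpn_server port 1194 keep state

# Keep the DHCP lease alive so the link stays usable for the tunnel.
pass out quick on $phys_if proto udp from any port 68 to any port 67 keep state

# Everything that goes through the tunnel is fine.
pass out quick on $vpn_if all keep state
```

On macOS these lines belong in an anchor file referenced from /etc/pf.conf (loaded with `pfctl -f`, enabled with `pfctl -e`) rather than replacing the system ruleset. After loading, the `curl --interface en0 ifconfig.co` check from the post should hang and time out instead of returning your real address, and `pfctl -sr` should list the block rule for en0.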

------
adultSwim
This project is no longer maintained.

[https://github.com/evilsocket/opensnitch/issues/259](https://github.com/evilsocket/opensnitch/issues/259)

~~~
cmroanirgo
> _yes, i'm not working on it anymore and i'm not responding to issues,
> because i lost interest and nobody pays me for this ... if this project is
> so essential (?), the "Linux community" can fork it and send a PR._

[https://github.com/evilsocket/opensnitch/issues/259#issuecom...](https://github.com/evilsocket/opensnitch/issues/259#issuecomment-498604956)

------
squarefoot
Reminds me of that Windows marvel called Kerio Personal Firewall which allowed
restricting connections for any application, a feature that Linux should have
had since forever and is becoming more and more important today. Most Linux
FOSS apps may not call home, but closed hosted or emulated ones (through WINE
for example) often do.

~~~
beagle3
Linux does do that, and has since kernel 2.2 or so; in fact, opensnitch is
a user mode process thanks to Linux allowing that, whereas windows needed
drivers last I checked (win 2000 days, but the network driver model was still
the same for win 7 and even later iirc)

~~~
pjmlp
Windows Filtering Platform also has a user mode component.

~~~
beagle3
That's good to know.

Can it divert, modify and delay packets? Or just have a set of rules for
go/no-go?

~~~
pjmlp
Not sure, as I never used it. The filter engine runs in user space and several
behaviors can be implemented as COM instances.

[https://docs.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-architecture-overview](https://docs.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-architecture-overview)

------
ct0
I always wondered what the windows equivalent was, knowing how well received
the app has been for mac users.

~~~
dikei
There are loads of firewall applications on Windows: ZoneAlarm, Comodo, Tinywall.
Some use their own packet filtering driver, while some are just frontends for
Windows' built-in firewall.

I used to run these for a while, but it gets annoying real fast with the large
number of pop-ups. So now I've stopped using them, and only block known bad IPs
using my Pi-hole, allowing everything else.

~~~
tbyehl
> only block known bad IPs using my Pi-hole

I'd consider this too nit-picky in most contexts, but we're in a thread about
connection-blocking software. PiHole is a DNS server. It cannot block IPs or
connections.

I'm with you that Little Snitch style filtering gets annoying, but DOH is
going to obsolete PiHole / DNS filtering very fast. Can't filter DOH at the
gateway without taking on all the other hassles of MITM and can't prevent an
app from using whatever DOH server it chooses.

------
nathants
i wanted something a bit simpler, so forked and reduced. recently dropped path
matching except for display in the visual prompt, simple global firewall,
inbound and out. as others noted, path matching is quite janky. never saw a
use of libnetfilterqueue before this, so hats off to evilsocket.

[https://github.com/nathants/tinysnitch](https://github.com/nathants/tinysnitch)

------
I_am_tiberius
Great that this exists. I really like the application. Here are some issues:

- There's a countdown when an unknown outgoing connection is discovered - the
countdown is currently not being stopped when you focus the countdown window.
The countdown is only 15 seconds or so - if the countdown is over, it
automatically approves the connection.

- Rules cannot be edited via the python interface. There is one config file
per rule though.

- My computer has been freezing sometimes since I started using it. Not sure
but that behavior is related to the tool.

- Sometimes high cpu usage.

- It would be great to have some kind of rule-set which can be used as a
starting point (optionally).

- Python interface is slow. Generally not a fan of client applications that
are based on Python.

~~~
beagle3
All the defaults are configurable (with a config file, not GUI). I have set it
to “default deny” and 60 secs.

------
pjmlp
Nice to see it implemented in Go instead of C, one more example of systems
software.

------
anaphor
You could do something like this more efficiently using eBPF I bet. E.g. based
on TCPLife
[https://github.com/iovisor/bcc/blob/master/tools/tcplife.py](https://github.com/iovisor/bcc/blob/master/tools/tcplife.py)

------
parvenu74
What is the Windows equivalent of this tool?

~~~
aargh_aargh
About 15 years ago this kind of "application firewall" used to be really
popular on Windows. IIRC, ZoneAlarm and/or Kerio was really popular? And some
Antivirus software also included an application firewall. Can't vouch for
anything particular these days, though, haven't used such a thing for a long
time.

~~~
pdonis
The problem with all such applications on Windows was (and probably still is)
that it was too easy to install something that could bypass them at the
network layer.

The other issue was that their blocking wasn't fine-grained enough; you
couldn't, for example, do what others are describing elsewhere in this thread,
allowing an application like firefox to connect to a particular site on a
particular port only. You could only allow or block the application itself.
You could tell the firewall to explicitly ask you on every request, but of
course that wasn't feasible for apps like Internet Explorer. So anything that
wanted to get around the firewall could just script Internet Explorer to send
its request in the background and you would never see it.

~~~
dikei
> allowing an application like firefox to connect to a particular site on a
> particular port only.

Eh, this is such a basic task that even Windows' built-in firewall can do it.
They just do not make it very obvious in the UI.

~~~
pdonis
_> even Windows' built-in firewall can do it_

If it can now, that's progress. Windows didn't even have a built-in firewall
back when third-party firewalls like ZoneAlarm were popular.

~~~
joshuaissac
Zone Labs released ZoneAlarm in 2000. Microsoft shipped Windows XP with the
built-in Internet Connection Firewall (later rebranded to Windows Firewall) in
2001. ZoneAlarm was far more intuitive to use, but there was only one year
when Windows did not have a built-in firewall while ZoneAlarm was already out.

~~~
dikei
To be fair, Windows XP's firewall cannot block outgoing connections, only
incoming ones. Vista SP1 and later versions of Windows include a firewall with
outbound blocking.

------
ChrisMarshallNY
Good show! I use Little Snitch for my computer. It really does rat out the
apps that want to tell others about me.

------
eecc
Considering that LittleSnitch is a TM, I don’t expect this project to last
long with the current name...

~~~
_-___________-_
Seems to have lasted quite a while already...

------
qwerty456127
I would even pay for a LittleSnitch clone for Linux if it worked nearly as
good as LittleSnitch does.

~~~
m463
it would be nice to have a littlesnitch box for the network

~~~
qwerty456127
There already are enough powerful network-level firewalls available for Linux.
The key feature of LittleSnitch missing on Linux is controlling network
activities of _particular applications_ on your computer.

~~~
mokus
That’s one key feature, but another is the real-time approval UI. I’d love to
have that for my other network devices like printers, video game consoles,
etc.

If I had that I might even consider off-the-shelf “smart home” stuff but for
now I just won’t buy any such hardware unless it’s 100% local with wires
and/or 802.1X support, and even then I don’t really trust it.

~~~
qwerty456127
Try Vuurmuur. It's not exactly what you describe but pretty close to that.

------
jedisct1
I've never been a fan of that kind of application.

As a user, it ruins the usability of the operating system. Having alert boxes
constantly popping up feels empowering at first, and eventually becomes really
annoying and distracting.

As a developer, it breaks your application's expectations and is the root
cause of hard to diagnose bug reports. People don't understand what they do
and end up breaking software updates (making applications _less_ secure) or
other applications features.

~~~
eugeniub
As a user, you don’t have to use it.

As a developer, you kind of have to just accept users taking back their own
privacy and work around it.

------
knolax
I'm not too familiar with this but would it be possible to spoof the process
command to evade any relevant rules?

------
boarnoah
Neat, really liked the idea of lil snitch.

Is the UI a python web app or a Qt desktop app? There are references to both in
the readme.

~~~
arnado
I think it's a python Qt app.

There is also an open issue for tracking a replacement UI in Go

------
ct520
Looking for something similar but on windows, suggestions?

------
bigcohoneypot
Finally

