Posted by pluc 20 hours ago

LittleSnitch for Linux (obdev.at)
1223 points | 403 comments (page 2)
moduspol 9 hours ago|
I used Little Snitch on Mac a few years ago and liked it, though I wasn't a fan of how (necessarily) deep it had to be in the OS to work. It felt like one of those things where, the moment you have any kind of network connectivity issue, it's the first thing you need to disable to troubleshoot because it's the weirdest thing you're doing.

I guess what I'd really like is a middleware box or something that I could put on my home network, but would then still give the same user experience as the normal app. I don't want to have to log into some web interface and manually add firewall rules after I find something not working. I like the pop-ups that tell you exactly when you're trying to do something that is blocked, and allow you to either add a rule or not.

I'm probably straddling some gray area between consumer-focused and enterprise-focused feature sets, but it would be neat.

vanc_cefepime 8 hours ago||
I am the same, used Little Snitch for a few years back in the late 2000s, I think like 2010 until a few years back when I moved full-time to Linux. Back then, my parents had an iMac and I was the designated "IT" person to keep it running efficiently. My siblings had a bad habit of installing games and hack software on it for their games. I ended up purchasing a license and after the first few hours/days of configuring allow/block lists, it worked pretty well. It earned the label of "Little B*ch" from them since it would stop their gaming hacking apps from connecting and wreaking havoc. Eventually I learned to keep them on a standard user account and separate admin for installing software.

Long story you didn't ask for. Like I said, I haven't used Little Snitch in a while. I'll give this a whirl this weekend. What I have done over the past few years is run AdGuard Home on a mini home server. This has helped keep ads under control in our household and I have an easy "turn off adguard for 10 mins" in Home Assistant for the wife so she can do some shopping online since it can occasionally break some sites, but overall they tolerate adguard and think it's a good middle ground. I have a few block lists, nothing too crazy or strict to avoid breaking most sites. On the desktops/laptops, they all run Firefox w/ uBlock Origin.

dyauspitr 8 hours ago|||
How deep it was in the OS was exactly what I liked about it. I only wished it were open source so I'd know exactly what is happening with that level of access.
halfcat 9 hours ago||
I’ve also wanted something like this. The challenge is with an external appliance you lose awareness of which process is initiating the request.

This is solvable to some degree but requires varying degrees of new complexity depending how smooth of a user experience you’re aiming for.

karlzt 7 hours ago||
How does it compare to Portmaster?

https://news.ycombinator.com/item?id=29761978

Portmaster – Open-source network monitor and firewall [315 points | 113 comments]

https://news.ycombinator.com/item?id=23539687

Show HN: Block trackers system-wide on Linux/Windows, a Pi-hole “to go” alt

[6 points by davegson on June 16, 2020 | 2 comments]

https://news.ycombinator.com/submitted?id=davegson

Bromeo 20 hours ago||
How does it compare to opensnitch? https://github.com/evilsocket/opensnitch
sgc 18 hours ago||
I just tried littlesnitch and it did not resolve very many ips to domains, which is pretty basic. It also failed to identify most processes, and they were grouped under "Not Identified". It appears these are known limitations of the Linux version [1]. So for that alone I need to stick with opensnitch.

[1] "Little Snitch for Linux is built for privacy, not security, and that distinction matters. The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. That's not an option here." -- from https://obdev.at/products/littlesnitch-linux/index.html

littlesnitch 11 hours ago|||
Regarding unidentified processes: Little Snitch daemon must have been running when the process started in order to identify it reliably. It's best to reboot after installation so that Little Snitch starts before everything else. I should probably note this somewhere.

And regarding failed reverse DNS names: Little Snitch is sniffing DNS lookups. If lookups are encrypted, there is little it can do. We usually recommend DNS encryption at the systemd layer, not at app layer. This way we can see lookups on 127.0.0.53 and the actual lookup sent out is still encrypted.

Also, it's currently only sniffing UDP lookups, not TCP. The eBPF part is already very close to the complexity limits (700k instructions of allowed 1M) and adding TCP parsing would exceed this limit. It should be possible to forbid TCP port 53 with a rule, though. Some complex DNS lookups will fail, but routine things should still work.

patrakov 6 hours ago|||
The thing is, 127.0.0.53 is a fallback. The real default upstream is nss_resolve, which talks to systemd-resolved via non-DNS protocol on a UNIX-domain socket. Ubuntu disabled this in favor of the less-featured fallback. If you insist on sniffing DNS, you need to add instructions to disable the native nss_resolve module by not including it in /etc/nsswitch.conf.
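To make the two posts above concrete (the daemon sniffing UDP lookups to 127.0.0.53, and the point that nss_resolve bypasses that path entirely), here is an added example that is not code from the thread or from Objective Development. It takes the `hosts:` line of an nsswitch.conf and the text of a resolv.conf as strings (the samples are constructed) and reports whether an application's lookup would even reach the stub listener; the module names assumed are glibc's and systemd-resolved's standard ones.

```sh
#!/bin/sh
# Added example, not code from the thread or from Objective Development.
# A sniffer on UDP 127.0.0.53:53 only sees a lookup if glibc's NSS hands the
# name to the libc "dns" module AND /etc/resolv.conf points at the
# systemd-resolved stub listener. If the "resolve" module (nss_resolve) comes
# first, the query goes to systemd-resolved over a local socket and never
# appears as a DNS packet. Inputs are file contents passed as strings, so the
# script runs offline; the sample lines below are constructed.

# Print the first NSS hosts module that does network resolution:
# "resolve" (nss_resolve), "dns" (libc stub resolver) or "none".
first_resolver() {
    # drop the "hosts:" label and any [action] groups such as [!UNAVAIL=return]
    mods=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*hosts:[[:space:]]*//; s/\[[^]]*\]//g')
    for mod in $mods; do
        case $mod in
            resolve|dns) printf '%s\n' "$mod"; return 0 ;;
        esac
    done
    printf 'none\n'
}

# Print "yes" if the resolv.conf text routes libc DNS to the 127.0.0.53 stub.
uses_stub_listener() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' \
        && printf 'yes\n' || printf 'no\n'
}

# Combine both checks: "visible" means a UDP port 53 sniffer on the stub
# address would see the application's lookup; otherwise "hidden".
lookup_visibility() {
    hosts_line=$1; resolv_conf=$2
    if [ "$(first_resolver "$hosts_line")" = dns ] &&
       [ "$(uses_stub_listener "$resolv_conf")" = yes ]; then
        printf 'visible\n'
    else
        printf 'hidden\n'
    fi
}

# Constructed samples: a Debian/Ubuntu-style hosts line (libc dns module) and
# a distribution that enables nss_resolve ahead of dns.
UBUNTU_HOSTS='hosts:          files mdns4_minimal [NOTFOUND=return] dns'
RESOLVE_HOSTS='hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns'
STUB_RESOLV='nameserver 127.0.0.53
options edns0 trust-ad'
DIRECT_RESOLV='nameserver 192.0.2.53'   # RFC 5737 documentation address

# On a real host: lookup_visibility "$(grep '^hosts:' /etc/nsswitch.conf)" "$(cat /etc/resolv.conf)"
lookup_visibility "$UBUNTU_HOSTS" "$STUB_RESOLV"     # visible
lookup_visibility "$RESOLVE_HOSTS" "$STUB_RESOLV"    # hidden
lookup_visibility "$UBUNTU_HOSTS" "$DIRECT_RESOLV"   # hidden
```

The "hidden" results are exactly the cases the two posters describe: either nss_resolve never emits a DNS packet, or the libc resolver talks to an upstream other than the stub, so a daemon watching 127.0.0.53 cannot pair the later connection with a name.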
sgc 7 hours ago||||
If I don't know who my machine is talking to, the information is not very useful. So there needs to be a fallback on some level.

Perhaps there should be a mode where littlesnitch just does its own lookup using the system-configured rDNS, for example from the ui or for specific processes, etc? It should be cached if it is a recent lookup, so minimal performance implications; and offloaded to the system rDNS resolver, so minimal instruction set.

janc_ 8 hours ago||||
Not all "hostname lookups" by applications happen over DNS (or the DNS is done by something like systemd-resolved, which is often using encrypted lookups), so in many cases, depending on NSS configuration (e.g. 'file', 'resolve', 'db', 'nis', 'mymachines', 'libvirt', 'winbind', ...) this would never work?
WhyNotHugo 4 hours ago|||
I'm curious, why not do things like the DNS look-up from userspace?
a022311 10 hours ago||||
I guess that makes sense, since it's pretty new. OpenSnitch is great software in terms of functionality but I find the UI lacking. If LittleSnitch can keep the same functionality, while improving the UI, I'm switching. My other current concern here is that the LittleSnitch UI is just a Webview and I think it would be much better if there was a native option (ideally GTK-based for me, but Qt would also be acceptable). Webviews are slow and full of bloat.
jms703 4 hours ago||||
I wonder why LS can't be given access to systemd resolved stub resolver to get all my DNS lookups.
toredash 15 hours ago|||
Is there any DNS based software to do block/allow? Kinda like what's present in CiliumNetworkPolicies in Kubernetes networking?
M95D 14 hours ago|||
Yes, PiHole is the most common, but malware can easily bypass that using shared domains, P2P or IP addresses directly.

Use a filtering proxy instead and no gateway / route to the internet.

chupasaurus 5 hours ago||
1) Dnsmasq, you don't need the whole PiHole for that.

2) You're advising security through obscurity instead of a network namespace + firewall.

Milpotel 15 hours ago||||
You mean like PiHole or AdGuard?
gus_ 13 hours ago|||
OpenSnitch (+ block lists) ;)

or DNS stubs with filtering capabilities.

giancarlostoro 8 hours ago|||
Not sure, I was wondering the same, opensnitch is what I have installed but its not on currently, I probably got tired of it for whatever reason.
lapcat 20 hours ago|||
"I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click." https://obdev.at/blog/little-snitch-for-linux/
haswell 20 hours ago||
I've used OpenSnitch for years, and while LittleSnitch definitely has a better UI for showing which process is making which connections over time, OpenSnitch does a pretty good job here. I get a modal popup when a program that hasn't made a connection tries to make a connection, and I can either allow/deny in one click, or further customize the rule e.g. allowing ntpd to connect, but only to pool.ntp.org on port 123.

Where LittleSnitch is definitely ahead is showing process connections over time after said process has been allowed.

unsnap_biceps 19 hours ago||
When I looked at OpenSnitch (years ago), it didn't support running headless on a server. Am I mistaken about this, or has it changed?
sgc 18 hours ago|||
You can run daemons on several nodes (different machines) and view them all through a central ui, it is pretty cool.
mixmastamyk 18 hours ago|||
The UI is a separate package. Though you might just configure the firewall yourself at that point.
colesantiago 19 hours ago||
It is free, no subscription at all and truly open source.

As software should be.

lordmoma 19 hours ago||
how should maintainer make money?
abeyer 17 hours ago|||
Personally I'd be fine with a commercial license with source available here... the issue isn't the price, it's the fact that you're asked to MITM every network connection you make under the control of a binary blob.

I think it's fair to ask that a developer choosing to build a thing that requires that kind of access should be expected to err on the side of transparency.

7402 5 hours ago||||
I've happily been a paid user on macOS for years, I would guess the number of paid users there was able to fund the Linux development.
righthand 16 hours ago||||
You mean “how can I donate?”

https://github.com/evilsocket/opensnitch?tab=readme-ov-file#...

konart 14 hours ago||
So... what if the maker can't make it on donations only?
preisschild 13 hours ago||
Then development will stop and users don't have the software anymore.

If users consider this software important they should donate so they can keep using it.

veber-alex 10 hours ago||
How exactly is this different from paid software?
dizhn 9 hours ago|||
There is a ton of software that lives on because it matters to the developer(s). I know "but mah monetization" is huge on this forum but it's not an all encompassing rule and it does not completely reflect the existing reality.
bornfreddy 6 hours ago||
Strong disagree on this stance. You want to use the software? Cool, pay for it. Need access to source? It's on github, go nuts. Want to change it? Sure, feel free, but whoever uses it should pay the original developer. You can even charge extra for your modifications. Don't like the terms? Too bad - feel free to rewrite from scratch.

FOSS simply isn't sustainable if you want to make a living out of it. It protects a lot of user freedoms - even those that don't actually matter to users that much - at the expense of the rights of developers. There are a lot of ways that developers could be paid and users would still be protected (have access to source and the right to modify). The only ones benefitting from the current situation are BigTech.

/rant

dizhn 6 hours ago||
Who are we to dictate terms to or divine the intentions of someone who releases software with say the MIT license? It might sound surprising but a lot of developers just want to share their work altruistically. There are some you couldn't pay if you wanted to. It's all voluntary.

> FOSS simply isn't sustainable if you want to make a living out of it.

This is probably true enough. Yet there are a million open source projects that existed, some for decades. There has got to be another way and another motivation.

> even those that don't actually matter to users that much - at the expense of the rights of developers

I would assume those developers would use a different license or even create their own terms.

> The only ones benefitting from the current situation are BigTech.

Paying the original developers will not change this. Big tech is big. They take whatever they can, sometimes killing the original project in the process. Perhaps a license like GPL is the solution to that particular problem.

I don't mean to come off snarky. I do agree with a lot of the things that you're saying but I see the free software movement as a completely voluntary and human thing. You could not get rid of it if you wanted. Paying for it is an auxiliary thing and concentrates too much on the wrong thing IMO. A lot of free software developers are already gainfully employed, some are millionaires. Yes some are struggling but then they are still voluntarily sharing their work with the whole world. That must mean they have their valid reasons for doing so.

righthand 5 hours ago|||
The developer isn’t accepting a job offer to develop it, they’re accepting donations. That’s literally how the software devs for Opensnitch choose to receive payment.
foo12bar 18 hours ago||||
Hunt, gather.
SV_BubbleTime 16 hours ago||
There was also toolmaker to support the hunter and gatherer… so… back to square one.
preisschild 13 hours ago||||
open source / free software is not necessarily free as in free beer. You can sell GPL software.
microtonal 15 hours ago||
Wow. I have used Little Snitch on Mac for years, love this!

If anyone from obdev is reading, please give us a way to pay for it, even if it stays free :), I'd love to support development and would happily pay something between the price of Little Snitch and Little Snitch Mini.

Anyway, thanks a lot!

chawyehsu 3 hours ago||
Just tried it on my laptop. Unfortunately, my laptop got extremely hot about 10 seconds after installation. The resource monitor showed that it was eating up all of my laptop's CPU. In a panic I stopped the service and uninstalled it before I could even open the web UI. It was a really poor first impression.
mobeigi 7 hours ago||
I used to use a Windows firewall which basically hijacked a bunch of WinAPI calls and let me approve/deny every request. Trying to be a good secure boy I ran this setup for a while but it was exhausting. Every single action needed dozens of approval windows. After a while I removed the software. I reckon it is good situationally though, trying out a new program for first time (that isn't risky enough for a VM or sandbox), might be good to turn on a tool like this.
adrianwaj 16 hours ago||
There was a similar Show HN from 3 weeks ago. https://news.ycombinator.com/item?id=47387443 (open source too) - and there is a live window from all the machines in the swarm. https://dialtoneapp.com/explore - but only 2 so far. Maybe LittleSnitch can generate more data than this? Could end up an immune system for bad actors.

Anything new to get much better performance from low-spec machines that is idiot-proof is a game-changer.

alsetmusic 18 hours ago||
Congrats to Linux users on getting a great tool from a quality development shop. Objective Development is one of our (Mac users) exemplars for attention to detail and fit & finish.

Congrats to Objective Development for expanding their well-loved tool to a new platform. You guys rock.

ProllyInfamous 18 hours ago||
>attention to detail

Why does LittleSnitch (Mac) pre-resolve IP addresses, before user presses Accept/Deny?

IMHO DNS queries shouldn't initiate without user input.

littlesnitch 10 hours ago|||
Little Snitch is bound to the API provided by Apple. The NEFilterDataProvider API calls `handleNewFlow()` only after sending out the first IP packet.

Version 6 added DNS encryption and in principle we could filter lookups (similar to PiHole) at this level. That brings other issues, though: This filter is system-wide, so process-specific rules (and overrides) would not work. And results can be cached by mDNSResponder. So when a blocklist causes an issue, you may not be able to fix it by simply disabling the blocklist. But it's still something we consider.

ProllyInfamous 4 hours ago||
>in principle we could filter lookups

I've been telling people about y'all's DNS leaks for over a decade [3] — glad to finally hear back — most people won't believe me [0] until this flaw is demonstrated on their specific machine (easy enough). Those already using LittleSnitch will then typically set up better filtering (e.g. DNS white/blacklist, PiHole, et al.).

And until the behavior is fixed, I will keep spreading the good word. Does the Linux version have this same flaw (i.e. backend requirements similar to Mac initial IP leak)?

----

A very neat product (LittleSnitch), but I stopped using it solely for above reason [1]. IMHO, this flaw should be better documented in your installer/docs.

[0] e.g. they'll lament "there is no way the developer would allow that sort of leak/behavior!" Their denial is a helluva drug

[1] I had a 5-user site license, IIRC. Shortly after purchasing, I discovered above leakage so stopped using entirely [v3 user 33TEWP20B0-724KY-5XE522FEAC [2]]

[2] Go ahead and blacklist/cancel the above registration (it's a many-years-old version, barely used) – my current mailing address is in my user profile (no longer use email/phone). Would love to help/feedback to make your product better. Would also love a refund (all these years later, on principle)

[3] e.g: <https://news.ycombinator.com/item?id=35363343> (/hn/2023)

alsetmusic 16 hours ago|||
Question for devs, not me.
eviks 16 hours ago||
Did the "attention to detail" phrase come from devs or you?
alsetmusic 11 hours ago||
From me. OD is a great dev firm. Do you understand my statement?
ProllyInfamous 4 hours ago|||
>OD is a great dev firm

Please see my response to OD [I presume /u/littlesnitch is OD representative]. Nobody is disputing their "greatness" — I'm just criticizing a flaw in their approach to domain name filtering.

Hopefully OD will refund my original license (unused for many many many years, after I discovered this flaw). That would be good, in principle; good business. Hopefully OD will be more forthcoming in this vulnerability (or better disclose it) — or better yet: fix the unbelievable behavior.

eviks 11 hours ago|||
Do you understand that you can't redirect the question addressed to you to the devs if that question questions your own statement by pointing out that some important details are not attended to?
Avicebron 20 hours ago||
Probably should throw it out there that I'm building something inspired by LittleSnitch for Windows. Currently a bit stealthy about it. But when I crowd source the funding for a code signing cert I'll get it out there. Lots of inspiration from LittleSnitch, in spirit if not actual code.
forsalebypwner 19 hours ago|
I'd be curious to hear additional details if you can share - got a timeline, or somewhere I can enter my email address for updates? I'd love to alpha/beta test if you're looking for testers.

I've been a GlassWire user for years, which partially fills the role of LS, but not very well. Aside from the many performance issues I've seen, it's missing a lot of LS essentials. To be fair, I think the focus of GlassWire is more about visualizing traffic on your Windows computer, but I definitely believe there is a need for better Windows network software for power users.

Avicebron 19 hours ago||
It's a custom WFP driver. No timeline yet.

If you or I guess anyone is curious sereno[hyphen]alpha[dot]ramble[thenumberoftechn9ne'sfavoriterum]@passinbox.com

accidue 13 hours ago|||
The irony of having to ask AI to figure that out… we’ve come full circle.
forsalebypwner 13 hours ago|||
Just reached out (I think)
hiccuphippo 3 hours ago|
Awesome. I always felt Linux was missing a per-application firewall. I didn't dig much into it but at least iptables didn't have rules for that when I looked.