
Posted by pluc 22 hours ago

LittleSnitch for Linux (obdev.at)
1239 points | 407 comments | page 3
hackingonempty 22 hours ago|
LittleSnitch doesn't tattle on itself phoning home.
p-e-w 21 hours ago||
Is that true? If so, that’s not a good sign. I remember how impressed I was by ZoneAlarm in the early 2000s asking permission for itself to connect to the Internet, using the exact same dialogue it presented for any other program, with no dark patterns suggesting that the user should give preferential treatment to it.
jshier 21 hours ago|||
Doesn't seem to be, I can see LittleSnitch itself connecting to yoyo.org and obdev.at. GP may be referencing a past bug, either in LittleSnitch or macOS.
littlesnitch 12 hours ago||
If it connects to yoyo.org, you have subscribed to Peter Lowe's blocklist and Little Snitch is trying to update the list from there.
jshier 8 hours ago||
I have, yes. Didn't bother to check the domains, just wanted to say they were visible.
allthetime 17 hours ago|||
It does… and if it didn’t it would be trivial to prove.
littlesnitch 12 hours ago||
Any proofs for this claim?
brachkow 10 hours ago||
LittleSnitch for Mac is a good looking app.

I always thought that ugly UIs on Linux are because good designers do not intersect well with programming enthusiasts.

But looking at how ugly the same app looks on Linux, I’m starting to think it could be a technical limitation. Can someone elaborate?

mfro 10 hours ago|
It just depends on the UI frameworks available to developers and their interest in building something good-looking. Different UI frameworks are available for different platforms, and there are only a few good ones that are cross-platform. Qt and GTK are pretty common for linux apps and typically don't look great.
tankenmate 17 hours ago||
I'm so surprised that so few people have heard of Portmaster, it's been around for years and runs on Linux (and Windows if you must). And if you don't need traffic history it's free.
cyberpunk 17 hours ago|
portmaster is the tool i use for upgrading installed ports on freebsd since… like… olden times.
TheTaytay 19 hours ago||
I’ve been researching the “best” way to build a little outbound network proxy to replace credential placeholders with the real secrets. Since this is designed to secure agent workloads, I figured I might as well add some domain blocking, and other outbound network controls, so I’ve been looking for Little-snitch-like apps to build on. I’ve been surprised to find that there aren’t a ton of open source “filter and potentially block all outbound connections according to rules”. This seems like the sort of thing that would be in a lot of Linux admins’ toolkit, but I guess not! I appreciate these guys building and releasing this.
LoganDark 19 hours ago|
Something almost no firewalls get right is pausing connections (NOT rejecting them) until I've decided whether to allow or not. The only firewalls I've seen do this are Little Snitch for Mac, and Portmaster for Windows (before they made it adware / started locking existing local features behind the subscription).
Avicebron 19 hours ago|||
Firewalls don't do this because they are built at the wrong layer to do proper pending calls. It's too narrow of a design space for most firewalls to care.
LoganDark 19 hours ago||
True, most firewalls aren't built to pause for user input. But then again, that's why almost no firewall software is suitable for this user experience.
tankenmate 17 hours ago||||
I use Portmaster (on Linux) and I have never seen ads (either in the app or apps that get their DNS from Portmaster) on it. About the only thing I saw different between the free version and the base level paid for version was traffic history and weekly reports (and badges on Discord if that's your kind of thing).
LoganDark 8 hours ago||
Both used to be free. And you may not consider it advertising when unavailable features exist in the free UI just to tell you they're paid, but I do. Especially when they used to be free.
jcgl 14 hours ago|||
OpenSnitch seems to do this just fine? Unless I’m misunderstanding your point. Connections seem to just block until I take an action on the dialog. Now, if an application itself has specified a short timeout (looking at you, NodeJS-based stuff), that obviously doesn’t help. But for most software it works great.
riobard 15 hours ago||
>> The macOS version uses deep packet inspection to do this more reliably. That's not an option here.

I thought it would be easier to do DPI on Linux than macOS. No???

littlesnitch 10 hours ago||
eBPF is very limited in the code complexity you can achieve. DPI on QUIC, for example, needs a lot of cryptography. That's simply not possible in eBPF. DPI on ordinary TLS still requires that you collect enough network packets to get the name, hold them back until you have a decision and then re-inject them. Holding back packets is not even possible at the layer where we intercept. And even if we find a layer to do this, it adds enough complexity that we no longer pass the verifier.
amonith 15 hours ago||
Yeah I thought that was one of the primary use cases of eBPF. Not an expert though, just read about some of these things.
eviks 18 hours ago||
Does it leak your IP like the Mac version?

https://news.ycombinator.com/item?id=35363343

> Little Snitch for Linux is not a security tool.

Maybe not?

> Its focus is privacy:

Or maybe yes?

littlesnitch 12 hours ago|
You are referring to the TCP three way handshake problem here. The macOS version is bound by the API provided by Apple: We get the API call for filtering only after the three way handshake has started.

The Linux version is limited in complexity. It has to decide immediately. This has the consequence that no packet leaves the machine if the connection is denied, but on the other hand it means that it's easier to trick. The macOS version can inspect the first packet sent (deep packet inspection) to find the remote host name in TLS headers. The Linux version relies on heuristics: The most recent lookup seen which returned the IP address determines the name. This part is Open Source and you can inspect the algorithm.
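
The name heuristic described in the comment above, as an added example that is not part of the thread and is not Little Snitch's code: the most recent DNS answer containing an IP names the connection, and the tracker also reports when other live lookups returned the same IP. The class and function names, the TTL-based expiry, and the sample names and addresses are assumptions constructed for illustration.

```python
# Added illustration; not Little Snitch code. Names, IPs and TTL handling are constructed.
from collections import defaultdict


class DnsNameTracker:
    """Attribute a remote IP to the most recent DNS lookup that returned it."""

    def __init__(self, max_age=300.0):
        self.max_age = max_age           # assumption: cap on how long an answer is trusted
        self._seen = defaultdict(dict)   # ip -> {name: (seen_at, expires_at)}

    def observe_answer(self, now, name, ips, ttl):
        """Record one DNS answer observed at time `now` (seconds)."""
        name = name.lower().rstrip(".")  # DNS names are case-insensitive
        for ip in ips:
            self._seen[ip][name] = (now, now + min(ttl, self.max_age))

    def attribute(self, now, ip):
        """Return (name, other_live_names) for a new connection to `ip`."""
        entries = self._seen.get(ip, {})
        live = {n: seen for n, (seen, exp) in entries.items() if exp >= now}
        if not live:
            return None, []              # no lookup seen: the connection has no name
        best = max(live, key=live.get)   # most recent lookup wins
        return best, sorted(n for n in live if n != best)


def evaluate(tracker, now, ip, allowed_names):
    """Name-based allow rule that reports when the attribution is not unique."""
    name, others = tracker.attribute(now, ip)
    if name is None:
        return "ask: no name known for " + ip
    verdict = "allow" if name in allowed_names else "deny"
    if others:
        verdict += " (ambiguous: %s also resolved to %s)" % (", ".join(others), ip)
    return verdict


def demo():
    t = DnsNameTracker()
    # Constructed events: two names served from one shared address.
    t.observe_answer(0.0, "updates.example.com.", ["203.0.113.10"], ttl=60)
    t.observe_answer(5.0, "Telemetry.Example.NET", ["203.0.113.10"], ttl=60)
    allowed = {"updates.example.com"}
    return [
        evaluate(t, 6.0, "203.0.113.10", allowed),    # latest lookup was telemetry
        evaluate(t, 100.0, "203.0.113.10", allowed),  # both answers expired
        evaluate(t, 6.0, "198.51.100.7", allowed),    # never looked up
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the decision has to be made from the IP alone, a rule written against a host name is only as precise as this mapping; surfacing the ambiguous case lets the user review rules that touch shared addresses.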

your_challenger 13 hours ago||
I use Lulu on my mac. Is it good enough (compared to LittleSnitch)?
notpushkin 6 hours ago||
Haven’t tried LittleSnitch, but from what I see it’s on par as far as features go. LuLu’s UI could use some improvements, but otherwise it’s perfectly fine for the job.
VladVladikoff 9 hours ago||
I would say it's better.
hiccuphippo 5 hours ago||
Awesome. I always felt Linux was missing a per-application firewall. I didn't dig much into it but at least iptables didn't have rules for that when I looked.
cromka 16 hours ago||
I know it sounds crazy at this point, but with popular YouTubers switching to Linux, gamers overall well-aware of Steam on Linux advantages and switching as well, plus popular software like LittleSnitch getting ported, 2026 can without irony be named as Year of Linux Desktop, right?
notThrowingAway 13 hours ago||
The year of the Linux Desktop will always be $CURRENT_YEAR + 1
pyrale 7 hours ago|||
To me, the year's in the past. I haven't touched Windows since 2017, and nothing bad happened to me.

But you're right, I guess for some people, there will already be a good reason not to use Linux.

neocron 6 hours ago||||
I did the switch in 2013 and haven't missed it. For games I ran vga_passthrough and later VFIO and others until pretty recently (I think right after covid I switched to steam directly on linux)
stronglikedan 7 hours ago||||
The year of the Linux Desktop will be powered by fusion.
dmos62 13 hours ago|||
What do you call a fallacy where it is implied that the future will be like the past?
almostjazz 10 hours ago|||
Problem of induction: https://en.wikipedia.org/wiki/Problem_of_induction
xpe 10 hours ago||||
Reminds me about schools of thought on rates of change:

  > ## Accelerating Change [One School]
  >
  > Our intuitions about change are linear; we expect roughly
  > as much change as has occurred in the past over our own
  > lifetimes. But technological change feeds on itself, and
  > therefore accelerates. Change today is faster than it was
  > 500 years ago, which in turn is faster than it was 5000
  > years ago. Our recent past is not a reliable guide to how
  > much change we should expect in the future.
  >
  > Strong claim: Technological change follows smooth curves, 
  > typically exponential. Therefore we can predict with fair
  > precision when new technologies will arrive, and when they
  > will cross key thresholds, like the creation of [AI].
  >
  > Advocates: Ray Kurzweil, Alvin Toffler(?), John Smart

  https://www.yudkowsky.net/singularity/schools
mayukh 8 hours ago||
linear % change implies exponential change in absolute terms
j-bos 11 hours ago||||
Maybe similar to boy who cried wolf?
BeetleB 7 hours ago|||
"The future aint what it used to be."
raincole 13 hours ago|||
> 2026 can without irony be named as Year of Linux Desktop, right?

For whom? Average desktop users? Average users don't know what LittleSnitch is, let alone calling it "popular software."

watusername 8 hours ago|||
For Linux desktop users. A bit of tongue-in-cheek but that's pretty much the argument that I've heard in some circles ("it works for us and not going away anytime soon - why waste time convincing others?").
cromka 11 hours ago|||
That's some beautiful, text-book straw man!
raincole 11 hours ago||
?

So for whom?

dainank 15 hours ago|||
I think there is a lot of talk (and this is good), but very little action. Market share is still incredibly low for LNX. I believe only a small subset of people actually attempt the jump from WIN to LNX (since most just want to play their games and run their programs without hassle) and then quickly realize that it's tougher than they anticipated and swiftly return to WIN.
Latty 14 hours ago|||
This is true, but also the original comment still stands: Linux desktop usage outside developers was so low that it was barely worth mentioning before, so even a small uptick like this is a serious change, and it's how bigger changes start.

I definitely don't think it's even the likely outcome, but for Linux to get serious traction this is how it has to start: power users but not the traditional developer crowd start actually moving, and in doing so produce the guides, experience, word of mouth, and motivation that normal people need to do so, alongside the institutional support from Valve to actually fix the bugs and issues.

It remains to be seen if a critical mass will find it usable long-term, but if it were to happen, this is how it would look at the start, and Microsoft are certainly doing their best to push people away right now, although I suspect the real winner is more likely to be Apple with the Macbook Neo sucking up more of the lower end.

sgbeal 12 hours ago||
> Microsoft are certainly doing their best to push people away right now

According to a speculative blog post by Eric S. Raymond in September 2020, Microsoft is literally moving towards replacing Windows' internals with Linux. Unfortunately, that post is now unreachable, but searching for "eric raymond article about windows being replaced with a linux kernel" finds many third-party references to it and summaries of it.

zbikowski 10 hours ago||
Last phase of the desktop wars? by Eric Raymond: https://esr.ibiblio.org/?p=8764
Doxin 15 hours ago||||
5% on the steam survey though. The jump isn't quite as big from previous years as it seems as they did some corrections to the statistics this year, but 5% is nothing to sneeze at.
npodbielski 14 hours ago||
Exactly! I personally in 2010 would never have thought about the time when one in every 20 gamers will be a Linux user. That is huge IMHO.
veber-alex 12 hours ago||
I wouldn't be too excited. Statistics like this are very problematic.

For example, I have Steam installed on my Macbook pro and I occasionally play a single very simple game there. Does that make me a macOS gamer? Of course not. The vast majority of games I want to play don't work on macOS.

I suspect that most of those 5% are just Linux users who have steam installed and play a small amount of games. Some probably just installed it to check what's available and don't play anything.

Everyone I know who is a "serious" gamer, as in excited about upcoming releases of AAA games, is using Windows.

dainank 9 hours ago|||
Indeed. The bigger problem is also that consistently the most played games are multiplayer competitive titles with anti-cheat software that is only written for Windows (and sometimes MacOS). I suppose this issue will solve itself, once enough people start playing on Linux. Then developers will be forced to support that too in order to not lose too much of their player base, but we are still a far cry from this threshold.
npodbielski 12 hours ago|||
That would mean that it still would be around 0,5%. If you want to split the hair probably 4,5% of this 5% is Steam Deck.
aqme28 13 hours ago||||
As someone who did make the jump, it was actually a lot easier than I anticipated. I encourage others to do the same. The only games I can't play are some AAA multiplayer games I wasn't particularly interested in anyways.
dainank 9 hours ago||
I think for people who are browsing this site, it will certainly be easier than expected. For the average person, most likely not.
rounce 14 hours ago||||
What’s with the weird abbreviations?
kwanbix 10 hours ago|||
He is saving 4 keystrokes out of ~400 by typing LNX instead of Linux.
freedomben 10 hours ago||
But holding the shift key makes up for it, so seems like a bad strategy
dainank 9 hours ago||
You are overthinking it. It is neither a strategy nor keystroke saving (although technically with shift it's 4 keystrokes as opposed to 5 for Linux and quite a few saved for Windows). I just typed that without thinking probably because it looks better and reads a bit easier (subjectively).
Forgeties79 9 hours ago|||
I hope more and more folks who want gaming computers realize how turnkey bazzite is, especially if you’re team red. It’s pretty remarkable
lilOnion 13 hours ago|||
2026 is the year of the linux phone. We need to embrace that the year of the linux desktop (2025) was successful.
lossyalgo 7 hours ago|||
According to latest Steam stats[0], Linux hit > 5% for the first time ever, so definitely successful (to some degree).

[0] https://store.steampowered.com/hwsurvey/steam-hardware-softw...

gonzalohm 10 hours ago||||
I wish. I'm tired of not owning my phone. But I don't see a push being done to get a proper Linux phone
ta8903 11 hours ago||||
Sadly year of the linux phone feels like it's getting farther away.
delusional 8 hours ago|||
What does "the year of the Linux phone" mean when half the phones already run Linux?
Forgeties79 6 hours ago|||
Android/Google does not fulfill the spirit of that. Yes it’s technically Linux, but it’s not what one expects from a Linux experience. We all know this, we all know Linux is under the hood, but “Linux phone” is basically shorthand for more user control, more open source aspects, more secure/private, and far away from companies like Google/apple/etc. Android phones do not fill that request even with graphene and such. Google still has too much control.
mavhc 7 hours ago|||
And the other half run BSD
a-dub 7 hours ago|||
kde linux may make it happen. that and command line agents that help people fix their systems.
Forgeties79 5 hours ago||
It’s definitely what converted me (steamOS first real experience, then mint, pop, and now bazzite)
Perz1val 15 hours ago|||
Also unrelated, but more linux gamers proves my personal observation that on the spectrum of computer literacy gamers are just below powerusers and programmers. We see more less technical people migrate over to Linux gradually and now it's gamers' turn. Well, that's kind of obvious for everybody except Microsoft apparently.
brainzap 13 hours ago|||
does wifi work yet? last year it didn't for me
weberer 13 hours ago|||
Wifi has been working out of the box for close to 20 years now. On some computers with old Broadcom cards, you have to enable non-free drivers. What model are you using?
janc_ 10 hours ago||||
WiFi works fine if there are drivers for whatever WiFi chip you have.

Unfortunately there are no standards for OS to talk to WiFi devices like exist for many other types of hardware, so it’s not possible to make generic drivers.

JoBrad 10 hours ago||||
Did you forget your WiFi password?
einsteinx2 9 hours ago||||
yes
IshKebab 3 hours ago|||
Wifi and Bluetooth are pretty decent now. As far as I can tell the biggest blockers are:

* Laptop battery life. Still in the "it's fine; I get 5 hours!" stage.

* Wayland & graphics. It's still a mess. Getting there though. Probably will be ok in about 5 years I'd guess.

* RAM management. I don't know why nobody cares about this but when Mac or Windows run low of RAM I don't even notice. With Linux it either hard freezes and reboots, or hard freezes for like 5 minutes and then kills a completely random program. How is that ok? My solution here was to upgrade both my computers to 128 GB of RAM, but that isn't really a viable option today!

* General bugginess. Both KDE and Gnome are just not as rock solid as Windows 11. I know I'll get downvoted for this but I haven't experienced a single crash on Windows 11 (and no ads or bloatware because I did research and used the LTSC edition). In KDE, much as I love it, the taskbar crashes regularly and I cannot make head nor tail of the completely random order it wants to put windows in. You can't even drag them into a sensible order. Gnome was not much better.

Still KDE is a lot better now than it was in the kidney bean days so I reckon in another 5 years it will probably be pretty solid too.

cromka 41 minutes ago||
> * Laptop battery life. Still in the "it's fine; I get 5 hours!" stage.

Not on ARM, though! Getting 8-10h here easily.

> * RAM management

Agreed, since I switched to Linux, I am getting regular OOM on my 16GB laptop.

IshKebab 15 hours ago||
No.
dSebastien 16 hours ago|
I've been using Simplewall on Windows for a while but I think it's not maintained anymore. Need to find an alternative
high_priest 16 hours ago|
Fort Firewall is my tool of choice. Each connection requires explicit approval.
efilife 15 hours ago||
same with simplewall