Posted by pluc 1 day ago

LittleSnitch for Linux (obdev.at)
1261 points | 413 comments | page 5
wolvoleo 20 hours ago|
Ohhh interesting. Little Snitch is one of 2 apps I miss from when the Mac was my daily driver. The other app was Pixelmator.
0xbadcafebee 22 hours ago||
> Compatible with Linux kernel 6.12 or higher

I know everyone today is used to upgrading every 5 seconds, but some of us are stuck on old software. For example, my Linux machine keeps rebooting and sucks up power in suspend mode because of buggy drivers in 6.12+, so I'm stuck on 6.8. (which is extra annoying because I bought this laptop for its Linux hardware support...)

littlesnitch 15 hours ago|
In theory, it could be possible to get the requirement down to 5.17, but I don't get around the verifier constraints on pre 6.12 kernels. Maybe somebody who is more experienced with eBPF and the verifier can help. This part is Open Source and you can replace it.
badc0ffee 23 hours ago||
Does anyone know how the blocking functionality works? I worked on some eBPF code a few years ago (when BTF/CO-RE was new), and while it was powerful, you couldn't just write to memory, or make function calls in the kernel.

Is there a userland component that's using something like iptables? (Can iptables block traffic originating from/destined to a specific process nowadays?)

littlesnitch 15 hours ago|
eBPF is extended in every kernel version. There is a layer where you get network packets and return a verdict. Little Snitch uses this type of eBPF function. You can look at the sources on GitHub.
thewanderer1983 16 hours ago||
Do Little Snitch and similar software work against solutions like Paqet?

https://github.com/hanselime/paqet

littlesnitch 13 hours ago|
On macOS, it requires access to /dev/bpf. That's why we added filter rules for bpf there.

On Linux, we intercept at a level where packets already have an Ethernet header. I hope that Paqet injects before this layer, but only a test can give the proof.

thewanderer1983 4 hours ago||
Thanks for the response. Sorry, I should have been less vague. Paqet works on raw sockets with KCP. Though it's intended for good. What's to assume bad actors aren't also using this method to get around solutions like littlesnitch?

A recent example, but not the only one, is an Iran botnet using this to get around detection.

https://cybersecuritynews.com/iran-linked-botnet-exposed-aft...

xrio 19 hours ago||
Back when I was still using macOS I loved Little Snitch and was a paying customer. And I agree nothing on Linux comes close. Would it be technically feasible to also provide this as a Flatpak to support immutable distros like Bazzite?
jcgl 18 hours ago||
I’m not aware of Flatpaks specifically having the capability to run system software, daemons, etc. Some other immutable packaging formats should be able to (systemd-sysext at least, and snap iirc).
littlesnitch 15 hours ago||
As far as I can tell, Flatpak does not allow a daemon running as root early during system boot.
xn--yt9h 19 hours ago||
Giving it a shot right now. Very easy setup, intuitive UI, but a lot of requests' processes are not identified (while they could easily be identified, as they belong to the browser that has some, but less, identified calls)
littlesnitch 15 hours ago|
Little Snitch must be running when the process starts in order to identify it correctly. You get less "Not Identified" if you run it for a while, or you should get none if you reboot and Little Snitch can start before everything else.

I would love to fix this requirement, but have not found a way yet.

altermetax 11 hours ago||
Low-effort take: can't you just run ss -tulpn repeatedly and parse the output?
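
The polling idea above, sketched as an added example (not code from the thread or from Little Snitch): a parser for `ss -tunp` output, run over a constructed snapshot. It drops `-l`, which restricts `ss` to listening sockets, and it exposes the two gaps a poller has: sockets printed with no owning process, and connections that open and close between two polls.

```python
import re

# Constructed sample of `ss -tunp` output (documentation address ranges only).
SNAPSHOT = """\
Netid State     Recv-Q Send-Q Local Address:Port     Peer Address:Port  Process
tcp   ESTAB     0      0      192.0.2.10:52344       198.51.100.7:443   users:(("firefox",pid=2211,fd=87),("firefox",pid=2250,fd=87))
tcp   TIME-WAIT 0      0      192.0.2.10:40122       203.0.113.5:443
udp   ESTAB     0      0      192.0.2.10:51820       198.51.100.53:53   users:(("systemd-resolve",pid=801,fd=14))
tcp   ESTAB     0      0      [2001:db8::10]:33000   [2001:db8::1]:443  users:(("curl",pid=3001,fd=5))
"""

# One ("name",pid=N,fd=M) entry inside the users:(...) column.
OWNER = re.compile(r'\("([^"]*)",pid=(\d+),fd=\d+\)')

def parse_ss(text):
    """Return one dict per socket; 'owners' is empty when ss printed no process."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 6)            # the Process column may be absent
        if len(fields) < 6:
            continue
        owners = OWNER.findall(fields[6]) if len(fields) == 7 else []
        rows.append({
            "proto": fields[0], "state": fields[1],
            "local": fields[4], "peer": fields[5],
            "owners": [(name, int(pid)) for name, pid in owners],
        })
    return rows

def unidentified(rows):
    """Sockets a poller cannot attribute to any process."""
    return [r for r in rows if not r["owners"]]

def new_since(previous, current):
    """Connections present in this poll but not the last one.
    Anything opened and closed between two polls appears in neither."""
    seen = {(r["proto"], r["local"], r["peer"]) for r in previous}
    return [r for r in current if (r["proto"], r["local"], r["peer"]) not in seen]

if __name__ == "__main__":
    for row in parse_ss(SNAPSHOT):
        who = ", ".join(f"{n}[{p}]" for n, p in row["owners"]) or "not identified"
        print(f'{row["proto"]:4} {row["local"]:>24} -> {row["peer"]:<24} {who}')
```

`ss -p` only resolves owners for processes the caller is allowed to inspect, so an unprivileged poller reports more unattributed sockets than one running as root.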
Myzel394 12 hours ago||
I hope they provide a binary without dynamic libraries so that we can use this on NixOS as well.
chirau 10 hours ago||
How does this work with WSL2? Will it monitor Windows traffic as well?
jimgill 10 hours ago|
Old bottle with new label, but good to keep an eye on interfaces