Little Snitch for Linux
150 points by ehamberg
What a cool effort! This write-up made me smile.
One important note: unlike the macOS version, Little Snitch for Linux is not a security tool. eBPF provides limited resources, so it's always possible to get around the firewall for instance by flooding tables.
I'd like to learn more about what's behind this observation.
eBPF will drop packets instead of back pressure. You can't rely on eBPF for security related networking tasks.
Haven't seen this mentioned, but pointing out that this is proprietary.
Little Snitch for Linux has three components. The eBPF kernel program and the web UI are both released under the GNU General Public License version 2 and available on GitHub. The daemon (littlesnitch --daemon) is proprietary, but free to use and redistribute.
I thought they did a solid job disclosing that:
The kernel component, written for eBPF, is open source and you can look at how it's implemented, fix bugs yourself, or adapt it to different kernel versions. The UI is also open source under GPL v2, feel free to make improvements. The backend, which manages rules, block lists, and the hierarchical connection view, is free to use but not open source. That part carries more than twenty years of Little Snitch experience, and the algorithms and concepts in it are something we'd like to keep closed for the time being.
I know that doesn't help if you think all software should be free-as-in-freedom (I'd prefer that, but I empathize with people who don't feel able to release their software that way for whatever reason) but I thought it was a very clear, well-explained disclosure.
It was more targeted at the discussion on this forum; I was not under the impression they were trying to hide this.
Now I feel very angry.
"When you advertise on Mozilla’s Firefox and MDN Web Docs, you’ll connect with over 210 million selective, discerning, brand-loyal users. Because they trust us, they’ll trust you." - https://ads.mozilla.org
That last sentence!
... found OpenSnitch ... None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.
doesn't opensnitch do these things? i use it and can see that info in the main dash, and one-click allow/deny (+ additional filtering if wanted). you can see it in the opensnitch readme. it also uses ebpf.
Awesome! little snitch is one of the first things that go on my Mac, nice to see it on Linux too.
I particularly use it to encrypt my dns traffic
Delighted to see Little Snitch on Linux! Would love to use it, but I can't seem to get it to work on latest Fedora with 6.19 kernel:
processed 1000001 insns (limit 1000000) max_states_per_insn 65 total_states 47767 peak_states 68337 mark_read 0
Caused by:
Argument list too long (os error 7)
19799.449 WARN cannot stat mountpoint: "/run/user/1000/doc": EACCES: Permission denied
Just wondering if I am missing some dependencies, or something.
It seems to be due to btrfs, from https://obdev.at/products/littlesnitch-linux/download.html
Note: Little Snitch version 1.0.0 does not currently work with the Btrfs file system! Btrfs is used by default on Fedora, so Little Snitch does not currently identify processes on Fedora. We are working on a 1.0.1 release to fix the issue as soon as possible!
There's also portmaster, which does work on Linux, without needing a UI to run on the physical machine like opensnitch.
I'm excited to try this one though, especially since the configuration files seem like they could be generated, so it might be actually useful on NixOS, where the binary paths always change...
Unfortunate that it is non-free though.
the UI is the killer feature
I've run opensnitch, and I think the experience was pretty awful. At least out of the box.
The daemon would wait for a UI to connect before doing anything (just allowing all traffic in the meantime), not great for headless machines.
portmaster still has a UI, it's just web-based, and the application starts working immediately. It still asks about connections with timeouts and whatnot, just like opensnitch.