OpenSnitch - an Application Firewall for Linux [Review]

Just because Linux is a lot more secure than Windows does not mean you should not be cautious. There are a number of firewalls available for Linux that you can use to make your Linux system more secure. Today we will be taking a look at one such firewall tool, OpenSnitch.

What is OpenSnitch?

OpenSnitch is a port of Little Snitch, an application firewall designed solely for Mac OS. OpenSnitch was created by Simone Margaritelli, also known as evilsocket.

The main thing that OpenSnitch does is track internet requests made by applications you have installed. OpenSnitch allows you to create rules for which apps to allow to access the internet and which to block. Each time an application that does not have a rule in place tries to access the internet, a dialog box appears. This dialog box gives you the option to allow or block the connection.

You can also decide whether this new rule applies to the process, the exact URL it is attempting to reach, the domain that it is attempting to reach, to this single instance, to this session or forever.

OpenSnitch rule request

All of the rules that you create are stored as JSON files, so you can change them later if you need to, for example if you incorrectly blocked an application.
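As an added example (not part of the original article or the OpenSnitch project), this script lists the permanent, whole-application rules in a rule directory so they can be reviewed and edited by hand. The field names and operand values are assumptions about the rule file layout, and the sample rules are constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed rule layout (the article does not show it): top-level "action",
# "duration", "enabled", and an "operator" object with "operand" and "data".
BROAD_OPERANDS = {"process.path", "process.command"}  # rule covers the whole app


def audit_rules(rules_dir):
    """List permanent whole-application rules and files that cannot be parsed."""
    findings = []
    for path in sorted(Path(rules_dir).glob("*.json")):
        try:
            rule = json.loads(path.read_text(encoding="utf-8"))
            operator = rule["operator"]
            action, duration = rule["action"], rule["duration"]
            operand, data = operator["operand"], operator["data"]
        except (OSError, ValueError, KeyError, TypeError) as exc:
            # A file that does not parse needs manual attention.
            findings.append((path.name, "unparseable", type(exc).__name__))
            continue
        if not rule.get("enabled", True):
            continue
        if duration == "always" and operand in BROAD_OPERANDS:
            findings.append((path.name, f"permanent {action}", data))
    return findings


def demo():
    """Audit constructed sample rules written to a temporary directory."""
    def rule(action, operand, data):
        return json.dumps({"enabled": True, "action": action, "duration": "always",
                           "operator": {"type": "simple", "operand": operand, "data": data}})
    samples = {
        "allow-firefox.json": rule("allow", "process.path", "/usr/lib/firefox/firefox"),
        "allow-git-github.json": rule("allow", "dest.host", "github.com"),
        "deny-falkon.json": rule("deny", "process.path", "/usr/bin/falkon"),
        "broken.json": "{not json",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        return audit_rules(tmp)


if __name__ == "__main__":
    for name, kind, detail in demo():
        print(f"{name}: {kind}: {detail}")
```

Point `audit_rules` at the directory where your installation stores its rule files; rules scoped to a single host are left out of the report on purpose.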

OpenSnitch also has a nice graphical user interface that lets you see at a glance:

  • What applications are accessing the web
  • What IP address they are using
  • What user owns it
  • What port is being used

You can also export the information to a CSV file if you wish.

OpenSnitch is available under the GPL v3 license.

OpenSnitch processes tab

Installing OpenSnitch in Linux

The installation instructions on the OpenSnitch GitHub page are aimed at Ubuntu users. If you are using another distro, you will have to adjust the commands. As far as I know, this application is only packaged in the Arch User Repository.

Before you start, you need to have Go properly installed and the $GOPATH environment variable defined.

First, install the necessary dependencies.

sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip
go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
python3 -m pip install --user grpcio-tools

Next, you will need to clone the OpenSnitch repo. There will probably be a message that no Go files were found. Ignore it. If you get a message that git is missing, just install it.

go get github.com/evilsocket/opensnitch
cd $GOPATH/src/github.com/evilsocket/opensnitch

If the $GOPATH environment variable is not set up correctly, you will get a “no such folder found” error on the previous command. Just cd into the location of the “evilsocket/opensnitch” folder that was listed when you cloned it to your system.

Now, we build and install it.

make
sudo make install

If you get an error that the dep command could not be found, add $GOPATH/bin to your PATH.

Once that is finished, we will initiate the daemon and start the graphical user environment.

sudo systemctl enable opensnitchd
sudo service opensnitchd start
opensnitch-ui

OpenSnitch on Manjaro

Experience

I’ll be honest: my experience with OpenSnitch was not great. I started by trying to install it on Fedora. I had trouble finding some of the dependencies. I switched over to Manjaro and was happy to find it in the Arch User Repository.

Unfortunately, after I ran the installation, I could not launch the graphical user interface. So I ran the last three steps by hand. Everything seemed to be working fine. The dialog box popped up asking me if I wanted to let Firefox visit the Manjaro website.

Interestingly, when I ran an AUR tool, yay, to update my system, the dialog box requested rules for yay, pacman, pamac, and git. Later, I had to close and restart the GUI because it was acting up. When I restarted it, it stopped asking me to create rules. I installed Falkon and OpenSnitch did not ask me to give it any permissions. It did not even list Falkon in the OpenSnitch GUI. I reinstalled OpenSnitch. Same issue.

Then I moved to Ubuntu Mate. Since the installation instructions were written for Ubuntu, things went easier. However, I ran into a couple issues. I tweaked the installation instructions above to fix the problems I encountered.

Installation was not the only issue that I ran into. The dialog box that appeared every time a new app created a connection only lasted for 10 seconds. That was barely enough time to explore the available options. Most of the time, I only had time to allow an application (only the ones I trust) to access the web forever.

The GUI also left a bit to be desired. For some reason, the window was set to be on top all of the time. On top of that, there is no setting to change it. It would also have been nice to have the option to change rules from the GUI.

OpenSnitch hosts tab

Final Thoughts on OpenSnitch

I like what OpenSnitch is aiming for: an easy way to control what information leaves your computer. However, it has too many rough edges for me to recommend it to a regular or hobby user. If you are a power user who likes to tinker and dig for answers, then maybe this is for you.

It’s kinda disappointing. I would have hoped that an application that recently hit 1.0 would be in a little better shape.

Have you ever used OpenSnitch? If not, what is your favorite firewall app? How do you make your Linux system more secure? Let us know in the comments below.

About the author
John Paul Wohlscheid

My name is John Paul Wohlscheid. I'm an aspiring mystery writer who loves to play with technology, especially Linux. You can catch up with me at: http://johnpaulwohlscheid.work/
