OpenSnitch Linux application firewall fork with improvements and bug fixes

OpenSnitch, an application firewall for Linux, is no longer under active development. That does not mean the project is over, though: Gustavo forked it about 8 months ago and has been improving it continuously since. OpenSnitch (fork) is a free and open source Linux application-level firewall consisting of a daemon (written in Go) and a GUI (PyQt5). It monitors the outbound connections your applications try to establish and blocks or allows them based on a set of rules (when no matching rule exists, it prompts the user to allow or deny the connection). The application was inspired by Little Snitch, a commercial host-based application firewall for macOS.

It is worth noting from the start that, just like the original OpenSnitch, the fork is under development, and its page says “don’t expect it to be error-free, and don’t rely on it for any type of security”. Keep that in mind as we go into the details.

Use OpenSnitch application-level firewall on Linux

Let’s take a look at how this application works. The OpenSnitch daemon runs in the background, and you run the OpenSnitch tray UI. When an application tries to access the Internet, a dialog prompts you to allow or deny the connection for this process (or port, etc.) once, for a few seconds or minutes, for this session, or forever.

OpenSnitch Linux application firewall prompt dialog

The dialog box shows information such as the application name, the domain name/IP it is trying to connect to, the port, the source IP, the destination IP and port, the user ID and the process ID.
The tray icon gives access to OpenSnitch network statistics (there is also a button to save the statistics to a .csv file):

OpenSnitch firewall network statistics

The GUI does not allow editing OpenSnitch rules, so after you have allowed or denied access to a process/application, you cannot change that decision from the GUI. Until the OpenSnitch GUI supports editing existing firewall rules (or adding rules manually from the GUI), you need to edit the rule files, which live in /etc/opensnitchd/rules/
This is an example of a simple OpenSnitch rule:

$ cat /etc/opensnitchd/rules/allow-simple-usrlibfirefoxfirefox.json 
{
  "created": "2020-02-24T14:16:23.5976661+02:00",
  "updated": "2020-02-24T14:16:23.597682816+02:00",
  "name": "allow-simple-usrlibfirefoxfirefox",
  "enabled": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "simple",
    "operand": "process.path",
    "data": "/usr/lib/firefox/firefox",
    "list": []
  }
}
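
As an added example (not part of the original article or of the OpenSnitch project), the following Python script parses rule files of the shape shown above, reports malformed ones, and lists the rules that permanently allow a process, which is the kind of audit worth running over /etc/opensnitchd/rules/ now and then, since one hasty “allow, always” answer to the prompt is kept until its file is removed. The sample rule texts are constructed inline so the script runs without the daemon installed; the required-field list, the accepted actions and the rule-naming pattern in make_simple_rule are inferred from the single example above and are assumptions, not the daemon’s documented schema.

```python
"""Validate and audit OpenSnitch rule files (added example, not project code)."""
import json
from datetime import datetime, timezone

# Fields the page's example rule carries; treated here as the required schema
# (an assumption inferred from that one example, not the daemon's documentation).
REQUIRED_TOP = ("name", "enabled", "action", "duration", "operator")
REQUIRED_OP = ("type", "operand", "data")
ACTIONS = {"allow", "deny"}

# Sample rule texts, constructed for this example in the layout shown on the page.
SAMPLE_RULES = {
    "allow-simple-usrlibfirefoxfirefox.json": """{
  "created": "2020-02-24T14:16:23.5976661+02:00",
  "updated": "2020-02-24T14:16:23.597682816+02:00",
  "name": "allow-simple-usrlibfirefoxfirefox",
  "enabled": true,
  "action": "allow",
  "duration": "always",
  "operator": {"type": "simple", "operand": "process.path",
               "data": "/usr/lib/firefox/firefox", "list": []}
}""",
    # A deliberately malformed file: unknown action and missing fields.
    "broken.json": '{"name": "broken", "enabled": true, "action": "permit"}',
}


def parse_rule(text):
    """Parse one rule file and check the fields the example rule uses.

    Returns (rule_dict, problems); an empty problems list means the rule is
    well-formed as far as this checker knows.
    """
    problems = []
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(rule, dict):
        return None, ["top level is not a JSON object"]
    for key in REQUIRED_TOP:
        if key not in rule:
            problems.append(f"missing field '{key}'")
    if "action" in rule and rule["action"] not in ACTIONS:
        problems.append(f"unknown action '{rule['action']}'")
    op = rule.get("operator")
    if isinstance(op, dict):
        for key in REQUIRED_OP:
            if key not in op:
                problems.append(f"operator missing '{key}'")
    elif "operator" in rule:
        problems.append("operator is not an object")
    return rule, problems


def audit_rules(files):
    """Summarise rule files: which are broken and which permanently allow a process.

    `files` maps file name to file text, as read from the rules directory.
    """
    report = {"valid": [], "invalid": {}, "permanent_allows": []}
    for fname, text in files.items():
        rule, problems = parse_rule(text)
        if problems:
            report["invalid"][fname] = problems
            continue
        report["valid"].append(fname)
        if rule["enabled"] and rule["action"] == "allow" and rule["duration"] == "always":
            report["permanent_allows"].append(rule["operator"]["data"])
    return report


def make_simple_rule(action, process_path, duration="always", enabled=True):
    """Build a rule in the same shape as the page's example.

    The name follows the example's pattern (<action>-simple-<path without
    slashes>); that the daemon names files this way is an assumption.
    """
    now = datetime.now(timezone.utc).isoformat()
    name = f"{action}-simple-{process_path.replace('/', '')}"
    return {
        "created": now, "updated": now, "name": name, "enabled": enabled,
        "action": action, "duration": duration,
        "operator": {"type": "simple", "operand": "process.path",
                     "data": process_path, "list": []},
    }


if __name__ == "__main__":
    print(json.dumps(audit_rules(SAMPLE_RULES), indent=2))
    print(json.dumps(make_simple_rule("deny", "/usr/bin/telnet"), indent=2))
```

To audit a real installation, replace SAMPLE_RULES with a dict built by reading every .json file in /etc/opensnitchd/rules/; the checker deliberately reports every problem it finds in a file rather than stopping at the first, so a single run gives the full picture.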


OpenSnitch fork

OpenSnitch Linux application firewall forks

Since forking OpenSnitch, Gustavo has improved the software and fixed many problems, including:

  • Added support for advanced rules (lists), which can allow or restrict connections based on destination IP, port, etc. (see the screenshot above)
  • The network statistics UI has been greatly improved: you can now filter the results and configure the number of items shown on the “General” tab, and view the details of rules/processes from that tab
  • Improved UI performance and fixed UI freezes in some cases, a common problem for users of the old OpenSnitch
  • UI HiDPI fix
  • Added more time ranges (30s, 5m, 15m, 30m, 1h) in the “Allow/Deny” dialog
  • Running processes (PIDs) can be looked up via ftrace (debugfs) or /proc to obtain the process path
  • If the daemon cannot communicate with the UI, the default action is applied
  • Added the option to allow/deny secondary domains
  • Fixed a crash when parsing .desktop files (a very common problem in the old OpenSnitch)
  • Added UI alert to warn of unanswered connections
  • Show application window when no system tray is available
  • Intercept and parse UDPLite connections
  • Allow interception of localhost and multicast connections
  • Other changes

In addition, OpenSnitch DEB binaries are now available for download, making it easy to install on Debian 9 and newer, Ubuntu 16.04 and newer, Linux Mint 18 and newer, and other Linux distributions based on these (such as Pop!_OS).

Download OpenSnitch (fork)

The developer of the OpenSnitch fork has made DEB packages available for download (you need to download and install both the opensnitch and the python3-opensnitch-ui DEB package), as well as the source code. After installing the DEB packages, the OpenSnitch firewall daemon starts automatically, but you need to start the GUI (tray) manually from the application menu; from the next login on, the OpenSnitch tray icon launches automatically. [Later edit] For Arch Linux/Manjaro users, the AUR opensnitch-git package has been switched from the old, unmaintained OpenSnitch to the fork, so you can use it to install it.
To install OpenSnitch (fork) from source, see its documentation.
