Discussion
Little Snitch for Linux
hackingonempty: LittleSnitch doesn't tattle on itself phoning home.
Bromeo: How does it compare to opensnitch? https://github.com/evilsocket/opensnitch
lapcat: "I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click." https://obdev.at/blog/little-snitch-for-linux/
alhazrod: I remember before Little Snitch there was ZoneAlarm for Windows[0] (here is a good screenshot[1]). No clue if the current version of ZoneAlarm does anything like that (have not used it in 2 decades). I always found it weird that Linux never really had anything like it.[0]: https://en.wikipedia.org/wiki/ZoneAlarm[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
rvz: Also from [0].> You can find Little Snitch for Linux here. It is free, and it will stay that way.Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.However...> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.Do you still trust them not to do self-snitching on you, even though it is $0 and closed source?[0] https://obdev.at/blog/little-snitch-for-linux/
SamuelAdams: So if this is free to use on linux, what is to stop someone from doing what Colima did to Docker? Aka make a tiny Linux VM on MacOS and package Little Snitch within that?
papascrubs: Two of the three components of LittleSnitch for Linux are open source. The eBPF (kernel portion) and UI are fully open source.
Cider9986: This has the author's blog post on it https://obdev.at/blog/little-snitch-for-linux/
poglet: Simplewall is a good option for managing outgoing connections on Windows. https://simplewall.org
Cider9986: It barely has any of the features of the MacOS version, there is no shortage of cracks for Little Snitch, and there is Lulu. Other than that, I am not sure.
haswell: I've used OpenSnitch for years, and while LittleSnitch definitely has a better UI for showing which process is making which connections over time, OpenSnitch does a pretty good job here. I get a modal popup when a program that hasn't made a connection tries to make a connection, and I can either allow/deny in one click, or further customize the rule e.g. allowing ntpd to connect, but only to pool.ntp.org on port 123.Where LittleSnitch is definitely ahead is showing process connections over time after said process has been allowed.
Avicebron: Probably should throw it out there that I'm building something inspired by littleSnitch for windows. Currently a bit stealthy about it. But when I crowd source the funding for a code signing cert I'll get it out there. Lots of inspiration from LittleSnitch, in spirit if not actual code.
waterTanuki: Why would one use this over PiHole?
serious_angel: > The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. > And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. > That's not an option here. > > Source: https://web.archive.org/web/20260409002901/https://obdev.at/products/littlesnitch-linux/index.html The above feels like an utter AI slop nonsense, sorry. I believe eBPF, the Linux Kernel feature, is absolutely capable for accuracy and perfect processing of network traffic.Have you ever checked Calico or Cilium, or at least, Oryx?
walrus01: Completely different thing. A littlesnitch type thing is for all traffic. Pihole is a DNS query thing that prevents various ad content from being loaded. It's also trivially easy for a malicious application with network access to bypass any instance of pihole on your LAN by doing its own DNS over HTTPS lookups to its own set of server(s) by IP.
weird-eye-issue: That website redirected my browser to a very sketchy website after a couple seconds.Don't open it.@dang
lapcat: > Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?If you trust Little Snitch on Mac, then yes.They've been in business for over 20 years. They're not going to blow their entire business and reputation for a few Linux users.
emmelaich: Yep, I trust the obdev.at / Snitch guys.I do wonder however, are they sufficiently careful about their processes and own machines to avoid a supply chain attack completely.They must be a target for the various hacking groups out there.
roughly: I run both (LS on Mac, at least), they do different things - pi.hole is a great ad blocker which applies to all of the devices on your network. Little Snitch is doing something different - it tells you every call that every app you use is making, and allows you to approve or deny each one. So, you can block telemetry for apps, or you can block certain apps from contacting certain servers, or you can just use it to watch what apps on your system are calling out to where.
p-e-w: Is that true? If so, that’s not a good sign. I remember how impressed I was by ZoneAlarm in the early 2000s asking permission for itself to connect to the Internet, using the exact same dialogue it presented for any other program, with no dark patterns suggesting that the user should give preferential treatment to it.
JoeBOFH: This is different. This shows you what in your operating system is making connections out and to where.
lapcat: This comment seems a bit confused.A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?
hsbauauvhabzb: This seems pedantic and I think you know the answer.
colesantiago: It is free, no subscription at all and truly open source.As software should be.
jiveturkey: I guess you haven't actually implemented anything in eBPF.
laweijfmvo: isn’t this essentially built into Windows these days? although it seems to come with a lot of programs pre-approved.
Dig1t: >The daemon (littlesnitch --daemon) is proprietary, but free to use and redistribute.Worth noting that it is closed source. Would be worth contributing patches to OpenSnitch to bring it up to parity with Little Snitch.https://github.com/evilsocket/opensnitch
BoredPositron: Most of the windows firewalls tools are just front ends for the integrated one with more sensible defaults.
mathfailure: Nice to have this as an extra option, but being a linux user I value openness of code. I am pretty content with opensnitch + opensnitch-ui.
cortesoft: LittleSnitch isn't for ad blocking (only), it is for tracking/blocking/allowing ALL connections from various processes. PiHole only blocks DNS requests to known ad servers.
lapcat: > I think you know what they’re questioning and why.No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."How would you even hack them? I'm a developer too; how would you hack me?
brandon272: Completely forgot about ZoneAlarm. I remember using it in the early 2000s!
heartbreak: Options range from carefully targeted phishing or social engineering attacks to poor opsec and a five dollar wrench.
BoredPositron: If they trust the devs why would they not trust them to not yolo deploy new versions?
jerukmangga: It's interesting hw lng it took for linux to get a user friendly application firewall like OpenSnitch
emmelaich: They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.
unsnap_biceps: When I looked at OpenSnitch (years ago), it didn't support running headless on a server. Am I mistaken about this, or has it changed?
MegagramEnjoyer: Thanks for sharing Open Snitch
forsalebypwner: I'd be curious to hear additional details if you can share - got a timeline, or somewhere I can enter my email address for updates? I'd love to alpha/beta test if you're looking for testers.I've been a GlassWire user for years, which partially fills the role of LS, but not very well. Aside from the many performance issues I've seen, it's missing a lot of LS essentials. To be fair, I think the focus of GlassWire is more about visualizing traffic on your Windows computer, but I definitely believe there is a need for better Windows network software for power users.
lordmoma: how should maintainer make money?
ece: Same, just wish it was regularly updated in the distro repos.
dylan604: because a company worthy of trust doesn't yolo their versions. a company that does yolo versions is not trustworthy.
waterTanuki: I mean, if you're at the point where your machine is compromised by a process with full network access little snitch won't help much either.
waterTanuki: To clarify, I'm aware that pihole is not intended to run on a client OS, and doesn't monitor at a process level. I'm focused on the intended effect rather than the process itself (blocking malicious/ad servers).pi.hole is primarily billed as an ad blocker, but the fundamental way it works is by applying a curated set of DNS lists that are blocked (commonly telemetry and ad servers), and the admin dashboard which is just a web page (therefore works on all platforms, smartphones included) will do the same thing: it tells you every call that every app on every device on your network is making, and you can approve or deny it. You can curate your own list as well and block servers/connections you don't want on the network.LS afaik operates in the same area where it's intended to be used for privacy. I guess I could see it being useful for people who don't have admin access to their router, but for people who do have such access I would think the benefits of network-wide DNS monitoring/blocking would outweight the costs of having to configure your router settings.
flexagoon: Also see Safing Port master:https://safing.io/
lapcat: > They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow.
mrbluecoat: > The macOS version uses deep packet inspection to do this more reliably. That's not an option here.Isn't MacOS just *nix under the hood? Genuinely curious about this difference.
LamaOfRuin: That seems... not correct?The comment was asking about preventing a compromised supplier for the developers.A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.
Avicebron: It's a custom WFP driver. No timeline yet..If you or I guess anyone is curious sereno[hyphen]alpha[dot]ramble[thenumberoftechn9ne'sfavoriterum]@passinbox.com
lapcat: > a five dollar wrench.I'm not even going to respond to this ridiculousness.I still don't know why anyone thinks that, among all developers in the world, a little indie Mac developer is getting targeted specifically.
emmelaich: ?! The same way every other developer that has been hacked. You surely cannot be suggesting you're un-hackable. That seems ludicrously hubristic.
lapcat: > The same way every other developer that has been hacked.There's not one single way, so, no, you're just hand-waving here.
hsbauauvhabzb: Because it might not be the developers doing the deploying, but a malicious actor?
