OpenSnitch is a GNU/Linux port of the Little Snitch application firewall

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • opensnitch

    OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.

    Agree on the GUI, however opensnitch does seem to assume a single user with a single X server. I have not been able to figure out a way, last time I tried, to get it to work with say 2 X servers and a VNC session or two running concurrently (meaning I couldn’t figure out a way to get connection alerts anywhere but in one of them, as also described here https://github.com/evilsocket/opensnitch/issues/388).

    Little Snitch does not have these issues and you can have multiple users logged in with fast user switching and all can operate their notifications no problem.

  • tiny-snitch

    an interactive firewall for inbound and outbound connections

    The issue is that libnetfilter_queue doesn’t have pid information, and so that must be looked up or joined to another data stream at runtime. This can fail. Flakes at this point can be dangerous, and can reduce confidence in the system. They can also encourage you to add rules at both system and program level, which is annoying.

    One alternative is to specify rules at system level instead of program level. That’s the approach I ended up landing on[1]. I wish I had finer granularity, but I’m glad I don’t have flakes.

    It’s hard to imagine that monitoring network exfil isn’t THE best way to secure any system. At the least, it’s an important and necessary step.

    1. https://github.com/nathants/tinysnitch


  • picosnitch

    Monitor Network Traffic Per Executable, Beautifully Visualized

    > Linux is still dicey to correlate traffic with a particular app, especially if the connection is/was short-lived.

    This is actually pretty easy and reliable to do now with BPF[0].

    I also used the same approach to create a somewhat user-friendly TUI and web dashboard for it[1]. It is able to hash the executable (even if it was short-lived).

    [0] https://www.gcardone.net/2020-07-31-per-process-bandwidth-mo...

    [1] https://github.com/elesiuta/picosnitch

  • bcc

    BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

    Thanks! Also I used lost_cb [0] to detect if a packet or connection (with security_socket_connect) was missed between the BPF and Python parts, but is it possible for the BPF program to miss either entirely without triggering that callback?

    If so (without a kernel vulnerability which should be a given) I'd like to have it mentioned under the limitations section so others can be aware as well.

    [0] https://github.com/iovisor/bcc/blob/master/docs/reference_gu...

  • plonky

    a Perl program to generate a conky rc file

    You can use lsof in Linux to show connexions:

    lsof -i -n -P | grep -- '->' | awk '{a[$1"_p"$2]++;}END{ for (it in a){print it,a[it]}}' | sort -nr -k2,2

    This project uses conky to display the current connexions:

    https://github.com/viviparous/plonky/blob/main/plonky.pl
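    The lsof pipeline above and the tiny-snitch comment about pid lookup being a separate, racy join both come down to the same mechanism: the kernel exposes sockets by inode in /proc/net/tcp, and the only way to find the owning process without BPF is to scan every /proc/PID/fd for a symlink to that inode. The script below is an added example (not code from plonky, tinysnitch or any other project on this page) that performs that join and reports which sockets could not be attributed, which is exactly the "flake" case: the process exited before the scan, its fds are unreadable to a non-root user, or it is hidden by a rootkit. The /proc/net/tcp sample, the fixture directory and the names `parse_proc_net_tcp`, `build_inode_map`, `attribute` and `count_by_process` are all constructed for this example.

```python
"""Attribute TCP sockets to processes the way lsof/netstat do, and surface the
sockets that cannot be attributed. Added example; not part of any project above."""
import os
import socket
import struct
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of /proc/net/tcp with two sockets: a listener on
# 127.0.0.1:8080 (inode 12345) and an outbound connection to
# 93.184.216.34:443 (inode 67890). Addresses are hex in host byte order,
# little-endian on x86/arm64, which is what decode_addr assumes.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

Row = Tuple[str, str, str, int, int]  # local, remote, state, uid, inode


class Conn(NamedTuple):
    local: str
    remote: str
    state: str
    uid: int
    inode: int
    pid: Optional[int]  # None when no readable process owns the socket


def decode_addr(hex_addr: str) -> str:
    """'0100007F:1F90' -> '127.0.0.1:8080' (little-endian host byte order)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((decode_addr(f[1]), decode_addr(f[2]),
                     TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return rows


def build_inode_map(proc_root: str = "/proc") -> Dict[int, int]:
    """Scan <proc_root>/<pid>/fd/* for 'socket:[inode]' links -> {inode: pid}."""
    inode_to_pid: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except (PermissionError, FileNotFoundError):
            continue  # another user's process (when not root) or it already exited
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink: the runtime race
            if target.startswith("socket:["):
                inode_to_pid[int(target[8:-1])] = int(entry)
    return inode_to_pid


def attribute(rows: List[Row], inode_to_pid: Dict[int, int]) -> List[Conn]:
    return [Conn(l, r, st, uid, ino, inode_to_pid.get(ino)) for l, r, st, uid, ino in rows]


def process_name(pid: int, proc_root: str = "/proc") -> str:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def count_by_process(conns: List[Conn], proc_root: str = "/proc") -> Dict[str, int]:
    """Same aggregation as the awk pipeline (COMMAND_pPID -> count), except that
    sockets with no owner are kept under 'unknown_p-' instead of vanishing."""
    counts: Dict[str, int] = {}
    for c in conns:
        key = f"{process_name(c.pid, proc_root)}_p{c.pid}" if c.pid is not None else "unknown_p-"
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def build_fixture(pid: int = 4242, inode: int = 12345, comm: str = "nginx") -> str:
    """Constructed fake /proc tree so the example runs without root: one process
    owning one socket. Returns the fixture root."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, "3"))  # dangling link, like the real thing
    with open(os.path.join(root, str(pid), "comm"), "w") as fh:
        fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    conns = attribute(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), build_inode_map(root))
    for c in conns:
        print(f"{c.local:<22} {c.remote:<22} {c.state:<12} pid={c.pid}")
    print(count_by_process(conns, root))
```

Run it on a real host by reading /proc/net/tcp (and tcp6) and calling `build_inode_map()` with the default root; as an unprivileged user most other users' sockets will land in `unknown_p-`, which is the honest answer rather than a guess. Anything that shows up in /proc/net/tcp but in no process's fd table deserves a second look: it is either the race the tiny-snitch comment describes or, as the libprocesshider entry below notes, a process that is hiding from the fd scan.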

  • rustdesk

    An open-source remote desktop, and alternative to TeamViewer.

    I've got a self hosted host in my office. When you deploy a client, you can rename the Windows exe to include the DNS name and public key of your host and it will then use them - clever idea. So I don't think you need their TURN/STUN. I suspect those are simply provided as a service and nothing more sinister.

    They also provide three or so really low spec jump boxes to get people up and running if they can't self host - again, I call that altruism not sinister.

    I will get Wireshark out anyway to check about this stuff next week.

    You can do your own real due-dil stuff yourself by browsing around this: https://github.com/rustdesk/rustdesk - read the issues, browse the source (read the comments!) get a feel for the software.

    I'm asserting that it is no worse than anything else. I can also assert that the binaries that I get on Arch Linux are probably from the official sources (I checked a few strings etc). I can't sign off the Windows binaries but I can assert that I do trust them from their GitHub repo.

    I can assert things until I'm blue in the face but I trust rustdesk more than most remote access facilities for now but I am still kicking the tyres.

  • libprocesshider

    Hide a process under Linux using the ld preloader (https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/)

    unfortunately malicious lkms and userland rootkits can hide processes/connections from lsof/netstat

    https://github.com/gianlucaborello/libprocesshider


  • opensnitch

    OpenSnitch is a GNU/Linux application firewall (by gustavo-iniguez-goya)
