Anyone tried Little Snitch yet?
Posted by eattherichnow@reddit | linux | 31 comments
Haven't had the time yet, but I'm wondering how it compares to other GUI tools such as the one built into KDE. Personally I generally use firewalld and its commands, but quick introspection of "which process is doing this" (and "what is this process doing") is something I used to do by grepping netstat -lnp, and haven't really optimized since.
MarzipanEven7336@reddit
You mean OpenSnitch?
pftbest@reddit
OpenSnitch has a terrible UI. It is written in Python and takes up 300MB of RAM in the background. Even that would be OK if it had a good user interface, but it doesn't. It doesn't allow you to easily match a network address with a specific application like Little Snitch does. You have to manually click + on each popup and also need to be very careful in how you write the regexp for them, because it has 0 validation: if you make a typo it will just silently ignore your rule. Also, if you have 2 Java applications that you want to limit independently, good luck with that, because they will both show as "/usr/bin/java" in OpenSnitch with no way to separate them.
MarzipanEven7336@reddit
What? What old as shit are you running?
pftbest@reddit
1.7.2 from arch repos
MarzipanEven7336@reddit
Are you using the BPF Kernel Modules?
pftbest@reddit
I have no issue with low level details, the BPF and the opensnitch daemon work perfectly fine as they should. The problem is python UI interface that you use to approve or deny connections and create rules.
MarzipanEven7336@reddit
The question I was asking was, "DID YOU LOAD THE BPF Kernel Module?" It allows OpenSnitch to do work in a kernel BPF module, which is way better than just using nftables.
pftbest@reddit
Of course it is using BPF, or else there is no point, without BPF it wouldn't be able to filter by application, duh. Did you even read my message?
Damglador@reddit
OpenSnitch can compare by CMD which would include apps' class or whatever.
The only issue I have with it is it breaks NFS, after I discovered that I decided that I don't need a firewall that much anyway.
pftbest@reddit
Yes, you can use CMD, but then you have to write regexp by hand, because CMD also contains other arguments like opened file name or whatever.
Damglador@reddit
Oh no, a whole .*stupid.reverse.dns.* . C'mon, it's not that big of a deal.
pftbest@reddit
Yes, it works, and yes I use it. But it doesn't make it good. If it had a better UI I would be wasting less of my time writing stupid regexes.
Damglador@reddit
How else do you expect it to know how your silly framework distinguishes one process from another? That's an issue with all interpreted languages that use system interpreter. The only way I can imagine to solve this is some kind of complex logic of parsing desktop files and matching them with the process properties, but it wouldn't be a matter of UI anymore.
pftbest@reddit
The same way you can specify regexp for everything, you can allow specifying the application filters. Where I can add
/usr/bin/java (\w+).*
/usr/bin/python3 (\w+).*
etc..
And when it sees such path it can match on the first capture group or whatever. I'm not against writing custom configs once where they are really needed. I am against writing them on a 45s timer every time a popup launches because the app connected to some new endpoint I never saw before. And instead of clicking yes or no, I have to speedrun setting up all the filters from scratch, because if I just click Reject it will discard all of the useful info, that I can't get back later.
Damglador@reddit
So basically a regex template to not write it each time?
pftbest@reddit
As one possible approach, yes. I think it's not hard to come up with more ways to solve this if you really try.
The raw functionality is not an issue here; the lower levels work great in OpenSnitch. You mentioned some issues with NFS, but I think this was also resolved; at least I haven't seen any issues with local connections in the last half year.
The problem is in the UI and the defaults. The way it is set up by default is not very useful. Nowadays most applications use well-known services like github.com, AWS and others for tracking, updates, etc. So you can't just block the whole github.com domain completely; you need to match it with applications accurately, or else there is no point. You can do it in OpenSnitch, but it is a pain in the ass with the current UI.
gainan@reddit
If you mean that you have to click on the [+] button to open the "advanced view", you can configure from the Preferences dialog to make it permanent.
Also, once you let it ask you to allow outbound connections from common binaries (~10 maybe on most systems), it should not ask you again. It's a pain at first, but after a few pop-ups it should only prompt you when something not expected wants to open an outbound connection.
Both the GUI and the daemon validate regexps:
daemon:
The GUI shows an error when creating an invalid rule in the rules editor.
One way of distinguishing both instances is filtering by binary path + cmdline. If the apps connect to different ports you can also filter by destination port. Or if they run under different users, you could also filter by path+cmdline+uid.
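Sketching the two ideas raised above (pftbest's per-interpreter regex templates and gainan's path + cmdline + uid filtering) as an added Python example; this is not code from OpenSnitch or from anyone in the thread, and the event fields, templates and rules are constructed for illustration:

```python
import re

# Constructed sample events in the shape a per-application firewall daemon
# hands to its UI; the field names are assumptions, not OpenSnitch's format.
EVENTS = [
    {"path": "/usr/bin/java", "cmdline": "/usr/bin/java -jar /opt/app-a/app.jar", "uid": 1000, "dst": "api.github.com"},
    {"path": "/usr/bin/java", "cmdline": "/usr/bin/java -jar /opt/app-b/app.jar", "uid": 1000, "dst": "api.github.com"},
    {"path": "/usr/bin/python3", "cmdline": "/usr/bin/python3 /home/u/tool.py --out report.txt", "uid": 1001, "dst": "pypi.org"},
    {"path": "/usr/bin/curl", "cmdline": "curl https://example.net/", "uid": 1000, "dst": "example.net"},
]

# Hypothetical templates written once per interpreter binary: a regex over the
# cmdline with exactly one capture group naming the "real" application inside.
TEMPLATES = {
    "/usr/bin/java": r"\S+ -jar (\S+)",
    "/usr/bin/python3": r"\S+ (\S+\.py)",
}

def compile_template(pattern):
    """Validate a template up front instead of silently ignoring a bad rule.
    Returns (compiled_regex, None) or (None, error_text)."""
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return None, str(exc)
    if rx.groups != 1:
        return None, "template must contain exactly one capture group"
    return rx, None

def app_identity(event, templates=TEMPLATES):
    """Stable identity for a process: the binary path, or path + captured app
    name when the path is an interpreter with a template."""
    pattern = templates.get(event["path"])
    if pattern is None:
        return event["path"]
    rx, err = compile_template(pattern)
    if rx is None:
        raise ValueError(f"bad template for {event['path']}: {err}")
    m = rx.match(event["cmdline"])
    return f"{event['path']}:{m.group(1)}" if m else event["path"]

def decide(event, rules, templates=TEMPLATES):
    """Rules are keyed by (identity, uid, destination); unknown keys prompt."""
    key = (app_identity(event, templates), event["uid"], event["dst"])
    return rules.get(key, "ask")

# Constructed rules: two Java apps under the same binary get different verdicts.
RULES = {
    ("/usr/bin/java:/opt/app-a/app.jar", 1000, "api.github.com"): "allow",
    ("/usr/bin/java:/opt/app-b/app.jar", 1000, "api.github.com"): "deny",
}
```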
eattherichnow@reddit (OP)
No, that one has been around for a while. LittleSnitch is a new, (partially) proprietary product by the developers of the OG Mac LittleSnitch.
duongdominhchau@reddit
LittleSnitch is originally a macOS application. OpenSnitch is a Linux application inspired by LittleSnitch for macOS. The LittleSnitch dev released another version for Linux and open-sourced 2 out of 3 components of it yesterday (https://obdev.at/blog/little-snitch-for-linux/). OP is clearly asking about this release; they are not asking for an application suggestion.
Vortelf@reddit
https://github.com/obdev/littlesnitch-linux
fellowsnaketeaser@reddit
LittleSnitch's job is mainly to block commercial software from phoning home (read: privacy). Nowadays, on Linux, I don't touch any non-open-source software with a stick, so I have 0 use for it.
leaflock7@reddit
The dev clearly states what its use is, and it is focused on privacy rather than security.
Where you are wrong, though, is that you should only use something like that because only commercial/proprietary apps phone home.
Unless you spend countless hours checking the code of each open-source app you use, then the same use case exists here: to show you where an app can phone back.
phylter99@reddit
I use it on the regular for macOS. It's a valuable little tool. The ad blocking works pretty well too. I didn't know it was available for Linux now.
eattherichnow@reddit (OP)
It's pretty new (on Linux), which is why I haven't tried it out yet.
spliggity@reddit
Used it for many years on macOS and was a big fan; have not tried the Linux version. Honestly surprised they're not charging for it.
cigh@reddit
If you consider OpenSnitch as the same concept, it has more features than just checking which program does what.
It actively asks the user whether they want to deny or accept an outgoing connection.
I used it for a few years, but after some problems with certain programs I stopped using it. It got in my way more than it made my device "more secure".
Marce7a@reddit
Why bother when there is:
https://github.com/evilsocket/opensnitch
https://github.com/safing/portmaster
Damglador@reddit
Portmaster has horrendous UI, I don't give a crap about how "modern" it looks, it's unintuitive.
OrganicNectarine@reddit
Second that. I was around when Portmaster started, and the UI has been a mess at every stage, including the redesign. It looks pretty, but it's incredibly hard to find what you are looking for.
gainan@reddit
firewalld or ufw do not filter connections by binary, while LittleSnitch/LuLu and OpenSnitch do.
On the other hand, netstat, ps, top, htop, lsof and similar tools cannot be trusted to analyze Linux systems if you suspect they've been infected with malware. Malicious binaries can easily hide themselves from these tools.
scandii@reddit
I used to be a heavy Little Snitch user like 20 years back? Didn't know it was still around.
Conceptually it isn't really an inspection tool as much as it is a privacy tool. It was built to alert you when applications are trying to phone home, with an allow/deny setup, and they added some pretty data around that concept.