OpenSnitch — manual control of network activity of Linux applications
Greetings!

OpenSnitch is a desktop open source application capable of blocking outgoing requests from various programs, with desktop notifications 🔔. In this note we’ll cover installing, launching, and demonstrating how OpenSnitch works on the Linux Mint 22 distribution 🐧.

Preface

Some introductory data about the OpenSnitch program 📑:

CharacteristicValue
PlatformLinux
Distribution (runtime environment in the article)Linux Mint 22
OpenSnitch version reviewed1.5.8
Written inPython, Go, C, Qt
Software categoryFirewalls
Network traffic control methodsproc or ebpf or auditd
Log file/var/log/opensnitchd.log

OpenSnitch is an information security tool that lets you significantly increase the level of control over your system (and we love that 😌). The project is inspired by a similar tool for MacOS: Little Snitch.

The OpenSnitch program works as a service/daemon, managed through a desktop GUI application.

The main concept: when any user program/utility attempts to make a request to a network resource (including the internet), OpenSnitch will block it and display a graphical notification. Depending on the decision made (allow, deny, or take no action), a filtering rule is created, which can later be changed/deleted, and configured flexibly if needed. New rules can also be created manually.

In the first stages of use, OpenSnitch may seem excessive in terms of control, since with every little thing any network activity will be audited with a notification shown and blocked by default 🔒.

But from experience, I’ll say that it’s enough to spend a short period once forming a list of access rules for your applications: allow what’s needed, and sell deny what’s not needed, and OpenSnitch will stop bothering you often 😴.

In return, you’ll be sure that if some proprietary program tries to send data to third-party servers, you’ll know about it. And if you miss the notification, the default policy will be applied — out of the box this is a deny rule.

I developed the habit of using such software back when I was a Windows user 🪟. By the way, there I used a similar open source tool called Simplewall (because even Notepad tries to get on the internet for some reason in Windows 😡). Simplewall’s operating principle is similar to OpenSnitch: blocking connections with notifications shown 💬.

How does it work?

OpenSnitch offers a choice of one of 3 methods for controlling network connections (specified in settings):

It’s also worth noting that the OpenSnitch project is actively developed 👌 and in recent versions a lot of interesting things have been added, for example:

Looks promising, but let’s leave these features for future material 😇, and today we’ll only cover the basic functionality.

Installing OpenSnitch

This program is in the standard repositories of Linux Mint / Ubuntu / Debian. So just open a terminal, update the package cache, and run the installation:

BASH
sudo apt update && sudo apt install -y opensnitch
Click to expand and view more

You can check the installed version of OpenSnitch like this:

BASH
opensnitchd --version
Click to expand and view more

Two executable files should appear on the system: opensnitchd and opensnitch-ui. The first, as its name suggests, is the service/daemon that runs in the background via the init system systemd. You can check its status with this command:

BASH
systemctl status opensnitch
Click to expand and view more

The service should be running, and its autostart should be enabled:

If that’s not the case, run the command:

BASH
sudo systemctl enable --now opensnitch
Click to expand and view more

This command does two things at once: it starts the service and enables its autostart on system boot.

The autostart of the graphical interface (minimized to the tray) is provided via a system .desktop file in the /etc/xdg/autostart directory:

BASH
cat /etc/xdg/autostart/opensnitch_ui.desktop
Click to expand and view more

You can disable the GUI autostart (and OpenSnitch itself) in the corresponding section of the system settings:

Launching and overview of the GUI

You can perform the first launch of the OpenSnitch graphical interface through the application menu:

The application icon will appear in the system tray. And you’ll most likely see it in action right away: any network activity in the user session will trigger a pop-up notification window:

In the example above, the file synchronization program syncthing is trying to connect to TCP port 8080 at address 127.0.0.1.

Here, within 30 seconds, we’re offered the option to create a rule that allows or denies network access to the specified resource.

As you can see in the screenshot above, the following parameters are available for a rule:

Request type— by executable file — by specific command — to a specific network address or subnet — to a specific network port — by specific user — by process ID (PID)
Rule duration— until system reboot — once — forever — for a certain period
Rule action— allow the connection — deny the connection

If no action is chosen before the timer expires, the default policy will be applied. Out of the box this is: deny any network access from the executable file until the next system reboot. This behavior can easily be changed in the program settings, which we’ll discuss below.

⚠️It’s important to understand that network access control will be applied to all programs and utilities (including console ones). So in the early stages I recommend carefully studying exactly what and where is trying to gain access.

For example, in the screenshot below you can see that the name resolution service utility systemd-resolvd is trying to reach a DNS server on the standard port 53:

For such system requests it’s best to immediately create persistent rules tied to the executable file, to reduce the number of triggers to nerves in the future.

Clicking the OpenSnitch icon in the system tray will open the program’s main window. Note that in the top right corner ↗️ there’s a button to stop OpenSnitch:

The program’s interface is split into tabs 📑, let’s briefly review each of them below.

“Events” tab

This section is a log of all recorded network connections:

It’s convenient here to analyze current connections and identify suspicious activity 🔍.

“Nodes” tab

Displays a list of local and remote nodes that OpenSnitch controls:

In our example there’s only our local node here. When using OpenSnitch as a centralized server, the controlled nodes will be displayed here (there will be a separate note about this).

If you “drill into” the selected node with a double click, we’ll see the details of its network activity:

“Rules” tab

The most important section. Here all OpenSnitch traffic filtering rules are listed:

What you can do here:

Double-clicking a selected rule takes us to a section showing the network activity related to it. Here, by clicking the edit button (in the top left corner), you can change the conditions of its operation:

“Hosts” tab

This tab shows a list of domain names the system has established connections with, as well as the number of such connections:

Double-clicking a host lets you see which programs interacted with it:

“Applications” tab

Here’s a list of all programs/utilities that went out to the network and the number of such attempts.

Double-clicking the selected program will open a table of its network activity. And clicking the browse button (magnifier icon) lets you see process details: open files, I/O statistics, environment variables used, etc.:

“Addresses” tab

This tab, as expected, shows all the IP addresses of hosts your applications have interacted with:

Double-clicking an address lets you see the statistics related to it:

“Ports” tab

This section presents a list of network ports used on the system and the number of accesses to them:

Similar to the “Addresses” tab, double-clicking lets you see details related to the applications that accessed the specified port:

“Users” tab

And here’s a list of the owner users of processes that are actively using the network:

Similarly, double-clicking a user lets you see the processes related to them and their network activity:

Program settings

It remains to look at the OpenSnitch settings section:

Here you can change the program’s operating parameters:

Afterword

Now our arsenal has +1 to paranoia our system’s protection complex 🧑‍💻🛡️. Personally, OpenSnitch turned out to be a very convenient, flexible, and effective way to monitor how applications work, as well as to prevent unwanted network activity on the system. It’s amazing when you look at the list of processes trying to gain network access 😱.

If this note turned out to be useful to you, check out the Useful software section, you might be interested in my other materials as well.

Thanks for reading! And take care of your privacy 🥷.

Useful materials

Copyright Notice

Author: Ivan Cherniy

Link: https://r4ven.me/en/software/opensnitch-ruchnoj-kontrol-setevoj-aktivnosti-linux-prilozhenij/

License: CC BY-NC-SA 4.0

Blog materials may be used with attribution to the author and source, for non-commercial purposes, and under the same license.

Start searching

Enter keywords to search articles

↑↓
ESC
⌘K Shortcut