Scripts · May 18, 2026 · 1 min read

OpenSnitch — Linux Application Firewall with Interactive GUI

OpenSnitch is a GNU/Linux application firewall that monitors outbound connections and lets you allow or deny them per process. Inspired by Little Snitch on macOS, it provides a desktop notification popup and a Qt-based GUI for managing firewall rules.

Agent-ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans and a link to the raw content, so that an Agent can judge fit, risk and the next action.

Needs Confirmation · 64/100 (policy: confirmation required)

  • Agent entry point: any MCP/CLI Agent
  • Type: Skill
  • Install: Single
  • Trust: trust level Established
  • Entry point: OpenSnitch Application Firewall
  • Generic CLI install command: npx tokrepo install 3740f0d5-52d6-11f1-9bc6-00163e2b0d79

Introduction

OpenSnitch is an application-level firewall for Linux that intercepts outgoing network connections and prompts the user to allow or block them. It gives you visibility into which processes communicate with which hosts, bringing Little Snitch-style control to the Linux desktop.

What OpenSnitch Does

  • Intercepts all outgoing connections at the process level using eBPF or kernel modules
  • Displays a real-time popup asking the user to allow or deny each new connection
  • Saves rules per executable, destination, port, or user for automatic future decisions
  • Provides a Qt-based GUI dashboard with connection statistics and rule management
  • Logs all connection attempts with process path, command line, destination, and protocol

Architecture Overview

OpenSnitch consists of a daemon (opensnitchd) written in Go and a GUI (opensnitch-ui) written in Python with Qt. The daemon hooks into the kernel networking stack using nftables and eBPF to intercept packets. When a new outbound connection is detected, the daemon resolves the originating process via /proc and sends a gRPC request to the UI, which displays a prompt. The user's decision is stored as a JSON rule file on disk.

Self-Hosting & Configuration

  • Install the daemon and UI packages from GitHub releases or your distro's repository
  • The daemon runs as a systemd service with root privileges for packet interception
  • Rules are stored as individual JSON files in /etc/opensnitchd/rules/
  • Configure default actions (allow, deny, or ask) in /etc/opensnitchd/default-config.json
  • Use the GUI to manage rules, view connection logs, and export/import rule sets
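As an added illustration (not OpenSnitch's own code), the following Python evaluates two constructed rules in the on-disk JSON shape against a constructed deny-by-default default-config.json, which is how a headless install relies on rule files plus the default action. The field names (action, precedence, operator type/operand/data/list, sensitive) follow the daemon's rule format; the evaluation order and the meaning of the sensitive flag are assumptions.

```python
"""OpenSnitch-style rule evaluation over a constructed connection (added example,
not OpenSnitch's own code; match order and 'sensitive' semantics are assumptions)."""
import json
import re

# Constructed rules shaped like the JSON files under /etc/opensnitchd/rules/.
RULES = [json.loads(s) for s in (
    r'{"name":"deny-tracker-hosts","enabled":true,"precedence":true,"action":"deny",'
    r'"duration":"always","operator":{"type":"regexp","operand":"dest.host",'
    r'"sensitive":false,"data":"^.*\\.example\\.net$","list":[]}}',
    r'{"name":"allow-curl-443","enabled":true,"precedence":false,"action":"allow",'
    r'"duration":"always","operator":{"type":"list","operand":"list","sensitive":false,'
    r'"data":"","list":[{"type":"simple","operand":"process.path","sensitive":true,'
    r'"data":"/usr/bin/curl"},{"type":"simple","operand":"dest.port","sensitive":true,"data":"443"}]}}',
)]
# Constructed default-config.json for headless use: deny whatever no rule matches.
DEFAULT_CONFIG = json.loads('{"DefaultAction": "deny", "DefaultDuration": "always"}')

def operand_value(conn, operand):
    """Map a rule operand onto the connection fields the daemon resolves via /proc."""
    return {"process.path": conn["path"], "dest.host": conn["host"], "dest.ip": conn["ip"],
            "dest.port": str(conn["port"]), "user.id": str(conn["uid"])}[operand]

def op_matches(op, conn):
    """Evaluate one operator; a 'list' operator ANDs its sub-operators."""
    if op["type"] == "list":
        return all(op_matches(sub, conn) for sub in op["list"])
    value, data = operand_value(conn, op["operand"]), op["data"]
    if not op.get("sensitive", False):  # assumed: False means case-insensitive compare
        value, data = value.lower(), data.lower()
    if op["type"] == "simple":
        return value == data
    if op["type"] == "regexp":
        return re.match(data, value) is not None
    raise ValueError(f"unsupported operator type {op['type']!r}")

def decide(conn, rules=RULES, config=DEFAULT_CONFIG):
    """Return (action, rule name): precedence rules first, then the rest, name order as tie-break."""
    ordered = sorted((r for r in rules if r["enabled"]),
                     key=lambda r: (not r["precedence"], r["name"]))
    for rule in ordered:
        if op_matches(rule["operator"], conn):
            return rule["action"], rule["name"]
    return config["DefaultAction"], "default-config.json"

if __name__ == "__main__":
    curl_to_api = {"path": "/usr/bin/curl", "host": "api.example.com",
                   "ip": "192.0.2.10", "port": 443, "uid": 1000}
    print(decide(curl_to_api))  # ('allow', 'allow-curl-443')
```

The precedence rule wins even though the allow rule also matches curl on port 443 to the tracker host, and a binary with no rule falls through to the configured default.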

Key Features

  • eBPF-based process tracking for low-overhead connection attribution
  • Support for nftables and iptables backends for broad kernel compatibility
  • Regex and wildcard matching in rules for flexible policy definitions
  • Multi-node support to manage rules across multiple machines from one UI
  • Connection log export to CSV for analysis and auditing

Comparison with Similar Tools

  • Little Snitch (macOS) — commercial macOS firewall; OpenSnitch provides similar functionality for Linux, free of charge
  • UFW/iptables — network-layer firewalls without per-process awareness; OpenSnitch operates at the application level
  • Portmaster — similar concept with a web UI; OpenSnitch uses a desktop-native Qt interface
  • GlassWire (Windows) — Windows network monitor; OpenSnitch fills the same role on Linux

FAQ

Q: Does it slow down my network? A: Overhead is minimal. The eBPF backend tracks connections in kernel space with negligible latency; the popup only appears for new, unmatched connections.

Q: Can I run it headless on a server? A: Yes. Set the default action to deny or allow in the config and manage rules via the JSON files without the GUI.

Q: Which Linux distributions are supported? A: Debian, Ubuntu, Fedora, Arch, and openSUSE packages are available. It works on any distro with a 4.18+ kernel and nftables.

Q: Does it block incoming connections too? A: OpenSnitch focuses on outbound connections. Use nftables or iptables directly for inbound filtering.
