Linux application level firewalls

Little Snitch

License:

The daemon (littlesnitch --daemon) is proprietary, but free to use and redistribute.

Experience:

  • Tested incoming connection on port 22: blocked, but no popup and it didn't show up in the connection view

OpenSnitch

Install

sudo pacman -S opensnitch
sudo systemctl enable --now opensnitchd

Config

  • OpenSnitch config: /etc/opensnitchd/default-config.json
  • Firewall baseline: /etc/opensnitchd/system-fw.json
  • Default rule path where rules from the UI will get placed in: /etc/opensnitchd/rules/

Maintain rules in ~/.config

  • This lets you share rules with your dotfiles
  • Change Rules.Path to e.g. /home/varac/.config/opensnitchd/rules/
  • Create a systemd unit override with systemctl edit opensnitchd.service and add:

        [Service]
        ExecStart=
        ExecStart=/usr/bin/opensnitchd -rules-path /home/varac/.config/opensnitchd/rules/
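As an added example (not code from these notes or from the OpenSnitch project), a small Python helper that applies the two steps above to a copy of default-config.json and produces the systemd drop-in, then audits the new rules directory, since any process that can write there can rewrite the firewall's rules. It assumes the config nests the key as {"Rules": {"Path": ...}} (the notes call it Rules.Path) and that systemctl edit writes its drop-in to /etc/systemd/system/opensnitchd.service.d/override.conf.

```python
import json
import os
import stat
from pathlib import Path

# Added example; not code from the notes or from OpenSnitch itself.
# Assumed: default-config.json nests the key as {"Rules": {"Path": "..."}}
# (the notes call it Rules.Path), and `systemctl edit opensnitchd.service`
# writes its drop-in to OVERRIDE_DIR/override.conf.
OVERRIDE_DIR = "/etc/systemd/system/opensnitchd.service.d"


def set_rules_path(config_text: str, rules_path: str) -> str:
    """Return default-config.json text with Rules.Path pointed at rules_path."""
    if not os.path.isabs(rules_path):
        raise ValueError("rules path must be absolute")
    cfg = json.loads(config_text)
    cfg.setdefault("Rules", {})["Path"] = rules_path.rstrip("/") + "/"
    return json.dumps(cfg, indent=4) + "\n"


def systemd_override(rules_path: str) -> str:
    """Drop-in content matching the override shown in the notes above."""
    return ("[Service]\n"
            "ExecStart=\n"
            f"ExecStart=/usr/bin/opensnitchd -rules-path {rules_path}\n")


def audit_rules_dir(rules_dir: str, expected_uid: int) -> list[str]:
    """Flag weak ownership/permissions: whoever can write here edits the firewall."""
    p = Path(rules_dir)
    if not p.is_dir():
        return [f"{rules_dir}: does not exist"]
    findings = []
    st = p.stat()
    if st.st_uid != expected_uid:
        findings.append(f"{rules_dir}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{rules_dir}: group/world writable ({stat.filemode(st.st_mode)})")
    for rule in sorted(p.glob("*.json")):
        if rule.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rule}: group/world writable")
        try:
            json.loads(rule.read_text())
        except json.JSONDecodeError as e:
            findings.append(f"{rule}: invalid JSON ({e.msg})")
    return findings
```

Run the audit after every dotfiles sync: a rules file that fails to parse or a directory that became group-writable is exactly the kind of drift that silently changes what the daemon enforces.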

Usage

  • Beware: the firewall is only active when the UI application is running!

Limitations