
Monitor Linux App Network Connections with Little Snitch

Summary

– Objective Development has released a free Linux version of its Little Snitch firewall tool, which provides per-process visibility into outbound connections.
– The tool uses an eBPF-based kernel component for traffic interception and a web-based UI, allowing for remote monitoring from any device.
– The kernel code and user interface are open source, while the backend that manages rules and connections remains closed source.
– The company describes this initial version as functional but less polished than its macOS counterpart and notes eBPF constraints mean it can be bypassed by determined evasion.
– It currently works on kernel 6.12+, with potential compatibility down to kernel 5.17 to support older distributions like Debian 12 and Ubuntu 24.04 LTS.

For Linux users seeking granular control over their system’s network activity, a significant tool has arrived. Objective Development, the creator of the popular macOS firewall Little Snitch, has launched a free version for Linux. This release addresses a longstanding need for a desktop-focused application that provides clear, per-process visibility into outbound connections, moving beyond command-line tools or server-centric security solutions.

The application’s architecture leverages modern technologies for flexibility and performance. Its kernel component utilizes eBPF (Extended Berkeley Packet Filter) for traffic interception, a choice that offers better portability than traditional kernel modules. The core backend is developed in Rust, while the user interface is a web application. This web-based UI is a notable feature, enabling users to monitor a Linux server running Little Snitch remotely from any device, including a Mac. The company suggests this is ideal for managing connections on services like Nextcloud, Home Assistant, or Zammad.

In terms of licensing, the project adopts a mixed model. The kernel component and the web user interface are open source, with the UI licensed under GPL v2. This allows for community review, bug fixes, and adaptation to different kernel versions. However, the backend, which handles the critical tasks of managing firewall rules, block lists, and the connection hierarchy, remains proprietary, though free to use.

The company is transparent about the tool’s current capabilities and limitations. They position this initial Linux release as functionally sitting between their minimal “Mini” version and the full-featured macOS product. It is described as a useful and honest first version that may lack some polish. Importantly, the security model is built for transparency and user control, not for resisting active evasion. Due to the resource constraints inherent to eBPF, the firewall could be bypassed by techniques like flooding its tables. Its primary purpose is to reveal the network behavior of legitimate software and allow users to block unwanted connections.

Compatibility is currently confirmed for systems running kernel version 6.12 and newer. On older kernels, the tool encounters a technical limit with the eBPF verifier’s maximum instruction count. The developers note that support could theoretically be extended back to kernel 5.17, which introduced the necessary `bpf_loop()` function. Achieving this would bring compatibility to stable distributions like Debian 12 (Bookworm) and Ubuntu 24.04 LTS (Noble). Objective Development is actively seeking contributions from developers with the expertise to help bridge this compatibility gap. The project is publicly available on GitHub for download and community involvement.
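The thresholds in the paragraph above can be checked against a host's `uname -r` output. This is an added example, not code from Objective Development or the Little Snitch project; the function name, the result labels, and the sample release strings in the test are constructed for illustration.

```shell
#!/bin/sh
# Classify a kernel release string against the thresholds stated in the article:
#   >= 6.12          confirmed       (compatibility confirmed)
#   >= 5.17, < 6.12  theoretical     (bpf_loop() exists; support not yet implemented)
#   <  5.17          unsupported     (bpf_loop() not available)
# The labels are this example's own, not output of any Little Snitch tool.
classify_kernel() {
    release=$1
    # A usable release string has at least "major.minor".
    case "$release" in
        *.*) ;;
        *) echo "unknown"; return 1 ;;
    esac
    major=${release%%.*}
    rest=${release#*.}
    # Keep the leading digits only, dropping suffixes such as
    # ".0-45-generic", "-rc1" or "+bpo-amd64".
    minor=${rest%%[!0-9]*}
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;
    esac
    if [ -z "$minor" ]; then
        echo "unknown"; return 1
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 12 ]; }; then
        echo "confirmed"
    elif [ "$major" -eq 6 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }; then
        echo "theoretical"
    else
        echo "unsupported"
    fi
}

# Report the result for the running kernel.
echo "$(uname -r): $(classify_kernel "$(uname -r)")"
```

A "theoretical" result means the kernel has `bpf_loop()` but still hits the verifier instruction limit described above, so the tool is not expected to load there until that porting work is done.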

(Source: Help Net Security)
