Control outgoing traffic on Linux: Little Snitch is here

What is phoning home on Linux? With the Little Snitch firewall, applications can now also be monitored outside of macOS.

Three stylized figures with swords and shields, depicting a brick wall with flames.

(Image: heise medien)


Little Snitch, previously known primarily as a macOS firewall, is coming to Linux. The software monitors outgoing network connections at the application level and shows users which processes are communicating with whom. If necessary, connections can be selectively blocked, albeit with technical limitations.

The software works as a host-based application firewall. Instead of filtering only by port or IP address, Little Snitch controls outgoing traffic per process and allows for fine-grained rules. The tool is known for its interactive prompts on new connections and its graphical representation of network activity. On Linux, it encounters established tools like nftables or ufw, which work primarily at the packet and network level rather than the application level.

The Linux version links network rules directly to applications. Connections can be controlled not only by destination address or port, but by specific binary or process. For example, an administrator can allow curl to access only a specific API domain and block all other destinations. Control thus shifts from the network level to the application level.

When a process establishes a connection for the first time, Little Snitch informs the user and requests a decision. This is useful, for example, when a newly installed tool sends telemetry data unnoticed. On Linux, such interactive mechanisms are rare so far – most firewall solutions rely on logging and subsequent rule maintenance.

The interface of the Linux version of Little Snitch – until now, the software was only available for macOS.

(Image: Objective Development Software GmbH)

A Network Monitor displays active connections with destination systems, protocols, and data volume. This allows for the detection of continuously active background connections or unusual communication patterns. This is useful for both debugging and analysis.

Rules can be defined by protocols and destinations – for example, to restrict connections to HTTPS. Such functions typically require close integration with DNS resolution.

Unlike many Linux tools, Little Snitch relies heavily on a graphical interface. Rules are created via the UI instead of through nftables rule sets. This is particularly beneficial for desktop users who want more transparency without having to delve into low-level firewall configuration.

Technically, the Linux implementation uses eBPF to intercept network connections at the kernel level. This enables performant and portable monitoring – unlike kernel extensions, which would be distribution-dependent. Mapping individual network packets back to the user-space process that generated them is difficult; eBPF hooks on socket and network events, which run in the context of the calling process, make that attribution comparatively straightforward.
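As an added illustration, not code from Little Snitch or its developers, the following bpftrace script shows what socket-level eBPF hooks give an application firewall that a packet filter lacks: the process behind each outgoing TCP connection and the bytes it sends. It assumes bpftrace is installed, root privileges, and a kernel with BTF (otherwise the kernel headers are included).

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not Little Snitch code): attribute outgoing TCP activity
// to the originating process using socket-level kernel hooks.
#ifndef BPFTRACE_HAVE_BTF
#include <linux/socket.h>
#include <net/sock.h>
#else
#include <sys/socket.h>
#endif

BEGIN
{
  printf("%-8s %-16s %-40s %s\n", "PID", "COMM", "DEST", "PORT");
}

// tcp_connect() executes in the context of the process that called
// connect(), so pid and comm identify the application directly. A packet
// seen later in netfilter no longer carries that information.
kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  $family = $sk->__sk_common.skc_family;
  if ($family == AF_INET || $family == AF_INET6) {
    if ($family == AF_INET) {
      $daddr = ntop($sk->__sk_common.skc_daddr);
    } else {
      $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
    }
    // skc_dport is stored in network byte order; swap to host order.
    $dport = bswap($sk->__sk_common.skc_dport);
    printf("%-8d %-16s %-40s %d\n", pid, comm, $daddr, $dport);
    @connects[comm, pid] = count();
  }
}

// tcp_sendmsg(sk, msg, size): sum the bytes each process hands to the TCP
// stack, i.e. the per-application data volume a network monitor displays.
kprobe:tcp_sendmsg
{
  @bytes_sent[comm, pid] = sum(arg2);
}

END
{
  printf("\nConnections per process:\n");
  print(@connects);
  printf("Bytes sent per process:\n");
  print(@bytes_sent);
}
```

Run it with `sudo bpftrace ./tcp_by_process.bt`, start a tool such as curl in another terminal, and stop with Ctrl-C to see the per-process summaries.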


Little Snitch helps users detect unexpected connections, such as those for telemetry data. Nevertheless, it is not a security tool: eBPF has technical limitations that allow for bypasses. OpenSnitch follows a similar concept on Linux; in comparison, Little Snitch offers a combination of a mature interface, visualization, and rule engine. The software is by no means aimed solely at the desktop; as the user interface has been implemented as a web application, Little Snitch can explicitly also be used on headless servers and controlled remotely from other devices, for example, to monitor the connections of services like Nextcloud.

Little Snitch for Linux currently runs on Linux kernel 6.12 and later – in practice, this means on Debian 13, Ubuntu 25.04, Mint 22, Fedora 40, or RHEL 10, as well as on rolling release distros like Arch and Manjaro, as explained in the developers' blog post. Interested users can download the tool for free from the provider's website.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.