How To Install OpenSnitch Application-Level Firewall In Ubuntu

OpenSnitch is a Linux port of the Little Snitch firewall application for MacOS, currently considered beta software.

If you're looking for an application-level firewall for Linux that comes with a GUI, give OpenSnitch a try. This firewall software can monitor applications running on your system, blocking their Internet access until you allow or deny it.

Here's how OpenSnitch works. When an application tries to access the internet, it is initially blocked, and a dialog is displayed, asking you if you want to allow its connection once, this session, or forever:

[Screenshot: OpenSnitch Linux application firewall]

You can also block its access by changing the first drop-down from Allow connections to Block connections, and select the duration in the same way (once, for this session, or forever).

As you can see from the screenshot above, a lot of information is provided, like the domain the application tries to connect to, the source and destination IP, or the process ID.

From its tray icon, you can access the OpenSnitch Network Statistics, which displays information about current processes, hosts, addresses, ports or users, as well as a general overview of your current connections:

[Screenshot: OpenSnitch Linux application firewall, Network Statistics window]

While the application comes with a Qt graphical user interface, it can also be used from the command line. For how to specify custom rules for OpenSnitch, see this page.

After allowing or denying an application to connect to the Internet, there's no GUI to change this in case you change your mind, at least for now. But you can reset a rule by deleting (or modifying) its rule file, which you'll find in the /etc/opensnitchd/rules directory (after OpenSnitch is installed and has run once).
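Since rules can only be reset by touching the files in that directory, a small script helps to see what has been allowed or denied and to forget a decision for one program. This is an added example, not code from the article or the OpenSnitch project; it assumes each rule file is JSON with "action", "duration" and an "operator" object holding "operand" and "data", and it runs against a constructed temp directory rather than the real /etc/opensnitchd/rules (pass the real path as the first argument, as root, to use it for real).

```shell
#!/bin/sh
# Added example, not code from the article or the OpenSnitch project.
# Lists and resets OpenSnitch rule files. ASSUMPTION: each rule file is JSON
# carrying "action", "duration" and an "operator" object with "operand" and
# "data" (as in the beta's rule files); adjust the key names if yours differ.

json_field() {
    # json_field FILE KEY: print the string value of "KEY" (first match only).
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

opensnitch_rules_summary() {
    # One tab-separated line per rule: file, action, duration, operand, data.
    dir="${1:-/etc/opensnitchd/rules}"
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue
        printf '%s\t%s\t%s\t%s\t%s\n' "$(basename "$f")" \
            "$(json_field "$f" action)" "$(json_field "$f" duration)" \
            "$(json_field "$f" operand)" "$(json_field "$f" data)"
    done
}

opensnitch_rule_forget() {
    # Delete every rule in DIR whose "data" (e.g. a process path) equals TARGET,
    # so that program's next connection attempt prompts again. Prints the count.
    dir="$1"; target="$2"; n=0
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue
        if [ "$(json_field "$f" data)" = "$target" ]; then
            rm -f "$f"; n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample rules in a temp dir so the example runs without root or
# a real /etc/opensnitchd/rules; the values are made up for illustration.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/allow-curl.json" <<'EOF'
{ "name": "allow-curl", "enabled": true, "action": "allow", "duration": "always",
  "operator": { "type": "simple", "operand": "process.path", "data": "/usr/bin/curl" } }
EOF
cat > "$SAMPLE_DIR/deny-telnet.json" <<'EOF'
{ "name": "deny-telnet", "enabled": true, "action": "deny", "duration": "always",
  "operator": { "type": "simple", "operand": "process.path", "data": "/usr/bin/telnet" } }
EOF
opensnitch_rules_summary "$SAMPLE_DIR"
```

Restart opensnitchd after deleting a rule file so the daemon reloads the directory.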

OpenSnitch is still in beta, so it lacks some features. Right now, the OpenSnitch daemon only intercepts and manages outgoing connections, but support for incoming connections is planned.

OpenSnitch is not packaged for most Linux distributions (I couldn't find any packages for Debian / Ubuntu). To download the OpenSnitch source and see how to install it, check out this page.

The officially provided OpenSnitch installation instructions for Ubuntu are a bit incomplete, so I wrote a how-to myself below.

How to install OpenSnitch application-level firewall in Ubuntu

The guide below requires Ubuntu 17.10 or 18.04 (or newer). I didn't manage to build it in Ubuntu 16.04.


1. Make sure you have the backports repository enabled if you're not using the latest Ubuntu version (18.04), by going to Software & Updates and checking the Unsupported updates (backports) option on the Updates tab.

2. Go is needed for some packages, and for this whole procedure to work properly, some paths need to be added to your PATH. For this, run the commands below:

echo "export GOPATH=\$HOME/.go" >> ~/.bashrc
echo "export PATH=\$PATH:\$GOROOT/bin:\$GOPATH/bin:\$HOME/.local/bin:\$HOME/.bin" >> ~/.bashrc
source ~/.bashrc

3. Install the OpenSnitch dependencies:

sudo apt install golang-go python3-pip python3-setuptools python3-slugify protobuf-compiler libpcap-dev libnetfilter-queue-dev python-pyqt5 pyqt5-dev pyqt5-dev-tools git

4. Start building OpenSnitch and its requirements:

go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
pip3 install --user grpcio-tools
go get github.com/evilsocket/opensnitch
cd $GOPATH/src/github.com/evilsocket/opensnitch
make
sudo -H make install

The last command above uses -H because some pip commands are run by the install file, and the -H option sets the HOME variable to the target user's home directory, so the install doesn't mess up any file permissions in your own home.

5. Add OpenSnitch to startup and start its service (run these from the opensnitch source directory you're already in; you only need to run these commands once):

mkdir -p ~/.config/autostart
cd ui
cp opensnitch_ui.desktop ~/.config/autostart/
sudo systemctl enable opensnitchd
sudo service opensnitchd start

How to remove OpenSnitch

To remove OpenSnitch from your Ubuntu system, use the steps below. This is required because OpenSnitch was installed from source, and not by using a package.

Stop and disable the opensnitchd service:

sudo service opensnitchd stop
sudo systemctl disable opensnitchd

Remove installed OpenSnitch files:

rm ~/.config/autostart/opensnitch_ui.desktop
rm -rf ~/.go/src/github.com/evilsocket/opensnitch
sudo rm /usr/local/bin/opensnitch-ui
sudo rm /usr/local/bin/opensnitchd
sudo rm -r /etc/opensnitchd
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch_ui*
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch/
sudo rm /etc/systemd/system/opensnitchd.service
sudo rm /etc/systemd/system/multi-user.target.wants/opensnitchd.service
sudo rm /usr/share/applications/opensnitch_ui.desktop
sudo rm /usr/share/kservices5/kcm_opensnitch.desktop

8 comments:

  1. Hi there,

    Unfortunately gives several messages when trying this line:

    go get -u github.com/golang/dep/cmd/dep

    undefinedsort.SliceStable

    1. What Ubuntu version are you using? That error gives me the impression that your system has an old Go version and that's what's causing it. That's why I noted in the article that this guide requires Ubuntu 17.10 or 18.04 (or newer). In fact if I remember correctly even if updating Go to a newer version, there were still some issues in older Ubuntu versions.

  2. Hi Logix. First I want to thank you for this wonderful guide. It works so much better than the official install instructions.

    Everything worked great up to the point where I tried starting the service as root.

    I have tried both using the service command:
    service opensnitchd start

    and even manually running it
    /usr/local/bin/opensnitchd -log-file /var/log/opensnitchd.log -rules-path /etc/opensnitchd/rules -ui-socket unix:///tmp/osui.sock

    Either way, it fails to start and as the service repeatedly tries to start, this error shows up in the log:
    [2018-08-20 19:07:06] !!! Error while creating queue #0: Error opening Queue handle: protocol not supported

    In full every time it tries to start these 3 lines show up in /var/log/opensnitchd.log
    [2018-08-20 19:07:20] IMP Starting opensnitch-daemon v1.0.0b
    [2018-08-20 19:07:20] INF Loading rules from /etc/opensnitchd/rules ...
    [2018-08-20 19:07:20] !!! Error while creating queue #0: Error opening Queue handle: protocol not supported

    Any ideas on how to fix this would be much appreciated.

    1. Hi. Did you enable and then start the systemd service, like in the article? Using:

      sudo systemctl enable opensnitchd
      sudo service opensnitchd start

      Are you trying to run it without systemd maybe?

    2. Hi Logix,

      Yes. It was at that point in the guide where I had the problem. I ran the following as root:
      service opensnitchd start

      I ran the gui as a normal user and the status shows "not running".

      I checked the log /var/log/opensnitchd.log and saw those entries I posted above. The service repeatedly attempts to start and prints those entries every time. I googled for that error and couldn't find anything for Opensnitch or anything even close.

      I tried rebooting and the service tries to start automatically but still generates those messages and the GUI still says "not running".

  3. Hi Logix,

    Yes, systemd is running.

    # ps aux|grep systemd | grep -v grep
    root 257 0.0 0.3 56432 5816 ? Ss Aug20 3:15 /lib/systemd/systemd-journald
    root 269 0.0 0.2 43704 3376 ? Ss Aug20 0:01 /lib/systemd/systemd-udevd
    systemd+ 320 0.0 0.2 127284 4124 ? Ssl Aug20 0:01 /lib/systemd/systemd-timesyncd
    message+ 360 0.0 0.2 45244 3984 ? Ss Aug20 5:38 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
    root 364 0.0 0.2 46472 4668 ? Ss Aug20 0:37 /lib/systemd/systemd-logind
    root 9383 0.1 0.3 56436 5956 ? Ss 16:17 0:00 /lib/systemd/systemd --user


    Any ideas? Anything you suggest I try?

    Thanks.

    1. I'm sorry, I have no idea what else to do. But I think it's a bug in the application itself, and not related to its installation, so try to submit a bug to its developer: https://github.com/evilsocket/opensnitch.

    2. OK. I will try that. Thank you again for the wonderful guide.

