How To Install OpenSnitch Application-Level Firewall In Ubuntu

OpenSnitch is a Linux port of the Little Snitch firewall application for macOS, and is currently considered beta software.

If you're looking for an application-level firewall for Linux that comes with a GUI, give OpenSnitch a try. This firewall software can monitor applications running on your system, blocking their Internet access until you allow or deny it.

Here's how OpenSnitch works. When an application tries to access the internet, it is initially blocked, and a dialog is displayed, asking you if you want to allow its connection once, for this session, or forever:

[Screenshot: OpenSnitch Linux Application Firewall]

You can also block its access by changing the first drop-down from Allow connections to Block connections, and selecting the duration in the same way (once, for this session, or forever).

As you can see from the screenshot above, the dialog provides several details, like the domain the application tries to connect to, the source and destination IP, or the process ID.

From its tray icon, you can access the OpenSnitch Network Statistics, which displays information about current processes, hosts, addresses, ports or users, as well as a general overview of your current connections:

[Screenshot: OpenSnitch Linux Application Firewall]

While the application comes with a Qt graphical user interface, it can also be used from the command line. For how to specify custom rules for OpenSnitch, see this page.

After allowing or denying an application to connect to the Internet, there's no GUI to change this in case you change your mind, at least for now. But you can reset a rule by deleting (or modifying) the rule file which you'll find in the /etc/opensnitchd/rules directory (after OpenSnitch is installed and runs once).
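
As an added example (not part of the original article or the OpenSnitch project), the Python script below summarises what each file in the rules directory does, so you can find the one to delete or edit. It assumes rule files are JSON objects named *.json with enabled, action, duration and operator (operand, data) fields; the rules in demo() are constructed samples.

```python
import json
import sys
import tempfile
from pathlib import Path

RULES_DIR = "/etc/opensnitchd/rules"  # rules directory named in the article

def load_rules(rules_dir):
    """Summarise every *.json rule file; unparsable files are reported, not skipped."""
    rules = []
    for path in sorted(Path(rules_dir).glob("*.json")):
        try:
            raw = json.loads(path.read_text(encoding="utf-8"))
            op = raw.get("operator") or {}
            rules.append({
                "file": path.name,
                "enabled": bool(raw.get("enabled")),
                "action": raw.get("action", "?"),      # assumed field: allow / deny
                "duration": raw.get("duration", "?"),  # assumed field: e.g. always
                "match": f"{op.get('operand', '?')}={op.get('data', '?')}",
            })
        except (OSError, ValueError, AttributeError) as exc:
            rules.append({"file": path.name, "error": str(exc)})
    return rules

def find_rules(rules, needle):
    """Rules whose file name or match target mentions needle (case-insensitive)."""
    needle = needle.lower()
    return [r for r in rules
            if needle in r["file"].lower() or needle in r.get("match", "").lower()]

def demo():
    """Run the audit over constructed sample rule files in a temporary directory."""
    samples = {
        "allow-simple-usr-bin-curl.json": {"enabled": True, "action": "allow", "duration": "always",
            "operator": {"type": "simple", "operand": "process.path", "data": "/usr/bin/curl"}},
        "deny-simple-tracker-example.json": {"enabled": True, "action": "deny", "duration": "always",
            "operator": {"type": "simple", "operand": "dest.host", "data": "tracker.example"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(json.dumps(body), encoding="utf-8")
        Path(tmp, "truncated.json").write_text('{"name": "half', encoding="utf-8")
        return load_rules(tmp)

if __name__ == "__main__":
    rules = load_rules(sys.argv[2] if len(sys.argv) > 2 else RULES_DIR)
    for r in (find_rules(rules, sys.argv[1]) if len(sys.argv) > 1 else rules):
        print(r)
```

Saved under a name of your choice (list_rules.py here is hypothetical), `python3 list_rules.py curl` prints only the rules that mention curl; run it with sudo if the rules directory is not readable by your user.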

OpenSnitch is still in beta, so it lacks some features. Right now, the OpenSnitch daemon only intercepts and manages outgoing connections, but support for incoming connections is planned.

OpenSnitch is not packaged for most Linux distributions (I couldn't find any packages for Debian / Ubuntu). To download the OpenSnitch source and see how to install it, check out this page.

The officially provided OpenSnitch installation instructions for Ubuntu are a bit incomplete, so I wrote a how-to myself below.

How to install OpenSnitch application-level firewall in Ubuntu


The guide below requires Ubuntu 17.10 or 18.04 (or newer). I didn't manage to build it in Ubuntu 16.04.


1. Make sure you have the backports repository enabled if you're not using the latest Ubuntu version (18.04), by going to Software & Updates and checking the Unsupported updates (backports) option on the Updates tab.

2. Go is needed for some packages, and for this whole procedure to work properly, some paths need to be added to your PATH. For this, run the commands below:

echo "export GOPATH=\$HOME/.go" >> ~/.bashrc
echo "export PATH=\$PATH:\$GOROOT/bin:\$GOPATH/bin:\$HOME/.local/bin:\$HOME/.bin" >> ~/.bashrc
source ~/.bashrc

3. Install the OpenSnitch dependencies:

sudo apt install golang-go python3-pip python3-setuptools protobuf-compiler libpcap-dev libnetfilter-queue-dev python-pyqt5 git

4. Start building OpenSnitch and its requirements:

go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
go get github.com/evilsocket/opensnitch
cd $GOPATH/src/github.com/evilsocket/opensnitch/daemon
make
sudo make install
cd ..
cd ui
pip3 install --user -r requirements.txt
sudo -H pip3 install .

I avoided running pip3 with sudo for the requirements installation, but sudo is required when installing OpenSnitch itself because it tries to install some files in system folders. Don't worry though, this won't mess with any permissions because it's just for OpenSnitch, and we're also using the -H option, which sets the HOME variable to the target user's home directory.

5. Add OpenSnitch to startup and start its services (you only need to run these commands once):

mkdir -p ~/.config/autostart
cp opensnitch_ui.desktop ~/.config/autostart/
sudo systemctl enable opensnitchd
sudo service opensnitchd start

How to remove OpenSnitch


To remove OpenSnitch from your Ubuntu system, use this guide. This is required because OpenSnitch was installed from source, and not by using a package.

Stop and disable the opensnitchd service:

sudo service opensnitchd stop
sudo systemctl disable opensnitchd

Remove installed OpenSnitch files:

rm ~/.config/autostart/opensnitch_ui.desktop
rm -rf ~/.go/src/github.com/evilsocket/opensnitch
sudo rm /usr/local/bin/opensnitch-ui
sudo rm /usr/local/bin/opensnitchd
sudo rm -r /etc/opensnitchd
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch_ui*
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch/
sudo rm /etc/systemd/system/opensnitchd.service
sudo rm /etc/systemd/system/multi-user.target.wants/opensnitchd.service
sudo rm /usr/share/applications/opensnitch_ui.desktop
sudo rm /usr/share/kservices5/kcm_opensnitch.desktop
