How To Install OpenSnitch Application-Level Firewall In Ubuntu

OpenSnitch is a Linux port of the Little Snitch firewall application for macOS, currently considered beta software.

If you're looking for an application-level firewall for Linux that comes with a GUI, give OpenSnitch a try. This firewall software can monitor applications running on your system, blocking their Internet access until you allow or deny it.

Here's how OpenSnitch works. When an application tries to access the internet, it is initially blocked, and a dialog is displayed, asking you if you want to allow its connection once, this session, or forever:

[Screenshot: OpenSnitch Linux Application Firewall]

You can also block its access by changing the first drop-down from Allow connections to Block connections, and selecting the duration in the same way (once, for this session, or forever).

As you can see from the screenshot above, the dialog shows several details, like the domain the application tries to connect to, the source and destination IP, or the process ID.

From its tray icon, you can access the OpenSnitch Network Statistics, which displays information about current processes, hosts, addresses, ports or users, as well as a general overview of your current connections:

[Screenshot: OpenSnitch Linux Application Firewall]

While the application comes with a Qt graphical user interface, it can also be used from the command line. For how to specify custom rules for OpenSnitch, see this page.

After allowing or denying an application to connect to the Internet, there's no GUI to change this in case you change your mind, at least for now. But you can reset a rule by deleting (or modifying) the rule file which you'll find in the /etc/opensnitchd/rules directory (after OpenSnitch is installed and runs once).
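Since there is no GUI for reviewing saved decisions, here is an added example (not from the original article or the OpenSnitch project) that lists the rules which permanently allow traffic, so you know which files to delete or edit. It assumes each rule file is JSON with enabled, action, duration and operator (operand/data) fields and that "forever" is stored as the duration "always"; the sample rules in demo() are constructed.

```python
import json
import tempfile
from pathlib import Path

RULES_DIR = Path("/etc/opensnitchd/rules")  # directory named in the article

def load_rules(rules_dir):
    """Parse every *.json rule file; return (rules, unreadable_file_names)."""
    rules, bad = [], []
    for path in sorted(Path(rules_dir).glob("*.json")):
        try:
            rule = json.loads(path.read_text())
            op = rule.get("operator", {})  # assumed layout: operand + data
            rules.append({
                "file": path.name,
                "enabled": rule.get("enabled", True),
                "action": rule.get("action", "?"),
                "duration": rule.get("duration", "?"),
                "match": f'{op.get("operand", "?")} = {op.get("data", "?")}',
            })
        except (OSError, ValueError, AttributeError):
            bad.append(path.name)  # unreadable, invalid JSON, or wrong shape
    return rules, bad

def permanent_allows(rules):
    """Enabled rules that allow traffic forever: the ones worth re-reviewing."""
    return [r for r in rules
            if r["enabled"] and r["action"] == "allow" and r["duration"] == "always"]

def demo():
    """Audit constructed sample rules written to a temporary directory."""
    def rule(action, operand, data):
        return {"enabled": True, "action": action, "duration": "always",
                "operator": {"type": "simple", "operand": operand, "data": data}}
    sample = {"allow-curl.json": rule("allow", "process.path", "/usr/bin/curl"),
              "deny-tracker.json": rule("deny", "dest.host", "tracker.example")}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in sample.items():
            (Path(tmp) / name).write_text(json.dumps(body))
        (Path(tmp) / "broken.json").write_text("{not json")
        rules, bad = load_rules(tmp)
    return permanent_allows(rules), bad

if __name__ == "__main__":
    rules, bad = load_rules(RULES_DIR)  # may need root to read the files
    for r in permanent_allows(rules):
        print(f'{r["file"]}: {r["match"]}')
    for name in bad:
        print(f"could not parse rule file: {name}")
```

Rule files that fail to parse are reported rather than skipped silently, so a hand-edited rule with a syntax error does not go unnoticed.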

OpenSnitch is still in beta, so it lacks some features. Right now, the OpenSnitch daemon only intercepts and manages outgoing connections, but support for incoming connections is planned.

OpenSnitch is not packaged for most Linux distributions (I couldn't find any packages for Debian / Ubuntu). To download the OpenSnitch source and see how to install it, check out this page.

The officially provided OpenSnitch installation instructions for Ubuntu are a bit incomplete, so I wrote a how-to myself below.

How to install OpenSnitch application-level firewall in Ubuntu


The guide below requires Ubuntu 17.10 or 18.04 (or newer). I didn't manage to build it in Ubuntu 16.04.


1. Make sure you have the backports repository enabled if you're not using the latest Ubuntu version (18.04), by going to Software & Updates and checking the Unsupported updates (backports) option on the Updates tab.

2. Go is needed for some packages, and for this whole procedure to work properly, some paths need to be added to your PATH. For this, run the commands below:

echo "export GOPATH=\$HOME/.go" >> ~/.bashrc
echo "export PATH=\$PATH:\$GOROOT/bin:\$GOPATH/bin:\$HOME/.local/bin:\$HOME/.bin" >> ~/.bashrc
source ~/.bashrc

3. Install the OpenSnitch dependencies:

sudo apt install golang-go python3-pip python3-setuptools python3-slugify protobuf-compiler libpcap-dev libnetfilter-queue-dev python-pyqt5 pyqt5-dev pyqt5-dev-tools git

4. Start building OpenSnitch and its requirements:

go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
pip3 install --user grpcio-tools
go get github.com/evilsocket/opensnitch
cd $GOPATH/src/github.com/evilsocket/opensnitch
make
sudo -H make install

The last command above uses -H because the install file runs some pip commands, and the -H option sets the HOME variable to the target user's home directory, so it doesn't mess with some permissions.

5. Add OpenSnitch to startup and start its services (you only need to run these commands once):

mkdir -p ~/.config/autostart
cd ui
cp opensnitch_ui.desktop ~/.config/autostart/
sudo systemctl enable opensnitchd
sudo service opensnitchd start

How to remove OpenSnitch


To remove OpenSnitch from your Ubuntu system, use this guide. This is required because OpenSnitch was installed from source, and not by using a package.

Stop and disable the opensnitchd service:

sudo service opensnitchd stop
sudo systemctl disable opensnitchd

Remove installed OpenSnitch files:

rm ~/.config/autostart/opensnitch_ui.desktop
rm -rf ~/.go/src/github.com/evilsocket/opensnitch
sudo rm /usr/local/bin/opensnitch-ui
sudo rm /usr/local/bin/opensnitchd
sudo rm -r /etc/opensnitchd
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch_ui*
sudo rm -r /usr/local/lib/python3.6/dist-packages/opensnitch/
sudo rm /etc/systemd/system/opensnitchd.service
sudo rm /etc/systemd/system/multi-user.target.wants/opensnitchd.service
sudo rm /usr/share/applications/opensnitch_ui.desktop
sudo rm /usr/share/kservices5/kcm_opensnitch.desktop

2 comments:

  1. Hi there,

    Unfortunately it gives several messages when trying this line:

    go get -u github.com/golang/dep/cmd/dep

    undefined: sort.SliceStable

    1. What Ubuntu version are you using? That error gives me the impression that your system has an old Go version and that's what's causing it. That's why I noted in the article that this guide requires Ubuntu 17.10 or 18.04 (or newer). In fact if I remember correctly even if updating Go to a newer version, there were still some issues in older Ubuntu versions.
