How To Install OpenSnitch Application-Level Firewall In Ubuntu

OpenSnitch is a Linux port of the Little Snitch firewall application for MacOS, currently considered beta software.

[[Later edit]] the original OpenSnitch was abandoned. There's a fork with improvements and bug fixes that's currently in development, so I suggest using the fork instead of the unmaintained project. See this article for details.

If you're looking for an application-level firewall for Linux that comes with a GUI, give OpenSnitch a try. This firewall software can monitor applications running on your system, blocking their Internet access until you allow or deny it.

Here's how OpenSnitch works. When an application tries to access the internet, it is initially blocked, and a dialog is displayed, asking you if you want to allow its connection once, this session, or forever:

OpenSnitch Linux Application FIrewall

You can also block its access by changing the first drop-down from Allow connections to Block connections, and select the duration in the same way (once, for this session, or forever).

As you can see from the screenshot above, multiple information is provided, like the domain the application tries to connect to, the source and destination IP, or the process ID.

From its tray icon, you can access the OpenSnitch Network Statistics, which displays information about current processes, hosts, addresses, ports or users, as well as a general overview of your current connections:

OpenSnitch Linux Application FIrewall

While the application comes with a Qt graphical user interface, it can also be used from the command line. For how to specify custom rules for OpenSnitch, see this page.

After allowing or denying an application to connect to the Internet, there's no GUI to change this in case you change your mind, at least for now. But you can reset a rule by deleting (or modifying) the rule file which you'll find in the /etc/opensnitchd/rules directory (after OpenSnitch is installed and runs once).

OpenSnitch is still in beta, so it lacks some features. Right now, the OpenSnitch daemon only intercepts and manages outgoing connections, but support for incoming connections is planned.

OpenSnitch is not packaged for most Linux distributions (I couldn't find any packages for Debian / Ubuntu / Linux Mint). To download the OpenSnitch source and see how to install it, check out this page.

The officially provided OpenSnitch installation instructions for Ubuntu are a bit incomplete, so I wrote a how-to myself below.

How to install OpenSnitch application-level firewall in Ubuntu or Linux Mint

The guide below requires Ubuntu 18.04, 18.10, 19.04, or 19.04 (or newer). I didn't manage to build it in Ubuntu 16.04. These steps should also work on Linux Mint 19.*, elementary OS Juno, Pop!_OS 18.04 and newer, and other Linux distributions based on Ubuntu 18.04 and newer.

1. Go is needed for some packages, and for this whole procedure to work properly, some paths need to be added to your PATH. For this, run the commands below:

echo "export GOPATH=\$HOME/.go" >> ~/.bashrc
echo "export PATH=\$PATH:\$GOROOT/bin:\$GOPATH/bin:\$HOME/.local/bin:\$HOME/.bin" >> ~/.bashrc
. ~/.bashrc

2. Install the OpenSnitch dependencies:

sudo apt install golang-go python3-pip python3-setuptools python3-slugify protobuf-compiler libpcap-dev libnetfilter-queue-dev python-pyqt5 pyqt5-dev pyqt5-dev-tools git

3. Start building OpenSnitch and its requirements:

go get
go get -u
cd $GOPATH/src/
export PATH=$PATH:$GOPATH/bin
python3 -m pip install --user grpcio-tools
go get
cd $GOPATH/src/
sudo -H make install

When running the go get command, you may get an error saying that no Go files were found (can't load package: package no Go files in...). Ignore this message, and continue with the rest of the steps.

The last command above uses -H because some PIP commands are ran by the install file, and the -H option sets the HOME variable to target user's home dir, so it doesn't messes with some permissions.

4. Add OpenSnitch to startup and start its services (you only need to run these commands once):

mkdir -p ~/.config/autostart
cd ui
cp opensnitch_ui.desktop ~/.config/autostart/
sudo systemctl enable opensnitchd
sudo service opensnitchd start

How to remove OpenSnitch

To remove OpenSnitch from your Ubuntu / Linux Mint system, use this guide. This is required because OpenSnitch was installed from source, and not by using a package.

Stop and disable the opensnitchd service:

sudo service opensnitchd stop
sudo systemctl disable opensnitchd

Remove installed OpenSnitch files:

rm ~/.config/autostart/opensnitch_ui.desktop
rm -rf ~/.go/src/
sudo rm /usr/local/bin/opensnitch-ui
sudo rm /usr/local/bin/opensnitchd
sudo rm -r /etc/opensnitchd
sudo rm -r /usr/local/lib/python3.*/dist-packages/opensnitch_ui*
sudo rm -r /usr/local/lib/python3.*/dist-packages/opensnitch/
sudo rm /etc/systemd/system/opensnitchd.service
sudo rm /etc/systemd/system/
sudo rm /usr/share/applications/opensnitch_ui.desktop
sudo rm /usr/share/kservices5/kcm_opensnitch.desktop