
OpenSnitch


OS: Linux
Size: 10 MB
Version: v1.7.1
Downloads: 2078

OpenSnitch — Outbound Awareness for Linux That Doesn’t Guess

Most firewalls protect from the outside. OpenSnitch watches the inside. It tracks what’s leaving the system — which binary, which process, where it’s trying to connect — and asks whether that should be happening in the first place.

Inspired by Little Snitch on macOS, OpenSnitch brings the same kind of per-process network control to Linux, with fewer dialogs, more logging, and full transparency. It hooks into the kernel's packet path, watches outbound connections in real time, and lets admins decide what flies and what gets dropped.

It doesn’t just block ports. It blocks behavior.

What It Sees (and Stops)

Layer | What It Watches
Process-Level Connections | Which binary is making the call, not just the PID or user.
Destination Awareness | IP, port, protocol, FQDN; all logged, all matchable in rules.
User-Based Policies | Separate rules per user, or global blocks; flexible by design.
Interactive Prompts (Optional) | Ask once, allow forever, or deny on the fly; the decision gets logged either way.
Rule Matching by Pattern | Block all outbound to certain ports, or just one tool’s access to DNS.
Full Audit Logging | See every attempt, allowed or blocked, searchable for later review.
JSON-based Rulesets | One JSON file per rule: portable, editable, version-controllable.
Netfilter Interception, eBPF Attribution | Outbound packets are queued to the daemon via Netfilter (nfqueue, with iptables or nftables); the owning process is resolved with eBPF, or /proc as the fallback. Lightweight, and sits between userland and the network stack.

Where It Belongs

OpenSnitch makes the most sense in setups where:
– Applications shouldn’t be phoning home without permission.
– Workstations are handling sensitive data or development builds.
– Egress traffic matters just as much as inbound security.
– Packet inspection isn’t enough — attribution to process is required.
– There’s a need to know what tool leaked that outbound request at 03:00.

It’s especially useful on dev machines, security-focused endpoints, or personal systems used in operational environments.

Getting It Running (Fast, If You Know What You’re Doing)

1. Install from Repo or Build from Source
   Some distros package it; others need the release .deb/.rpm or a source build. Python (Qt) UI, Go daemon. Nothing too strange.

2. Run the Daemon as Root
   The opensnitchd system service holds the rules and makes the decisions. It intercepts outbound packets with Netfilter (nfqueue) and attributes each one to a process via eBPF or /proc.

3. Start the UI (Optional)
   The Qt interface shows real-time prompts and history. CLI-only deployments are possible too, but with no UI connected, connections that match no rule get the daemon’s configured default action, so set that deliberately.

4. Decide How It Should Behave
   Interactive prompts, silent logging, or predefined policies: all customizable. Per user, per group, per system.

5. Write or Import Rules
   One JSON file per rule under the daemon’s rules directory, editable with a text editor or created from UI prompts.

6. Let It Watch
   Once deployed, it just runs. Alerts on new behavior. Learns nothing unless told to.
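As a worked example for the JSON rules (step 5) and the pattern matching described in the table above, here is a small Python evaluator. It is added here and is not code from the OpenSnitch project (opensnitchd does this in Go); it is a simplified re-implementation of the rule semantics so the on-disk format can be studied offline. The three rules and the connection records are constructed for the example; the operand names and the simple/regexp/network/list operator types follow the daemon’s rule format, and the ordering mirrors its documented behavior of precedence rules first, then alphabetical by name. The first rule is exactly the table’s “block one tool’s access to DNS” case.

```python
"""Evaluate OpenSnitch-style JSON rules against connection records.

Added example, not code from the OpenSnitch project: a simplified
re-implementation of the rule semantics (opensnitchd does this in Go)
so the on-disk rule format can be studied and tested offline.
"""
import json
import re
from ipaddress import ip_address, ip_network
from pathlib import Path

# Constructed rules in the layout opensnitchd reads from
# /etc/opensnitchd/rules/<name>.json (one rule per file; real files also
# carry "created"/"updated" timestamps, omitted here). A "list" operator
# ANDs its sub-conditions; "sensitive" means case-sensitive matching.
RULES = [json.loads(text) for text in (
    """{
      "name": "000-deny-curl-dns", "enabled": true, "precedence": true,
      "action": "deny", "duration": "always",
      "operator": {"type": "list", "operand": "list", "sensitive": false, "data": "",
        "list": [
          {"type": "simple", "operand": "process.path", "sensitive": false, "data": "/usr/bin/curl"},
          {"type": "simple", "operand": "dest.port",    "sensitive": false, "data": "53"}
        ]}
    }""",
    """{
      "name": "100-allow-lan", "enabled": true, "precedence": false,
      "action": "allow", "duration": "always",
      "operator": {"type": "network", "operand": "dest.network", "sensitive": false,
                   "data": "192.168.0.0/16"}
    }""",
    """{
      "name": "200-deny-python", "enabled": true, "precedence": false,
      "action": "deny", "duration": "always",
      "operator": {"type": "regexp", "operand": "process.path", "sensitive": false,
                   "data": "^/usr/bin/python3"}
    }""",
)]


def connection(path, dest_ip, dest_port, proto="tcp", host="", uid=1000):
    """Constructed connection record keyed by OpenSnitch operand names."""
    return {"process.path": path, "dest.ip": dest_ip, "dest.host": host,
            "dest.port": dest_port, "protocol": proto, "user.id": uid}


def operator_matches(op, conn):
    """True if one operator (simple, regexp, network, or list) matches conn."""
    kind = op["type"]
    if kind == "list":                      # every sub-condition must hold
        return all(operator_matches(sub, conn) for sub in op["list"])
    if kind == "network":                   # CIDR membership test on dest.ip
        return ip_address(conn["dest.ip"]) in ip_network(op["data"], strict=False)
    value = str(conn.get(op["operand"], ""))
    if kind == "simple":
        if op.get("sensitive"):
            return value == op["data"]
        return value.lower() == op["data"].lower()
    if kind == "regexp":
        flags = 0 if op.get("sensitive") else re.IGNORECASE
        return re.search(op["data"], value, flags) is not None
    raise ValueError(f"unsupported operator type {kind!r}")


def decide(rules, conn, default_action="allow"):
    """Return (action, rule_name) for the first matching rule.

    Rules flagged "precedence": true are checked before the rest; within
    each group evaluation is by name order, hence the numeric prefixes.
    Unmatched connections get default_action (opensnitchd's DefaultAction).
    """
    ordered = sorted((r for r in rules if r.get("enabled", True)),
                     key=lambda r: (not r.get("precedence", False), r["name"]))
    for rule in ordered:
        if operator_matches(rule["operator"], conn):
            return rule["action"], rule["name"]
    return default_action, None


def load_rules_dir(directory):
    """Load every *.json rule from a rules directory such as /etc/opensnitchd/rules."""
    return [json.loads(p.read_text()) for p in sorted(Path(directory).glob("*.json"))]


if __name__ == "__main__":
    samples = {
        "curl -> DNS": connection("/usr/bin/curl", "1.1.1.1", 53, "udp"),
        "curl -> HTTPS": connection("/usr/bin/curl", "198.51.100.7", 443),
        "python3 -> LAN": connection("/usr/bin/python3.11", "192.168.1.20", 8080),
        "python3 -> Internet": connection("/usr/bin/python3.11", "203.0.113.9", 443),
    }
    for label, conn in samples.items():
        action, name = decide(RULES, conn)
        print(f"{label:20} {action:5} ({name or 'default action'})")
```

Two things the sample set is built to show: the “python3 -> LAN” connection matches both the allow-LAN and the deny-python rules, and the allow wins only because “100-allow-lan” sorts before “200-deny-python”, so name prefixes are policy, not decoration; and “curl -> HTTPS” matches nothing at all, which is where the daemon’s default action (the DefaultAction key in its config) silently decides. Point load_rules_dir at a copy of a live rules directory to check what an existing ruleset would do with a connection before trusting it.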

Final Word

OpenSnitch isn’t designed to replace a perimeter firewall or manage a fleet. But for single-node visibility — for knowing which process just reached out to an IP that never should’ve been touched — it’s one of the cleanest, quietest solutions around.

It won’t solve outbound policy for a whole org. But for the machine it runs on, it sees what matters. And it remembers.
