HN

Need help?
<- Back
LittleSnitch for Linux

LittleSnitch for Linux

pluc

Comments (161)

  • alhazrod
    I remember before Little Snitch there was ZoneAlarm for Windows[0] (here is a good screenshot[1]). No clue if the current version of ZoneAlarm does anything like that (have not used it in 2 decades). I always found it weird that Linux never really had anything like it.[0]: https://en.wikipedia.org/wiki/ZoneAlarm[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
  • cromka
    I know it sounds crazy at this point, but with popular YouTubers switching to Linux, gamers overall well-aware of Steam on Linux advantages and switching as well, plus popular software like LittleSnitch getting ported, 2026 can without irony be named as Year of Linux Desktop, right?
  • supernes
    Tried it on Fedora 43 (6.19.11 x86_64) and it loaded all CPU cores, dumped 50K lines in the journal and failed to start.> Error: the BPF_PROG_LOAD syscall returned Argument list too long (os error 7).> littlesnitch.service: Consumed 3min 38.832s CPU time, 13.7G memory peak.
  • cromka
    I'd like to point out it uses very little memory, barely 33MB here. That's impressive!
  • xrio
    Back when I was still using macOS I loved Little Snitch and was a paying customer. And I agree nothing on Linux comes close. Would it be technically feasible to also provide this as a Flatpak to support immutable distros like Bazzite?
  • Bromeo
    How does it compare to opensnitch? https://github.com/evilsocket/opensnitch
  • mathfailure
    Nice to have this as an extra option, but being a linux user I value openness of code. I am pretty content with opensnitch + opensnitch-ui.
  • microtonal
    Wow. I have used Little Snitch on Mac for years, love this!If anyone from obdev is reading, please give us a way to pay for it, even if it stays free :), I'd love to support development and would happily pay something between the price of Little Snitch and Little Snitch Mini.Anyway, thanks a lot!
  • dSebastien
    I've been using Simplewall on Windows for a while but I think it's not maintained anymore. Need to find an alternative
  • hubabuba44
    Congrats on the Linux port, this looks very nice.Shameless plug: for anyone who wants something fully open source and terminal-based, I maintain RustNet (https://github.com/domcyrus/rustnet). It's a bit different because it's a TUI for real-time connection monitoring with deep packet inspection, not a firewall. No blocking/rules, but it's cross-platform (Linux/macOS/Windows), the entire codebase is open, and it sandboxes itself after init via Landlock with capability dropping.
  • Cider9986
    This has the author's blog post on it https://obdev.at/blog/little-snitch-for-linux/
  • Tepix
    > One thing to be aware of: the .lsrules format from Little Snitch on macOS is not compatible with the Linux version.Why?
  • parhamn
    Okay hear me out, I use little snitch for a while. Great product. Love finding out what phones where. I make every single request (except my browser, because I'm fine with their sandbox) block until I approve.Recently I was wondering how you really have to trust something like little snitch given its a full kernel extension effectively able to MITM your whole network stack.So I went digging (and asked some agents to deep research), and I couldn't find much interesting about the company or its leadership at all.All a long way to say, anyone know anything about this company?
  • tankenmate
    I'm so surprised that so few people have heard of Portmaster, it's been around for years and runs on Linux (and Windows if you must). And if you don't need traffic history it's free.
  • TheTaytay
    I’ve been researching the “best” way to build a little outbound network proxy to replace credential placeholders with the real secrets. Since this is designed to secure agents workloads, I figured I might as well add some domain blocking, and other outbound network controls, so I’ve been looking for Little-snitch-like apps to build on. I’ve been surprised to find that there aren’t a ton of open source “filter and potentially block all outbound connections according to rules”. This seems like the sort of thing that would be in a lot of Linux admins’ toolkit, but I guess not! I appreciate these guys building and releasing this.
  • Avicebron
    Probably should throw it out there that I'm building something inspired by littleSnitch for windows. Currently a bit stealthy about it. But when I crowd source the funding for a code signing cert I'll get it out there. Lots of inspiration from LittleSnitch, in spirit if not actual code.
  • xn--yt9h
    Giving it a shot right now. Very easy setup, intuitive UI, but a lot of requests' processes are not identified (while they could easily be identified, as they belong to the browser that has some, but less, identified calls)
  • wolvoleo
    Ohhh interesting. Little snitch is one of 2 apps I miss from when the Mac was my daily driver. The other app was pixelmator
  • mostlysimilar
    Incredible. LittleSnitch is must-have for macOS and trying to get equivalent functionality on Linux was painful. So very happy to see this, and very happy to give the developers at Objective Development my money.
  • adrianwaj
    There was a similar Show HN from 3 weeks ago. https://news.ycombinator.com/item?id=47387443 (open source too) - and there is a live window from all the machines in the swarm. https://dialtoneapp.com/explore - but only 2 so far. Maybe LittleSnitch can generate more data than this? Could end up an immune system for bad actors.Anything new to get much better performance from low-spec machines that is idiot-proof is a game-changer.
  • sersi
    > For keeping tabs on what your software is up to and blocking legitimate software from phoning home, Little Snitch for Linux works well. For hardening a system against a determined adversary, it's not the right tool.What would be the right tool to harden in a similar way to little snitch on mac? Meaning intercepting any connection and whitelisting them reliably.
  • wodenokoto
    Honestly I think it is odd such a tool isnøt considered as standard to an OS as a process manager.Anyway, this one looks great. I hope Linux distros will incorporate this or similar into the network widgets.
  • hackingonempty
    LittleSnitch doesn't tattle on itself phoning home.
  • winrid
    Related - I'm working on launching Watch.ly[0] (human-in-the-loop for remotely approving network and file system access for agents) in the next week or so. It works similarly, via eBPF (although we can also fall back to NFQUEUE). Supporting 5.x+ linux kernels[1], osx, and windows.Did not know about LittleSnitch, will definitely check it out.[0] https://watch.ly/[1] https://app.watch.ly/status/
  • anon
    undefined
  • alsetmusic
    Congrats to Linux users on getting a great tool from a quality development shop. Objective Development is one of our (Mac users) exemplars for attention to detail and fit & finish.Congrats to Objective Development for expanding their well-loved tool to a new platform. You guys rock.
  • 0xbadcafebee
    > Compatible with Linux kernel 6.12 or higherI know everyone today is used to upgrading every 5 seconds, but some of us are stuck on old software. For example, my Linux machine keeps rebooting and sucks up power in suspend mode because of buggy drivers in 6.12+, so I'm stuck on 6.8. (which is extra annoying because I bought this laptop for its Linux hardware support...)
  • eviks
    Does it leak your IP like the Mac version?https://news.ycombinator.com/item?id=35363343> Little Snitch for Linux is not a security tool.Maybe not?> Its focus is privacy:Or maybe yes?
  • mrbluecoat
    > The macOS version uses deep packet inspection to do this more reliably. That's not an option here.Isn't MacOS just *nix under the hood? Genuinely curious about this difference.
  • badc0ffee
    Does anyone know how the blocking functionality works? I worked on some eBPF code a few years ago (when BTF/CO-RE was new), and while it was powerful, you couldn't just write to memory, or make function calls in the kernel.Is there a userland component that's using something like iptables? (Can iptables block traffic originating from/destined to a specific process nowadays?)
  • Dig1t
    >The daemon (littlesnitch --daemon) is proprietary, but free to use and redistribute.Worth noting that it is closed source. Would be worth contributing patches to OpenSnitch to bring it up to parity with Little Snitch.https://github.com/evilsocket/opensnitch
  • txrx0000
    As articulated in the author's own blog post:https://obdev.at/blog/little-snitch-for-linux/The core issue is simple and uncomfortable: through automatic updates, a vendor can run any code, with any privileges, on your machine, at any time.-----If the author is serious about this, then they should make their own program completely open source, and make builds bit-for-bit reproducible.For all I know, the proprietary Little Snitch daemon, or even the binaries they're distributing for the open source components, contain backdoors that can be remotely activated to run any code, with any privileges, on your machine, at any time.
  • flexagoon
    Also see Safing Port master:https://safing.io/
  • clomia
    good
  • SamuelAdams
    So if this is free to use on linux, what is to stop someone from doing what Colima did to Docker? Aka make a tiny Linux VM on MacOS and package Little Snitch within that?
  • FloatArtifact
    I wish applications like this could coordinate with upstream firewall like opnsense
  • imagetic
    Dope.
  • rvz
    Also from [0].> You can find Little Snitch for Linux here. It is free, and it will stay that way.Don't worry, the authors know that there's no point in charging Linux users. Unlike Mac users.So you might as well make it $0 and the (Linux) crowd goes wild that they don't need to pay a cent.However...> I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.OpenSnitch is open source. You don't need to trust it as you can see the code yourself. Little Snitch on the other hand, is completely closed source.Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?[0] https://obdev.at/blog/little-snitch-for-linux/
  • chris_wot
    Can someone elaborate on the limitations bit?"Little Snitch for Linux is built for privacy, not security, and that distinction matters. The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. That's not an option here."Is this a limitation of the eBPF implementation? Pardon my ignorance, I'm genuinely curious about this.
  • LoganDark
    Yess, the return of the actually good landing page for the technically-minded. Now all they need to do is roll back the macOS one that looks and reads like it was designed by a marketing agency that knows nothing about computers (or even Little Snitch itself).
  • computing
    doesn't work on arch (btw)
  • waterTanuki
    Why would one use this over PiHole?
  • gauravkashyap6
    [dead]
  • VladVladikoff
    Really like Lulu as an alternative to LittleSnitch https://objective-see.org/products/lulu.html
  • sneak
    It’s not really necessary on Linux. Linux systems work without 40 invisible background services phoning home to the mothership to leak your hardware identifiers for FAA702 collection.
  • serious_angel
    > The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. > And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. > That's not an option here. > > Source: https://web.archive.org/web/20260409002901/https://obdev.at/products/littlesnitch-linux/index.html The above feels like an utter AI slop nonsense, sorry. I believe eBPF, the Linux Kernel feature, is absolutely capable for accuracy and perfect processing of network traffic.Have you ever checked Calico or Cilium, or at least, Oryx?
  • shawnta
    Great website features, exactly what I needed, thank you.