OpenSnitch: a simple application firewall for GNU/Linux
OpenSnitch is an application firewall with a simple graphical interface that lets you easily accept or deny the network connections of any program.
Installation
OpenSnitch consists of two “parts”: the daemon (the service that runs in the background) and the GUI (the graphical application). Check https://github.com/evilsocket/opensnitch/releases for instructions to download and install the DEB/RPM packages for the daemon and the GUI.
# Ubuntu
sudo apt install opensnitch*.deb python3-opensnitch-ui*.deb
OpenSnitch is also available in the AUR (Arch Linux); in this case, the daemon and the GUI are merged into one package.
After installing, ensure the daemon is running: start and enable opensnitch.service.
# systemd
sudo systemctl enable --now opensnitch.service
Note if there is no systemd service installed
On some systems (e.g. Arch Linux), you may need to run opensnitchd yourself to start the daemon. Before that, create a folder named ‘rules’: OpenSnitch saves your permanent rules there. To run the daemon in the background, detached from the terminal, first run opensnitchd with root permissions:
sudo opensnitchd -rules-path <folder path> &
- If you don’t add -rules-path <folder path> (e.g. -rules-path /home/user/rules), opensnitchd will look for the rules folder in your working directory.
- The daemon runs as root and enforces whatever rule files it finds in that folder, so the folder should be owned by root and not writable by other users; otherwise any local user could drop an “allow” rule for their own programs there.
After that, run jobs to find the job number of the process (the number between square brackets) and use disown to detach the “job” from the terminal:
$ jobs
[1]+ Running sudo opensnitchd &
$ disown %1
To run opensnitchd as a systemd service, you can create a simple .service file (e.g. opensnitchd.service) in /etc/systemd/system with this content. Replace the rules folder path with yours, and use the absolute path of the binary (the one command -v opensnitchd prints), since older systemd versions reject a bare command name in ExecStart:
[Unit]
Description=Start opensnitchd
[Service]
ExecStart=/usr/bin/opensnitchd -rules-path /home/user/rules
[Install]
WantedBy=multi-user.target
Then run systemctl daemon-reload (as root/with sudo) so systemd picks up the new unit, and start (and enable) the service:
sudo systemctl enable --now opensnitchd.service
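The manual setup above (rules folder, then a unit file that starts the daemon) as one script. This is an added example, not code from the OpenSnitch project or this tutorial: it creates the rules folder with owner-only permissions, refuses a non-absolute binary path, and writes the unit. The paths /usr/bin/opensnitchd and /etc/opensnitchd/rules are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not code from the OpenSnitch project: prepare a restricted
# rules directory and write a systemd unit that starts opensnitchd with an
# absolute binary path. All paths are assumptions; pass your own.
set -eu

# setup_rules_dir DIR
# Creates DIR if needed and restricts it to its owner (mode 0700), then checks
# the result. opensnitchd runs as root and enforces every rule file in DIR, so
# a group- or world-writable DIR would let other users add their own rules.
setup_rules_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    [ "$(stat -c '%a' "$dir")" = "700" ] || {
        echo "could not restrict $dir" >&2
        return 1
    }
}

# write_unit BIN RULES_DIR OUT
# Writes a unit file to OUT that runs BIN with -rules-path RULES_DIR.
# BIN must be an absolute, executable path (what `command -v opensnitchd`
# prints); older systemd versions reject a bare name in ExecStart.
# After=, Restart= and RestartSec= are additions to the tutorial's minimal unit.
write_unit() {
    bin="$1" rules="$2" out="$3"
    case "$bin" in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    [ -d "$rules" ] || { echo "rules directory missing: $rules" >&2; return 1; }
    cat > "$out" <<EOF
[Unit]
Description=Start opensnitchd
After=network.target

[Service]
ExecStart=$bin -rules-path $rules
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (as root): sh setup-opensnitchd.sh BIN RULES_DIR UNIT_PATH
# e.g. sh setup-opensnitchd.sh /usr/bin/opensnitchd /etc/opensnitchd/rules \
#        /etc/systemd/system/opensnitchd.service
if [ "$#" -eq 3 ]; then
    setup_rules_dir "$2"
    write_unit "$1" "$2" "$3"
    echo "wrote $3; now run: systemctl daemon-reload && systemctl enable --now $(basename "$3")"
fi
```

The script only writes the unit; reloading systemd and enabling the service are left to the final printed command so you can inspect the file first.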
Usage
First steps
Now you can start the graphical application (select OpenSnitch in the Program Menu and click on the taskbar icon if it starts minimized). If everything is working properly, you’ll see “Status Running” on the top-right. If it shows “Status -“, the daemon has not been started.
The first time you start the GUI, you’ll see some pop-ups alerting you that an application wants to establish a network connection. You can allow or deny all of the application’s requests, or only the specific IP, hostname, port, etc. (open the dropdown menu on the pop-up to select your choice). You can also select the rule duration (until next reboot, always, only once, etc.). After the selection, a new rule will be created.
You can edit the rules in the Rules section (right-click on the rule). You can also disable, duplicate or delete them.
App sections
The OpenSnitch main window has several tabs or sections: events (to see every connection request), nodes, rules, hosts, applications, addresses (IPs), ports and users, so you can easily see and filter the network connections.
On the “Status” row there are some icons: to save the current section’s content to a CSV file, to open the OpenSnitch global settings, and to create a rule. On the top-right you can also disable or re-enable OpenSnitch.
Custom rules
If you need to create a custom rule, click on the icon with a document and a “plus” symbol.
Just like in the pop-up window, you can select the rule action, its duration, and what you want to filter (an executable, a hostname, a port, etc.).
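Rules created in the pop-up or in this dialog end up as JSON files in the daemon’s rules folder, so a permanent rule can also be written there directly (useful on a headless box). The script below is an added example, not code from the OpenSnitch project or this tutorial. Its JSON layout is an assumption taken from OpenSnitch 1.x rule files; compare it with a rule the GUI saved before relying on it, and use your own rules folder path instead of the assumed /etc/opensnitchd/rules.

```shell
#!/bin/sh
# Added example, not code from the OpenSnitch project: write a permanent rule
# file into the opensnitchd rules directory. The JSON layout is an assumption
# taken from OpenSnitch 1.x rule files; compare with a rule saved by the GUI.
set -eu

# write_rule DIR NAME ACTION OPERAND DATA
#   ACTION  : allow | deny
#   OPERAND : process.path | dest.host | dest.ip | dest.port | user.id
#   DATA    : exact value to match (the "simple" operator type)
# Creates DIR/NAME.json as a permanent ("always") rule, readable only by its
# owner, and prints the path. Check the Rules tab of the GUI afterwards and
# restart the daemon if the rule does not show up.
write_rule() {
    dir="$1" name="$2" action="$3" operand="$4" data="$5"
    case "$action" in
        allow|deny) ;;
        *) echo "action must be allow or deny: $action" >&2; return 1 ;;
    esac
    case "$operand" in
        process.path|dest.host|dest.ip|dest.port|user.id) ;;
        *) echo "unsupported operand: $operand" >&2; return 1 ;;
    esac
    # The name becomes a file name and a JSON string: allow a safe subset.
    case "$name" in
        ""|*[!A-Za-z0-9._-]*) echo "bad rule name: $name" >&2; return 1 ;;
    esac
    # A quote or backslash in DATA would break the JSON; refuse them.
    case "$data" in
        *'"'*|*'\'*) echo "unsupported characters in data: $data" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "rules directory missing: $dir" >&2; return 1; }
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    file="$dir/$name.json"
    # umask in a subshell so the file is created 0600 without changing the caller.
    (umask 077; cat > "$file" <<EOF
{
  "created": "$now",
  "updated": "$now",
  "name": "$name",
  "enabled": true,
  "precedence": false,
  "action": "$action",
  "duration": "always",
  "operator": {
    "type": "simple",
    "operand": "$operand",
    "sensitive": false,
    "data": "$data",
    "list": []
  }
}
EOF
    )
    printf '%s\n' "$file"
}

# Usage (as root, against the real rules directory, assumed /etc/opensnitchd/rules):
#   sh write-rule.sh /etc/opensnitchd/rules deny-always-usr-bin-nc deny process.path /usr/bin/nc
#   sh write-rule.sh /etc/opensnitchd/rules deny-always-dest-port-23 deny dest.port 23
if [ "$#" -eq 5 ]; then
    write_rule "$@"
fi
```

The name, action, operand and data checks matter because the file is parsed by a root daemon: a stray quote in the data field would at best make the rule unloadable and at worst change its meaning.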
Global settings
Click on the second icon on the top toolbar (the settings icon) to edit OpenSnitch global settings.
If you have any suggestion, feel free to contact me via social media or email.