OpenSnitch: a simple application firewall for GNU/Linux
OpenSnitch is an application firewall with a simple graphical interface that lets you easily accept or deny network connections from any program.
OpenSnitch consists of two “parts”: the daemon (the service that runs in the background) and the GUI (the graphical application). Check https://github.com/evilsocket/opensnitch/releases for instructions to download and install the DEB/RPM packages for the daemon and the GUI.
```
# Ubuntu
sudo apt install opensnitch*.deb python3-opensnitch-ui*.deb
```
OpenSnitch is also available on AUR (Arch Linux): in this case, both the daemon and GUI are merged in one package.
After installing, make sure the daemon is running: start and enable it.
```
# systemd
sudo systemctl enable --now opensnitch.service
```
Note: if there is no systemd service installed
On some systems (e.g. Arch Linux), you may need to run opensnitchd manually to start the daemon (before that, create a folder named ‘rules’; that folder will be used by OpenSnitch to save your permanent rules). To run the daemon in the background, detached from the terminal, first run opensnitchd with root permissions:
```
sudo opensnitchd -rules-path <folder path> &
```
- If you don’t add -rules-path <folder path> (e.g. -rules-path /home/user/rules), opensnitchd will look for the rules folder in your working directory.
After that, run jobs to find the job number of the process (the number between square brackets) and use disown to detach the “job” from the terminal.
```
$ jobs
[1]+  Running                 sudo opensnitchd &
$ disown %1
```
To run opensnitchd as a systemd service, you can create a simple opensnitchd.service file in /etc/systemd/system with this content (replace the rules folder path with yours):
```
[Unit]
Description=Start opensnitchd

[Service]
ExecStart=opensnitchd -rules-path /home/user/rules

[Install]
WantedBy=multi-user.target
```
Run systemctl daemon-reload (as root/with sudo) to reload systemd, then start (and enable) the service:
```
sudo systemctl enable --now opensnitchd.service
```
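As an added example (not code from the OpenSnitch project), here is a small POSIX shell script that generates the unit file above for a chosen rules folder and first checks that folder is usable and not writable by other users; the function names and the /usr/bin/opensnitchd default path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenSnitch's own code: build the opensnitchd.service unit
# shown above for a given rules folder and sanity-check that folder first.
# Function names and the /usr/bin/opensnitchd default are this example's assumptions.

# check_rules_dir DIR: the rules folder must be an absolute path (a systemd unit
# does not run in your shell's working directory, so a relative path would not
# be found), must exist, and must not be writable by other users, because
# anyone who can write there can drop in "allow" rules and bypass the firewall.
check_rules_dir() {
  dir="$1"
  case "$dir" in
    /*) ;;
    *) echo "rules path must be absolute: $dir" >&2; return 1 ;;
  esac
  [ -d "$dir" ] || { echo "rules folder does not exist: $dir" >&2; return 1; }
  # ls -ld prints a mode string like "drwxr-xr-x"; character 9 is the
  # "others may write" bit.
  mode=$(ls -ld "$dir" | cut -c1-10)
  case "$mode" in
    ????????w?) echo "rules folder is world-writable: $dir" >&2; return 1 ;;
  esac
  return 0
}

# make_unit DIR [BINARY]: print the unit file for the given rules folder.
make_unit() {
  rules_dir="$1"
  binary="${2:-/usr/bin/opensnitchd}"   # assumed install location
  check_rules_dir "$rules_dir" || return 1
  printf '%s\n' \
    '[Unit]' \
    'Description=Start opensnitchd' \
    '' \
    '[Service]' \
    "ExecStart=$binary -rules-path $rules_dir" \
    '' \
    '[Install]' \
    'WantedBy=multi-user.target'
}

# As root: make_unit /etc/opensnitchd/rules > /etc/systemd/system/opensnitchd.service
# then: systemctl daemon-reload && systemctl enable --now opensnitchd.service
```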
Now you can start the graphical application (select OpenSnitch on the Program Menu and click on the taskbar icon if it starts minimized). If everything is working properly, you’ll see “Status Running” on the top-right. If it shows “Status -“, the daemon has not been started.
The first time you start the GUI, you’ll see pop-ups alerting you that an application wants to establish a network connection. You can allow or deny all of the application’s requests, or only the specific IP, hostname, port, etc. (open the dropdown menu on the pop-up to select your choice). You can also select the rule duration (until next reboot, always, only once, etc.). After the selection, a new rule will be created.
You can edit the rules on the Rules section (right-click on the rule). You can also disable, duplicate or delete them.
OpenSnitch’s main window has several tabs or sections: events (to see any connection request), nodes, rules, hosts, applications, addresses (IPs), ports and users, so you can easily see and filter the network connections.
On the “Status” row, there are some icons: to save the current section content to a CSV file, to open OpenSnitch global settings and to create a rule. On the top-right, you can also disable or re-enable OpenSnitch.
If you need to create a custom rule, click on the icon with a document and a “plus” symbol.
Just like in the pop-up window, you can select the rule action, its duration, and what you want to filter (an executable, a hostname, a port, etc.).
Click on the second icon on the top toolbar (the settings icon) to edit OpenSnitch global settings.
If you have any suggestion, feel free to contact me via social media or email.