OpenSnitch

Makes internet connections from all apps visible, allowing you to block or manage traffic on a per-app basis. GNU/Linux port of the Little Snitch application firewall.

Open Source

OpenSnitch Source Code

Author

evilsocket

Description

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.

#application-firewall #data-breach #firewall #linux #networking #security

Homepage

License

GPL-3.0

Created

16 Apr 17

Last Updated

17 May 24

Latest version

v1.6.5.1

Primary Language

Python

Size

18,171 KB

Stars

9,735

Forks

478

Watchers

9,735

Recent Commits

  • Gustavo Iñiguez Goia (17 May 24)

    ui, prefs: load and conf daemon DefaultAction

    In f5f30b1e5840c6afbba4cdf9536a320e63842555 we added the option to reject connections as DefaultAction. If configured, load and set it in the preferences dialog.

  • Gustavo Iñiguez Goia (17 May 24)

    ui, prefs: improved loading auth options

  • Gustavo Iñiguez Goia (17 May 24)

    ui: fixed deleting rules

    reverts 2ec37ed5939c9489964610b78aa319eaf22891f9

    Closes: #1133

  • Gustavo Iñiguez Goia (15 May 24)

    updated default-config.json with latest added opts

    More info about these options: https://github.com/evilsocket/opensnitch/wiki/Configurations

  • Gustavo Iñiguez Goia (15 May 24)

    allow to customize ebpf options

    Allow to customize:
    - EventsWorkers: number of goroutines to handle kernel events. Default 8.
    - QueueEventsSize: max number of events in the queue. By default 0, meaning that it'll rely on the available goroutines to process the events. If it's > 0, and the daemon can't process the events fast enough, they'll be queued. Once the queue is full, it'll behave as it was of size 0.

    If there're lost events, a message will be logged: "Lost ebpf events..."

  • Gustavo Iñiguez Goia (14 May 24)

    loggers, remote_syslog: check if we're connected when writing, check if we're connected, or reconnecting.

  • Gustavo Iñiguez Goia (14 May 24)

    fw: allow to configure interception queue number

    - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect).
    - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json

  • Gustavo Iñiguez Goia (14 May 24)

    fixed segfaults when loading fw/loggers

    - The loggers were not being properly initialized.
    - The fw was only being loaded on reload, instead of on startup and reload.

    Kudos to @1fishe2fishe for reporting this problem and proposing a fix in #1130!

  • Gustavo Iñiguez Goia (14 May 24)

    Merge pull request #1126 from tioguda/master

    i18n: updated Brazilian Portuguese translation

  • Gustavo Iñiguez Goia (12 May 24)

    fw minor changes

    use struct{} instead of bool for exit channels, func parms cosmetic change.

  • Gustavo Iñiguez Goia (12 May 24)

    do not flush conns when adding the interception rules

    part of previous commit.

  • Gustavo Iñiguez Goia (12 May 24)

    make connections flushing configurable

    By default when adding the interception rules, we were killing all existing connections, to force them to go to the netfilter queue. However in some environments this is not acceptable, so now it's configurable. Besides, we were doing this only for nftables, so now it also works for iptables.

  • Gustavo Iñiguez Goia (12 May 24)

    stop proc monitor when disabling interception

    When disabling the interception from the server (GUI), the network interception was stopped, but the procs monitor kept running. Now the procs monitor in use is also stopped, not to interfere with the rest of the system (except 'proc').

  • Gustavo Iñiguez Goia (11 May 24)

    removed fw rules initialization from main

    now they're added after loading the configuration.

  • Gustavo Iñiguez Goia (11 May 24)

    loggers improvements

    improvements to the loggers modules:
    - allow to specify a connection timeout (there was only a write timeout).
    - performance improvements when building the messages to be written/sent.
    - allow to restart the connection with remote servers if we fill up the messages queue. This can occur for example if we connect to a remote server, start sending messages, but we haven't allowed other connections yet. In this case the connections never recovered from this state, and we weren't prompted to allow the needed connections. (more work and testing needed)

  • Gustavo Iñiguez Goia (11 May 24)

    more work on reloading configuration

    continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a
    - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...)
    - Allow to reconfigure loggers.

  • tioguda (06 May 24)

    i18n: updated Brazilian Portuguese translation

  • Gustavo Iñiguez Goia (05 May 24)

    changed ui/client/configuration tests

    In order to test ebpf<->proc changes we'll need to have access to a valid ebpf module.

  • Gustavo Iñiguez Goia (02 May 24)

    reload more config options without restarting the daemon

    Reload the configuration without restarting the daemon when changing:
    - server authentication options.
    - GC percentage.
    - Rules path.
    - Loggers.
    - FW options.
    - eBPF modules path.

    Also, try to avoid unnecessary changes.

  • Gustavo Iñiguez Goia (30 Apr 24)

    added Reject to the list of DefaultActions(s)

    We only offered two options for the DefaultAction option: allow/deny. Since a long time ago we support "reject"ing connections, but it was not configurable as the DefaultAction.

    Closes: #1108

  • Gustavo Iñiguez Goia (30 Apr 24)

    build parent process hierarchy of already running processes

    We build the parent process tree of a process when it's executed for the first time. Now we also build the tree when an already running process opens a new outbound connection for the first time.

  • Gustavo Iñiguez Goia (29 Apr 24)

    disable (process) ebpf events when too many errors

    if an invalid opensnitch-procs.o module was loaded, we were flooding the log with errors. In these cases stop processing events after 20 errors (random, we should have no errors). This may occur if the module is malformed (valid .o ebpf module but different structs, etc), or when loading modules from other versions.

    Closes: #1099 #1082

  • Gustavo Iñiguez Goia (28 Apr 24)

    ebpf: performance improvement for opensnitch-procs

    We were sending to userspace unnecessary exit events, consuming unnecessary CPU cycles. We only intercept execve and execveat, but sched_process_exit is invoked by more functions (sched_process_exit, clone, ...), so we were receiving on the daemon events that we did nothing with them, apart from consuming CPU cycles. On some scenarios like on servers running saltstack (as salt-master), this caused to consume more CPU than needed.

    cherry picked from 15fcf6753516a1e22add87cb2b4f5de4a14540ec

  • Gustavo Iñiguez Goia (27 Apr 24)

    added more kernel config paths for checking system requirements

    On Fedora Silverblue the kernel config of the current kernel is under /usr/lib/modules/<kernel>/config

    Closes: #1117

  • Gustavo Iñiguez Goia (27 Apr 24)

    ui: allow to configure screen/themes scale factor

    Added new options to the Preferences dialog, to configure screens/themes scale factor.

    If the UI is using the System theme (default), configure Qt scale options (needs UI restart):
    QT_AUTO_SCREEN_SCALE_FACTOR (default True)
    QT_SCREEN_SCALE_FACTORS (If auto scale is False, use this value(s))

    The user can configure different scale factors for multiple screens, by separating values with ; (1;1.5, etc...)
    https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt

    If the UI is using a qt-material theme, you can configure the "density" scale of the theme:
    https://github.com/UN-GCPDS/qt-material?tab=readme-ov-file#density-scale

    https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems#gui-size-problems-on-4k-monitors

    Closes: #1102

  • Gustavo Iñiguez Goia (11 Feb 24)

    ui: fixed deleting rules with list limits

    Fixed deleting rules when the GUI is configured to display a maximum number of rules.

  • Gustavo Iñiguez Goia (08 Feb 24)

    pop-ups: filter by absolute path+cmdline on some cases

    If the pop-ups' target is to filter by cmdline, but the typed/launched command is not absolute or it starts with /proc, also filter by the absolute path to the binary.

  • Gustavo Iñiguez Goia (05 Feb 24)

    Updated ebpf compilation instructions

    kudos to @planetoryd for reporting it (#1080).

  • Gustavo Iñiguez Goia (05 Feb 24)

    updated ebpf makefile

    - Added -fno-stack-protector: https://lore.kernel.org/bpf/[email protected]/ https://reviews.llvm.org/D142046
    - Added -Wno-unused-value, -Wunused to warn on uninitialized/not used variables.

    kudos to @planetoryd for reporting this (#1080).

  • Gustavo Iñiguez Goia (02 Feb 24)

    pkgs: improved rpm upgrades

    We were not handling configuration upgrades properly on rpm based systems. Now local changes to default-config.json and system-fw.json are kept, and if the distributed files change in the future, new files will be created with the extension .rpmnew

OpenSnitch Website

Website

GitHub: Let’s build from here · GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 140.82.112.4
  • Hostname lb-140-82-112-4-iad.github.com
  • Location San Francisco, California, United States of America, NA
  • ISP GitHub Inc.
  • ASN AS36459

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

github.com was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: OpenSnitch

API

You can access OpenSnitch's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/networking/firewalls/opensnitch

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included in this page comes from, and how it is computed, see the About the Data section of our About page.
