OpenSnitch - an application firewall for Linux

Recently I talked about the LockBox distribution which ships with a hardened network configuration and some network security tools. One utility stood out during my time with the distribution: OpenSnitch.
OpenSnitch is a rare tool in the Linux ecosystem. It is a service with a friendly graphical desktop application which assists the user in blocking network connections based on which daemon or application is making the connection attempt. Most Linux firewall tools focus on blocking access to specific network ports or remote servers. OpenSnitch focuses on which program is trying to access the network or send network traffic to remote machines. The OpenSnitch service can monitor connection attempts, let us know which processes are trying to talk over the network, and to which remote servers. It's an interesting and powerful tool, one which I felt deserved more attention.
OpenSnitch provides a number of install options. Pre-built Deb and RPM packages are available and supported on most major distributions. The OpenSnitch software is open source (licensed under the GNU General Public License version 3) and the project provides instructions for building the software from its source code.
I decided to run OpenSnitch on Linux Mint. Following the documentation, I downloaded two packages, one for the OpenSnitch background service and one for the graphical interface. Installing these with the command "sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb" fails with unmet dependency errors, which is expected: dpkg unpacks the packages but does not fetch what they depend on. We then run "sudo apt -f install" to pull in the missing dependencies and complete the installation. In all, the OpenSnitch software and its dependencies require about 200MB of downloaded packages.
Running the above installation commands added OpenSnitch to my application menu. Clicking the application's icon, which looks like a cloud, adds its icon to the system tray. We can right-click on the system tray entry to enable or disable the OpenSnitch service. This is essentially enabling and disabling a firewall, though it does not appear to interfere with any existing firewall, such as UFW; the two simply stack, so a connection has to be permitted both by the port-based firewall and by OpenSnitch. Left-clicking the OpenSnitch system tray icon opens the software's desktop application and this is where things get interesting.
While the OpenSnitch service is running, any time a new program tries to talk over the network, a pop-up window appears. This pop-up tells us the name of the process trying to communicate with the outside world. We are then given the chance to allow the program to form its network connection or deny it. The response is timed and we have about 15 seconds after the window appears to make our choice. The default action is to deny the network request, blocking the program from talking with the outside world.
OpenSnitch -- Notification of a new ping connection attempt (full image size: 290kB, resolution: 1125x863 pixels)
We can choose how long OpenSnitch will remember our choice. By default, OpenSnitch will remember to block or allow the program until we restart the computer. However, it can also be told to remember our choice for a set number of minutes or indefinitely.
The defaults presented in these notification pop-ups can be adjusted in OpenSnitch's settings and I'll get to that later. For now I want to provide an overview of the OpenSnitch application window and how it presents us with information.
The OpenSnitch window
The OpenSnitch application is divided into eight tabs, though we will probably only ever need two of them. The first tab is called Events. Here we see a list of recent connection attempts made by software on our system. The Events tab lists the time, destination, protocol, and process name of each connection request. It also shows whether the request to connect through the network was allowed or denied. The Events tab is basically a dashboard showing what is happening on our system right now.
The third tab (yes, I'm skipping the second one for a moment) is called Rules. The Rules tab shows much the same information - the time a connection attempt was made and the name of the process making the attempt. We are also shown whether the action will be allowed or blocked along with an indicator of how long the current rule will last. We can right-click on a rule to change its duration (how long the rule stays in effect). We can also right-click to toggle the rule between allowing and blocking the connection attempt.
The other six tabs (Nodes, Hosts, Applications, Address, Ports, and Users) all show a summary of recent events, sorted by the name of the tab. For instance, the Address tab lists remote machines which our computer has tried to contact recently. We can double-click any entry to see more information (events) associated with one specific address. Likewise, the Applications tab shows a list of programs which have tried to communicate over the network. We can double-click the name of a program to see recent connection attempts made by that one program.
Basically, these six tabs all show a quick summary of recent events, organized by program name, remote address, remote network port, etc. Then selecting one grouped entry in the tab shows all the corresponding events. This makes it quite easy to see what is happening by digging down through layers. For instance, if I want to see all network connection attempts from my user, I can click on the Users tab. Then find my user name in the list, and double-click it to see all recent events associated with my account.
In short, the Events tab tells us what is happening now. The Rules tab tells us how OpenSnitch reacts to what is happening. The other tabs sort events into groups to make it easier to track what a specific computer, user, or application is doing.
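To make concrete what the grouped tabs are doing with the event stream, here is an added example of my own (not code from the OpenSnitch project) that loads a constructed set of events, shaped like the columns the Events tab lists, into an in-memory SQLite table and queries them the way the Applications tab and its double-click drill-down do. It also adds a query for hosts under a given domain suffix, which is how you would spot check-in traffic to a vendor's servers. The table layout, the host names and the process paths are constructed for the example and are not the GUI's real database schema.

```python
import sqlite3

# Constructed sample events in the shape of the Events tab columns:
# (time, action, protocol, destination host, destination port, process).
# These rows are made up for the example; they are not captured data.
EVENTS = [
    ("2022-01-10 09:00:01", "allow", "tcp", "addons.mozilla.org", 443, "/usr/bin/firefox"),
    ("2022-01-10 09:00:02", "allow", "tcp", "www.example.com", 443, "/usr/bin/firefox"),
    ("2022-01-10 09:00:03", "allow", "udp", "ntp.ubuntu.com", 123, "/usr/sbin/chronyd"),
    ("2022-01-10 09:00:05", "allow", "tcp", "connectivity-check.ubuntu.com", 80, "/usr/sbin/NetworkManager"),
    ("2022-01-10 09:00:07", "deny", "tcp", "irc.libera.chat", 6697, "/usr/bin/hexchat"),
    ("2022-01-10 09:00:09", "deny", "tcp", "irc.libera.chat", 6667, "/usr/bin/hexchat"),
    ("2022-01-10 09:05:05", "allow", "tcp", "connectivity-check.ubuntu.com", 80, "/usr/sbin/NetworkManager"),
]


def load_events(rows):
    """Load event rows into a throwaway in-memory table (toy schema, not the GUI's)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE connections (time TEXT, action TEXT, protocol TEXT,"
        " dst_host TEXT, dst_port INTEGER, process TEXT)"
    )
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def by_process(db):
    """The Applications-tab view: per process, how many attempts were made,
    how many distinct hosts were contacted, and how many attempts were denied."""
    return db.execute(
        "SELECT process, COUNT(*) AS attempts, COUNT(DISTINCT dst_host) AS hosts,"
        " SUM(action = 'deny') AS denied"
        " FROM connections GROUP BY process ORDER BY attempts DESC, process"
    ).fetchall()


def drill_down(db, process):
    """What double-clicking an entry shows: the individual events behind one process."""
    return db.execute(
        "SELECT time, action, protocol, dst_host, dst_port FROM connections"
        " WHERE process = ? ORDER BY time",
        (process,),
    ).fetchall()


def check_ins(db, suffixes):
    """Which processes talk to hosts under the given domain suffixes, and how often.
    The leading '.' in the pattern keeps 'notubuntu.com' from matching 'ubuntu.com'."""
    clauses = " OR ".join("dst_host LIKE ?" for _ in suffixes)
    params = ["%." + s for s in suffixes]
    return db.execute(
        f"SELECT process, dst_host, COUNT(*) FROM connections WHERE {clauses}"
        " GROUP BY process, dst_host ORDER BY process, dst_host",
        params,
    ).fetchall()


if __name__ == "__main__":
    db = load_events(EVENTS)
    for row in by_process(db):
        print(row)
    print(drill_down(db, "/usr/bin/hexchat"))
    print(check_ins(db, ["ubuntu.com"]))
```

The same three queries work unchanged against any table with those six columns, so if you export OpenSnitch's event history to a file database (see the settings discussion below), you can run this kind of triage outside the GUI.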
Proactively making rules
While OpenSnitch defaults to waiting for network connection attempts to happen and then asks us, via a pop-up window, whether to allow or block the network traffic, we can be proactive and make up rules ahead of time. There is a button near the top of the OpenSnitch window which allows us to craft our own rules.
We can use a variety of parameters to craft a rule, all of them nicely presented to us in a window. We can specify the name of an application to block, which protocols (TCP or UDP) we want to filter, how long the rule lasts, and specific hosts or domains we want to filter. We can also specify whether the rule we are making should block or allow new connections.
OpenSnitch -- Creating a new rule to block IRC traffic (full image size: 181kB, resolution: 1125x863 pixels)
The rule creation window is easy to navigate and I like how easy it is to make up new rules to allow or deny connections. It is worth mentioning that new rules designed to block traffic do not stop connections already in progress. For instance, if Firefox is downloading a file and I make a rule to stop Firefox from making connections, the existing connection continues to work. OpenSnitch makes its decision at the moment a connection is opened, so the rule applies only to new connections made from then on. To cut off a transfer that is already running you have to end it yourself, by quitting the program or, where the kernel supports it, killing the socket with a tool such as ss -K.
OpenSnitch -- Watching traffic from the HexChat IRC client get blocked (full image size: 282kB, resolution: 1125x863 pixels)
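To show how the pieces of a rule fit together, here is an added example of my own (not code from the OpenSnitch project) that evaluates rules against a connection attempt the way the rule editor's parameters suggest: an application path, a protocol, a destination port, an allow or deny action, and a duration. The rules are written in the shape of OpenSnitch's JSON rule files as I recall the documented format (the daemon keeps one object per file under /etc/opensnitchd/rules/); confirm the field names against the documentation for the version you install. The matching logic, the rule ordering, the process paths and the destinations are my simplification and constructed sample data, not the daemon's own code or behaviour.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample rules in the shape of OpenSnitch's JSON rule files.
# The first blocks HexChat's IRC traffic, as in the screenshots above; the
# second allows Firefox. Field names are from the project's documented format
# as I remember it, so check them against your installed version.
RULES_JSON = """
[
  {
    "name": "deny-hexchat-irc",
    "enabled": true,
    "precedence": true,
    "action": "deny",
    "duration": "always",
    "operator": {
      "type": "list",
      "operand": "list",
      "list": [
        {"type": "simple", "operand": "process.path", "sensitive": false,
         "data": "/usr/bin/hexchat"},
        {"type": "simple", "operand": "protocol", "sensitive": false,
         "data": "tcp"},
        {"type": "regexp", "operand": "dest.port", "sensitive": false,
         "data": "^(6667|6697)$"}
      ]
    }
  },
  {
    "name": "allow-firefox",
    "enabled": true,
    "precedence": false,
    "action": "allow",
    "duration": "until restart",
    "operator": {
      "type": "simple", "operand": "process.path", "sensitive": false,
      "data": "/usr/bin/firefox", "list": []
    }
  }
]
"""
RULES = json.loads(RULES_JSON)


@dataclass
class Connection:
    """A new outbound connection attempt, reduced to the fields rules match on."""
    process_path: str
    dest_host: str
    dest_ip: str
    dest_port: int
    protocol: str
    user_id: int

    def operand(self, name: str) -> str:
        # Rule data is text, so every field is compared as a string.
        return {
            "process.path": self.process_path,
            "dest.host": self.dest_host,
            "dest.ip": self.dest_ip,
            "dest.port": str(self.dest_port),
            "protocol": self.protocol,
            "user.id": str(self.user_id),
        }[name]


def operator_matches(op: dict, conn: Connection) -> bool:
    """'simple' is equality, 'regexp' a regex search, and 'list' is the
    conjunction of its sub-operators: every condition must hold."""
    kind = op["type"]
    if kind == "list":
        return all(operator_matches(sub, conn) for sub in op["list"])
    value = conn.operand(op["operand"])
    data = op["data"]
    if not op.get("sensitive", False):  # case-insensitive unless asked otherwise
        value, data = value.lower(), data.lower()
    if kind == "simple":
        return value == data
    if kind == "regexp":
        return re.search(data, value) is not None
    raise ValueError(f"unsupported operator type: {kind}")


def decide(rules: list, conn: Connection, default_action: str = "deny"):
    """Return (action, rule_name). Rules flagged 'precedence' are tried first,
    then the rest by name (this ordering is my simplification); the first
    enabled match wins, and default_action answers when nothing matches."""
    ordered = sorted(rules, key=lambda r: (not r.get("precedence", False), r["name"]))
    for rule in ordered:
        if rule.get("enabled", True) and operator_matches(rule["operator"], conn):
            return rule["action"], rule["name"]
    return default_action, None


if __name__ == "__main__":
    irc = Connection("/usr/bin/hexchat", "irc.libera.chat", "203.0.113.10", 6697, "tcp", 1000)
    web = Connection("/usr/bin/hexchat", "www.example.com", "203.0.113.20", 443, "tcp", 1000)
    print(decide(RULES, irc))  # ('deny', 'deny-hexchat-irc')
    print(decide(RULES, web))  # ('deny', None): no rule matched, the default applied
```

The point the list operator makes is that the HexChat rule only fires when all three conditions hold: the same program fetching something over HTTPS falls through to the default action, which is why the default action and default duration you choose matter as much as the rules themselves.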
Last, but not least, there is a small settings panel built into OpenSnitch to adjust how the application works. This settings panel allows us to adjust the default behaviour when new connections come along - allowing or denying them and for how long. We can also change where the graphical application keeps its database of events. By default it is held in memory and disappears when the application is closed, but we can point it at a file on disk so the history shown in the tabs is kept for later review. We can also make small adjustments to the user interface and what information is shown.
The defaults appear to be set up to block new connections, but only until the system is restarted. If we are crafting long-term rules we will want to set new connection attempts to be denied "forever" (rules saved with that duration are kept on disk by the background service and survive a reboot), and probably switch the database to a file so the event history survives too.
For years I've heard people new to Linux talk about how they would like a user friendly, application-focused firewall solution. Linux distributions typically focus on blocking traffic based on network ports and hostnames. The few solutions which have focused on process filtering tend to be either harder to set up or less friendly to use. OpenSnitch is one of the first tools I have encountered which provides both the rules and the real-time monitoring that Windows tools (such as Zone Alarm) provide. The fact that OpenSnitch manages to be friendly, pretty easy to navigate, and flexible in how we manage both rules and new connections is fantastic. I'm really happy with how this tool works and how easy it is to set up.
What I particularly like about OpenSnitch is that it is not just useful for making new rules; the way traffic is sorted and catalogued in the various tabs is great. Even if you are not interested in locking down your network, I think it is well worth installing OpenSnitch to find out which processes are talking over your network and who they are talking with. For example, while I was running Linux Mint, some programs sent out signals to Canonical servers which appear to be used for connectivity checks and/or getting a count of how many users are on-line. You might be interested in seeing how many programs are phoning home or pinging remote servers in an effort to count users or check for news updates.
* * * * *
I would like to thank Shells.com for providing me with the test environment for this review. This made it faster for me to set up the test environment and use it while traveling. I've talked about Shells.com services in an earlier article.