One thing I concluded over the years is that it's (almost) a lost battle to only try to use software that doesn't collect user data -- heck, even software that used to be privacy-friendly, like this one, can suddenly turn evil.
Instead, I started to consider all software to be suspicious, and resort to using application firewalls at all times, on all the operating systems. Is there a need for software X to connect somewhere? No? Blocked in full. Yes? Then I analyze what it sends and where, and if it still works when blocked. Don't know? Well, the application firewall will log any attempts for you to investigate.
For Linux, there's OpenSnitch for that purpose: https://github.com/evilsocket/opensnitch
When looking at a PKGBUILD, there's a few things I like to check:
`$url`..., and url is set to `https://github.com/evilsocket/opensnitch`. That repository has over 6,000 stars, so that's good.
`curl` or `wget` commands, and any commands targeted outside `$pkg` and `$src`. Some bash & Linux experience here is useful.
There's OpenSnitch - whenever an app tries to use the network you get a popup that asks whether you'd like to grant it access and for how long (so if you say "forever" you only get 1 prompt per app). You can enable or disable an app's access whenever you like.
Sorry, it seems that you're right: the rules documentation only mentions matching on dest.* values, not source.* values
Actually, I think there's another problem here: an application firewall is primarily about allowing vs. denying, not determining which interface traffic is to be routed through.
Here's a five year old thread discussing the problem. It has no really good solutions, but some workarounds that may be helpful:
https://superuser.com/questions/983727/route-only-specific-traffic-through-vpn
I'm really happy that the OpenSnitch project is alive again. It's an outbound firewall that can block based on application as well as port. Maybe the dev could use some help? https://github.com/evilsocket/opensnitch
It's still at the beginning so it's normal to not have a proper website now.
Here's the documentation and where all the stuff happens:
https://github.com/evilsocket/opensnitch
I've been using it for a few months and I think it's great as an application firewall compared to all other port-based firewalls.
Be advised that at the moment it supports blocking only outgoing connections, blocking the incoming ones will come in the future.
> was going to script a rule creation program to import those domains into opensnitch.
If you create a rule with the field `[x] To this list of domains`, and specify a directory with files in `hosts` format, opensnitch will reload the rule whenever any of the files changes.
https://github.com/evilsocket/opensnitch/wiki/block-lists
> That works wonders on forums because it blocks out all the ad stuff and data mining scripts. It doubled performance.
awesome!
> Is there a way to see what requests were denied in opensnitch?
Yes, on the Events tab, just select Deny, or just type "deny" in the search textbox.
Your distro has very little to do with what data goes out. What does control what goes out is which applications you use (the browser being the biggest problem by far...)
Essentially every program/service/app on your machines (and every single individual web page you go to):
On Mac OS X, I bought and found very useful "Little Snitch". Little snitch gives you control over every network connection on the machine.
There is an open source application (OpenSnitch https://github.com/evilsocket/opensnitch)
I used it a couple of times. It seemed to use lots of CPU resources. Hopefully it is better about that now.
Open Snitch was a project created for use on Linux, but no idea how hard it is to run or get running. Something to look into for you though.
A Linux port is not in the plans. Only when WINE has a WFP port for Linux, because simplewall is written in pure WinAPI, so now .
Anyway, at this time Linux already has good FW apps: - https://github.com/evilsocket/opensnitch - https://gitlab.com/douaneapp/Douane
For sure, if you want a nice GUI, then:
I find it nice, just not very intuitive to set up your own rules.
Before installing such software, do a backup of your system, like using TimeShift...
>little snitch linux
I believe u/Cheeseblock27494356 is referring to OpenSnitch. The original OpenSnitch was a port of OSX's Little Snitch -> went dormant for a while -> someone forked it to continue development -> that fork has now returned back to the original github page to continue dev there.
The best Firewall in an "On-demand" type. I bookmarked this one: https://github.com/evilsocket/opensnitch
Most Linux firewalls just provide (Allow/Block) tables, but more user-friendly would be a prompt for every app that wants to connect to the internet at the moment, and lets you dynamically decide.
That's also something that intrigued me for a long time. Circa 2005 I remember using a layer7 iptables extension to filter connections, but it was mainly for servers (as well as snort + guardian.pl and other solutions).
But nowadays we've got https://github.com/evilsocket/opensnitch for the desktop.
"Better" is subjective. And in many categories, I agree with you overall. There are ofc some places where Windows has ~~better~~ more functional and more stable software (application firewalls for instance). Linux does have them but many of the alternatives don't work/require a lot of effort to get going and the one that does isn't as ~~good~~ stable and feature-rich. Ofc the Linux one is FOSS which I appreciate a lot but that doesn't negate the other qualities. Besides afw's, I've seen a few other niche areas where Windows has more options (that unfortunately don't work well in Wine) such as locally installed tax software (some people don't like doing it on websites) and legal software (writing wills, business contacts, etc).
But TBH I don't think most people are looking at that so much as that Steam hasn't gotten 100% platinum ratings on protondb. That seems like what's kept more people back when I've tried to convert them than anything else. That and simply having to learn something different.
Here is something I noticed about POP OS. Let me start by saying I LOVE POP OS, but this was concerning for me so I UNINSTALLED Firefox. Install OpenSnitch, a soft firewall, https://github.com/evilsocket/opensnitch ; it's an excellent firewall and puts you in control of ALL connections in and out of your OS with an ez GUI. On a fresh install of POP OS, it will prompt you for Mozilla Firefox trying to phone home within minutes after install is complete without even launching Firefox. The weather widget/feature in POP OS is somehow tied into Mozilla and tries to phone home etc, and like other folks said Mozilla Firefox by default phones home and collects data about you, you have to disable it. I removed Firefox and the weather widget feature quit working.
If you wanted to monitor (and restrict) network connections take a look at https://github.com/evilsocket/opensnitch
You could install the daemon on the computers and the GUI on your PC. Then configure the server address of each daemon so they connect to your PC.
I'd love to read an update when you get everything up and running :)
Search for ‘application firewall’ and Linux. Other terms may exist. Whether it can then compile for your Linux is something else.
I use something similar to this on my Mac. https://github.com/evilsocket/opensnitch
Are you sure it is Plasma which is geolocating? I don't think Pi-hole can know which process is attempting to connect. Use OpenSnitch for that, on the PC not the Raspi.
I don’t have recommendations for everything, but.
Hi, thank you for your reply.
I ran that and it only came up with a few files in my Steam Proton folder, which are most likely false positives.
I believe the project was OpenSnitch (https://github.com/evilsocket/opensnitch).
I also did a 'Refresh Install' (not clean install), which according to Pop!_OS documentation (https://support.system76.com/articles/pop-recovery), reinstalls the OS, except for the home directory, apps from the Pop!_Shop (Ubuntu) were kept, except for Bleachbit (as root) which was removed. I think this is because it removes everything that isn't in the home directory.
All other apps not from the Pop Shop/Ubuntu repository, such as MullvadVPN, were removed.
I'm going to agree with you that I think I am safe at this point?
> Do you know which is the way to completely block apps to access internet, in and out? And if there was a way like simplewall for it to automatically mark every app which tries to access web.
What you want is a Layer 7 firewall. I don't use them on an OS, I use hardware devices for the job. That said, blocking or allowing the port has been sufficient for 99% of my needs up to now.
If you insist on installing an application aware firewall, consider OpenSnitch. Fair warning: If you don't understand the basics of IPTables, this is gonna be really hard for you.
Here's its repository, from where you can download it, compile it, etc.:
https://github.com/evilsocket/opensnitch
Hopefully it works for you too!
If you don't like it and want a port-based firewall, I would recommend GUFW.
another option: opensnitch https://github.com/evilsocket/opensnitch
Install the daemon on the server with the default configuration (DefaultAction: allow), and modify the GUI address to point to your desktop (`/etc/opensnitchd/default-config.json`, `Address: "192.168.x.x:50051"`).
Install the GUI on your desktop, and launch the GUI from a terminal with: `/usr/bin/opensnitch-ui --socket "[::]:50051"`.
In most replies, people fail to understand what you want, and propose some sandboxing solutions, completely ignoring the fact that such solutions e.g. often can't be enabled/disabled on demand while the application is running, or that they require several manual command line actions, completely dismissing user experience...
I think that the most adequate thing, according to your description, would be OpenSnitch. Unfortunately, it doesn't seem to be a very active project. But at least someone has tried to implement that kind of a firewall. I'd love to see a more polished solution, though.
Ah, thank you.
Little Snitch is a MacOS GUI that halts outbound connections until the user permits them. The idea is that it 1) illustrates how often your machine phones home and 2) empowers the user to disable spyware.
What’s especially cool about Little Snitch is that it prompts the user in real-time, has a simple visual interface for YES|NO, and can be configured to prompt on a per-connection basis rather than per-program.
There have been attempts at a Linux-like clone, such as [OpenSnitch](https://github.com/evilsocket/opensnitch) but all are dead projects.
Is there any configuration with iptables or lpfw that I can learn for easy out-bound signal authorization?
I have seen questions similar to this asked a few times in the past, people used to suggest 'open snitch' - but I am not sure if it is still in development or not.
https://github.com/evilsocket/opensnitch
Such software is more common on windows it seems, and not really common on linux. (I have never really needed it on linux).
Good Luck.
You might find some alternatives to 'open snitch for linux' in the various search engines. I THINK I have seen a few alternatives mentioned.
You probably are looking for OpenSnitch - a userspace daemon+GUI app that notifies you when any application tries to make a network connection and asks you to approve/decline it.
It doesn't seem to have been packaged in Debian yet, though /u/lamby was working on getting it packaged?
Despite not being mentioned in its readme, OpenSnitch is not developed anymore: https://github.com/evilsocket/opensnitch/issues/259#issuecomment-498604956
No, I went into the "insights" tab, then you select "network" on the left menu, and you will see a graph with the main repo on top (this only works for the main repo! no idea what happens if deleted), and under it all the forks ordered by last commit date. Now, you'll see a dot for each commit, so instead of the newest, look for the newest with a lot of dots, as it means the person is active and not simply patching their little thing.
Direct link: https://github.com/evilsocket/opensnitch/network
Various info about security/privacy on my web pages, such as https://www.billdietrich.me/ComputerSecurityPrivacy.html and https://www.billdietrich.me/PenetrationTestingAndBugBountyHunting.html
I think this project is suspended for lack of help: https://github.com/evilsocket/opensnitch
>Do you know of any similar software that would be available like that on Linux or Windows?
Sorry, I don't. I took a quick look at alternativeto. I noticed a GNU/Linux port of Little Snitch called OpenSnitch, but it looks like it's still a work in progress.
As far as your final point...you're exactly right, but unfortunately I'm a risk taker on a tight budget. I'm mainly concerned with blocking outgoing connections by apps that I don't want phoning home, and much less concerned about being hacked via an unwanted incoming connection. I acknowledge this may be extremely stupid on my part, but I do my best by trying to be hypervigilant about what I download and what links/files I open. I probably also have some false sense of security since I'm on a mac, especially since I've disabled two of the mac's main security features, System Integrity Protection (SIP) and Gatekeeper, as they interfere with the installation and function of cracked apps. Oh well, c'est la vie.
>67% Upvoted
Why? Such posts should be 150% upvoted.
I personally would love to see opensnitch continue developing and reach a stable version. It currently isn't being maintained.
https://github.com/evilsocket/opensnitch
Seriously, it still is not the system's problem that you can't do your homework. It's like getting upset that there's different door locks and they won't all use your one key.
Probably not what you had in mind, but contributing to one of these and packaging it as deb file and getting it into the Debian/Ubuntu/Mint mainstream would be great:
> I plan on using gufw firewall but I read it's not as effective.
I'm not familiar with gufw, but it does look fairly simplistic. You might want to look at opensnitch instead:
For watching those... potentially mischievous or unchecked apps, I really love OpenSnitch. https://github.com/evilsocket/opensnitch
It is a beautiful clone of LittleSnitch, a firewall (and much more) for macOS.
I'm going to guess you are probably not the type to compile from source, but someone is recreating the functionality of "LittleSnitch" on Linux.
I would imagine this will eventually make its way into distro repos, but you can compile it yourself now if you care to.