OpenSnitch is a GNU/Linux interactive application firewall
OpenSnitch is a GNU/Linux application firewall that filters outbound connections, blocks unwanted domains, features a user-friendly GUI, supports centralized management, and offers easy installation and community support.
OpenSnitch is a GNU/Linux application firewall that focuses on filtering interactive outbound connections, enabling users to block ads, trackers, and malware domains across their system. It features a graphical user interface (GUI) that simplifies the configuration of the system firewall using nftables. OpenSnitch supports centralized management of multiple nodes and integrates with Security Information and Event Management (SIEM) systems, enhancing its utility for users managing complex network environments. Installation is straightforward for both Debian-based and RPM-based systems, with commands provided for easy setup. Users can access the GUI post-installation to manage their firewall settings. The project encourages community engagement through platforms like Discord and offers extensive documentation for users seeking more information. OpenSnitch has also been highlighted in various publications, showcasing its relevance in the cybersecurity landscape.
- OpenSnitch filters interactive outbound connections and blocks unwanted domains.
- It provides a user-friendly GUI for firewall configuration.
- The application supports centralized management of multiple nodes.
- Installation is simple for both Debian and RPM-based systems.
- Community support is available through Discord and comprehensive documentation.
Related
OpenSnitch: GNU/Linux interactive application firewall inspired by Little Snitch
OpenSnitch is a versatile GNU/Linux application firewall with outbound connections filtering, ad blocking, and SIEM integration. It offers deb/rpm packages on GitHub, press coverage, connection review, donations, and translation opportunities.
Protecting sshd using spiped (2012)
The article highlights spiped as a secure pipe daemon to protect sshd, offering a simpler alternative to 'ssh -L' by establishing a pre-shared secret key between hosts. Spiped enhances server security efficiently.
Show HN: NetSour, CLI Based Wireshark
The GitHub repository showcases NetSour, a Python and Scapy-based network packet sniffer with real-time capture, analysis, DoS detection, and multi-protocol support. Installation via cloning and `pip`, execution with root access. Aimed at educational and admin use, GPL V3 licensed.
How I Computer in 2024
The user has a highly customized NixOS setup for productivity, using a tiling window manager, Google Workspace, Obsidian, Todoist, Alacritty, Visual Studio Code, Tailscale, Mullvad, and Yubikeys for security.
xdg-override: change default application temporarily on Linux
The xdg-override tool modifies xdg-open behavior in GNU/Linux, allowing temporary changes to default applications for files and URLs. Installation is easy, and the author welcomes suggestions for improvements.
- Users appreciate the user-friendly GUI and integration with package managers, making maintenance easier.
- Some express concerns about the limitations of whitelisting and the potential for malware to exploit whitelisted tools.
- There are requests for similar applications on Android and MacOS, indicating interest in broader compatibility.
- Users report issues with crashes and temporary rules not being cleared, suggesting areas for improvement.
- Comparisons with other firewalls like UFW highlight a desire for clarity on features and functionality.
For example, suppose I run `curl` on the terminal, I can either always decide on a case-by-case basis to allow it thru, or I'm required to whitelist it permanently. Once I've whitelisted generic tools like `curl` or `wget`, then the floodgates are really open, since any malware that has compromised my machine can just use `curl` or `wget` to get to the internet without hitting the firewall.
By integrating with the package manager that hasn't been an issue. Once I got through the initial work of setting up my whitelists I just have a little bit of effort each time I add a new package to my nix configs. If I don't want to take on the effort of adding a whitelist to my nix config, I can just add a temporary whitelist that lasts until the next reboot.
It was a steep learning curve and a lot of work, but now it's a breeze to maintain.
I like it, but it has a small annoyance in that the temporary rules that have expired don’t get deleted or marked in the interface. So I have to restart the gui once in a while to clear them.
containerA: all outbound traffic allowed
containerB: no outbound traffic allowed, except to reply to a client
containerC: may only reach out to updates.example.com
Is this just per-container iptables? I could wedge iptables into existing images but it seems like a lot of work.
Or maybe something with iptables on the host?