Bromeo 7 hours ago

How does it compare to opensnitch? https://github.com/evilsocket/opensnitch

sgc 5 hours ago | parent | next [-]

I just tried littlesnitch and it did not resolve very many ips to domains, which is pretty basic. It also failed to identify most processes, and they were grouped under "Not Identified". It appears these are known limitations of the Linux version [1]. So for that alone I need to stick with opensnitch.

[1] "Little Snitch for Linux is built for privacy, not security, and that distinction matters. The macOS version can make stronger guarantees because it can have more complexity. On Linux, the foundation is eBPF, which is powerful but bounded: it has strict limits on storage size and program complexity. Under heavy traffic, cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. And reconstructing which hostname was originally looked up for a given IP address requires heuristics rather than certainty. The macOS version uses deep packet inspection to do this more reliably. That's not an option here." -- from https://obdev.at/products/littlesnitch-linux/index.html

toredash 2 hours ago | parent [-]

Is there any DNS based software to do block/allow? Kinda like what's present in CiliumNetworkPolicies in Kubernetes networking?

gus_ 13 minutes ago | parent | next [-]

OpenSnitch (+ block lists) ;)

or DNS stubs with filtering capabilities.

M95D 42 minutes ago | parent | prev | next [-]

Yes, PiHole is the most common, but malware can easily bypass that using shared domains, P2P or IP addresses directly.

Use a filtering proxy instead and no gateway / route to the internet.

Milpotel 2 hours ago | parent | prev [-]

You mean like PiHole or AdGuard?

lapcat 7 hours ago | parent | prev | next [-]

"I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click." https://obdev.at/blog/little-snitch-for-linux/

haswell 7 hours ago | parent [-]

I've used OpenSnitch for years, and while LittleSnitch definitely has a better UI for showing which process is making which connections over time, OpenSnitch does a pretty good job here. I get a modal popup when a program that hasn't made a connection tries to make a connection, and I can either allow/deny in one click, or further customize the rule e.g. allowing ntpd to connect, but only to pool.ntp.org on port 123.

Where LittleSnitch is definitely ahead is showing process connections over time after said process has been allowed.
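The ntpd rule described above, written out as an OpenSnitch rule file (an added example, not from the original post; the process path /usr/sbin/ntpd is an assumption that depends on the distribution, and the rule would live in the daemon's rules directory, /etc/opensnitchd/rules/ by default). The three conditions are ANDed: the process path must match, the destination hostname must be pool.ntp.org or one of its numbered subdomains, and the port must be 123.

```json
{
  "created": "2024-01-01T00:00:00+00:00",
  "updated": "2024-01-01T00:00:00+00:00",
  "name": "allow-ntpd-pool-ntp-org-123",
  "enabled": true,
  "precedence": false,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "list",
    "operand": "list",
    "sensitive": false,
    "data": "",
    "list": [
      {
        "type": "simple",
        "operand": "process.path",
        "sensitive": false,
        "data": "/usr/sbin/ntpd"
      },
      {
        "type": "regexp",
        "operand": "dest.host",
        "sensitive": false,
        "data": "^([a-z0-9-]+\\.)?pool\\.ntp\\.org$"
      },
      {
        "type": "simple",
        "operand": "dest.port",
        "sensitive": false,
        "data": "123"
      }
    ]
  }
}
```

The dest.host condition only matches when opensnitchd saw the DNS answer that produced the destination IP; if ntpd is pointed at a bare IP address, this rule will not match and the connection falls through to the prompt or the daemon's default action, which is the behaviour you want for an allow-list.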

unsnap_biceps 6 hours ago | parent [-]

When I looked at OpenSnitch (years ago), it didn't support running headless on a server. Am I mistaken about this, or has it changed?

sgc 5 hours ago | parent | next [-]

You can run daemons on several nodes (different machines) and view them all through a central ui, it is pretty cool.

mixmastamyk 5 hours ago | parent | prev [-]

The UI is a separate package. Though you might just configure the firewall yourself at that point.

colesantiago 7 hours ago | parent | prev [-]

It is free, no subscription at all and truly open source.

As software should be.

lordmoma 6 hours ago | parent [-]

How should the maintainer make money?

abeyer 4 hours ago | parent | next [-]

Personally I'd be fine with a commercial license with source available here... the issue isn't the price, it's the fact that you're asked to MITM every network connection you make under the control of a binary blob.

I think it's fair to ask that a developer choosing to build a thing that requires that kind of access should be expected to err on the side of transparency.

righthand 3 hours ago | parent | prev | next [-]

You mean “how can I donate?”

https://github.com/evilsocket/opensnitch?tab=readme-ov-file#...

konart an hour ago | parent [-]

So... what if the maker can't make it on donations only?

foo12bar 5 hours ago | parent | prev | next [-]

Hunt, gather.

SV_BubbleTime 3 hours ago | parent [-]

There was also toolmaker to support the hunter and gatherer… so… back to square one.

4 hours ago | parent | prev [-]
[deleted]