# OpenSnitch

OpenSnitch is an interactive, application-level firewall for Linux — a port of the concept behind macOS's Little Snitch. The kernel firewall (`iptables`/`nftables`/`ufw`) sees packets but not the process that made them; OpenSnitch fills that gap by hooking into Netfilter via NFQUEUE and asking which **executable** is attempting to talk to the network. Every new outbound connection triggers a prompt: allow or deny, once or persistently, scoped to this process, this user, this destination, this port.

Why this matters: most exfiltration and telemetry happens silently from binaries you trust. A browser is expected to talk to the internet. A LibreOffice update checker, a closed-source app phoning home, a curl pipe-to-shell installer leaking your IP — those are not. OpenSnitch makes that traffic visible and revocable without needing to read source code or `strace` the process.

The architecture splits cleanly: a Go daemon enforcing rules in kernel space, a Python/Qt GUI for prompts and history. Rules live in JSON on disk, version-controllable (a nice pairing with [[etc keeper]] if dropped under `/etc`). Default-deny is feasible after a learning period — most desktops settle into a stable rule set within a few days.

Contrarian read: most Linux users skip a host firewall because [[Uncomplicated Firewall (UFW)|UFW]] feels redundant behind a NAT. OpenSnitch is the firewall that actually pays its weight on a workstation — not because of inbound threats, but because outbound visibility is the thing you don't otherwise have.

## References

- https://github.com/evilsocket/opensnitch
- https://github.com/evilsocket/opensnitch/wiki

## Related

-
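To make the "rules in JSON, scoped to process/user/destination/port, default-deny after learning" model concrete, here is an added example (not OpenSnitch's own code) that evaluates a small rule set against a connection record. The rule shape (name/enabled/precedence/action/operator with simple, regexp, list and network types) and the ordering of precedence rules first, then by name, are assumptions modelled on OpenSnitch's on-disk rule files; the rules and connections are constructed samples.

```python
"""Evaluate OpenSnitch-style JSON rules against an outbound connection.

The rule schema below is an assumption modelled on OpenSnitch's per-rule
JSON files; it is not the daemon's own matching code."""
import ipaddress
import re

# Constructed sample rules (shape assumed, see docstring).
SAMPLE_RULES = [
    {"name": "000-allow-firefox-https", "enabled": True, "precedence": True,
     "action": "allow", "duration": "always",
     "operator": {"type": "list", "operand": "list", "list": [
         {"type": "simple", "operand": "process.path", "data": "/usr/lib/firefox/firefox"},
         {"type": "simple", "operand": "dest.port", "data": "443"}]}},
    {"name": "deny-lan-from-office", "enabled": True, "precedence": False,
     "action": "deny", "duration": "always",
     "operator": {"type": "list", "operand": "list", "list": [
         {"type": "regexp", "operand": "process.path", "data": r"^/opt/libreoffice.*/program/"},
         {"type": "network", "operand": "dest.network", "data": "10.0.0.0/8"}]}},
    {"name": "allow-curl-once", "enabled": False, "precedence": False,
     "action": "allow", "duration": "once",
     "operator": {"type": "simple", "operand": "process.path", "data": "/usr/bin/curl"}},
]

def _match(op, conn):
    """Return True if one operator matches the connection fields."""
    kind, operand, data = op["type"], op["operand"], op.get("data", "")
    if kind == "list":                       # AND of all sub-operators
        return all(_match(sub, conn) for sub in op["list"])
    value = str(conn.get(operand, ""))
    if kind == "simple":                     # exact string equality
        return value == data
    if kind == "regexp":
        return re.search(data, value) is not None
    if kind == "network":                    # CIDR test against dest.ip
        return ipaddress.ip_address(conn["dest.ip"]) in ipaddress.ip_network(data, strict=False)
    raise ValueError(f"unknown operator type {kind!r}")

def decide(rules, conn, default="deny"):
    """First enabled matching rule wins; precedence rules are tried first,
    the rest in name order (ordering is an assumption). Returns
    (action, rule_name), or (default, None) when nothing matches, which
    with default="deny" gives the default-deny posture described above."""
    ordered = sorted(rules, key=lambda r: (not r.get("precedence", False), r["name"]))
    for rule in ordered:
        if rule.get("enabled", True) and _match(rule["operator"], conn):
            return rule["action"], rule["name"]
    return default, None
```

Running `decide` over the connections the daemon would otherwise prompt for shows which rule (if any) claims each one, which is a quick way to audit a rule directory for gaps before switching the unmatched default from allow to deny.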