OpenSnitch
github.com/evilsocket/opensnitch Linux
Makes internet connections from all apps visible, allowing you to block or manage traffic on a per-app basis. GNU/Linux port of the Little Snitch application firewall.
- Homepage: github.com/evilsocket/opensnitch
- GitHub: github.com/evilsocket/opensnitch
- Web info: web-check.xyz/results/github.com
OpenSnitch Source Code
- Description: OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
- License: GPL-3.0
- Created: 16 Apr 17
- Last Updated: 05 Apr 24
- Primary Language: Python
- Size: 18,129 KB
- Stars: 9,590
- Forks: 474
- Watchers: 9,590
Top Contributors
- @gustavo-iniguez-goya (1161)
- @evilsocket (277)
- @adisbladis (42)
- @tioguda (13)
- @MarkoShiva (8)
- @Northern-Lights (8)
- @0xacb (6)
- @ovari (6)
- @themighty1 (6)
- @omern1 (4)
- @lainedfles (4)
- @petterreinholdtsen (4)
- @intika (3)
- @gnuhead-chieb (3)
- @SpencerIsGiddy (3)
- @raphting (3)
- @ckuethe (3)
- @raboof (3)
- @luzpaz (2)
- @freddii (2)
- @WojtekWidomski (2)
- @Ph0rkoz (2)
- @p- (2)
- @nberlee (2)
- @melizeche (2)
- @jkozera (2)
- @davide125 (2)
- @carlosotgz (2)
- @nnsee (1)
- @ryanolton (1)
Recent Commits
- Gustavo Iñiguez Goia (11 Feb 24)
  ui: fixed deleting rules with list limits
  Fixed deleting rules when the GUI is configured to display a maximum number of rules.
- Gustavo Iñiguez Goia (08 Feb 24)
  pop-ups: filter by absolute path+cmdline on some cases
  If the pop-ups' target is to filter by cmdline, but the typed/launched command is not absolute or it starts with /proc, also filter by the absolute path to the binary.
- Gustavo Iñiguez Goia (05 Feb 24)
  Updated ebpf compilation instructions
  kudos to @planetoryd for reporting it (#1080).
- Gustavo Iñiguez Goia (05 Feb 24)
  updated ebpf makefile
  - Added -fno-stack-protector: https://lore.kernel.org/bpf/194f38f2dc7d521375e5a660baaf1be31536be9a.camel@gmail.com/ https://reviews.llvm.org/D142046
  - Added -Wno-unused-value, -Wunused to warn on uninitialized/not used variables.
  kudos to @planetoryd for reporting this (#1080).
- Gustavo Iñiguez Goia (02 Feb 24)
  pkgs: improved rpm upgrades
  We were not handling configuration upgrades properly on rpm based systems. Now local changes to default-config.json and system-fw.json are kept, and if the distributed files change in the future, new files will be created with the extension .rpmnew
- Gustavo Iñiguez Goia (28 Jan 24)
  clean dns ebpf hooks on exit
  We were not reacting to common exit signals, only to kill/interrupt signals, so the DNS uprobes were never properly removed. Each uprobe has the PID of the daemon in the identifier, so in theory, there shouldn't be conflicts, but better clean our probes on exit.
  previous to this commit with the daemon running (and lot of starts/stops):
    ~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
    367
  after stopping the daemon:
    ~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
    364
    ~ # > /sys/kernel/debug/tracing/uprobe_events
    ~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
    0
    ~ # cp opensnitchd-new /usr/bin/opensnitchd ; service opensnitchd start
    ~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
    3
    ~ # service opensnitchd stop
    ~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
    0
- Gustavo Iñiguez Goia (26 Jan 24)
  on aarch64 send exec events directly to userspace
  On 68c2c8ae1aeb7356f9d90e88e2129465c472e646 we excluded failed execve* calls from being delivered to userspace, in order to get the binary that was executed and avoid errors/confusion. But on aarch64, it seems that we fail to save the exec event to a map, so the event is never delivered to userspace. So for the time being, send the exec events as soon as they arrive on aarch64, without checking if the call failed.
- Gustavo Iñiguez Goia (26 Jan 24)
  ebpf,dns: initialized structs
  On the previous commit we just disabled dns uprobes for armhf/i386 to avoid loading errors. A better fix is to initialize the structs used. On armhf still fails after loading it, when attaching to the uprobes (offsets?), and on i386 it doesn't seem to send anything to userspace (more analysis needed).
  - Increased the number of IPs associated with a domain that are delivered to userspace. (getfedora.org returns 30 ipv4+ipv6).
  - Fixed getting the aliases of a domain when using gethostbyname().
- Gustavo Iñiguez Goia (26 Jan 24)
  added more debug info to the dns ebpf hook
  Added the path to the libc as well as the calculated offset for the uprobe. Don't return on the first error found loading a uprobe, instead try all the uprobes and return if the loaded uprobes are 0.
- Gustavo Iñiguez Goia (26 Jan 24)
  fixed dns ebpf module for i386/arm architecture
  The opensnitch-dns module was not loading on i386/arm architectures. With the following changes it loads and some uprobes are attached. for-loops unrolling doesn't still work though on i386/armhf (help needed). And on armhf the perf_output channel fails to load for some uprobes.
- Gustavo Iñiguez Goia (25 Jan 24)
  fixed debug msg printing resolved IP
- Gustavo Iñiguez Goia (22 Jan 24)
  ui:use appimages pattern as default target if found
  If the path of a process starts with /tmp/.mount_*, which is the common path for appimages, use it as the default target on the popups. Previously it was only added to the list of targets, but preselecting it will help users to create rules for appimages.
- Gustavo Iñiguez Goia (20 Jan 24)
  on errors stop established conns monitor
  There's a long running task that monitors established connections every ~2s. When a connection is not found via ebpf or proc, sometimes it's found there so we can use the inode to search for the process. However on some systems the netlink call to dump the sockets may fail continuously, wasting resources. It'll also fail if you block connections to port 0 (common case for ICMP packets). So if there're too many errors dumping the sockets, stop this task for these cases.
- Gustavo Iñiguez Goia (18 Jan 24)
  process tree improvements
  - When discovering the hierarchy of a process, reuse components of the tree if they're already on cache, to improve speed and reduce mem allocs.
  - When building the tree of a process, rebuild the tree if the first component doesn't have pid 1. Otherwise reuse the tree.
- Gustavo Iñiguez Goia (18 Jan 24)
  minor improvement/refactoring
  Move queues setup to its own func. Don't declare some dns vars inside for loops.
- Gustavo Iñiguez Goia (18 Jan 24)
  removed not used functions
  part of the previous commit.
- Gustavo Iñiguez Goia (18 Jan 24)
  ebpf cached improvements
  Simplify the cache of connections by storing only the PID of a process, instead of the Process object. We can obtain the Process object from the cache of processes by PID.
- Gustavo Iñiguez Goia (17 Jan 24)
  allow to configure GC percentage
  Added config option to set how often the garbage collector runs. For example:
    "Internal": { "GCPercent": 75 },
  If this option is not specified in the config file, or the value is 0, then the GC percentage is not configured. More info: https://pkg.go.dev/runtime/debug#SetGCPercent
- Gustavo Iñiguez Goia (17 Jan 24)
  added more options to debug the daemon
  - Improved -mem-profile cli option for writing memory statistics.
  - Added -trace-file cli option for writing trace events.
  https://github.com/google/pprof/blob/main/doc/README.md https://go.dev/blog/pprof
- Gustavo Iñiguez Goia (15 Jan 24)
  strings concatenation improvements
  Use strings.Join() to concatenate strings, instead of Sprint*(), for better performance.
- Gustavo Iñiguez Goia (15 Jan 24)
  fixed typo
- Gustavo Iñiguez Goia (14 Jan 24)
  structs fields reorganized
  Structs' fields reorganized based on fieldalignment tool output
- Gustavo Iñiguez Goia (08 Jan 24)
  ebpf: delete pid from exec maps if it exists
  We track new processes execution by intercepting the enter and exit of the functions, but sometimes the exit hook is not called, so the corresponding entry was not being removed from the map. In this situation the map becomes full and accepts no new entries. Now the entry is deleted from the map once the process exits, if it still exists in the map.
- Gustavo Iñiguez Goia (07 Jan 24)
  sys-fw: load default config path if non supplied
  By default load the system fw config file from /etc/opensnitchd/system-fw.json. There're these options to specify the file to load:
  - via cli option with -fw-config-file
  - writing it in the default-config.json file: "FwOptions": { "ConfigPath": "..." }
  If both options are empty, then the default one is used.
  FIXME: When the cli option is used to load the fw configuration, and the main preferences are saved, the fw is reloaded but the path to the fw config is lost.
- Gustavo Iñiguez Goia (05 Jan 24)
  updated TestProcIOStats test
  On this test we assumed that there would always be reading stats for our own process /proc/self, but on restricted environments that might not always be the case. Anyway, a value of 0 is not an error in itself. Closes #1075
- Gustavo Iñiguez Goia (05 Jan 24)
  ebpf: fixed dns uprobes
  We were not deleting DNS entries from the hash map, so when it reached the maximum capacity (12k entries), we couldn't allocate new entries, resulting in events not being sent to userspace.
- Gustavo Iñiguez Goia (04 Jan 24)
  ui: display alert details by double-clicking on it
- Gustavo Iñiguez Goia (04 Jan 24)
  fixed loading dns ebpf module
  Closes #1076
- Gustavo Iñiguez Goia (03 Jan 24)
  ui: save and display alerts/events from the daemon
  New option to save and display alerts/events received from the daemon, like system fw errors or eBPF modules errors. Until now we only displayed a desktop message, making it difficult to review the message in detail, or other actions.
- Gustavo Iñiguez Goia (31 Dec 23)
  fixed leak dispatching alerts
  Fixed potential leak when disconnecting from the GUI, and at the same time dispatching an alert/message to the GUI.
OpenSnitch Website
Website
GitHub: Let’s build from here · GitHub
GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.
Redirects
Does not redirect
Security Checks
All 66 security checks passed
Server Details
- IP Address 140.82.112.4
- Hostname lb-140-82-112-4-iad.github.com
- Location San Francisco, California, United States of America, NA
- ISP GitHub Inc.
- ASN AS36459
Associated Countries
- US
Safety Score
Website marked as safe
100%
Blacklist Check
github.com was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
More Firewalls
- Provides simple and advanced ways to block access to the internet. Applications and addresses can individually be allowed or denied access to Wi-Fi and/or mobile connection.
- Notifies you when an app is trying to access the Internet, so all you need to do is just Allow or Deny. Allows you to create filter rules based on IP address, host name or domain name, and you can allow or deny only specific connections of an app. (Not Open Source)
- AFWall+ (Android - Rooted), xdaforums.com/t/5-0-root-3-6-0-afwall-iptables-firewall-28-aug-2023.1957231: Android Firewall+ (AFWall+) is an advanced iptables editor (GUI) for rooted Android devices, which provides very fine-grained control over which Android apps are allowed to access the network.
- An open-source ad-blocker and firewall app for Android 6+ (does not require root).
- Firewall app for iPhone, allowing you to block any connection to any domain. (Not Open Source)
- Tool to control Windows Filtering Platform (WFP), in order to configure detailed network activity on your PC. (Windows)
- Free, open source macOS firewall. It aims to block unknown outgoing connections, unless explicitly approved by the user.
- A very polished application firewall, allowing you to easily manage internet connections on a per-app basis. (Mac OS) (Not Open Source)
- Open source GUI firewall for Linux, allowing you to block internet access for certain applications. Supports both simple and advanced mode, GUI and CLI options, very easy to use, lightweight/low-overhead, under active maintenance and backed by a strong community.
- The ufw (Uncomplicated Firewall) is a GUI application and CLI, that allows you to configure a firewall using iptables much more easily.
- IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux. Easy to install on a raspberry Pi, since it is lightweight and heavily customizable.
- An open source firewall tool for Linux that builds upon the Netfilter system built into the Linux kernel, making it easier to manage more complex configuration schemes with iptables.
- Enterprise firewall and router for protecting networks, built on the FreeBSD system.
About the Data: OpenSnitch
API
You can access OpenSnitch's data programmatically via our API.
Simply make a GET request to:
https://api.awesome-privacy.xyz/networking/firewalls/opensnitch
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included in this page comes from, and how it is computed, see the About the Data section of our About page.