An alternative that does not come with a potentially machine-bricking kernel panic bug is Opensnitch [1], last updated 14 months ago with a change to "funding.yaml" asking for donations.<p>A fork seems to be relatively alive [2] and I use it personally -- it works well, but is a bit of a PITA to build. Time to buy the devs a coffee...<p>[1] <a href="https://github.com/evilsocket/opensnitch" rel="nofollow">https://github.com/evilsocket/opensnitch</a>
[2] <a href="https://github.com/gustavo-iniguez-goya/opensnitch" rel="nofollow">https://github.com/gustavo-iniguez-goya/opensnitch</a>
> <i>Warning: unfortunately the project is suffering of a kernel freeze bug [0] that can break your machine!</i><p>> <i>You can follow the bug resolution from this issue.
Have a look at the Roadmap [1] to see when this issue should be fixed!</i><p>> <i>The current version is 0.8.2</i><p>This does not seem to be the fastest of projects... The bug was reported 6 years ago.<p>From the bug report (6 months ago):<p>> So, could a noob use it already without breaking the computer?<p>> No, not yet<p>[0] <a href="https://gitlab.com/douaneapp/douane-dkms/-/issues/3" rel="nofollow">https://gitlab.com/douaneapp/douane-dkms/-/issues/3</a><p>[1] <a href="https://douaneapp.com/#roadmap" rel="nofollow">https://douaneapp.com/#roadmap</a>
Privacy tooling should not come from a page that does not work without javascript. Moreover, this functionality is easy to achieve using user groups and the iptables owner module.<p>Here's an example that prevents atom from leaking telemetry.<p><pre><code> # add group atomblind
sudo groupadd atomblind
# add your username to atomblind group
sudo usermod -a -G atomblind <username>
# do not allow outbound traffic from group atomblind
sudo iptables -I OUTPUT -m owner --gid-owner atomblind -j DROP
# overwrite atom binary with a hook
# atom_binary is absolute path to your atom binary
echo "#!/bin/bash" > atom_hook
echo "sg atomblind -c 'atom_binary'" >> atom_hook
chmod +x atom_hook
./atom_hook</code></pre>
After the Big Sur update, I realized Little Snitch was the last reason I was sticking with MacOS. Now I have no reason.<p>I really hope Linux gets a viable alternative to Little Snitch, such as this Douane, or OpenSnitch.
Seems trivial to exploit the kernel module:<p><pre><code> struct network_activity * activity = NLMSG_DATA(nlh);
 <untrusted data from the netlink socket>
 append_rule(activity->process_path, (activity->allowed == 1));
 ...

 append_rule:
 // Don't do anything if the process_path length is > PATH_LENGTH
 if (strlen(process_path) > PATH_LENGTH)
     return;</code></pre>But nobody enforces that the process_path has a terminating 0 byte, so likely it can be abused for all kinds of attacks on the kernel. Better not run it anywhere you care about security.<p>I found this from about 2 minutes of code reading, so likely there wasn't any code audit done ever.
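A hardened form of that check, as an added example and not code from the Douane project: the message is modelled in userspace (the one-field msg_hdr, PATH_LENGTH and the "/usr/bin/atom" sample are assumptions), the received length is validated against the header and payload, and a process_path with no terminator is rejected by a bounded memchr() instead of being handed to strlen().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PATH_LENGTH 128   /* assumed size; the module's real constant is not on the page */

/* Constructed userspace model of the message. The real module reads a struct
 * nlmsghdr via NLMSG_DATA(); a one-field header keeps this example portable. */
struct msg_hdr { uint32_t len; };            /* bytes in the message, header included */
struct network_activity {
    char process_path[PATH_LENGTH];
    int  allowed;
};

/* Hardened replacement for the quoted strlen() check: validate lengths first,
 * then find the NUL with a bounded scan so an unterminated path is rejected
 * rather than read past the buffer. Returns 0 on success, -1 otherwise. */
int extract_process_path(const void *buf, size_t recv_len, char out[PATH_LENGTH])
{
    const struct msg_hdr *h = buf;
    if (recv_len < sizeof *h || h->len < sizeof *h || h->len > recv_len)
        return -1;                           /* short or inconsistent message */
    if (h->len - sizeof *h < sizeof(struct network_activity))
        return -1;                           /* payload too small for the struct */
    const struct network_activity *a =
        (const struct network_activity *)((const char *)buf + sizeof *h);
    const char *nul = memchr(a->process_path, '\0', PATH_LENGTH);
    if (nul == NULL)
        return -1;                           /* strlen() here would run off the end */
    memcpy(out, a->process_path, (size_t)(nul - a->process_path) + 1);
    return 0;
}

/* Constructs a message whose process_path is "/usr/bin/atom" followed by 'A'
 * bytes (no NUL anywhere) unless terminated != 0, then runs the parser. */
int check_message(int terminated)
{
    unsigned char buf[sizeof(struct msg_hdr) + sizeof(struct network_activity)];
    struct msg_hdr h = { (uint32_t)sizeof buf };
    struct network_activity a;
    const char *p = "/usr/bin/atom";         /* constructed sample path */
    char out[PATH_LENGTH];
    memset(a.process_path, 'A', PATH_LENGTH);
    memcpy(a.process_path, p, strlen(p) + (terminated ? 1 : 0));
    a.allowed = 1;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &a, sizeof a);
    return extract_process_path(buf, sizeof buf, out);
}
```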
A quick look at the code reveals a kernel module with major security vulnerabilities, so I wouldn't call it "privacy respecting."<p>Avoid...
i also built off the original opensnitch[1]. libnetfilterqueue is really great.<p>i used bpftrace instead of ftrace to get the process metadata, but eventually removed it after frustration building bpftrace.<p>currently it is a global inbound/outbound firewall with ui prompts.<p>i’ve recently had success running archlinux packaged bpftrace in a privileged container, so will be adding process metadata back in soon.<p><a href="https://github.com/nathants/tinysnitch" rel="nofollow">https://github.com/nathants/tinysnitch</a>
Do I get it correctly that the only reason for the kernel module is to be able to show GUI popup live when an app accesses the network for the first time? Because otherwise I believe it's easier to mark the packets with selinux and then filter them with netfilter.