When it comes to protecting your Linux system from unwanted network connections, having a good firewall is essential. While most Linux users rely on traditional firewalls like iptables, firewalld, or ufw, these usually work at the network level and don’t give detailed control over which applications can connect to the internet.
This is where OpenSnitch comes in, a GNU/Linux application firewall designed to give you control over your outgoing connections on a per-application basis.
In this article, we will explore what OpenSnitch is, how it helps secure your Linux machine, and guide you through simple installation and usage steps.
What is OpenSnitch?
OpenSnitch is an open-source application firewall for Linux, inspired by the popular Little Snitch on macOS. It monitors outgoing network connections and alerts you whenever a program tries to connect to the internet. You can then decide whether to allow or block the connection.
Why Use OpenSnitch?
- Manage outgoing network requests on an app-by-app basis.
- See which apps connect to which servers, IPs, and domains.
- Completely free, with code available on GitHub.
- Comes with a graphical interface for easy rule management.
- Blocks suspicious apps from sending data out without your knowledge.
Unlike traditional firewalls that focus on incoming traffic or broad rules, OpenSnitch focuses on outgoing connections and the apps generating them, making it ideal for users wanting better control over what leaves their system.
Installing OpenSnitch on Linux
OpenSnitch is officially available in package form for many Linux distributions like Ubuntu, Debian, Fedora, Arch Linux, and more.
First, head to the official GitHub release page to download the latest package files for your distribution:
- For Debian/Ubuntu → .deb files.
- For Fedora/CentOS/RHEL → .rpm files.
- For Arch Linux → use sudo pacman -S opensnitch.
OpenSnitch comes in two packages:
- The main firewall daemon (opensnitch).
- The optional graphical interface (python3-opensnitch-ui or opensnitch-ui).
Let’s break it down by distro:
Install OpenSnitch on Debian & Ubuntu
After downloading the .deb packages (both daemon and UI), open a terminal in your Downloads folder and run:
sudo apt install ./opensnitch*.deb ./python3-opensnitch-ui*.deb
Alternatively, you can just double-click the files to install them with your system’s software installer, which will install and set up both the firewall daemon and its GUI.
Install OpenSnitch on Fedora / CentOS / RHEL
If you downloaded the .rpm files, you have two options depending on your package manager (yum or dnf).
sudo yum localinstall opensnitch-*.rpm opensnitch-ui*.rpm
OR
sudo dnf install ./opensnitch-*.rpm ./opensnitch-ui*.rpm
After installation, start the firewall daemon and enable it to launch at boot.
sudo systemctl enable --now opensnitchd
OR
sudo systemctl enable --now opensnitch
To start the GUI, just type:
opensnitch-ui

How OpenSnitch Works
Once installed and running, OpenSnitch monitors every outgoing connection made by your applications. The first time a new app tries to access the internet, OpenSnitch will prompt you with a pop-up asking what to do.
You will see:
- The application name and its path.
- The IP address or domain it’s trying to connect to.
- The port being used.
Then you can choose to:
- Allow once
- Block once
- Always allow
- Always block
This makes it very easy to control network access based on both application and destination.
Example Use Case: Firefox
Suppose you open Firefox, and it tries to connect to the internet.
OpenSnitch will show a prompt like:
- App: /usr/lib/firefox/firefox
- Destination: 93.184.216.34 (example.com)
- Port: 443 (HTTPS)
You might choose “Always allow” so that Firefox can access the web without future prompts. If you were unsure about the app or destination, you could select “Block once” or “Always block” instead.

Managing Rules
Rules are created each time you approve or deny a connection.
You can manage them easily in the GUI:
- View existing rules.
- Edit or delete them.
- Organize by application or domain.
- Temporarily disable rules or the firewall entirely.
OpenSnitch stores these rules in plain text files, so you can even edit them manually if needed (usually found in /etc/opensnitch/rules/).
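Because the rules are plain files, they can also be reviewed outside the GUI. The following is an added example, not code from this article or from the OpenSnitch project: it lists enabled "always allow" rules that name no destination or no application, which are the broadest rules a quick "Always allow" click can leave behind. The field names (action, duration, enabled, operator, operand, list) are assumed to match the JSON layout of the rule files on your system, and the sample rules are constructed.

```python
import json
import tempfile
from pathlib import Path

def leaf_operands(op):
    """Yield each operand of an operator, descending into 'list' operators."""
    if op.get("type") != "list":
        yield op.get("operand", "")
    for child in op.get("list") or []:
        yield from leaf_operands(child)

def audit_rules(rules_dir):
    """Return (file, finding) pairs for enabled 'always allow' rules that are broad."""
    findings = []
    for path in sorted(Path(rules_dir).glob("*.json")):
        try:
            rule = json.loads(path.read_text())
        except (OSError, ValueError):
            findings.append((path.name, "unreadable rule file"))
            continue
        active = rule.get("enabled", True) and rule.get("action") == "allow"
        if not active or rule.get("duration") != "always":
            continue
        operands = list(leaf_operands(rule.get("operator") or {}))
        if not any(o.startswith("dest.") for o in operands):
            findings.append((path.name, "allowed to any destination"))
        if not any(o.startswith("process.") for o in operands):
            findings.append((path.name, "not tied to an application"))
    return findings

def simple(operand, data):
    return {"type": "simple", "operand": operand, "data": data}

def demo():  # audits constructed sample rules written to a temporary directory
    app, host = simple("process.path", "/usr/lib/firefox/firefox"), simple("dest.host", "example.com")
    base = {"duration": "always", "enabled": True}
    rules = {
        "allow-firefox.json": {**base, "action": "allow", "operator": app},
        "allow-firefox-example.json": {**base, "action": "allow",
            "operator": {"type": "list", "operand": "list", "list": [app, host]}},
        "block-example.json": {**base, "action": "deny", "operator": host},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, rule in rules.items():
            Path(tmp, name).write_text(json.dumps(rule))
        Path(tmp, "truncated.json").write_text('{"action": "allow"')  # damaged file
        return audit_rules(tmp)

if __name__ == "__main__":
    print(demo())
```

To audit real rules, call audit_rules() with the rules directory mentioned above.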
Conclusion
OpenSnitch is a powerful tool that brings a missing piece of security to Linux — the ability to control outgoing traffic at the application level. It’s open source, actively developed, and works across multiple Linux distributions with minimal setup.
With the latest package-based installation, getting started is easier than ever. Whether you’re a privacy advocate or just want to keep your system secure, OpenSnitch gives you the visibility and control you need.
Tried it on Fedora and ran into dependency issues. Ended up compiling from source. Needs better distro support or at least a flatpak/snap option.
UI isn’t starting:
Themes not available. Install qt-material if you want to change GUI’s appearance:
Loaded network aliases from /usr/lib/python3/dist-packages/opensnitch/network_aliases.json
~ OpenSnitch GUI – 1.7.0 ~
protobuf: 3.12.4 – grpc: 1.30.2
Hope it will not cause connection problems now which I can’t configure without GUI.
@Tice,
It looks like the OpenSnitch GUI isn’t starting properly because the required theme package (qt-material) isn’t installed.
You can try running the following command to fix it:
That should resolve the “Themes not available” warning and hopefully allow the GUI to launch correctly.
As for the concern about not being able to configure network rules without the GUI — you’re absolutely right. The GUI is the main way to manage and allow/deny connections interactively, so getting it running is important.
Let me know if the GUI still doesn’t start after installing the theme package — happy to help you troubleshoot further.
Can OpenSnitch be used on non-systemd systems?
@dragonmouth,
Yes, OpenSnitch can be used on non-systemd systems, but it may require some manual setup. Since it provides a systemd service by default, you’ll need to start and manage the daemon using your system’s init system (like OpenRC, runit, or SysVinit) instead of systemd.
Just be sure to launch the daemon (opensnitchd) and the UI manually or via your init system of choice. Some additional tweaking might be needed depending on your distro.
Hope that helps!
Thanks
Been using OpenSnitch for a few months now and it’s a game-changer for privacy. Finally, I can see what apps are trying to reach out. Great alternative to Little Snitch on macOS.
This is exactly what Linux has been missing. I always felt uneasy about what apps might be phoning home. Now I can block them easily. Great write-up!
Worked great on Arch, but had to tweak some systemd settings to get it to start on boot. Not quite plug-and-play, but still worth it.
Slowed down my system a bit when running multiple apps. Might be too heavy for older machines.
Not for beginners. If you’re not comfortable dealing with network prompts or don’t know what to allow/block, it can be overwhelming.