Little Snitch for Linux

Overall reception

  • Many macOS users praise Little Snitch and are glad to see a Linux port, citing its usability and “must‑have” status on Mac.
  • Others are skeptical due to its proprietary daemon and early-stage limitations on Linux; several say they’ll stick with OpenSnitch or Portmaster for now.

Functionality and UX

  • Core use case: per‑process visibility and control of outbound connections, with interactive pop‑ups to allow/deny and build rules.
  • Linux version currently struggles to resolve many IPs to hostnames and often shows “Not Identified” processes.
    • Developer explains: daemon must be running before processes start (reboot recommended); encrypted or non‑DNS lookups and TCP DNS are not fully handled.

Architecture and eBPF limitations

  • Linux implementation relies on eBPF; macOS uses a richer kernel API and deep packet inspection.
  • eBPF constraints discussed:
    • Strict limits on instruction count, map sizes, and program complexity.
    • Under heavy traffic, connection/DNS maps can overflow, breaking reliable mapping of packets to processes/hostnames.
    • DPI for TLS/QUIC and buffering/reinjecting packets is considered too complex for eBPF in this design.
  • Some commenters doubt these limits are fundamental; others with eBPF experience back the explanation.
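
A userspace model of the map-overflow failure described above, added here as an illustration; it is not code from Little Snitch or from the discussion. It assumes a flow-to-PID table with the two standard BPF hash map behaviors: a plain hash map rejects inserts once full, and an LRU hash map evicts its least recently used entry. The capacity, flow IDs and PIDs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP 4            /* constructed: tiny so the overflow is easy to see */
#define NOT_IDENTIFIED 0 /* what a UI would show when no owner is found */

struct entry { uint32_t flow, pid; uint64_t last_used; int used; };
struct flow_map { struct entry e[CAP]; uint64_t clock; int lru; };

/* Return the owning pid for a flow, or NOT_IDENTIFIED if it is not in the map. */
static uint32_t map_lookup(struct flow_map *m, uint32_t flow) {
    for (int i = 0; i < CAP; i++)
        if (m->e[i].used && m->e[i].flow == flow) {
            m->e[i].last_used = ++m->clock;
            return m->e[i].pid;
        }
    return NOT_IDENTIFIED;
}

/* Record flow -> pid. A full plain map rejects the insert (-1);
 * a full LRU map overwrites its least recently used entry. */
static int map_insert(struct flow_map *m, uint32_t flow, uint32_t pid) {
    int slot = -1;
    for (int i = 0; i < CAP; i++) {
        if (!m->e[i].used) { slot = i; break; }
        if (m->lru && (slot < 0 || m->e[i].last_used < m->e[slot].last_used))
            slot = i;
    }
    if (slot < 0) return -1;
    m->e[slot] = (struct entry){ flow, pid, ++m->clock, 1 };
    return 0;
}

/* One long-lived connection (flow 1, pid 100), then a burst of short flows from
 * pid 200. Returns the pid flow 1 resolves to; counts burst flows not recorded. */
static uint32_t run_burst(int lru, int burst, int *dropped) {
    struct flow_map m = { .lru = lru };
    *dropped = 0;
    map_insert(&m, 1, 100);
    for (int i = 0; i < burst; i++)
        if (map_insert(&m, 1000 + i, 200) != 0) (*dropped)++;
    return map_lookup(&m, 1);
}

int main(void) {
    int d1, d2;
    uint32_t p1 = run_burst(0, 10, &d1), p2 = run_burst(1, 10, &d2);
    printf("plain: flow 1 -> pid %u, %d untracked; LRU: flow 1 -> pid %u, %d untracked\n", p1, d1, p2, d2);
    return 0;
}
```

Either way attribution is lost somewhere: the plain map keeps the old connection but never records most of the burst, while the LRU map records the burst and forgets the still-open connection.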

Privacy vs. security guarantees

  • Author positions the Linux version as “for privacy, not security.”
    • It’s good for monitoring and blocking telemetry/legitimate software “phoning home.”
    • Not suitable for hardening against determined adversaries or bypass techniques (e.g., DNS tunneling, proxying via allowed apps).

Open source, trust, and supply‑chain risk

  • eBPF component and UI are open source; the root‑level daemon is closed source but free to use/redistribute.
  • Several commenters are uncomfortable granting a proprietary binary full visibility/control over all traffic and root access.
  • Others argue the vendor’s long history and reputation make malicious behavior unlikely, though supply‑chain and coercion risks are debated.
  • Some insist that serious claims that such vendors “must be attacked” or are worth “millions” to nation‑states are speculative and overstated.

Comparisons to alternatives

  • OpenSnitch: FOSS, years of use, decent UX but weaker visualization/history than Little Snitch; supports central UI for multiple nodes.
  • Portmaster: open‑source, Linux/Windows, interactive firewall plus tracking protection; some users happy, others dislike freemium changes.
  • Pi‑hole/AdGuard: DNS‑level, network‑wide ad/telemetry blocking; complements but does not replace per‑process tools and can be bypassed via DoH/direct IP.
  • Other references: Lulu (macOS), legacy Windows firewalls (ZoneAlarm, Comodo, etc.) and nostalgia over their granular control.

Platform and deployment issues

  • Version 1.0.0:
    • Requires kernel ≥ 6.12; some failures reported on newer kernels (BPF_PROG_LOAD errors, high CPU), and on Btrfs/Fedora (no process identification).
    • Developer acknowledges limited testing and is working on fixes.
  • Not currently suited to Flatpak/immutable desktop distros because it needs a root daemon early in boot.
  • Some users report noticeable battery impact; others note low memory usage.