23

I'm trying out Ubuntu. Been a Mac user. I like Ubuntu a lot but I'm uncomfortable not having an app-firewall that reports what connections are being made to the internet. I find it unnerving to not have any control over what can & cannot connect to the internet.

Little Snitch works great on the Mac for this purpose. Is there anything comparable on Ubuntu? The default UFW firewall cannot stop apps from connecting so is pretty useless.

Jorge Castro
  • 71,754
Lindsey
  • 251

9 Answers

8

Linux application firewalls have not yet caught on and there have been various third party projects that come and go over the years.

Currently the best, IMO, is Leopard Flower

There are detailed instructions on how to install Leopard Flower here

Note: It was written for Ubuntu 10.10

Install dependencies (python-qt4 is for the graphical front end)

sudo apt-get install iptables libnetfilter-queue libnetfilter-conntrack python-qt4

Download the zip file from http://sourceforge.net/projects/leopardflower/files/latest/download

Extract the zip file

This will extract a directory, lpfw

Open a terminal and cd into the directory (Assuming it is in ~/Downloads)

cd ~/Downloads/lpfw

Run the program

sudo ./lpfw

See the above link for more detailed instructions as well as more advanced configuration.

Panther
  • 102,067
  • it's not available in the repos? I have to go outside to get it? I have a practice of only installing from repos, so I'd prefer not to go outside. But I'm going to check this out. – Chad--24216 May 29 '12 at 17:17
  • No, it is not in the repos, sorry. – Panther May 29 '12 at 17:23
  • @bodhi.zazen : instructions severely outdated, package must be built from source now. – ish Jun 01 '12 at 04:48
  • @izx - OUCH !!! That is sort of the problem with application firewalls in Linux, a project pops up, but seems to fall unmaintained. Does it build from source ? – Panther Jun 01 '12 at 05:16
  • @bodhi.zazen: yes -- on precise, but with deps, etc. it's not a DIY for newbies. Dep names have changed, etc. Someone needs to make a deb package/PPA out of it. – ish Jun 01 '12 at 05:18
  • 1
    What does +150 mean for this answer? I hope 150 was not awarded. This is nice answer but it is not usable/installable and not even available in repos. Plus very out of date and not supported. – Chad--24216 Jun 13 '12 at 15:21
  • @bodhi.zazen Compile from source works on 13.04, instructions are in the README & INSTALL file. Does exactly what the OP wanted. – airtonix Jun 30 '13 at 20:12
  • @bodhi.zazen also, program author is working on a rewrite to address separation of concerns, I suggested on his github repo that dbus be considered to help with the separation. At the moment without the GUI running, new rules can't be created, and there is no feedback about why packets are dropped. I mean, if you create rules to block firefox from going to some website, then in six months will you remember why said website isn't loading? – airtonix Jul 14 '13 at 06:44
  • 2
    Is there an actively maintained alternative to Leopard Flower? As of 2014-01-12, this project is no longer under active development. – Victor Häggqvist Mar 31 '14 at 18:42
  • @VictorHäggqvist No, all these applications seem to die the same death. – Panther Mar 31 '14 at 19:13
  • 2
    https://github.com/themighty1/lpfw seems to be the new home – unhammer Aug 07 '15 at 10:52
  • The project seems to have moved to GitHub, and the README now says: "UPDATE October 2020. I no longer plan to contribute to this project because a better alternative with an active maintainer and community has appeared over the last years. I recommend using OpenSnitch ( https://github.com/evilsocket/opensnitch ) which uses similar techniques to LPFW." – Flimm Nov 16 '22 at 10:54
  • Please downvote this out-of-date answer, (or if you're the author, please delete it). – Flimm Nov 16 '22 at 10:55
7

If you are looking for a fresh application (GTK 3), have a look at my application (in heavy development) at http://douaneapp.com/

ZedTuX
  • 643
  • Has anyone tried this? I'd be interested in feedback, it's a very nice looking application. Any update on the process of getting listed in the Ubuntu Software Center? (per http://askubuntu.com/q/357002/31592 ) – blong Aug 27 '14 at 17:07
  • The application is not yet stable and will never be in the USC as they rejected my app (due to the fact that it has a kernel module ......) – ZedTuX Aug 27 '14 at 17:54
  • Ah, alright. Well, hopefully it's stable soon. There must be some process or steps that USC recommends for applications that depend on kernel modules, right? – blong Aug 27 '14 at 18:09
  • Well they just said to me that it's not secure. The guy hasn't given me any tips on how to make it possible... – ZedTuX Aug 31 '14 at 15:51
  • that stinks. Any update at this point? I feel like this app is something a lot of folks would like to use with Ubuntu, however I'd want the backing of the Ubuntu Software Center first. – blong Sep 17 '14 at 17:21
  • Have you seen this abandoned project? http://sourceforge.net/projects/leopardflower/files/Source/, that one does not seem to use kernel modules; I wonder if some tips could be found there, maybe? Despite that, I think the way firewalls work has changed so much that we can't even compile it anymore, and your project may be the only way now! – Aquarius Power Oct 08 '14 at 06:00
  • Well Douane has been built on the Linux Kernel Netfilter hooks. Changing this would mean rewriting the entire project. :) – ZedTuX Oct 08 '14 at 09:51
  • BTW if there are people who want to contribute, I will be more than happy to collaborate! – ZedTuX Oct 08 '14 at 09:52
  • @ZedTuX just tested it now, awesome work. Many thanks! – Mena Jun 08 '17 at 19:28
  • Thank you @Mena! You can also thank the contributors ;-) – ZedTuX Jun 09 '17 at 08:08
  • FYI I'm currently working on the project again (as much as I can). I made a new website (https://douaneapp.com) and also an installer (look at the website). On the website I've made a "Roadmap" section where you can see what I'm working on. If anyone wants to help me, you're all very welcome! – ZedTuX May 02 '20 at 12:20
6

Some GUI suggestions that maybe fit your needs.

Program Guard allows users of a Linux workstation to control which programs access the Internet, last updated, 2006

Program Guard

Gufw an interface powered by ufw, last updated, 2012

Gufw

FireFlier last updated, 2009

FireFlier

Guarddog last updated, 2007.

TuxGuardian last updated, 2006.

InJoy Firewall™ commercial application (offers a 30 day trial version) last updated, 2007.

pl1nk
  • 6,399
  • TuxGuardian looks like it provides what I'm looking for; however, it's no longer supported and badly out of date :( (upticked for TuxGuardian suggestion) – Chad--24216 Jun 06 '12 at 14:26
  • @Chad--24216 I see, however check out Program Guard also --added recently to my answer – pl1nk Jun 06 '12 at 15:39
  • Please only recommend one solution per answer post, that way, we can vote on each app separately. – Flimm Nov 16 '22 at 10:53
3

OpenSnitch

OpenSnitch is an application firewall inspired by Little Snitch that works on Ubuntu. Here's a screenshot of a prompt OpenSnitch displays when Firefox tries to connect to the Internet:

Screenshot

Installation instructions on Ubuntu 23.04 or later:

Run this command:

sudo apt install opensnitch

Now launch "OpenSnitch" from your GUI.

Installation instructions for older versions of Ubuntu:

  • Download the opensnitch and python3-opensnitch-ui .deb files from this releases page:

    • If you're using a 64 bit system, download opensnitch_1.5.2-1_amd64.deb and python3-opensnitch-ui_1.5.2-1_all.deb
    • If you're using a 32 bit system, download opensnitch_1.5.2-1_i386.deb and python3-opensnitch-ui_1.5.2-1_all.deb
    • If you're using an ARM 64 bit system, or an ARM hard float system, download the corresponding .deb files
  • Install both of these files by double clicking and installing them, or by running this on the command line:

    sudo dpkg -i Downloads/opensnitch*.deb Downloads/python3-opensnitch-ui*.deb
    
  • You can launch the OpenSnitch GUI tool by launching "OpenSnitch".

If for some reason you can't run OpenSnitch after installing it, you may be experiencing this bug (GitHub issue, Launchpad bug report). To fix it, run on the command-line:

sudo apt install python3-pip
pip3 install --ignore-installed --user grpcio==1.44.0

Pip installs modules to ~/.local/share/lib/python*, so you can delete that directory if you want to undo the previous command.

Flimm
  • 41,766
3

anfd is a Perl script which does the job, but it is not at all as user-friendly as Little Snitch. There is a good, but German, wiki page. Download the script here and run it with anfd -h to see the following help text:

anfd - Ain't no firewall daemon.

anfd [-D] [-i 'iptables command'] [-x] [-c configfile] [-p pidfile]
anfd -k [-p pidfile]
anfd (-h|-?)

Anfd is a userspace daemon that uses the netfilter-ip_queue mechanism to hinder
specific software from "phoning home". It is not security software but privacy
software.

Options:
        -h, -?      : Print this help message.
        -D          : Debug mode - don't detach from terminal and print detailed infos
        -i 'command': Use this iptables command to insert the QUEUE rule.
                      Default: $ipt
        -x          : Dont insert any iptables rule. Admin will take care of that
                      herself.
        -c file     : Use this config file. Default: $default_config
        -p pidfile  : Use this pid file. Default: $pid_file
        -k          : Kill running anfd process.
lumbric
  • 3,994
2

Something like this might be good for you. Firestarter looks like a powerful firewall program. Might be worth giving a shot.

But I would advise just using IPtables. As stated above it can be configured with ufw for ease of use.

Ubuntu has great documentation for its IPtables implementation. With this you don't really need an app. If you are comfortable with the command line then you will be able to set up your firewall to drop everything leaving your PC unless you yourself add a rule to allow it, for example port 80 for a web server.

Once you have used IPtables you will wonder how you worked without it!

EDIT: Might find that it's not so easy to get a sort of idiot-proof firewall like that on Linux. And that's in no way a dig at you, I use it on my MacBook Pro, ha! (OSX is great imo.) Just the applications available on Linux usually involve a bit more configuration.

Bill

LinuxBill
  • 2,067
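
The default-deny outbound setup described in the answer above, sketched as an added example that is not part of the original post. The function name `egress_rules`, the log prefix and the sample UID and ports are assumptions, and it assumes no other tool (ufw included) is managing the OUTPUT chain.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables commands for a default-deny
# OUTPUT chain. Review the output, then run it as root.
# Assumption: nothing else (ufw included) manages the OUTPUT chain.

# egress_rules UID PORT...   (hypothetical helper name)
#   UID   numeric user ID allowed to open the listed ports, or "any"
#   PORT  destination TCP ports to allow, e.g. 80 443
egress_rules() {
    [ $# -ge 1 ] || { echo "usage: egress_rules UID PORT..." >&2; return 1; }
    uid=$1; shift
    owner=""
    case $uid in
        any) ;;
        ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;;
        *) owner=" -m owner --uid-owner $uid" ;;
    esac
    # Validate every port before emitting anything.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 1
        fi
    done
    # Loopback and replies on connections that were already allowed.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS, otherwise name lookups fail once the policy is DROP.
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A OUTPUT -p tcp --dport $port$owner -j ACCEPT"
    done
    # Log what is about to be dropped, with the UID of the sending process.
    echo "iptables -A OUTPUT -j LOG --log-prefix 'egress-drop: ' --log-uid"
    # Set the policy last so a half-applied script does not cut the host off.
    echo "iptables -P OUTPUT DROP"
}

# Stand-alone run with constructed sample values: web traffic for UID 1000 only.
egress_rules 1000 80 443
```

The owner match works per user ID, so this is coarser than a per-application prompt. The commands cover IPv4 only; ip6tables takes the same arguments for IPv6.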
1

Here is a guide on how to install Comodo. I don't know if the program is as good as Little Snitch. Hope that program is what you were looking for!

Leo
  • 194
0

InJoy firewall is by far the best option if you can afford it. ($60)

InJoy

Hope this helps,

Leinardo

0

SELinux:

A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised.

SELinux has been integrated into version >= 2.6

http://en.wikipedia.org/wiki/Security-Enhanced_Linux
http://www.nsa.gov/research/selinux/index.shtml
http://www.ibm.com/developerworks/linux/library/l-selinux/

LinuxUser
  • 134
  • sure would be nice if App-Armor or SELinux could be tied in with UFW/GUFW to give some sort of application awareness to the in/out of packets through the firewall. – Chad--24216 Jun 06 '12 at 14:22
  • I remember way back that AppArmor had a gui, but they dropped it because it was not being maintained... which is a shame because it made dealing with AppArmor rules nice and easy. – airtonix Jun 30 '13 at 19:55