Little Snitch or similar app for Fedora?

I used Little Snitch on Mac for 10-15 years. I feel a bit naked without it :slight_smile: (even on Linux!)

Example - today I installed Thunderbird (on Mac) just to try to export my mail ready to bring to Thunderbird on Fedora. Little Snitch immediately ‘caught’ Thunderbird connecting to location.services.mozilla.com, and also to Google APIs or some other Google server I can’t recall now.

It reminded me that I won’t have the network ‘snitch’ on Fedora, and not sure I like that. I am therefore wondering if privacy-focussed Fedora users use anything similar to monitor connections? If so, recommendations are welcome :slight_smile:
Thanks

I wrote picosnitch which you may be interested in. For example I can see /usr/libexec/geoclue which was started by systemd sends 890 bytes and receives 1216 bytes from location.services.mozilla.com every 5 minutes.

If you’re also interested in blocking connections you could look into opensnitch, portmaster, pihole, firejail, etc.

3 Likes

Use Flatpaks from Flathub and if you are on GNOME (Fedora default) install Flatseal from flathub.

To avoid duplicate apps you might want to remove Fedora's Flatpak repository.

flatpak remote-add --user --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak remote-delete fedora

Instead of using an additional application to monitor all the traffic, just use Flatpaks and the internet toggle in Flatseal. This means you might want to uninstall some apps already preinstalled, and install them again as Flatpak.

This is an easier approach, opensnitch also caused startup lag for me.

2 Likes
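An added example, not part of the post above: a shell audit that lists which installed Flatpak apps still share the host network, with the command-line form of the per-app network switch shown in the comments. The sample permission blocks and the `org.example.App` ID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit Flatpak network permissions.

# has_network: reads `flatpak info --show-permissions` output on stdin and
# succeeds only if the shared= key in the [Context] group lists "network".
has_network() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && /^shared=/ {
            n = split(substr($0, 8), items, ";")
            for (i = 1; i <= n; i++) if (items[i] == "network") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# audit_flatpak_network: one tab-separated line per installed app.
audit_flatpak_network() {
    flatpak list --app --columns=application | while read -r app; do
        [ -n "$app" ] || continue
        if flatpak info --show-permissions "$app" | has_network; then
            printf '%s\tnetwork\n' "$app"
        else
            printf '%s\tno-network\n' "$app"
        fi
    done
}

# Constructed samples in the keyfile format that command prints.
SAMPLE_ONLINE='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;'
# "network" appears only in a path here, so a plain grep would misreport it.
SAMPLE_OFFLINE='[Context]
shared=ipc;
filesystems=~/network-notes;'

# Command-line form of the per-app switch (org.example.App is a placeholder):
#   flatpak override --user --unshare=network org.example.App   # cut network
#   flatpak override --user --show org.example.App              # inspect override
#   flatpak override --user --reset org.example.App             # undo

if command -v flatpak >/dev/null 2>&1; then
    audit_flatpak_network
else
    printf '%s\n' "$SAMPLE_ONLINE" | has_network && echo "sample: network"
fi
```

This only covers Flatpak apps; RPM-installed programs and system services such as geoclue are outside this permission model.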

If you disable location services during the initial setup this does not happen. I am unsure of how it may be disabled after the initial setup is complete, but am sure that could be done.

1 Like

Gnome Settings > Privacy > Location Services

2 Likes

Thanks and yep I agree, I also had the same issue with opensnitch and just use flatseal for my own use case. I was just mentioning some alternatives for what was asked (individual connections to specific addresses, for programs you otherwise want connected) in case my program didn’t suit their needs.

Thanks, I intentionally have it enabled though, I was just using it as an example since OP used that address in their example (I don’t have Thunderbird installed).

1 Like

Thanks but I really don’t understand that, I’ve tried hard honest!

I thought Flatpaks were the ‘best’ way to install apps on Fedora? Why would I want to remove the Fedora repos? Surely I need that for all my software installs/management/uninstalls?

I’m getting more confused now as I just looked for an app in Software, called ksnip. It defaults to RPM, I have to choose flatpak if I want that. Am I wrong above, is RPM ‘better’ for an average (inexperienced) user?!

Flatseal - I looked this up. Sure looks cool, I use permissions on my phone (GrapheneOS) to limit permissions for apps, never thought about doing it on laptop. It’s quite techie though so not sure how much I will use it, but will install it as I’d like to know I at least CAN deny an app network access if I want.

But the question was regarding Little Snitch. It’s not about permissions, it’s about knowing about (and therefore being able to block if desired) EVERY specific connection being made. For example I always block connections to Google, and often AWS or ad networks etc etc. Having that granular control over all network connections being made (including at OS level) was nice on Mac, hoped I could do that here on Fedora too. Is it possible?
Thanks

It is confusing, that's correct.

Distributions that use Flatpak are mainly Fedora and openSUSE (and many smaller ones).

openSUSE adds flathub by default, which is the main, official flatpak repository with packages maintained by upstream (the actual project) developers.

Fedora does something else. Flatpak is just a packaging format, so you can also package RPMs as flatpaks, put them in the sandbox and add a Fedora runtime and they work the same.

Fedora does this, they take their RPMs and repackage them as Flatpaks, so they are containerized etc, but not officially maintained. There is also only a very small amount of them, so you need to add the Flathub Flatpak repository anyways.

This means you have

  • fedora RPM repos
  • fedora flatpakked RPM repo (“fedora flatpak repo”)
  • flathub flatpak repo

This causes duplicates, in graphical Appstores you will sometimes have the Fedora variant and the Flathub variant. If you use only Fedora Flatpaks, you will save RAM as they all use the same runtime (base dependencies needed by apps).

But Flathub flatpaks use different runtimes, meaning if you use apps from flathub (which will be needed as Fedora flatpaks are not many) you will have at least 2 runtimes installed, updated and loaded into RAM, meaning more storage space, network traffic and RAM consumption.

Fedora Flatpaks may be more secure as Fedora controls the build environment. But they are (almost) never officially maintained, meaning other people package the app than the ones that actually write the code, which may cause “fedora specific bugs”.

That is why fedora flatpaks are somewhat controversial, and you may want to remove that repo to only install flatpaks from flathub.

The Fedora flatpak repo is added by default.

flatpak remote-delete fedora

To the rest, you are asking to restrict network permission on a per-call basis, which is way more “techie” than just pressing the “internet connection” button in Flatseal. Don't guess, just install it and see.

The recommendation comes from the point that Flatpaks are the future (for most GUI apps) and are way better for restricting internet access per-app than using OpenSnitch.

Opensnitch has the said speed drawback.

Using Flatseal (or KDE's implemented settings) you just tick the “internet access” checkbox per app and you are done.

For the exact wish, you can use @elesiuta's picosnitch for monitoring and OpenSnitch if you found something and want to block them, with the possible speed drawback. Don't use both at once, probably. I would use picosnitch first and see if you find something.

I mean they already answered your question a while ago.

1 Like

Flatpaks may be the future (the FAR future) for most of us, but you are far off in stating and believing that flatpaks are the best choice. Making such a statement as “way better” begs the question of “By whose standards?” and “How did you verify that?”

If the app is available by rpm from a fedora repo then installation from that repo is, for most, the best choice since it has been compiled and tested to work well on fedora or would not be included in the fedora repo. Some few apps may work better when installed as a flatpak but that is truly not the case for the great majority.

As I understand it, flatpaks were developed for use with the immutable OSes (silverblue, kinoite, etc.) and it has been found that most are also usable on the many rpm supported spins. It seems the greatest advantage of flatpaks is that they may use a runtime driver that allows the flatpak app version to be out of sync with installed libraries, etc. so the user might be able to run software that may otherwise not work on the os “as updated”.

The major drawback to using flatpaks exclusively is that flatpak packages from flathub are not subjected to the rigorous quality control and testing that the rpm packages receive. Many (or most) are not created by the same creators that provide the rpm versions. If you are comfortable using software that is not directly part of the fedora ecosystem that is great.

I will, however, continue to use the rpm packages as long as they are available since I am comfortable with the quality control provided for software downloaded directly from the fedora repos.

This is for sure true, but if you want a permission system and in general run apps you don't trust, or simply want the principle of least privilege, flatpaks are unbeaten.

And the post was about blocking internet access, which is very easy and has no performance impact (likely a fixed bug in Opensnitch by now) with Flatpaks.

1 Like

I don’t think it’s a bug in OpenSnitch per se, but rather how application firewalling works on Linux.

This is because in kernel space where it interrupts the connections, it doesn’t know which application created it, and therefore what to do with it yet. So it ends up needing to go from kernel space to user space to check, then back to kernel space, which is slow. This is unlike iptables which does everything quickly in the kernel, or sandboxed programs which use a separate namespace where you can control access to the network device, which is both faster and more secure.

In addition, some programs make many connections on startup, and wait until the connection either completes or fails before continuing execution, so if it’s waiting on a bunch of connections that were slightly delayed, you get your slowdowns.

This is why I made picosnitch to not interrupt any connections and basically just check on things for curiosity/basic auditing.

2 Likes
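An added example, not picosnitch's code and not part of the post above: a snapshot-style way to see which program owns each established IPv4 TCP connection without interrupting anything, by joining `/proc/net/tcp` socket inodes with the `/proc/<pid>/fd` links. The sample table and its 192.0.2.10 address are constructed; a little-endian host is assumed.

```shell
#!/bin/sh
# Added example (not picosnitch's code): map established IPv4 TCP
# connections to the programs that own them, using only /proc.

# decode_v4: "0A0200C0:01BB" -> "192.0.2.10:443". Assumes a little-endian
# host (x86-64, aarch64), where /proc/net/tcp stores the IPv4 bytes reversed.
decode_v4() {
    ip=${1%:*}; port=${1#*:}
    b1=$(printf '%s' "$ip" | cut -c7-8); b2=$(printf '%s' "$ip" | cut -c5-6)
    b3=$(printf '%s' "$ip" | cut -c3-4); b4=$(printf '%s' "$ip" | cut -c1-2)
    printf '%d.%d.%d.%d:%d\n' "0x$b1" "0x$b2" "0x$b3" "0x$b4" "0x$port"
}

# established: /proc/net/tcp text on stdin -> "inode remote_hex" for state 01.
established() {
    awk 'NR > 1 && $4 == "01" { print $10, $3 }'
}

# owner_of_inode: print the executable holding socket inode $1.
# Needs root to see other users' processes.
owner_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        readlink "/proc/$pid/exe" && return 0
    done
    return 1
}

# snapshot: one "remote<TAB>program" line per connection open right now.
snapshot() {
    established < /proc/net/tcp | while read -r inode remote; do
        printf '%s\t%s\n' "$(decode_v4 "$remote")" \
            "$(owner_of_inode "$inode" || echo '?')"
    done
}

# Constructed sample in /proc/net/tcp layout: one listener, one connection.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:C350 0A0200C0:01BB 01 00000000:00000000 02:000003E8 00000000  1000        0 34567 2 0000000000000000 20 4 30 10 -1'

printf '%s\n' "$SAMPLE_PROC_NET_TCP" | established | while read -r inode remote; do
    echo "inode $inode -> $(decode_v4 "$remote")"
done
```

Call `snapshot` on a live system to get the real table. A poll like this misses short-lived connections and ignores IPv6 (`/proc/net/tcp6`) and UDP, so treat it as a quick audit rather than a complete record.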

Thank you, that cleared my mind a little at least!
I’m still not entirely sure…

image

Which one would you suggest I choose? :smiley:

Thanks. So I think you’re saying I basically can’t do it, unless I use OpenSnitch which has drawbacks making it fairly undesirable.
Shame, it was really nice to have apps on my Mac which I could allow to connect to home server for license checks (for instance) or for basic functionality, but ‘no thanks’ to the bazillions of spyware crap they so often connect to!
I am however aware that part of my move to Linux was exactly because I can generally trust Linux apps far more as they don’t invade privacy as much. Maybe that’s true enough that I can stop worrying altogether, it just feels a bit scary not having that control I spent years using to prevent apps sending telemetry (and God knows what else) to AWS, Google APIs, and so on.
thanks

1 Like

Thanks for this. I guess RPMs are probably ‘better’ for me right now. I am trying to stay as ‘inside Fedora’ as possible. I suspect that I will have to install apps outside the ecosystem at some point (though I hope I don’t need to). But for now, and I should have phrased my question better about this, I think your rationale fits with what I am seeking, at least while I am learning the ropes and am a new user.

This brings a problem though… I haven’t installed a huge number of apps yet but I have installed some. How do I work out:

  1. How many flatpaks I have installed
  2. How to switch to RPM version!

Thanks

The command flatpak list will show the flatpaks installed. sudo flatpak list shows more but the others appear to be installed as system support rather than user apps.

Some are required and installed when installing certain apps through the software app. Others may have been installed from the command line.

Firefox is one that can be removed as a flatpak and is normally installed as an rpm when the system is installed or can be installed as an rpm from the command line. Others are similar.

Would you recommend I find all apps I installed as Flatpaks and ‘swap’ them to RPMs?

Question for you if I may…

There’s an app I really want, it’s called AES Crypt. I used it for years on Mac, great little app for beginners like me to have decent security on certain files/folders, and if I have it on Linux it will become cross platform which would be useful to me right now.

But it’s the first app I’ve wanted that isn’t listed in Software app.

I have instructions to download the installer from aescrypt.com and would need to install manually. How ‘bad’ is this? Generally I’d avoid doing so, but this is one very useful app I could do with. What say you please? :slight_smile:

This is partly philosophical. I am using Fedora Kinoite and apart from core apps like filemanager and editor all apps are flatpaks or installed in a container.

If you don't have RAM problems, I would recommend that.

1 Like

Look at the installer. If it requires sudo it will do some system install stuff you may not want. Tbh this should be packaged, sounds useful.

If the installer just places a .desktop entry in the right location it is harmless and can be used.