OpenSnitch vs Firewalld

Hi all,

I’m a recent Fedora convert from Windows, and one of the things I miss is having a GUI firewall. I’ve tried tinkering with Firewalld but it’s way over my head.

I came across OpenSnitch and it seems to fit the bill. However, I also recall reading somewhere (for the life of me I can no longer find it) that firewalls in Linux work differently, something about port vs application blocking. Essentially a malicious program can simply open another process or port and bypass an application based filter.

  1. Does application level blocking work in Fedora?
  2. Is OpenSnitch a good alternative to Firewalld? Any cons or other factors to consider?
  3. How do 3rd party firewalls like OpenSnitch interact with things like SELinux? Or even firewalld? If there’s a conflict in rulesets, how is it resolved?

I’ve been finding plenty of generic writeups and installation guides on OpenSnitch. I’m really looking for a deep dive analysis on the effectiveness (or not) of OpenSnitch. Furthermore, because there are different distro families, and presumably each does firewalling differently, I decided to ask here. Any input is welcome; there’s much I’m unfamiliar with in Fedora, especially on security related matters.
Thank you!

Why not use both?

Use firewalld for your layer 2/3 level blocking and use opensnitch for your application level blocking.

firewalld is much more flexible when used as an inbound layer2/layer3 level firewall. Opensnitch is higher level and better at blocking application traffic, especially outbound traffic.

What is layer 2 or 3? Any documentation I can read up on? (search isn’t turning up anything relevant)

For gui firewall management the command firewall-config does that. It may require you to install that package.

Yes, this is correct, a firewall does not protect you from malicious programs running on the same machine, which may offer some security through obscurity if the program doesn’t open another process to connect to the internet, which most just do anyways regardless of firewall usage. There are also other more reliable ways of bypassing a firewall on the same machine.

I wrote a similar program (picosnitch) which focuses only on the “snitching” part which can detect the aforementioned case and some of the other ones, but not block them, as this would impact your network latency due to how application firewalling works on Linux, and I wanted to avoid scope creep.

Nope, they’re all pretty much the same since this is taken care of by the Linux kernel, only the default user interface and rules may differ. The exception being Qubes OS (which I haven’t used personally and may be slightly wrong) which runs every program in its own virtual machine, and the firewall can cut off access for individual virtual machines. This is much more effective at blocking programs, and probably most malware.

Other than Qubes or virtual machines, you have some sandboxing options which aren’t as effective as they are on platforms like Android, but still work well enough like disabling the network permission for Flatpaks (there’s a convenient GUI called Flatseal), or more advanced options like firejail or a custom namespace with unshare.
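Added example, not code from this thread or from the OpenSnitch/picosnitch projects: a POSIX shell helper for the last two options above, running a program in its own network namespace with unshare and removing a Flatpak's network permission (the switch Flatseal toggles). It assumes util-linux unshare with unprivileged user namespaces enabled and flatpak installed; the app id passed to the Flatpak function is a placeholder.

```shell
#!/bin/sh
# Run a program with no network at all. --user/--map-root-user lets an
# unprivileged user create the namespace; --net gives it an empty network
# stack (only a loopback interface, left down), so the program cannot reach
# the Internet no matter what firewalld permits for the rest of the system.
run_without_network() {
    unshare --user --map-root-user --net "$@"
}

# Interfaces visible to a process, read from /proc/net/dev, which is
# network-namespace aware (unlike /sys/class/net, which keeps showing the
# interfaces of the namespace sysfs was mounted in). Each interface line
# contains a ':' after its name; the two header lines do not.
count_ifaces_host() {
    grep -c ':' /proc/net/dev
}

count_ifaces_isolated() {
    run_without_network sh -c "grep -c ':' /proc/net/dev"
}

# Routes visible inside the namespace: the kernel route table there is
# empty, so /proc/net/route contains only its header line.
count_routes_isolated() {
    run_without_network sh -c 'tail -n +2 /proc/net/route | wc -l' | tr -d ' '
}

# Per-application equivalent for Flatpaks: a persistent user override that
# removes the network permission for one app id. Not run by the checks
# below; "$1" is a placeholder such as org.example.App. Undo with
# --share=network.
deny_flatpak_network() {
    flatpak override --user --unshare=network "$1"
}

# Demonstration: compare what the host and the isolated process can see.
if [ "${1:-}" = "demo" ]; then
    echo "host interfaces:     $(count_ifaces_host)"
    echo "isolated interfaces: $(count_ifaces_isolated)"
    echo "isolated routes:     $(count_routes_isolated)"
    run_without_network sh -c 'cat /proc/net/dev'
fi
```

Run with `sh script.sh demo`; the isolated view lists only `lo`, which is the whole point of the namespace approach versus an application-level filter that a program can try to talk around.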


Thanks everyone for your inputs. If it helps anyone else in the future, I ended up going with Portmaster instead.