Monitoring application data traffic

Firewall On or Off

In the main window's header bar, on the far right, you will find the play/pause button where you can turn the firewall on and off. This button is especially important initially because you need some time to define rules for all the applications that need to contact the outside world. You can use this button to break up the task into convenient chunks of time.

In the menubar below, you will find eight tabs. The Events tab lists all contacts to the outside world in real time (Figure 5). Nodes typically only lists one socket per device, from which the OpenSnitch GUI obtains the data for visualization. The default for this is /tmp/osui.sock.

Figure 5: The Events tab lists all outside connections in real time. You can see connection attempts from Firefox to different IP addresses here.

The Rules tab, as expected, lists the application rules that have been created (Figure 6). The Hosts tab lists the remote sites that applications have attempted to contact and how often that occurred per host. The Applications tab lists the applications that tried to make contact and shows the frequency of those attempts.

Figure 6: Because Firefox (as shown in Figure 5) wants to access many IPs, click on the List of domains/IPs tab in the Rule dialog to specify exactly what the program is allowed to do.

The Addresses tab keeps track of the URLs contacted and the frequency of contact attempts. Ports does the same in terms of the ports on the contacted hosts, while the Users tab lists the users involved and records the number of contact attempts initiated by the users. From any of these tabs, you can edit entries that are released for editing by right-clicking on them.

To avoid losing your way when faced with many entries, you can also sort or filter the entries on the individual tabs. At the bottom of the window, you can see the number of connections during the current uptime and how many of them were rejected (dropped).


OpenSnitch can manage virtually anything that connects to a host from a Linux system. For multi-user systems, the rules can also be defined individually for each user. According to the developers, however, OpenSnitch occasionally misses an app's connection attempt; the project wiki [7] on GitHub explains the possible reasons for this. However, I did not experience any such oversights in my test. An FAQ [8] answers frequently asked questions relating to the application firewall.

Once you have created all your rules, OpenSnitch runs unobtrusively in the background. A notification will only appear if you install a new app that makes an attempt to contact the outside world. If an app makes a conspicuous number of connections, you will want to harden the rule for that app by checking each process for an outgoing request or the domain contacted in each case, and then confirm or deny access.


While OpenSnitch is annoying at first, this means it is doing its job properly. You can temporarily avoid the many requests for rules by disabling the firewall and then defining more rules when it suits you. Getting started with OpenSnitch is comparatively easy thanks to the good documentation [9].

OpenSnitch is particularly interesting for browser plugins, web apps, or third-party applications in general. It helps you keep a closer eye on these applications and make adjustments to rules as necessary. You will be surprised about what some apps try to do. In conclusion, OpenSnitch definitely improves the security of your system without asking too much of you beyond the initial setup.

The Author

Ferdinand Thommes lives and works as a Linux developer, freelance writer, and tour guide in Berlin.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Firewalld and OpenSnitch

    For maximum security, you'd better watch traffic in both directions. This hands-on workshop takes you through the steps of setting up firewalls for outgoing as well as incoming traffic.

  • FOSSPicks

    Graham looks at Krita 4.0, FreeTube 0.2.0, OpenSnitch, Yoda, Citybound, GZDoom, and much more!

  • FOSSPicks

    Graham recently found the perfect use for his old Nintendo DS Lite. Thanks to having exactly the same screen resolution, it now runs the brilliant ZXDS Sinclair ZX Spectrum emulator.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More