The eBPF filter in Linux Snitch decides immediately, so no TCP handshake leaks. But, as a consequence, we cannot inspect packet headers to verify the remote name and it's easier to trick it to show a false name. Little…
What exactly do you mean with rDNS resolver? We do not want the reverse lookup name. For instance, if you look up a google.com name with dig, you get an IP address. If you then do the reverse lookup with dig -x, you get…
Yes. For these cases it won't work. OpenSnitch intercepts the client side library for this reason. I would rather want to avoid this for the moment and wait for feedback.
Thanks for that hint! We still get the lookup if it leaves the machine unencrypted, but if you have both, the Unix domain socket and DNS encryption, we miss lookups.
Thanks for sharing! I took rustnet as proof that complex eBPF programs can be done in Rust. Otherwise I would not have dared to try this! Reducing the set of privileges is on my todo list, but for the moment I just want…
It's hard to expand on the gut feeling. I wanted to have the app myself. Adding licensing to the code, limiting functionality for a demo mode, and then wait whether Linux users would pay for it just did not feel right.…
Sorry, I overlooked that. I actually checked the license only to the point whether we can include it without other obligations and then downloaded what was offered as a download on either the web site or github, can't…
I'll post in our blog about the development background later. The Linux version shares no code with the Mac version. Only concepts. It's written in Rust and JavaScript (for the Web UI). Our site is primarily aimed at…
It won't work with WSL because WSL does not provide eBPF, as far as I know.
I'll investigate how much effort it is to adapt the build procedure. But I think this should be possible. I've put an item on the todo list.
Little Snitch for Linux is not made to defend against malware. You need to code with paranoia in mind from the very beginning if you want that.
We meanwhile found out that it does not pass the eBPF verifier on kernels above 6.19.0. When this happens, it's restarted over and over again, running the eBPF verifier in a loop on all available CPUs. We are working on…
It depends on several factors. One factor here was the decision to make it web based. The other is that this one is by me, and I'm not a UI designer or frontend developer. I usually work on network stack, model design…
As far as I can tell, they are very different in their goals. Portmaster is targeted at security and business customers, it's surprisingly powerful for an open source project. The interception mechanism seems to be…
An external appliance does not have access to your process table, so it can't tell you which process originated the request. Only which device.
There is currently no treatment of errors because I would not know how to handle them anyway. There are two tables which can overflow affecting the filter: the table of open flows and the table of recent DNS lookups.…
On macOS, it requires access to /dev/bpf. That's why we added filter rules for bpf there. On Linux, we intercept at a level where packets already have an Ethernet header. I hope that Paqet injects before* this layer,…
eBPF is very limited in the code complexity you can achieve. DPI on QUIC, for example, needs a lot of cryptography. That's simply not possible in eBPF. DPI on ordinary TLS still requires that you collect enough network…
As the author of Little Snitch for Linux, I can tell you what drives us: we are a small company where people (not investors) make the decisions. It was a personal choice of mine, driven by a gut feeling. I'm curious…
eBPF programs are able to accuratly process network traffic in high performance, but the amount of CPU instructions you can use is limited. Otherwise it would not be high performance. This limits the complexity of…
eBPF limits the size of the code, its complexity and how data can be stored. You cannot just implement any algorithm in eBPF for that reason. That's not only a weakness, it's also a strength of eBPF. This way it can…
We have not detected a targeted attack yet. On the Mac side, we are safe: No dependencies on any third party libraries. Only Apple. On the Linux side, there is no single big vendor such as Apple who provides all the…
Little Snitch is not there to replace OpenSnitch. It's just an additional option you can choose from. Some people might prefer it, others not.
Which one? Mac or Linux? For the Linux Snitch, just stop the service. For the macOS Snitch, you need to move the app to the trash via Finder. Only Apple can remove the network extension and they do this only when…
Just because I did not port the parser for it to Rust. And I thought that the lsrules format is rare for blocklists. If there is popular demand, we can add it.
The eBPF filter in Linux Snitch decides immediately, so no TCP handshake leaks. But, as a consequence, we cannot inspect packet headers to verify the remote name and it's easier to trick it to show a false name. Little…
What exactly do you mean with rDNS resolver? We do not want the reverse lookup name. For instance, if you look up a google.com name with dig, you get an IP address. If you then do the reverse lookup with dig -x, you get…
Yes. For these cases it won't work. OpenSnitch intercepts the client side library for this reason. I would rather want to avoid this for the moment and wait for feedback.
Thanks for that hint! We still get the lookup if it leaves the machine unencrypted, but if you have both, the Unix domain socket and DNS encryption, we miss lookups.
Thanks for sharing! I took rustnet as proof that complex eBPF programs can be done in Rust. Otherwise I would not have dared to try this! Reducing the set of privileges is on my todo list, but for the moment I just want…
It's hard to expand on the gut feeling. I wanted to have the app myself. Adding licensing to the code, limiting functionality for a demo mode, and then wait whether Linux users would pay for it just did not feel right.…
Sorry, I overlooked that. I actually checked the license only to the point whether we can include it without other obligations and then downloaded what was offered as a download on either the web site or github, can't…
I'll post in our blog about the development background later. The Linux version shares no code with the Mac version. Only concepts. It's written in Rust and JavaScript (for the Web UI). Our site is primarily aimed at…
It won't work with WSL because WSL does not provide eBPF, as far as I know.
I'll investigate how much effort it is to adapt the build procedure. But I think this should be possible. I've put an item on the todo list.
Little Snitch for Linux is not made to defend against malware. You need to code with paranoia in mind from the very beginning if you want that.
We meanwhile found out that it does not pass the eBPF verifier on kernels above 6.19.0. When this happens, it's restarted over and over again, running the eBPF verifier in a loop on all available CPUs. We are working on…
It depends on several factors. One factor here was the decision to make it web based. The other is that this one is by me, and I'm not a UI designer or frontend developer. I usually work on network stack, model design…
As far as I can tell, they are very different in their goals. Portmaster is targeted at security and business customers, it's surprisingly powerful for an open source project. The interception mechanism seems to be…
An external appliance does not have access to your process table, so it can't tell you which process originated the request. Only which device.
There is currently no treatment of errors because I would not know how to handle them anyway. There are two tables which can overflow affecting the filter: the table of open flows and the table of recent DNS lookups.…
On macOS, it requires access to /dev/bpf. That's why we added filter rules for bpf there. On Linux, we intercept at a level where packets already have an Ethernet header. I hope that Paqet injects before* this layer,…
eBPF is very limited in the code complexity you can achieve. DPI on QUIC, for example, needs a lot of cryptography. That's simply not possible in eBPF. DPI on ordinary TLS still requires that you collect enough network…
As the author of Little Snitch for Linux, I can tell you what drives us: we are a small company where people (not investors) make the decisions. It was a personal choice of mine, driven by a gut feeling. I'm curious…
eBPF programs are able to accuratly process network traffic in high performance, but the amount of CPU instructions you can use is limited. Otherwise it would not be high performance. This limits the complexity of…
eBPF limits the size of the code, its complexity and how data can be stored. You cannot just implement any algorithm in eBPF for that reason. That's not only a weakness, it's also a strength of eBPF. This way it can…
We have not detected a targeted attack yet. On the Mac side, we are safe: No dependencies on any third party libraries. Only Apple. On the Linux side, there is no single big vendor such as Apple who provides all the…
Little Snitch is not there to replace OpenSnitch. It's just an additional option you can choose from. Some people might prefer it, others not.
Which one? Mac or Linux? For the Linux Snitch, just stop the service. For the macOS Snitch, you need to move the app to the trash via Finder. Only Apple can remove the network extension and they do this only when…
Just because I did not port the parser for it to Rust. And I thought that the lsrules format is rare for blocklists. If there is popular demand, we can add it.