Technology · Apr 10, 2026 · 4 min read

Little Snitch on Linux: finally available, but open source is only halfway

After over twenty years as a macOS exclusive, Little Snitch lands on Linux. Objective Development released the first official version for the penguin in April 2026, redesigning the entire architecture of the tool from scratch to fit the open-source ecosystem. The result is an application firewall written in Rust that utilizes eBPF to intercept outgoing connections directly in the kernel, without patches to the kernel itself or additional modules.

How it works under the hood

The technical heart of the Linux version is radically different from that of macOS. Instead of the deep packet inspection that characterizes the Apple version, the Linux version relies on eBPF (Extended Berkeley Packet Filter): a mechanism that allows sandboxed code to run directly in the kernel to observe and block connections before they leave the network interface. An eBPF program monitors outgoing traffic and passes the data to a local daemon, which manages statistics, preconditions the rules, and serves the web UI.

The user interface is not a native desktop application but a Progressive Web App accessible on localhost:3031, usable remotely or from a smartphone. The tool supports blocklists in the most common formats, including Hagezi and oisd.nl, with rules for domains, hostnames, and CIDR. Rule management happens in real time: every process attempting an outgoing connection is identified and can be blocked or authorized with per-application granularity.

System requirements

The minimum requirement is the Linux kernel 6.12 compiled with BTF support. This choice is not arbitrary, given that Linux kernel 6.12 introduced substantial improvements to the eBPF verifier, reducing the number of code paths to analyze and allowing for more complex eBPF programs. Practically, this translates to Ubuntu 25.04, Debian 13, Fedora 40, RHEL 10, or any up-to-date rolling-release distribution like Arch or Manjaro. .deb packages are available for x86-64, ARM64, and RISCV64. Objective Development does not rule out future compatibility with kernel 5.17 through a refactor of eBPF code.
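A quick way to check a host against the two stated prerequisites before installing. This is an added example, not code from Objective Development; the function names are hypothetical, and the BTF test relies on the standard /sys/kernel/btf/vmlinux file that BTF-enabled kernels expose.

```shell
#!/bin/sh
# Added example, not Objective Development's code: check the two
# prerequisites the article states (kernel 6.12 or newer, BTF support).

# kernel_at_least RELEASE MAJOR MINOR
# Returns 0 if RELEASE is MAJOR.MINOR or newer, 1 if older, 2 if unparseable.
kernel_at_least() {
    ka_rel=$1
    case $ka_rel in *.*) ;; *) return 2 ;; esac
    ka_major=${ka_rel%%.*}
    ka_rest=${ka_rel#*.}
    ka_minor=${ka_rest%%[!0-9]*}      # "12.9-amd64" -> "12"
    case $ka_major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$ka_minor" ] || return 2
    [ "$ka_major" -gt "$2" ] && return 0
    [ "$ka_major" -eq "$2" ] && [ "$ka_minor" -ge "$3" ] && return 0
    return 1
}

# has_btf [PATH]
# A kernel built with BTF exposes its type data as /sys/kernel/btf/vmlinux.
# PATH can be overridden, which is only useful for testing.
has_btf() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# prereq_report RELEASE [BTF_PATH]
# Prints one line per check; the return status is the number of unmet items.
prereq_report() {
    pr_missing=0
    if kernel_at_least "$1" 6 12; then
        echo "ok:   kernel $1 is 6.12 or newer"
    else
        echo "FAIL: kernel $1 is older than 6.12 or could not be parsed"
        pr_missing=$((pr_missing + 1))
    fi
    if has_btf "$2"; then
        echo "ok:   BTF type information is present"
    else
        echo "FAIL: no readable BTF file, kernel built without BTF?"
        pr_missing=$((pr_missing + 1))
    fi
    return "$pr_missing"
}

prereq_report "$(uname -r)" || true
```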

Open source yes, but not completely

The distribution model is hybrid and openly declared by the developers. The eBPF component, which is the part of the code that actually runs in the kernel and deals with intercepting connections, and the web UI are released under GPL v2 license on GitHub: anyone can inspect them, fork them, or replace them with custom builds. On this part of the system, transparency is total.

The main daemon is a different story. This is where the rule engine resides, the per-application blocking logic, the hierarchical traffic analysis, and the algorithms refined over twenty years of development on the macOS version. This component is proprietary: the source is not public, even though the tool is distributed for free, and Objective Development has chosen not to open it to protect its technical heritage. For those who want to inspect the entire decision chain of the firewall, this remains a concrete limitation: what determines what to block and what to allow cannot be verified from the outside. Opening the kernel-level layer is a significant step, but it does not cover the entire perimeter of the system.

Privacy yes, security no

Objective Development is also explicit about an aspect that is often misunderstood: Little Snitch for Linux is a tool for privacy, not for security in the strict sense, and does not claim to be otherwise. The macOS version can offer stronger guarantees thanks to deep packet inspection, but on Linux, the inherent limits of eBPF impose compromises. Under heavy traffic, the eBPF program's cache tables can overflow, making it impossible to reliably associate each network packet with the process that generated it. In those cases, the tool resorts to heuristics to reconstruct which hostname was resolved for a given IP, effectively adopting an approach that works in the vast majority of practical cases, but does not offer absolute guarantees.

There is an additional aspect to consider in multi-user environments or on shared machines: the web UI is exposed on the local loopback by default. A malicious application with local access could theoretically manipulate the rules if a form of authentication is not explicitly configured. It is not a vector for remote attack, but an element to keep in mind in server scenarios.
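On a shared machine or server it is worth confirming which addresses the UI port is actually bound to. The following is an added example, not part of the product: it classifies TCP listeners on port 3031 from `ss -H -ltn` output, with hypothetical function names and a constructed sample. A loopback-only result rules out network exposure, but the port is still reachable by every local process, which is the case the paragraph above describes.

```shell
#!/bin/sh
# Added example, not part of Little Snitch: classify the listeners on the
# web UI port as loopback-only or reachable from other hosts.

# classify_listeners PORT   (reads `ss -H -ltn` output on stdin)
# Prints "<scope> <local address>" for every TCP listener on PORT, where
# scope is "loopback" for 127.0.0.0/8 and [::1], "exposed" for the rest.
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "exposed"
            print scope, local_addr
        }'
}

# ui_loopback_only PORT   (reads `ss -H -ltn` output on stdin)
# Returns 0 if every listener on PORT is loopback, 1 if any is exposed,
# 2 if nothing listens on PORT at all.
ui_loopback_only() {
    ul_out=$(classify_listeners "$1")
    [ -n "$ul_out" ] || return 2
    case $ul_out in
        *exposed*) return 1 ;;
    esac
    return 0
}

# Constructed sample of `ss -H -ltn` output, for illustration only.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:3031 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:3031 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 3031

# On a live host:
#   ss -H -ltn | ui_loopback_only 3031 || echo "UI port needs attention"
```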

Comparison with OpenSnitch

The presence of OpenSnitch in the Linux ecosystem makes a comparison inevitable, and the two solutions are not mutually exclusive as they respond to different priorities. OpenSnitch is fully open-source, with an active community and code that can be inspected in its entirety, so for those unwilling to accept any proprietary component in their infrastructure, it remains the natural and uncompromising choice.

On a technical level, however, Little Snitch brings a significant advantage. OpenSnitch is written in Go and Python and operates largely in user-space, with an overhead that is felt on machines with high network traffic. The eBPF/Rust implementation of Little Snitch is, on the other hand, more efficient: the code that intercepts connections runs directly in the kernel, with much lower latencies. Those managing workstations or servers with dozens of simultaneous connections will appreciate the difference. Those who prioritize total transparency about internal workings, including the daemon, will find OpenSnitch an alternative more consistent with that philosophy.

The tool is available for free download from the official Objective Development website. No subscription or paid license is required.