macOS app Little Snitch is now available on Linux
Objective Development releases Little Snitch for Linux, built in Rust with eBPF. A web-based network monitor that shows which processes phone home, now available for Intel, ARM64, and RISC-V Linux systems.
Little Snitch Crosses to Linux
Objective Development, the Austrian company behind the macOS network monitor Little Snitch, has released a Linux version. It is built in Rust, uses eBPF for kernel-level traffic interception, and ships as a .deb package for Intel, ARM64, and RISC-V.
The Linux port works differently from the macOS version. Instead of a native GUI, it runs a web-based interface. That means you can monitor a remote Linux server from any browser on any device. Useful if you want to see what your home server is actually phoning home to.
Why It Exists
Creator Christian Starkjohann says he built it because existing Linux options like OpenSnitch did not give him what he needed: a one-click view of which processes make which connections, with the ability to block any of them instantly. He installed Linux on old hardware and immediately felt the system was "naked" without network monitoring.
Running it on stock Ubuntu for a week, he found 9 system processes making internet connections. On macOS, that number was over 100. Firefox connected to Mozilla advertising and telemetry servers on launch before any browsing happened. LibreOffice made zero network connections during use.
Privacy Tool, Not a Firewall
The Linux version is positioned as a privacy aid rather than a full security tool. eBPF has strict resource limits, and processes can evade it. That makes it harder to reliably block determined adversaries compared to system-level filtering on macOS. The focus is on seeing what legitimate software does behind the scenes and blocking unwanted connections from apps that are not actively trying to evade monitoring.
The eBPF kernel component and UI are open source. The backend is closed, carrying over 20 years of Little Snitch architecture that Objective Development wants to protect for now.
What This Means for Security Teams
For anyone running Linux servers exposed to the internet, visibility into outbound connections is a baseline requirement. Tools like Little Snitch complement network-level defenses. Combined with a Web Application Firewall protecting inbound traffic, outbound monitoring covers the other half of the equation.
Solutions like Cloudflare, Imperva, and ModSecurity handle inbound threat filtering. Little Snitch for Linux handles outbound visibility. Together, they close the loop on network monitoring for Linux deployments.
WAFplanet Take
This is a welcome addition to the Linux security toolkit. Most server admins have no idea what their systems connect to outbound. The web-based UI is a smart design choice for headless servers. It is not a replacement for a proper WAF or firewall, but it fills a gap that has been open for too long. If you run Linux servers, this is worth testing alongside your existing WAF setup.