LittleSnitch for Linux

April 9, 2026
aisecurityprivacyhardware
Fiber optical device with similar bright connectors with blue cables made of rubber with plastic pigtails on edges
Photo by Brett Sayles on Pexels

It has been reported that Little Snitch, the macOS app that makes background network chatter visible, now has a Linux incarnation — and it behaves mostly like the old friend you hoped for. Want to know which program is "phoning home"? Little Snitch for Linux shows you which applications talk to which servers, how much data they move, and lets you block the ones you didn't invite. That sinking feeling when an app silently leaks data? This aims to turn it into a one‑click action.

What the interface looks like

Once installed you launch the UI with littlesnitch or by visiting http://localhost:3031/ — bookmark it or install the Progressive Web App. Chromium family browsers support PWA natively; Firefox users can get similar behavior with the PWA extension. The connections view lists current and past activity, shows what your rules and blocklists are stopping, and offers sorting and filters (by last activity, data volume, name) so oddballs jump out. There’s a traffic diagram with drag‑to‑zoom to focus on a time window; blocking a connection is literally a single click.

Rules, blocklists and formats

Blocklists let you cut off whole categories at once; Little Snitch downloads and updates them automatically. It accepts a handful of common formats — one domain per line, one hostname per line, /etc/hosts style, and CIDR ranges — but not wildcards, regex/glob patterns or URL lists. Popular lists like Hagezi, Peter Lowe, Steven Black and oisd.nl are mentioned as starting points. Note: the .lsrules format from macOS is not compatible with the Linux version. Rules go deeper than blocklists — target a specific process, port or protocol, and compose broad or narrow policies as you need.

Under the hood and important caveats

Little Snitch hooks into the kernel using eBPF; an eBPF program watches outgoing connections, feeds a daemon that tracks stats and enforces rules, and the UI serves from that daemon. The source for both the eBPF program and the web UI is on GitHub, and advanced users can swap in their own builds. Default configs live in /var/lib/littlesnitch/config/ and you should place edits in /var/lib/littlesnitch/overrides/config/ so they persist. One big caveat: the web interface is open to any local process by default — a misbehaving app could, in theory, flip rules or disable filtering — so enable authentication if that worries you. Finally, remember the subtle but crucial line: this is a privacy tool, not a drop‑dead security fortress. eBPF is powerful but bounded, and Little Snitch for Linux is designed to inform and empower, not to be your last line of defense.

Sources: obdev.at, Hacker News