The only reason I can't love linux


2015/03/27 13:04 +0000


Let me get this straight first, I really like Linux. It’s pretty much everything I love about OSX, just wrapped up in a more customizable, more accessible and more diverse operating system. But there’s one thing which is a showstopper for me.

There’s one thing I have used since my Windows days and continue to use to this very day on OSX. It’s Little Snitch (on Windows it was Zone Alarm). It’s the application that I will install first on any new Mac that I get, and I will not be using a computer productively without it. Why? That’s quite simple. I want control over what applications can and can’t do while still being able to use the rest of the application without further issues. That’s why I prefer iOS over Android as well: I can deny, for example, access to my contacts but don’t get locked out of the app completely like I would in Android (where I can either allow everything and install it, or not even download it). This is the only reasonable behavior to me. Why should an app no longer work if I deny only parts of what it asks for? Right, I won’t be able to use that specific part of the app, but if I block that specific part I have my reasons not to use that feature anyway. For an app to say “Sorry, I can’t work at all if you don’t allow this” it really has to be the core feature of it. And in that case, I’d be happy to search for a similar app that doesn’t necessarily require that feature. The same thing applies to network connections. Sometimes it’s enough to say “You are not allowed to access the internet at all” for certain applications like simple editors or other offline applications, but that’s not often the case. For example, what about updates? The app should be able to check for those, but here’s the catch: ONLY for those. Why should the app be able to connect to isenddatasomewhere.com as well, when that’s surely not the domain it checks for updates on? However, I might want to allow some other application to connect to that domain.

And that’s what Little Snitch allows me to do. I can say per application where it is allowed to connect to and where it isn’t. And the applications still work, apart from the features I don’t allow obviously, which is the goal I wanted to reach. So Little Snitch is great, I think we got that now. For Windows I mentioned Zone Alarm, but I haven’t heard of it for some time. As far as I can remember, it worked in a similar fashion, on a per-application, per-host/IP basis. If that’s not the case, then I guess I’d have to search for another one if I ever went back to Windows (which will probably never happen anyway). So what about Linux?

Linux has all these great tools, is open source and has a great community, so it surely has something similar, right? Well… It turns out there isn’t one like Little Snitch. Linux enthusiasts might be shouting things like “USE UFW!” or “WHAT ABOUT IPTABLES?!” at me, but those tools don’t really solve the problem, do they? I mean, they do a pretty good job at trying to do what I want, but there are still problems. UFW, as far as I can tell, only blocks ports and IPs in general, not on a per-application basis. This might be enough to block malicious ports or only allow HTTP traffic through, but I might want to limit HTTP traffic for certain applications. Having to write it down into a file manually isn’t really nice either, but that’s not too much of a problem, and at least for this there are tools like GUFW that are easier to use. It wouldn’t really bother me if I had Little Snitch for Linux but needed to write the rules manually into a file, because ultimately this is pretty much a one-time-never-again task, so it doesn’t really bother me as long as I get the result I wanted.

Moving on to other approaches, there’s Douane for example. Let’s disregard the fact that it either crashed my system or didn’t even run for a moment, because I’d also happily spend some hours fixing it if it were the solution to my problem, but it sadly isn’t. Douane filters on a per-application basis, which is cool, but disregards the rest (where the application connects to). This would be fine for web browsers and multiplayer games, as I won’t end up writing fine-grained rules for those anyway, but that would only cover about 3% or less of the applications I’m using, so it’s pretty much useless as well. It looks nice, I’ll give it that, but that doesn’t really help too much.

Lastly, iptables. Pretty much as close to the goal as you can get, but it doesn’t quite reach it. It does allow me to set rules per IP and port while also letting me specify the owner/process that this rule applies to. This is what I want, right? Not quite. First, I can’t anticipate what IPs the application will connect to, so I would just get an error from the application and would not be able to whitelist the IP in the table. Or I would have to whitelist all connections and then check the IPs to blacklist/whitelist afterwards - not ideal. Secondly, no hostnames/domains. You can’t expect me to go back to the table after a month and still be able to identify which IP corresponds to which domain. The IPs behind a domain don’t change often, but they still can, and I certainly don’t want to have to update my rules just because the IP behind a domain changed and thus iptables would block the connections.
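To make the iptables approach concrete, here is an added example (not code from the original post) that generates a per-application egress allowlist with the owner match. It assumes the application runs as its own dedicated user (the hypothetical user "updater"), and the destination IPs and resolver address are constructed sample values; the log-then-reject tail is there so the "unanticipated IP" case described above shows up in the kernel log rather than only as an error inside the application.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a per-application
# egress allowlist with the iptables owner match, for an application that runs
# as its own dedicated user (hypothetical user "updater"). Destination IPs and
# the resolver address are constructed sample values.

# Print (not apply) the rules for one application user: a dedicated chain,
# DNS to the configured resolver, the allowed destinations on one TCP port,
# then log-and-reject for anything else that user's sockets send.
gen_app_rules() {
    user="$1"; resolver="$2"; port="$3"; shift 3
    chain="egress-$user"
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$user" "$chain"
    # The application still has to resolve the hostname itself.
    printf 'iptables -A %s -p udp -d %s --dport 53 -j ACCEPT\n' "$chain" "$resolver"
    for dst in "$@"; do
        printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' "$chain" "$dst" "$port"
    done
    # Log before rejecting so an unanticipated destination shows up in the
    # kernel log instead of only as an opaque error in the application.
    printf 'iptables -A %s -j LOG --log-prefix "egress-deny %s " --log-level 4\n' "$chain" "$user"
    printf 'iptables -A %s -j REJECT --reject-with icmp-admin-prohibited\n' "$chain"
}

# Constructed stand-in for a hostname lookup. In real use this would be
# "getent ahostsv4 updates.example.org" run when the rules are generated, and
# the rules regenerated if the records change, since the match is on IPs.
resolve_sample() {
    case "$1" in
        updates.example.org) echo "203.0.113.10 203.0.113.11" ;;
        *) return 1 ;;
    esac
}

# Review the output, then apply as root with: gen_app_rules ... | sh
gen_app_rules updater 192.0.2.53 443 $(resolve_sample updates.example.org)
```

The generated rules only match sockets owned by that user, so the same destination can stay blocked for every other application, which is the per-application distinction the post is after; the hostname caveat remains, since the match is on the resolved IPs at generation time.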

I might be too nitpicky or just making up problems that don’t look like problems to other people, but I do care a bit more about my privacy and security, given this is less of a security fix. And caring about your privacy is becoming more and more important in this age, and I think this is something to address. I would like to do this myself, but I don’t have the resources to do it. I lack knowledge of the Linux kernel, my C/C++ is almost non-existent and I barely have time to work on a bigger project outside of uni/work. So if you have a solution to my needs/problem I’d be really, really grateful if you could tell me (email/twitter), because I would love to switch to Linux, but without this, I really can’t. Thank you.