Introduction
Every time an application on your computer opens a network connection, it does so quietly and without asking. Little Snitch for Linux makes this activity visible and gives you the means to do something about it. You can see which applications talk to which servers, block connections you did not invite, and keep an eye on traffic history and data volumes over time.
What Little Snitch for Linux is
Little Snitch for Linux consists of three components:
- An eBPF kernel program which observes outgoing and incoming network connections inside the Linux kernel.
- A daemon (
littlesnitch --daemon) which receives data from the kernel program, tracks statistics, manages your rules, and serves the user interface. - A web based user interface which runs in your browser.
The eBPF program and the web UI are released under the GNU General Public License version 2 and their source code is publicly available on GitHub. The daemon is proprietary, but free to use, free of ads and free to redistribute.
Relationship to Little Snitch for macOS
Little Snitch for Linux is a simplified sibling of Little Snitch for macOS. It shares the same goal, giving you insight into and control over the network activity of your applications, but it is a separate product with a different architecture. Rule set backups from the macOS version (the .lsbackup format) are not compatible with the Linux version.
Privacy, not security
This distinction matters and you should understand it before relying on the product:
Little Snitch for Linux is built for privacy. It is an excellent tool for keeping tabs on what your software is up to and for blocking legitimate software from phoning home.
It is not built for security in the sense of hardening a system against a determined adversary. The technical foundation on Linux, eBPF, is powerful but bounded: it enforces strict limits on storage and program complexity. Under heavy traffic, internal cache tables can overflow, which makes it impossible to reliably tie every network packet to a process or a DNS name. Reconstructing which host name was originally looked up for a given IP address relies on heuristics rather than certainty.
The macOS version can make stronger guarantees because it can afford more complexity, including deep packet inspection. That is not an option on Linux. If you want to know why in detail, see Advanced Topics.
How this manual is organized
Chapters 2 through 6 walk you through installation and everyday use. Chapters 7 through 10 cover configuration beyond the defaults. Chapter 11, Advanced Topics, explains the inner workings for technically interested readers. Everyday topics are explained twice on purpose: once in plain language in the main chapters, and once in full technical depth in Advanced Topics.
Was this help page useful? Send feedback.
© 2016-2026 by Objective Development Software GmbH