Installing opensnitch in Debian (Buster and newer)
What is opensnitch?
OpenSnitch is an application-level firewall: it shows connections made by applications and helps protect privacy. It is a clone of Little Snitch for macOS (a paid app; there is a free alternative, LuLu, that has about the same features).
It allows monitoring and blocking unnecessary or suspicious connections by creating firewall rules in the GUI. I use it to monitor Firefox and change my configuration.
I don't use Chrome in general, but according to the article "Choose your browser carefully", it also makes unwanted connections.
The OpenSnitch package is available in Debian Bookworm
Install it with apt:
apt-get install opensnitch python3-opensnitch-ui
How to install opensnitch
Download the prebuilt deb packages: daemon and GUI
https://github.com/evilsocket/opensnitch/releases
Then run:
dpkg -i opensnitch_1.4.0.rc-1_amd64.deb
dpkg -i python3-opensnitch-ui_1.4.0.rc-1_all.deb
apt-get -f install
opensnitch-ui
Blocking connections from firefox
Opensnitch gave me a list of domains firefox is connecting to and I went to check how these domains are used and decided whether I want to block them.
- content-signature-2.cdn.mozilla.net: This is used for securing firefox public services.
- location.services.mozilla.com: Useless service for me
- ocsp.digicert.com: Check certificate validity.
- safebrowsing.googleapis.com: Used to flag malicious sites (disabled with the preference "Block dangerous and deceptive content")
- push.services.mozilla.com: Push service
- shavar.services.mozilla.com: is used to update the list of trackers that are getting blocked when tracking protection is turned on.
- ocsp.pki.goog: Check certificate validity.
- ocsp.godaddy.com: Check certificate validity
Then I changed my firefox configuration ('about:config') like this:
- extensions.blocklist.enabled false: I don't need that after I have installed my extensions
- in Preferences > Privacy & Security > Disable Block dangerous and deceptive content: I browse websites I trust.
- app.normandy.enabled false: I don't want to test new features.
- dom.push.enabled false: I don't need that
- services.sync.prefs.sync.privacy.trackingprotection.cryptomining.enabled false
- services.sync.prefs.sync.privacy.trackingprotection.enabled false
- services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.enabled false
- services.sync.prefs.sync.privacy.trackingprotection.pbmode.enabled false
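An added example, not part of the original post: a small Python check that reads a profile's prefs.js and reports whether each preference from the list above is stored with the value given there. The file path passed on the command line and the sample lines are assumptions; a preference missing from the file is reported as unset.

```python
import re
import sys
from pathlib import Path

# Preference names from the about:config list above; each one is set to false there.
SYNC = "services.sync.prefs.sync.privacy.trackingprotection."
WANTED = dict.fromkeys((
    "extensions.blocklist.enabled", "app.normandy.enabled", "dom.push.enabled",
    SYNC + "cryptomining.enabled", SYNC + "enabled",
    SYNC + "fingerprinting.enabled", SYNC + "pbmode.enabled",
), False)

# Firefox writes one user_pref("name", value); statement per line in prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string pref, quotes removed
    return prefs

def audit(text, wanted=WANTED):
    """Map each wanted pref to 'ok', 'differs' or 'unset' (not in the file)."""
    prefs, result = parse_prefs(text), {}
    for name, value in wanted.items():
        got = prefs.get(name)
        # Compare the type too, so an integer 0 does not pass for false.
        same = type(got) is type(value) and got == value
        result[name] = "unset" if name not in prefs else "ok" if same else "differs"
    return result

# Constructed sample lines, not taken from a real profile.
SAMPLE = ('user_pref("app.normandy.enabled", false);\n'
          'user_pref("dom.push.enabled", true);\n')

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    for name, state in audit(text).items():
        print(f"{state:8}{name}")
```

Run it with the path to the prefs.js file in the Firefox profile directory; without an argument it audits the constructed sample.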
Mozilla has a page showing how to stop firefox making automatic connections.
I block the OCSP servers because I browse to reliable and trustworthy websites and I think it is a privacy invasion. I wish there was an alternative solution with the certificate validity checks done in the client.