Title: What did I learn from OpenSnitch this summer?
Tags: english, debian, opensnitch
Date: 2023-06-11 08:30

<p>With yesterday's
<a href="https://www.debian.org/News/2023/20230610">release of Debian
12 Bookworm</a>, I am happy to know
<a href="https://tracker.debian.org/pkg/opensnitch">the interactive
application firewall OpenSnitch</a> is available for a wider audience.
I have been running it for a few weeks now, and have been surprised
by some of the programs connecting to the Internet.  Some programs
are obviously calling out from my machine, like the NTP network-based
clock adjusting system and Tor to reach other Tor clients, but others
were more dubious.  For example, the KDE Window manager tries to look up
the host name in DNS, for no apparent reason, but if this lookup is
blocked the KDE desktop gets periodically stuck when I use it.  Another
surprise was how much Firefox calls home directly to mozilla.com,
mozilla.net and googleapis.com, to mention a few, when I visit other
web pages.  This direct connection happens even if I told Firefox to
always use a proxy, and the proxy setting is ignored for this traffic.
Other surprising connections come from audacity and dirmngr (I do not
use Gnome).  It took some trial and error to get a good default set of
permissions.  Without it, I would get popups asking for permissions at
any time, including the most inconvenient ones where I am in the middle of
a time-sensitive gaming session.</p>

<p>I suspect some application developers should rethink when they need
to use network connections or DNS lookups, and recommend testing
OpenSnitch (only <tt>apt install opensnitch</tt> away in Debian
Bookworm) to locate and report any surprising Internet connections on
your desktop machine.</p>

<p>At the moment the upstream developer and Debian package maintainer
is working on making the system more reliable in Debian, by enabling
the eBPF kernel module to track processes and connections instead of
depending on content in /proc/.  This should enter unstable fairly
soon.</p>

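<p>An added example, not part of the original post and not OpenSnitch's
own code: it shows the general /proc technique of finding a socket's
inode in <tt>/proc/net/tcp</tt> and then searching
<tt>/proc/&lt;pid&gt;/fd</tt> for a link to it, and why a process that
has already exited cannot be attributed that way.  The sample table, the
pid and the fd listing are constructed, and a little-endian host is
assumed.</p>

```python
# Added illustration, not OpenSnitch code. All sample data is constructed.
import socket
import struct

# Constructed sample in /proc/net/tcp format: one listener, one outbound socket.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41002 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for readlink() over /proc/<pid>/fd/*: pid -> link targets.
# The process that opened inode 41002 has already exited, so nothing lists it.
PROC_FD = {2211: ["/dev/null", "socket:[41001]"]}


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as written by a little-endian kernel (IPv4)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue  # truncated or malformed row
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": int(f[3], 16), "inode": int(f[9])})
    return rows


def owner_of(inode, fd_table):
    """Find the pid holding a descriptor for this socket inode, else None."""
    target = f"socket:[{inode}]"
    for pid, links in fd_table.items():
        if target in links:
            return pid
    return None


def attribute(text, fd_table):
    """Pair each remote endpoint with its owning pid (None = unattributable)."""
    return [(r["remote"], owner_of(r["inode"], fd_table)) for r in parse_tcp(text)]


if __name__ == "__main__":
    for remote, pid in attribute(PROC_NET_TCP, PROC_FD):
        print(remote, "->", pid if pid is not None else "unknown process")
```
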
<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>

<p><strong>Update 2023-06-12</strong>: I got a tip about
<a href="https://wiki.debian.org/PrivacyIssues">a list of privacy
issues in Free Software</a> and the
<a href="irc://irc.debian.org/%23debian-privacy">#debian-privacy IRC
channel</a> discussing these topics.</p>