Ubuntu gives you a solid firewall with ufw, but it tells you almost nothing about which application is making a network connection or where that connection is going. If you have ever wanted the kind of per-process network visibility that macOS users get with Little Snitch, you now can get exactly that on Linux. In April 2026, Objective Development officially released Little Snitch for Linux, bringing the same application-level network monitoring to Ubuntu, Debian, Fedora, and other distributions. This guide walks you through how to install Little Snitch on Ubuntu 24.04 LTS from scratch, including the required kernel upgrade, BTF verification, daemon setup, and web UI configuration.

What Is Little Snitch and Why Should You Use It on Ubuntu?

Little Snitch is an application firewall that gives you real-time visibility into every outgoing network connection on your system, broken down by process. Instead of seeing “traffic on port 443,” you see “Firefox connected to cdn.example.com, transferred 1.4 MB.” That level of detail changes how you think about network security.

The Linux version works using eBPF (extended Berkeley Packet Filter), a kernel-level mechanism that lets programs observe and intercept network events without recompiling the kernel. Objective Development wrote the eBPF component and the web UI under the GPL v2 license, so both are open source and free to inspect. The daemon itself is proprietary but free to use and redistribute.

Here is what you get with Little Snitch on Ubuntu:

• Live connection monitoring grouped by application
• One-click block or allow per app, domain, or server
• Traffic history with data volume per process over time
• Auto-updating domain blocklists in multiple formats
• Custom rules targeting specific processes, ports, and protocols
• A web-based UI accessible at localhost:3031, installable as a PWA

If you have previously used OpenSnitch on Ubuntu, Little Snitch offers a more polished interface and better blocklist management. The trade-off is the kernel requirement, which the next section covers in detail.

Prerequisites

Before you begin the Little Snitch on Ubuntu 24.04 setup, confirm the following:

• OS: Ubuntu 24.04 LTS (Noble Numbat) with a desktop or server environment
• Architecture: 64-bit system (amd64, arm64, or riscv64)
• Privileges: A user account with sudo access
• Kernel: Linux kernel 6.12 to 6.19 (Ubuntu 24.04 ships with 6.8 by default; this guide covers the upgrade)
• BTF support: Required and present on all standard Ubuntu mainline kernels 6.12+
• Internet access: Required to download the kernel and the .deb package
• Tools: wget, apt, dpkg, systemctl (all present by default on Ubuntu)

Important: Kernel versions above 6.19 currently reject Little Snitch’s eBPF program. Objective Development is working on a fix. Stick to the 6.12 to 6.19 range for now.

Step 1: Update Your Ubuntu 24.04 System

Always start with a full system update. This ensures your package lists are current and avoids dependency conflicts later in the process.

sudo apt update && sudo apt upgrade -y

What this does: apt update refreshes the local package index from all configured repositories. apt upgrade -y installs all available upgrades without prompting. The -y flag auto-confirms so you do not need to press Enter manually.

After the upgrade finishes, reboot to activate any updated packages:

sudo reboot

Once the system comes back up, confirm your current kernel version before doing anything else:

uname -r

Expected output on a fresh Ubuntu 24.04 system:

6.8.0-57-generic

If your output already shows 6.12.x or higher, skip Step 2 and go directly to Step 3. If it shows 6.8.x, continue to Step 2.

Step 2: Upgrade the Linux Kernel to 6.12 on Ubuntu 24.04 LTS

This is the step that most guides skip or get wrong. Little Snitch for Linux requires kernel 6.12 or above because its eBPF program hits the instruction count limit enforced by the verifier in older kernels. Ubuntu 24.04’s default kernel 6.8 does not meet this requirement.

The cleanest way to get a supported kernel on Ubuntu 24.04 without compiling from source is the Ubuntu Mainline Kernel PPA.

Install the Mainline Kernel Tool

sudo add-apt-repository ppa:cappelikan/ppa
sudo apt update
sudo apt install mainline -y

What this does: This PPA provides the mainline tool, a small utility that downloads and installs pre-built mainline kernels directly from kernel.ubuntu.com. It handles the multi-package .deb install automatically.

Install Kernel 6.12

sudo mainline install 6.12

This command downloads and installs three packages: linux-image, linux-headers, and linux-modules for kernel 6.12. The process takes a few minutes depending on your connection speed.

If you prefer to do this manually without the mainline tool, you can download the packages directly:

cd /tmp
wget https://kernel.ubuntu.com/mainline/v6.12/amd64/linux-image-unsigned-6.12.0-060112-generic_6.12.0-060112.202411172231_amd64.deb
wget https://kernel.ubuntu.com/mainline/v6.12/amd64/linux-modules-6.12.0-060112-generic_6.12.0-060112.202411172231_amd64.deb
sudo dpkg -i linux-modules-6.12.0*.deb linux-image-unsigned-6.12.0*.deb

Update GRUB and Reboot

After installing the new kernel, update GRUB so the bootloader picks it up:

sudo update-grub
sudo reboot

After reboot, verify the active kernel:

uname -r

Expected output:

6.12.0-060112-generic

Note: Mainline kernels are not officially supported by Canonical. They are appropriate for developer workstations and personal machines. Avoid deploying this on production servers without thorough testing.

Step 3: Verify BTF Kernel Support

BTF (BPF Type Format) allows eBPF programs to inspect kernel data structures at runtime without needing the exact kernel headers the kernel was compiled with. Little Snitch requires BTF to load its eBPF program. All mainstream Ubuntu mainline kernels enable BTF by default, but it is worth confirming before you proceed.

Run this command:

ls /sys/kernel/btf/

Expected output:

vmlinux

If you see vmlinux listed, BTF is active and you are good to continue. If the directory does not exist or is empty, your kernel was compiled without BTF support. In that case, switch to a different 6.12.x build from kernel.ubuntu.com or use the mainline tool to install a different patch version.

Step 4: Download the Little Snitch .deb Package

Go to the official Little Snitch for Linux download page at https://obdev.at/products/littlesnitch-linux/download.html and grab the .deb package for your architecture.

First, confirm your system architecture:

dpkg --print-architecture

Common outputs:

• amd64 — Intel or AMD 64-bit (most laptops and desktops)
• arm64 — ARM 64-bit (Raspberry Pi 4/5, Apple Silicon VMs)
• riscv64 — RISC-V 64-bit

Then download the matching package using wget:

cd ~/Downloads
wget https://obdev.at/products/littlesnitch-linux/download/littlesnitch_1.0.1_amd64.deb

Replace amd64 with arm64 or riscv64 if your system requires it.

Step 5: Install Little Snitch on Ubuntu 24.04 LTS

With the .deb file downloaded, install it using apt. Using apt instead of dpkg -i is better practice here because apt automatically resolves and installs any missing dependencies.

cd ~/Downloads
sudo apt install ./littlesnitch_1.0.1_amd64.deb

What happens during this install:

• The eBPF program is compiled and loaded into the kernel
• The Little Snitch daemon (littlesnitch --daemon) is registered as a systemd service
• Web UI static files are deployed to their system directory
• A default configuration is written to /var/lib/littlesnitch/

After the install completes, verify it with:

littlesnitch --version

You should see a version string returned, confirming the binary is in your PATH and accessible.

Tip: Reboot your system after installation. Processes that were already running before Little Snitch was installed may show up as “Not Identified” in the UI until they restart fresh under monitoring.

Step 6: Start and Enable the Little Snitch Daemon

The installation registers the daemon with systemd but does not automatically start it. Enable and start it now:

sudo systemctl start littlesnitch
sudo systemctl enable littlesnitch

What this does: start launches the daemon immediately in the current session. enable tells systemd to start the daemon automatically on every future boot.

Check that it is running correctly:

sudo systemctl status littlesnitch

Expected output (key lines):

● littlesnitch.service - Little Snitch Application Firewall
     Loaded: loaded (/lib/systemd/system/littlesnitch.service; enabled)
     Active: active (running) since Mon 2026-04-13 07:00:00 WIB

The active (running) status confirms the eBPF program loaded successfully and the daemon is monitoring connections. If you see failed instead, jump to the Troubleshooting section below.

Step 7: Access the Little Snitch Web Interface

Little Snitch does not use a traditional desktop application window. Instead, it runs a local web server and serves its interface at http://localhost:3031.

Open it in two ways:

Option 1: Run the command:

littlesnitch

This opens your default browser directly at the web UI.

Option 2: Open any browser and navigate manually to:

http://localhost:3031

Install as a Progressive Web App (PWA)

For a native app experience without a browser tab:

• Chromium or Chrome: Click the install icon in the address bar and select “Install Little Snitch.” It will appear as a standalone window in your app launcher.
• Firefox: Install the “Progressive Web Apps for Firefox” extension first, then use it to install the site as a standalone app.

The web UI loads the Connections view by default, showing all current and recent network activity grouped by application. Each entry displays the application name, destination domain or IP, connection status, and data volume transferred.

Step 8: Configure Little Snitch on Ubuntu 24.04

Set Up Blocklists

Blocklists let you block entire categories of domains without writing individual rules. To add one, go to the Blocklists section in the web UI and paste a URL pointing to a supported list format.

Supported formats:

• One domain per line
• One hostname per line
• /etc/hosts style entries
• CIDR network ranges

Recommended blocklists to start with:

• Hagezi (multi-purpose, DNS-based)
• oisd.nl (comprehensive, updated daily)
• Peter Lowe’s list (ads and tracking)
• Steven Black Unified Hosts (well-maintained hosts format)

Little Snitch auto-refreshes blocklists at regular intervals.

Write Custom Firewall Rules

Rules give you granular control beyond blocklists. In the Rules view of the web UI, you can create rules that target:

• A specific process (by executable path)
• A specific action (allow or deny)
• A specific port and protocol (e.g., TCP 443, UDP 53)
• A specific destination (domain, hostname, or IP range)

For example, you can create a rule to block a specific application from making any DNS queries on UDP port 53, while still allowing its HTTPS traffic on TCP 443.

Rules take priority over blocklists when both apply to the same connection.

Advanced Configuration via TOML Files

The web UI covers most common settings, but deeper configuration uses plain-text TOML files in the /var/lib/littlesnitch/config/ directory.

The safe way to customize is to copy files into the overrides directory:

sudo cp /var/lib/littlesnitch/config/web_ui.toml /var/lib/littlesnitch/overrides/config/web_ui.toml
sudo nano /var/lib/littlesnitch/overrides/config/web_ui.toml

Little Snitch always loads files from the overrides directory over the defaults. Never edit the default config files directly, as a package update will overwrite them.

Key files and what they control:

After any change to override files, restart the daemon:

sudo systemctl restart littlesnitch

Secure the Web UI

By default, the web UI at localhost:3031 is open to any local process with no authentication. A compromised application running locally could theoretically modify your rules through the API.

Enable authentication by editing your web_ui.toml override file and setting an auth password. If you plan to access the UI from another machine on your network, also configure TLS in the same file to encrypt the connection.

Troubleshooting Common Installation Errors

Error: eBPF Program Rejected by Verifier

Symptom: The daemon fails to start; journalctl shows “eBPF verifier rejected program.”

Cause: Your kernel is either below 6.12 or above 6.19.

Fix: Run uname -r to confirm your kernel version. If below 6.12, repeat Step 2. If above 6.19, downgrade to a 6.12-6.19 build using the mainline tool.

Error: BTF Directory Not Found

Symptom: Daemon fails to start; logs mention BTF or BPF type format errors.

Fix:

ls /sys/kernel/btf/

If the directory is missing, your kernel build lacks BTF support. Use mainline to switch to a standard 6.12.x build.

Error: Dependency Problems During Installation

Symptom: apt install exits with dependency errors.

Fix:

sudo apt --fix-broken install
sudo apt install ./littlesnitch_1.0.1_amd64.deb

Applications Show as “Not Identified”

Cause: Processes running before Little Snitch was installed lack full attribution data.

Fix: Reboot your system. All processes will restart and get properly identified from the moment they launch.

Web UI Unreachable at localhost:3031

Fix:

sudo systemctl status littlesnitch
sudo systemctl restart littlesnitch

If the service fails repeatedly, check the full logs:

journalctl -u littlesnitch --since today

Congratulations! You have successfully installed Little Snitch. Thanks for using this tutorial for installing Little Snitch network monitoring on your Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Little Snitch website.