I remember before Little Snitch there was ZoneAlarm for Windows[0] (here is a good screenshot[1]). No clue if the current version of ZoneAlarm does anything like that (have not used it in 2 decades). I always found it weird that Linux never really had anything like it.
[0]: https://en.wikipedia.org/wiki/ZoneAlarm
[1]: https://d2nwkt1g6n1fev.cloudfront.net/helpmax/wp-content/upl...
I wrote a program similar to this for AmigaOS many, many years ago. I would have been inspired by ZoneAlarm or a program like it.
I've just found it and uploaded it to github. Looking at the code, I can see my horrible C style of the time. There's probably bugs galore.
https://github.com/JetSetIlly/Direwall
If I remember correctly, it runs as a commodity and patches the socket library. Interestingly, the socket library was not re-entrant (unusual for Amiga libraries) so I had to patch the Exec OpenLibrary() function to monitor the loading of new copies of the socket library. But it's been a long time so memories are hazy.
It'll be interesting to see if it is still compiles and runs for modern AmigaOS, if any active Amiga programmers are around to see.
What I really liked about ZoneAlarm wasn't just that it was a very nice technology - and it was; but also that it got the user expectations and training right from a very early stage.
It was quite insistent on the fact that it would be "noisy" at first as it queried all the programs you ran, but would then quieten down once it had been "trained". It got that across in clear, simple language.
I think it was so successful because it got the soft side of its security job right as well as the hard part. It's certainly why I recommended it to anyone at the time...
Was working as an IT consultant. We got a call from an international manufacturer in the area for support. Local lead IT manager took down the firewall which infected their computer network around the world. All they wanted were bodies to help clean systems and apply OS updates.
My personal computer had ZoneAlarm on it. It became ground zero for reporting about infected systems. They ignored systems they thought were save; CISCO phone system running on Windows server and other backend devices. The company then bought a few licenses to run their own laptops.
It is such a same that Microsoft destroyed _ERD Commander_ and other quality tools which assisted in the clean up.
> [ZoneAlarm] I always found it weird that Linux never really had anything like it.
There was simply no need for it. GNU provided most of the software, spyware was unknown.
Only since comercial vendors package for linux and bring their spyware along, the desire to inspect network rose.
This is such a naive view on computer security. It’s not just about spyware, which is also not exclusive to commercial vendors.
It's not, though. There simply wasn't enough malware to worry about. Why would I run a firewall when I was unlikely to ever encounter a malicious program?
I mean, supply chain attacks are a thing that could have happened even in the earlier days. Linux almost got backdoored in 2003.
Also with the number of remote code execution exploits that have occurred in Web browsers over the years it's hard to know for sure if what you installed hasn't been hijacked unless you spent all your time on gnu.org
Yes, but the probability of the average user getting pwned was so small that it wasn't worth the constant firewall babysitting.
What else is this about? Debian repositories still contain no malware and if you install software exclusively from them, you'll be safe.
Run OpenSnitch for a while and you'll quickly realize how much of your system does phone home. Off the top of my head:
- GNOME Shell (extension updates without a way to disable this, weather),
- GNOME Calculator (currency exchange rates),
- NetworkManager (periodic hotspot portal checks in most configurations),
- GDB (debuginfod enabled by default),
- Firefox (extension updates, push notifications, feature flags, telemetry, ..., some parts cannot be disabled),
- VSCodium (Open VSX callbacks even when installing extensions from disk with updates disabled, JSON schema auto-downloads, extensions making their own unsolicited requests, ...),
- Electron (dictionary updates from Google servers, no way of disabling; includes any application running on top of upstream Electron, such as Signal, Discord, etc.),
- GoldenDict (audio samples fetched from the Internet on word look-up, no way to disable)
Of course, this is nothing compared to Windows [0] and macOS [1], but the malpractice of making Internet connections without asking, by default, has unfortunately been finding its way everywhere since modems stopped making audible sounds.
Having read about PRISM and seen the leaked dashboards of Paragon Graphite (said to be used by ICE), and with LLMs bridging the gap between mass and targeted surveillance, I don't want any of this.
[0] https://github.com/microsoft/calculator/blob/ffd0519676019a0...
[1] https://sneak.berlin/20201112/your-computer-isnt-yours/
> GNOME Calculator (currency exchange rates),
Which would crash (technically hang) if you blocked it. [0]
[0] https://forums.debian.net/viewtopic.php?p=818264
People still care about these things on Debian. But as is said 20 years ago there was no need, because the default was to be sane.
Are these malware ?
Per se? No, maybe with the exception of GNOME Shell which literally runs code from the Internet unsandboxed. Can the traffic they silently generate be used for malicious purposes? Absolutely.
Wasn’t it KDE that had malware in its theme store not too long ago? Let that sink in for a bit. You changed around some icon themes and it executed arbitrary code.
And let’s not pretend that kde wouldn’t have an extension system if it could - but it’ll never have one because implanting one in that c++ spaghetti nightmare will never happen.
I think you meant to reply to this: https://news.ycombinator.com/item?id=47702680
But if not, I'm not criticizing GNOME in isolation here. It's just what I use and what I'm most familiar with. KDE has the same issues and it does have an extension system too. It's called KNewStuff.
you could always run kwin_wayland and prevent all that phoning home...
Problem with updates is that without automatic ones, users could stay on outdated systems and possibly get hacked through some vulnerability(of which there are many). While on the other hand, having explicit confirmations for each network request would be crazy annoying.
Maybe some middleground of having the tool OP sent built-in would be a good option.
I run all my systems with all outgoing connections blocked by default, and yes, it is annoying.
But it wasn't always this way, and so, I don't think it has to be. People just need to start paying attention to this.
The impact of a lot of those vulnerabilities would be mitigated if the affected programs didn't connect to the network in the first place.
As for updates in general, I really like the model adopted by Linux update managers and BSD port systems. The entire repository metadata is downloaded from a mirror and cached locally, so the search terms never leave your machine. Downloads happen from the nearest mirrors, there's no "standard" mirror software (unless rsync and Apache count?) so they don't report what was downloaded by whom back to any central system and you can always host your own. Everything is verified via GPG. And most importantly, nothing happens on its own; you're expected to run `apt/dnf update` yourself. It won't randomly eat your bandwidth on a metered connection or reveal your OS details to a public hotspot.
Simple, non-invasive, transparent, (almost) all-encompassing, and centrally configurable.
Does it contain Firefox? How about Chrome?
Quote from LittleSnitch:
> Little Snitch for Linux is built for privacy, not security
What's your definion of malware in this context?
It contains Firefox and Chromium. You are right that they may call home, but at least it's very limited and easily configurable. Could be too much for you but fine with me. Also Debian does change their config by default to minimize privacy issues: https://news.ycombinator.com/item?id=32582260
It's far from easy in the case of Firefox [0], and the last time I tried, some .mozilla.com domains would still get pinged. Chromium doesn't even have an official guide. The only options I found to be reliable are source-level patches, i.e. ungoogled-chromium and LibreWolf.
Note that LibreWolf still leaves some of the stuff on for you to manually disable (dom.push.connection.enabled, extension updates).
[0] https://support.mozilla.org/en-US/kb/how-stop-firefox-making...
In firefox, goto about:config and search for url.
You're welcome.
Ads, trackers, general boost to privacy. Not every protection tool is just about malware.
Yeah I will also be safe if I never turn on the PC, but some of us use computers to do actual work.
Completely forgot about ZoneAlarm. I remember using it in the early 2000s!
I read ZoneAlarm and it was like suddenly a part of my brain that went unvisited for 25 years lit up...
WinAmp skins. Alternate shells for Windows(!). Cygwin because I still played too many games to go full Linux.
Yeah...
btw all versions of WinAmp + skins still work great in 2026 even on Win11 :)
It still whips the llama's ass.
I helped administer the CheckPoint commercial version of this before 2010 in a large enterprise (Checkpoint Integrity it was badged as). Really good product though we did have some bugs with it - I do remember the developers from Israel got involved and were very capable.
It mostly worked exactly as you would want a desktop firewall to, and integrated nicely with Cisco VPN tech, so you could ensure Integrity was operating correctly before fully opening up the tunnel for access to corporate assets.
Same. And in a similar vein--AnalogX NetStat Live.
Same... Totally forgot about ZA.
Such nostalgia! I probably forgot about it after switching over to Linux 25 years ago.
Same!
This reminded me of running Kerio Personal Firewall. When Kerio ended I switched to either ZA or Comodo firewall, one of them introduced a neat feature of running executables in containers. Made clicking random things so much easier. But the best part with all of these was restricting windows to where it could barely do anything. "RandomXYZ.DLL wants to execute random what and connect to random where? I dont think so MS." lol
Who remembers BlackICE Defender tho?
https://archive.org/details/BlackICE_Defender
I was there for SoftICE and BlackICE.
Simpler times.
I remember switching from Win95 to NT4.0 just to be able to use SoftICE properly under Windows without all the stability problems, it was an incredible time! SoftICE felt like absolute wizardry at the time.
Wow. Insane throwback. I think I first learned about ZoneAlarm from some PC magazine my parents bought for me. Completely forgot about this great piece of freemium!
if anyone else suddenly started wondering, PC magazines still exist in physical form. There are even still Linux magazines that come with installer CDs for distros. And all kinds of other magazines as well, like for Mac computers, for photo editors, for Raspberry Pi etc.
I learned about it from Leo and Patrick on The Screen Savers
I ran ntop on a router in 2001. It had a highly insightful overview of traffic with nice looking diagrams and everything. There hasn't been anything like that since as far as I'm aware.
ZoneAlarm otoh, was snakeoil. Programs that ran at the same privilege level (typically everything) could bypass it in various ways.
Linux users just browsed firewall logs.
Back when people would try to winnuke others on IRC, the Linux guys would know who sent them the packet and call them out in the channel (and then usually ban them)
It's interesting hw lng it took for linux to get a user friendly application firewall like OpenSnitch
It's because there's no way to make universal kernel modules/drivers, like it is on Windows.
The way to make kernel modules is to submit them to the kernel. Not really sure what a “universal kernel module” really is.
Also that seems irrelevant because it seems this was implemented in eBPF so no kernel modules are required.
> I always found it weird that Linux never really had anything like it.
OpenSnitch must be like ten years old by now. I think also portmaster is somewhat similar too.
ZoneAlarm, assuming it still exists, would be at least 20 years old.
Back then there was also a nice ~$15 program called Net Limiter which allowed one to cap network speeds individually per program.
For me it was Sygate personal firewall back on windows xp
There was also Tiny Firewall which got bought by Computer Associates around 2005. Probably the most complicated or fine grain control for me at that time in Windows XP.
This is what I used! At some point I managed to block DHCP lease renewals on my computer, and Internet would always stop working after a given timespan. Took a good while to figure out I caused the problem myself.
and that's how you learn...
Shooting yourself in the foot really helps to built intuition!
It is probably easier these days when you have a phone to fall back on for if you break the internet on your computer.
Playing with your router is still a pain though, especially if you don't have a device with an Ethernet port. You learn all sorts of fun things like "If you change your router's IP address you get logged out of its management at the old IP address" and "Oh, that's what subnet mask means, weird."
> It is probably easier these days when you have a phone to fall back on
Most definitely. The old lessons were hard learned, and they stayed with you. Going through everything, trying all the combinations, and reading obscure materials for any hints.
I don't want to glorify the old hard way of spending perhaps days on problems that ended up being trivial, but it's obviously different now when one can get all the answers and helpful scripts directly from LLMs. Much less is retained.
Sometimes called "high instructional value".
i loved zonealarm! and also pained myself with all the little rules and upkeep lol
Back in the Halo 2 days ZoneAlarm and Cain and Abel were the go-to host bridging and bluescreen programs.
A simpler time lol.
Used to use Outpost Firewall Pro, too.
Good old Halo 2 stand-bying. An absolute plague.
It was problematic, so we moved to blackice defender iirc
isn’t this essentially built into Windows these days? although it seems to come with a lot of programs pre-approved.
No, the Windows firewall in its default configuration does not restrict outbound connections in any way. Any application can make any outbound connection it wants. If an application attempts to listen for incoming connections from external sources and there is not an existing policy, Windows will pop up a dialog asking the user if they want to allow this and if so whether it should be allowed to listen on all networks, only networks marked as "private", or for domain-bound corporate computers only networks where the domain controller is reachable.
It can be manually configured with very detailed policies, but you have to know where to go to find those controls.
It's been a while since I used ZoneAlarm or Little Snitch, but the last time I used either one the default behavior was instead that any connection attempt or attempt to listen for which there was not a policy would result in a dialog showing all the details about what application is looking to connect to or receive connections from what as well as a variety of options for creating a policy or even not creating a policy and just deciding whether that one connection would be allowed.
Also back when I used ZoneAlarm I had dialup so the taskbar addon they had which showed realtime bandwidth usage and what applications had active connections was really useful. It also had a big red "Stop" button that would immediately disable all connections, which thinking about it in retrospect really makes me miss the more innocent days of the internet.
Iirc the firewall was already in XP. Maybe earlier but sp2 for sure.
Default allows everything though but you could even set outbound blocking rules. Cumbersome UI and no really good visibility though.
Most of the windows firewalls tools are just front ends for the integrated one with more sensible defaults.
You gonna commit seppuku if you try to add rules with the built in one.
[flagged]
That website redirected my browser to a very sketchy website after a couple seconds.
Don't open it.
@dang
That domain is blocked by Hagezi's Ultimate list. Definitely remove that user's comment
@dang doesn't do anything; send a quick email to the contact address with a link