by nathants 1553 days ago
securing a machine that is updated regularly and runs untrusted code is not realistic, monitoring network exfil is.

an exploit that cannot communicate is likely benign and easy to detect in the attempt.

monitor all outbound network connections with a gui prompt that defaults to deny. whitelist trusted domains/ip for a better experience and a bit less security.

macos has littlesnitch[1], linux has opensnitch[2], or roll your own on libnetfilterqueue[3].

bonus points if the filtering happens upstream at a router or wireguard host so a compromised machine cannot easily disable filtering.

bonus points if the filtering is at executable level granularity instead of system level.

1. https://www.obdev.at/products/littlesnitch/index.html

2. https://github.com/evilsocket/opensnitch

3. https://github.com/nathants/tinysnitch

1 comments
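As an added example (not code from tinysnitch, opensnitch or Little Snitch), here is the decision logic the post describes: an allow-list keyed on executable, destination and port, with everything else denied and recorded, which is the point at which a GUI prompt would be raised. It also includes the /proc bookkeeping Linux exposes for executable-level granularity: `/proc/net/tcp` maps a local socket to an inode, and `/proc/<pid>/fd` maps that inode back to a process and its `exe` link. The rule syntax, the file paths and the `/proc/net/tcp` snapshot are assumptions made for this example; the snapshot is constructed, and the `/proc` walk needs a real Linux box with root to do anything.

```python
# Added example: default-deny outbound policy at executable granularity.
# Rule syntax, paths and the /proc/net/tcp snapshot are constructed for the demo.
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    exe: str                    # absolute path of the executable, "*" for any
    dst: str                    # domain (subdomains match too), IP, or CIDR
    port: Optional[int] = None  # None = any port

    def matches(self, exe: str, dst_ip: str, port: int, dst_host: Optional[str]) -> bool:
        if self.exe != "*" and self.exe != exe:
            return False
        if self.port is not None and self.port != port:
            return False
        try:
            return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
        except ValueError:
            pass  # self.dst is not an IP/CIDR, so treat it as a domain rule
        if dst_host is None:
            return False
        # Suffix match only on a label boundary: "notexample.com" must not match "example.com".
        return dst_host == self.dst or dst_host.endswith("." + self.dst)


class Policy:
    """Allow-list: anything not explicitly allowed is denied and recorded.
    The recorded tuple is what a GUI prompt (or a push to a phone) would show."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.denied: List[Tuple[str, str, int, Optional[str]]] = []

    def decide(self, exe: str, dst_ip: str, port: int, dst_host: Optional[str] = None) -> str:
        for rule in self.rules:
            if rule.matches(exe, dst_ip, port, dst_host):
                return "allow"
        self.denied.append((exe, dst_ip, port, dst_host))
        return "deny"


def parse_proc_net_tcp(text: str) -> Dict[Tuple[str, int], Tuple[str, int, int]]:
    """Parse /proc/net/tcp (IPv4) into {(local_ip, local_port): (remote_ip, remote_port, inode)}.
    The kernel prints each address as little-endian hex, hence the byte reversal."""
    def addr(field: str) -> Tuple[str, int]:
        hex_ip, hex_port = field.split(":")
        ip = ".".join(str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        return ip, int(hex_port, 16)

    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        table[addr(cols[1])] = addr(cols[2]) + (int(cols[9]),)
    return table


def exe_for_inode(inode: int, proc: str = "/proc") -> Optional[str]:
    """Walk /proc/<pid>/fd for socket:[inode] and return that pid's exe link.
    Needs root on a live system; the offline demo below does not call it."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # process exited, or its fd table is not readable
    return None


# Constructed snapshot: a socket on 10.0.0.5:54180 talking to 93.184.216.34:443, inode 12345.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:D3A4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
"""


def demo() -> List[str]:
    """Run constructed connection attempts through the policy and return the verdicts."""
    policy = Policy([
        Rule("/usr/bin/curl", "example.com", 443),  # curl: HTTPS to example.com only
        Rule("/usr/bin/ssh", "10.0.0.0/8", 22),      # ssh: internal range only
        Rule("*", "127.0.0.0/8"),                    # loopback is fine for everything
    ])
    remote_ip, remote_port, inode = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)[("10.0.0.5", 54180)]
    # On a live box: exe = exe_for_inode(inode). Here the owner is stipulated per attempt.
    attempts = [
        ("/usr/bin/curl", remote_ip, remote_port, "www.example.com"),
        ("/usr/bin/curl", remote_ip, 80, "www.example.com"),              # wrong port
        ("/usr/bin/python3", remote_ip, remote_port, "www.example.com"),  # not allow-listed
        ("/usr/bin/curl", "203.0.113.9", 443, "notexample.com"),          # not a subdomain
        ("/usr/bin/ssh", "10.1.2.3", 22, None),
        ("/opt/untrusted/bin", "127.0.0.1", 8080, None),
    ]
    return [policy.decide(*a) for a in attempts]


if __name__ == "__main__":
    print(demo())
```

Wiring this into libnetfilterqueue means queueing new outbound SYNs, looking up the owning executable with the two `/proc` helpers, and returning accept or drop from `Policy.decide`; anything that lands in `policy.denied` is the list a prompt (local GUI, or a push to another device) would present. Note that the domain rules only help when the filter knows the hostname, for instance from a DNS answer it has seen, so treat domain-based allow-listing as weaker than the IP/CIDR rules.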

> monitor all outbound network connections with a gui prompt that defaults to deny. whitelist trusted domains/ip for a better experience and a bit less security.

> bonus points if the filtering happens upstream at a router or wireguard host so a compromised machine cannot easily disable filtering.

Is it possible to combine these two with open/tinysnitch somehow? It'd be nice to easily build a whitelist but with the way Windows works I couldn't trust any firewall that was running on Windows itself.

filtering upstream is easy, just send all traffic to a linux wireguard server and run a snitch there. getting the gui prompt is a bit trickier. for maximum trust, that gui should probably be on a device other than the original machine, i.e. a push notification to your phone.