Getting started
After installing opensnitch, notice that a new icon appeared on the systray:
You can launch the GUI from that icon or from the system menu (Internet -> OpenSnitch)
The daemon will start intercepting connections, prompting you to allow or deny them. If you don't apply an action, after 15 seconds (configurable) it'll apply the default action configured.
When you open the GUI, you'll see all the connections and processes that the daemon has intercepted. Double click on a row to view the details of a process, rule, host or user.
ℹ️ Tip: Configure the default action to Allow (Preferences -> UI -> Default Action, and optionally [x] Disable pop-ups), let it run for a while (hours, days, weeks), and observe passively what your machine is doing.
This action has two advantages: you'll learn about your system and OpenSnitch will create the rules for you (Rules tab -> Temporary).
Remember to change it back to Deny.
To see and modify the rules accumulated so far, click on the OpenSnitch icon in the System Tray. A GUI listing the rules will appear. You can click on each rule and then click on the Trash Can icon to delete it. Or you can click on a rule and right-click on it to modify allow/deny or duration etc. The list may take up to 15 seconds to show the update in the GUI. Note: if you modify the action of a rule (e.g. change from deny to allow), the name of it may not change (e.g. may stay as "deny-...").
Once you know which are the common processes, IPs and hosts that your machine is connecting to, you can start creating permanent rules (Duration: always) to deny or allow them. You can also convert temporary rules to permanent by right-clicking on a temporary rule or by double-clicking on it, and then edit it.
A common practice is to apply a rule of "Least privilege", i.e., block everything by default and allow only those processes or connections that you want to.
Read more about blocking lists
Some processes are part of the GNU/Linux ecosystem, and critical to the well functioning of it. Some of these processes are:
/usr/bin/xbrlapi
/usr/bin/dirmngr
/usr/bin/kdeinit5
Some others are not critical, but as part of the system they have their function, like discovering devices or resolving domains. For example:
/usr/libexec/colord-sane
/usr/sbin/avahi-daemon
/usr/libexec/dleyna-server-service
/lib/systemd/systemd-timesyncd
/usr/lib/systemd/systemd-resolved
/usr/sbin/ntpd
Some applications launch external processes, so for example, you may be prompted to allow application A, and just right away asked to allow application B. This is the case with Epiphany web browser, gnome-maps, snap or Spotify: https://github.com/gustavo-iniguez-goya/opensnitch/issues/134#issuecomment-772876103
/usr/bin/epiphany
/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess