kstrauser|6 years ago
Little Snitch is one of my favorite apps in the world, and it's one of the very first things I install on any new Mac.
For those unfamiliar, it monitors and restricts outbound connections that your applications are trying to make. For example, you might be working away and suddenly get a popup saying:
"Chrome is making an outbound TCP connection to adserver.trackallusers.com, port 9876. Do you want to:
- Allow or Deny the connection...
- To all hosts in the domain trackallusers.com, that specific hostname, or that specific IP address, or all hosts everywhere...
- On this port or any port...
- Protocol TCP...
- Once, or for the next 15 minutes / 1 hour / 2 hours / until I reboot / forever"
...and it will postpone making that connection until you answer. You can set defaults for that popup according to your own preferences, for instance to block by domain name instead of hostname so that "server432.example.com" and "server592.example.com" don't have to be managed separately.
When you first run Little Snitch, it's a bit overwhelming. Safari and Chrome want to talk to all kinds of things on TCP/80 and 443, so you pretty quickly say they're allowed to make any 80 or 443 connection they want without further pestering you. Soon you have a good coverage of your apps' normal behaviors, and that's where it really shines. For instance, suppose your text editor commonly talks to "updateserver.example.com" to check for app updates. But this morning, it's suddenly trying to chat with "exfiltrator.badhost.ru". Uhh, maybe you want to block that and see what's going on.
And my earlier Chrome example isn't an exaggeration. It's surprising how many websites want to connect to ad or tracking servers on nonstandard ports. I actually appreciate that a lot because those connections stick out like sore thumbs and I can permanently deny them.
Sorry if this reads like an ad pitch for Little Snitch. I'm not associated with them, but I'm a very, very happy customer. Seeing something like it becoming available for my friends using Linux is awesome.
mrspeaker|6 years ago
Using Little Snitch, and seeing the amount of phoning-home Chrome was doing, was my "straw that broke the camel's back". It tipped me over the edge: drove me back to Linux, DuckDuckGo, NextDNS (I'm not confident enough to "roll my own"), turning everything off on my phone (location services, search helpers etc.), and not using software that checks for updates or does the least amount of telemetry (I went from VSCode to Emacs)... favoring anything that doesn't track/use CDNs/anything by default: whatever is vaguely usable (no matter how annoying) and tracks the least, wins.
I could block it all with Little Snitch - but it's a technical solution to a political problem. I miss a lot of the convenience, and I miss a lot of the slickness/lovely UIs... but Lil' Snitch taught me that that's the price!
castillar76|6 years ago
Huge fan of Little Snitch, and I agree: it's been really useful for discovering and shutting down all the telemetry and ad traffic. One thing people don't realize is that you can take many of the popular ad-blocking lists and subscribe to them in Little Snitch! Peter Lowe's Block List, for instance, produces a plain-text format (https://pgl.yoyo.org/adservers/serverlist.php?hostformat=lit...) that's perfect: you subscribe to it in Little Snitch, and it automatically blocks everything on the list everywhere, with updates pulled on the regular from the pgl.yoyo.org servers.
One frustration I've had lately—and it's not Little Snitch's fault!—is the number of unnamed micro-service endpoints in use. Office365, Dropbox, and others have started using random cloud IPs for their content distribution endpoints, so you get a popup for "OneDrive wants to connect to XXX.YYY.ZZZ.QQQ on port 25427. Allow?" You have no basis for knowing if that IP is legit or not, you can't use the port to judge it, and you know if you cut off too many of them the app will break. Super frustrating, and seems deliberately designed to break things like LS.
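The two comments above describe the shape of a Little Snitch decision (allow or deny; scope of this host, this domain, this IP, or any host; this port or any port; protocol; once, for a while, or forever) and the trick of subscribing to an ad-server blocklist so its entries become global deny rules. The following is an added, self-contained model of those semantics in Python; it is not Little Snitch's, OpenSnitch's, or pgl.yoyo.org's code, and the rule fields, the first-match evaluation order, the `ANY` wildcard and the sample blocklist are all constructed for this illustration.

```python
"""Toy outbound-connection rule engine in the shape of the Little Snitch prompt
described in the thread (allow/deny; host/domain/ip/any scope; specific or any
port; protocol; timed or permanent), plus a loader that turns a hosts-style
blocklist into deny rules that apply to every application.

Added illustration; not the code of any product named in the thread."""
import time
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard for app, port and protocol (constructed convention)


@dataclass
class Rule:
    app: str                        # process name, or ANY
    action: str                     # "allow" or "deny"
    scope: str                      # "host", "domain", "ip" or "any"
    target: str                     # hostname, domain suffix or IP; unused for "any"
    port: object = ANY              # int, or ANY
    proto: str = ANY                # "tcp", "udp", or ANY
    expires: Optional[float] = None  # unix time after which the rule is dead; None = forever

    def matches(self, app, host, ip, port, proto, now):
        if self.expires is not None and now > self.expires:
            return False            # "for the next 15 minutes" has run out
        if self.app != ANY and self.app != app:
            return False
        if self.proto != ANY and self.proto != proto:
            return False
        if self.port != ANY and self.port != port:
            return False
        if self.scope == "host":
            return host == self.target
        if self.scope == "domain":
            # "all hosts in the domain": the domain itself and every subdomain
            return host == self.target or host.endswith("." + self.target)
        if self.scope == "ip":
            return ip == self.target
        return self.scope == "any"


class Engine:
    def __init__(self):
        self.rules = []

    def add(self, rule, front=False):
        # First match wins. Blocklist denies are put at the front so that a
        # broad "Chrome may use any 443" allow cannot override them; this is a
        # design choice of the example, not a claim about Little Snitch.
        if front:
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def decide(self, app, host, ip, port, proto, now=None):
        now = time.time() if now is None else now
        for r in self.rules:
            if r.matches(app, host, ip, port, proto, now):
                return r.action
        return "ask"   # no rule: hold the connection and show the prompt


def load_blocklist(text, engine):
    """Subscribe to a one-hostname-per-line list: every entry becomes a deny
    rule for all apps, ports and protocols, covering the host and its
    subdomains. Returns the number of rules added."""
    n = 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        engine.add(Rule(ANY, "deny", "domain", line.lower()), front=True)
        n += 1
    return n


# Constructed sample in the shape of an ad-server blocklist; not real list content.
SAMPLE_BLOCKLIST = """\
# ad and tracking hosts (constructed)
adserver.trackallusers.com
ads.example.net
"""


def build_demo(now):
    """Rule set a user might end up with after a few prompts (constructed)."""
    e = Engine()
    load_blocklist(SAMPLE_BLOCKLIST, e)
    e.add(Rule("Chrome", "allow", "any", "", 443, "tcp"))   # any host, 443, forever
    e.add(Rule("Chrome", "allow", "any", "", 80, "tcp"))    # any host, 80, forever
    e.add(Rule("TextEditor", "allow", "host", "updateserver.example.com", 443, "tcp",
               expires=now + 15 * 60))                     # this host, 15 minutes
    return e
```

Two things the model makes visible: a host-scoped deny for `adserver.trackallusers.com` does nothing for `cdn.trackallusers.com`, which then sails through the broad "any host on 443" allow until a domain-scoped rule is added, and a timed allow silently turns back into a prompt once it expires.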
kccqzy|6 years ago
While I personally am also a huge fan of Little Snitch, I do want to caution everyone who rushes to install it: after all, like all software, Little Snitch has bugs, and because it runs in ring 0, any bug can potentially have annoying consequences, including being exploited by malware.
See for example this news report[0] or the DEF CON talk[1].
I personally do use Little Snitch, but this is after weighing my own desire for privacy against the risk of security holes being exploited. I personally chose the former. You should personally weigh these and decide.
[0]: https://www.theregister.co.uk/AMP/2016/08/03/mac_firewall_li...
[1]: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20pre...
webmobdev|6 years ago
But a much, much cheaper and much easier and simpler to use software is TripMode - https://www.tripmode.ch/ ...
While it is not marketed as an outbound firewall, it does a great job as one. It isn't as sophisticated as Little Snitch and doesn't offer fine-grained levels of filtering but that's a plus for those who are not advanced users - it simply allows or blocks an "app" from connecting to the internet. It can also monitor your bandwidth usage.
(The Mac version is very stable, but I found the Windows 10 version to be a bit buggy).
I will be curious what kinds of bugs blocking said requests flushes out of various applications. I expect some applications will be built robustly and gracefully accept that adserver.trackallusers.com has suddenly ceased to exist forever, and continue to do what the user expects them to do. But, I will not be surprised if other applications turn out to crash, turn into security vulnerabilities, or throw up annoying popups that say something like, "We use advertisements to pay for this awesome free service we give you. :( Please unblock evil-cabal.org. An assassin has been dispatched to ensure your compliance." Okay, maybe I'm not expecting that last one quite so much, but crashes and breakages are totally plausible, IMO.
Why do people use non-standard ports for public internet-facing services?
londons_explore|6 years ago
To me it just smells of "we don't have enough public IPs, and still manage our network with port-forwarding rather than a proper application-level load balancer".
That matches my observations that 'ancillary' services frequently seem to be on non-standard ports - like the employee login portal, the company webchat service, the analytics service, etc.
GeekyBear|6 years ago
I will second the notion that setting up your preferences after installing little snitch is a bit overwhelming, especially if it's on a machine where you have installed a lot of software.
It's alarming just how much software starts running in the background after a startup, and starts making connections you didn't know about before you ever open a single user application.
m463|6 years ago
Looking up 2020-01-31-user-kstrauser.example.com might cause a DNS lookup to go out, even though little snitch will block the subsequent web traffic to it.
I think umatrix helps with that.
Does Little Snitch work as a kernel extension? I use Lulu, but it really screws with VirtualBox and generally can really stress the kernel if you try to do something very network-intensive. Would love to find a better alternative, ideally free.
This is neat, but it seems strange to call it a "port" of a closed source proprietary commercial product. It doesn't actually seem to be related beyond also being a firewall with a UI that kinda imitates Little Snitch.
gruez|6 years ago
Software like this seems like snake oil to me. They often rely on process paths to identify applications, but that can be easily bypassed by using a reputable/plausible program as a lackey [1], or by more sophisticated techniques like process hollowing [2]. Afterwards, they can communicate as the (presumably whitelisted) application. Any host-based rules (if any) can be bypassed by routing internet traffic through "popular" domains (e.g. CDNs, social media networks), or by social engineering (e.g. triggering a request at the same time as a user action, to make the user think it's something he intended to do).
On unsandboxed platforms, you either trust an application completely, or you don't. Tools like little snitch don't turn dangerous programs into safe ones; they only give you a false sense of security.
[1] https://news.ycombinator.com/item?id=22207089
[2] https://wikileaks.org/ciav7p1/cms/page_3375167.html
bscphil|6 years ago
> They often rely on process paths to identify applications, but that can be easily bypassed by using a reputable/plausible program as a lackey, or more sophisticated techniques like process hollowing
Even that is difficult to achieve and possibly opens up additional attack surfaces. On Linux, AFAIK, there's no built in method to filter packets on the basis of the path of the sending process, so firewalls like this have to be adding a kernel module (like Douane does), which adds attack surface, or basically attempting to work out the path on a "best effort" basis, which seems to be what OpenSnitch does, with mixed results [1] [2].
Seems like this is probably a useful tool to figure out programs that are talking to servers when they're expected to be silent, but I probably wouldn't rely on it for security, at least until / unless more robust application level filtering is built into the Linux kernel. For better or worse, it seems like the intended approach for Linux systems is to rely on the Unix permissions model: a program running under a user is allowed all the permissions that user has. The fact that this isn't really ideal for single-user desktops notwithstanding.
[1] https://github.com/evilsocket/opensnitch/issues/12
[2] https://github.com/evilsocket/opensnitch/issues/171 <- apparently some applications bypass OpenSnitch by accident, so it wouldn't be surprising to find out that malicious programs could / are doing it on purpose.
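The "best effort" path lookup the comment above refers to is, on Linux without a kernel module, a walk over procfs: find the socket's inode in /proc/net/tcp, find the /proc/<pid>/fd entry that links to socket:[inode], then read /proc/<pid>/exe. The following is an added Python illustration of that walk, not OpenSnitch's or Douane's code. It parses a constructed /proc/net/tcp excerpt and exercises the fd scan against a throwaway procfs lookalike built in a temp directory (so it runs without root); `make_fake_proc`, the sample addresses and the inode numbers are all invented. The point a defender should take from it is in `pid_for_inode`: the scan is racy by construction, and a lookup that fails has to be treated as "unknown", never as "trusted".

```python
"""Best-effort socket-to-process attribution on Linux via procfs, the way a
user-space application firewall without a kernel module has to do it.

Added example (not OpenSnitch's or Douane's code). The parser runs on a
constructed /proc/net/tcp excerpt; the fd scan races with the process, which
can exit, close the socket, or exec another binary between packet and scan."""
import os
import socket
import struct
import tempfile

TCP_ESTABLISHED = 1


def _decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22): /proc encodes IPv4 as a
    little-endian 32-bit hex number, then a hex port."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """/proc/net/tcp text -> rows of local, remote, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def inode_for_connection(rows, remote_ip, remote_port):
    """Socket inode of the connection to remote_ip:remote_port, or None."""
    for r in rows:
        if r["remote"] == (remote_ip, remote_port):
            return r["inode"]
    return None


def pid_for_inode(inode, proc="/proc"):
    """Scan every <proc>/<pid>/fd for a link to socket:[inode]. Reading a
    foreign fd table needs the same uid or root; None means 'owner unknown',
    which a firewall must not silently promote to 'trusted'."""
    want = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None                              # no procfs at this path
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                             # exited meanwhile, or not ours
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == want:
                    return int(pid)
            except OSError:
                continue                         # fd closed under us
    return None


def exe_for_pid(pid, proc="/proc"):
    try:
        return os.readlink(os.path.join(proc, str(pid), "exe"))
    except OSError:
        return None


def attribute(remote_ip, remote_port, net_tcp_text=None, proc="/proc"):
    """(pid, exe_path) for the connection, or None if any step fails.
    net_tcp_text defaults to the live <proc>/net/tcp."""
    if net_tcp_text is None:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            net_tcp_text = fh.read()
    inode = inode_for_connection(parse_proc_net_tcp(net_tcp_text), remote_ip, remote_port)
    if inode is None:
        return None
    pid = pid_for_inode(inode, proc)
    if pid is None:
        return None
    return pid, exe_for_pid(pid, proc)


# Constructed /proc/net/tcp excerpt: a listener on 127.0.0.1:22 and one
# established connection 192.168.1.20:54321 -> 203.0.113.7:9876 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:D431 077100CB:2694 01 00000000:00000000 00:00000000 00000000  1000        0 98765 1 0000000000000000 20 4 30 10 -1
"""


def make_fake_proc(pid=4242, inode=98765, exe="/usr/bin/curl"):
    """Throwaway procfs lookalike (constructed): <root>/<pid>/fd/3 -> socket:[inode]
    and <root>/<pid>/exe -> exe, so the scan can be exercised without root."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, str(pid), "fd"))
    os.symlink("socket:[%d]" % inode, os.path.join(root, str(pid), "fd", "3"))
    os.symlink(exe, os.path.join(root, str(pid), "exe"))
    return root
```

Running `attribute("203.0.113.7", 9876)` with no text argument on a real Linux box performs the live lookup; whether it finds anything depends on who owns the socket and whether the process is still there by the time the scan reaches it, which is the gap the linked OpenSnitch issues describe.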
bigiain|6 years ago
> On unsandboxed platforms, you either trust an application completely, or you don't. Tools like little snitch don't turn dangerous programs into safe ones; they only give you a false sense of security.
I think the name carries a great implication here though. It "snitches" on the apps you have running. Mostly it's not practical (or possible) to work out the "trustworthiness" of every application you run. This discussion has several examples of people realising "_Seriously_ chrome/firefox, you're doing _what?_" when they get Snitched on. That seems useful...
Applications that perform DLL injection, modify the PEB, or try ring 0 escalation can already be detected in some forms by heuristic antivirus. Little Snitch is still useful as long as the other bases are covered. Think of security as a whole instead of debunking a utility because it fails to prevent other types of exploitation.
An application can also repeatedly ask for permissions, flooding the user with (Little Snitch or whatever) popups until they give up and disable it just to be able to use their computer again.
chmars|6 years ago
'Predictably, online discussions about problems with app translocation and Little Snitch usually recommend stripping quarantine flags, and from what I can see, this has become quite widespread practice. Yet – just as in the blog article – no one seems to be concerned that what they are doing is bypassing macOS’s primary security defences.'
https://eclecticlight.co/2020/01/26/last-week-on-my-mac-when...
One feature opensnitch has (and I have not seen mentioned here) is that you can run the filter on one device e.g. your openwrt router, and the GUI on your laptop; this is a nice feature that no other “personal” firewall (including the original LittleSnitch) provides - filtering for your iPad and smart tv as well!
Fun fact: in macOS Little Snitch, if you create a separate profile for your VPN interface (as specified, with the goal of allowing certain apps/traffic only when the VPN is up), circumventing the VPN is as easy as:
curl --interface en0 ifconfig.co
In other words, no firewall rules are applied to actually block traffic on the non-VPN interface. Apps are only blocked from accessing the internet when the VPN interface goes down.
Reminds me of that Windows marvel called Kerio Personal Firewall, which allowed you to restrict connections for any application, a feature that Linux should have had since forever and which is becoming more and more important today. Most Linux FOSS apps may not call home, but closed, hosted or emulated ones (through WINE, for example) often do.
Linux does do that, and has since kernel 2.2 or so; in fact, opensnitch is a user-mode process thanks to Linux allowing that, whereas Windows needed drivers last I checked (Win 2000 days, but the network driver model was still the same for Win 7 and even later, IIRC).
nathants|6 years ago
I wanted something a bit simpler, so forked and reduced. Recently dropped path matching except for display in the visual prompt; simple global firewall, inbound and out. As others noted, path matching is quite janky. Never saw a use of libnetfilterqueue before this, so hats off to evilsocket.
https://github.com/nathants/tinysnitch
I_am_tiberius|6 years ago
Great that this exists. I really like the application. Here are some issues:
- There's a countdown when an unknown outgoing connection is discovered - the countdown is currently not being stopped when you focus the countdown window. The countdown is only 15 seconds or so - if the countdown is over, it automatically approves the connection.
- Rules cannot be edited via the python interface. There is one config file per rule though.
- My computer has been freezing sometimes since I started using it. Not sure whether that behavior is related to the tool.
- Sometimes high cpu usage.
- It would be great to have some kind of rule-set which can be used as a starting point (optionally).
- Python interface is slow. Generally not a fan of client applications that are based on Python.
About 15 years ago this kind of "application firewall" used to be really popular on Windows. IIRC, ZoneAlarm and/or Kerio was really popular? And some Antivirus software also included application firewall. Can't vouch for anything particular these days, though, haven't used such thing for a long time.
jedisct1|6 years ago
I've never been a fan of that kind of application.
As a user, it ruins the usability of the operating system. Having alert boxes constantly popping up feels empowering at first, and eventually becomes really annoying and distracting.
As a developer, it breaks your application's expectations and is the root cause of hard-to-diagnose bug reports. People don't understand what they do and end up breaking software updates (making applications less secure) or other applications' features.
kccqzy|6 years ago
Nowadays everyone seems to ask nsurlsessiond to make a connection to AWS on port 443.
hi5eyes|6 years ago
No need, Little Snitch is one of the most popular programs for power Mac users; I've been a fan since at least 2011.
antiuniverse|6 years ago
I think a better term might be "clone"?
TwoNineFive|6 years ago
It's just a Hyperbolic Headline.
bangonkeyboard|6 years ago
It is annoying that it still calls itself a port three years later.
adultSwim|6 years ago
https://github.com/evilsocket/opensnitch/issues/259
eugeniub|6 years ago
As a developer, you kind of have to just accept users taking back their own privacy and work around it.