Explanations for protected rules

General discussions about Little Snitch
jumboconcussion
Posts: 9
Joined: Wed Oct 14, 2015 2:47 pm

Explanations for protected rules

Postby jumboconcussion » Wed Oct 14, 2015 3:03 pm

Hi everyone,

I was wondering if someone could explain the protected rules at the top of the LS configuration, and why I would enable or disable them?

What are ICMP/UDP incoming connections? I know the right hand side of the LS configuration provides a little explanation for both, but I would like some more information on it. Would my internet experience suffer if I were to disable them? What's the risk, in terms of malware/remote access, if I kept them enabled?

Also - allowing outgoing or incoming connections to my local network - why would I or wouldn't I need to do that? Does it open me up to infecting my system if other machines on the network are infected (especially if I'm using public wi-fi)? I'm on the home wi-fi and I tried testing it out just then by disabling the incoming connections from local network rule. Within 5 minutes LS notified me that my MacBook (system, not me) tried to establish incoming connections to mDNSResponder, port 5353:

- from the IPv4 address associated with my MacBook on the home wi-fi
- from fe##::####:#$$$:$$$#:##$$
- from fe##::$$$$:##$$:$$#$:##$#

(I figured I should disguise it just in case? Anyway, hashes are numbers, dollar signs are letters)

I feel comfortable using LS but my knowledge of networking/IP stuff is basic at best, so I need some assistance in understanding the protected rules.

Medic427
Posts: 13
Joined: Tue Jul 22, 2014 5:02 am
Location: Northport, New York
Contact:

Re: Explanations for protected rules

Postby Medic427 » Thu Oct 15, 2015 11:08 pm

The explanations are that I really hope someone, besides telling what each connection is, does something about it. Then tell me exactly what each rule is for, despite being "Protected Rules"; if you do not want a connection or service on my system or systems, then I do not want that connection. I would like the ability to know what every single rule and process does. If anyone has a list of all Mac connections and the processes associated with them, please post them here or share them via a link in a reply. Thanks in advance.

Rich

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Explanations for protected rules

Postby hagen » Fri Oct 16, 2015 7:47 pm

jumboconcussion wrote: I was wondering if someone could explain the protected rules at the top of the LS configuration, and why I would enable or disable them?

What are ICMP/UDP incoming connections? I know the right hand side of the LS configuration provides a little explanation for both, but I would like some more information on it. Would my internet experience suffer if I were to disable them? What's the risk, in terms of malware/remote access, if I kept them enabled?

Simple question, complex answers.

It depends on your configuration and usage. The short answer is to allow what you need, and block everything else. Testing can be done by blocking a particular connection and finding out what happens - if nothing breaks then the connection wasn't necessary and it might as well be blocked. If something doesn't work anymore, the purpose of the connection is revealed.

This gets rather complicated with ICMP and UDP, however. Here are some old threads that should help explain what's going on.
viewtopic.php?f=1&t=6936
viewtopic.php?f=1&t=9283
viewtopic.php?f=1&t=7219


Also - allowing outgoing or incoming connections to my local network - why would I or wouldn't I need to do that? Does it open me up to infecting my system if other machines on the network are infected (especially if I'm using public wi-fi)? I'm on the home wi-fi and I tried testing it out just then by disabling the incoming connections from local network rule. Within 5 minutes LS notified me that my MacBook (system, not me) tried to establish incoming connections to mDNSResponder, port 5353:

- from the IPv4 address associated with my MacBook on the home wi-fi
- from fe##::####:#$$$:$$$#:##$$
- from fe##::$$$$:##$$:$$#$:##$#

Port 5353 is used by mDNSResponder for Bonjour and what's called "advertising services". I'm not sure exactly what that means, other than communication between network devices. People disabling mDNSResponder's bonjour functions find that the network printer won't work, for instance.
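The "local network" and mDNS questions in this thread come down to knowing what kind of peer a reported connection has before deciding whether to block it. As an added example that is not part of the thread and not Little Snitch's own code, here is a small Python script that classifies a connection's peer address by scope (loopback, link-local, private, multicast, global) using only the standard library, and flags Bonjour/mDNS traffic by its well-known markers (UDP port 5353 and the multicast groups 224.0.0.251 and ff02::fb). The record format and the sample connections are constructed to resemble the report above; the fe80::1 address is a placeholder, and the script does not encode Little Snitch's actual rule semantics, only the address classes they are built around.

```python
import ipaddress
from collections import Counter

# Bonjour / mDNS: UDP port 5353 and two well-known multicast groups.
MDNS_PORT = 5353
MDNS_GROUPS = {
    ipaddress.ip_address("224.0.0.251"),  # IPv4 mDNS group
    ipaddress.ip_address("ff02::fb"),     # IPv6 link-local mDNS group
}


def parse_peer(addr_str):
    """Parse an address, dropping an IPv6 zone id such as '%en0'."""
    return ipaddress.ip_address(addr_str.split("%", 1)[0])


def address_scope(addr_str):
    """Classify an address into the scope a local-network rule cares about."""
    a = parse_peer(addr_str)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"      # checked before is_private: ff02::/16 is not 'private'
    if a.is_link_local:
        return "link-local"     # fe80::/10 or 169.254.0.0/16; never routed off the LAN
    if a.is_private:
        return "private"        # RFC 1918 (e.g. 192.168.0.0/16) or IPv6 ULA fc00::/7
    if a.is_global:
        return "global"
    return "other"


def classify_connection(conn):
    """Return which kind of traffic a (constructed) connection record represents.

    conn is a dict with keys: process, direction, proto, peer, port.
    'port' is the local port for incoming connections and the remote port
    for outgoing ones (mDNS uses 5353 on both sides).
    """
    scope = address_scope(conn["peer"])
    peer = parse_peer(conn["peer"])
    if conn["proto"] == "UDP" and (conn["port"] == MDNS_PORT or peer in MDNS_GROUPS):
        return "mdns"           # Bonjour discovery; blocking it is what breaks printers
    if scope in ("loopback", "link-local", "private", "multicast"):
        return "local-network"
    if scope == "global":
        return "internet"
    return "unknown"


def summarize(conns):
    """Count connections per (process, class) so the noisy ones stand out."""
    return Counter((c["process"], classify_connection(c)) for c in conns)


# Constructed records modelled on the report above (not real captured data).
SAMPLE_CONNECTIONS = [
    {"process": "mDNSResponder", "direction": "in", "proto": "UDP",
     "peer": "192.168.1.23", "port": 5353},
    {"process": "mDNSResponder", "direction": "in", "proto": "UDP",
     "peer": "fe80::1%en0", "port": 5353},           # placeholder link-local address
    {"process": "mDNSResponder", "direction": "out", "proto": "UDP",
     "peer": "224.0.0.251", "port": 5353},
    {"process": "cupsd", "direction": "out", "proto": "TCP",
     "peer": "192.168.1.40", "port": 631},            # printer on the LAN (IPP)
    {"process": "curl", "direction": "out", "proto": "TCP",
     "peer": "1.1.1.1", "port": 443},                 # something leaving the LAN
]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(f'{c["process"]:14} {c["direction"]:3} {c["proto"]} {c["peer"]:18} '
              f'port {c["port"]:<5} scope={address_scope(c["peer"]):10} '
              f'class={classify_connection(c)}')
    print(summarize(SAMPLE_CONNECTIONS))
```

The point of the classes: an incoming UDP packet on port 5353 from a private or link-local address is the normal chatter of Bonjour service discovery on your own LAN, which is why disabling the local-network rule produces those alerts within minutes; the same process talking to a global address would be the unusual case worth looking at. Multicast is checked before the private ranges because Python's `is_private` does not cover the multicast groups, and a zone id like `%en0` is stripped so older Python versions can parse the address.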

Uberpotentate
Posts: 1
Joined: Wed Jan 25, 2017 1:09 pm

Re: Explanations for protected rules

Postby Uberpotentate » Wed Jan 25, 2017 1:50 pm

Port 5353 is used by mDNSResponder for Bonjour and what's called "advertising services". I'm not sure exactly what that means, other than communication between network devices. People disabling mDNSResponder's bonjour functions find that the network printer won't work, for instance.


I find the mDNSResponder port 5353 is used for hackers to gain access to your Mac via your network devices. This is happening to me via my iPad and Android streaming devices in my home. Has happened through my wireless router too. It can happen through my iPhone also, just not right now. He can change my Apple ID passwords by remotely accessing my iPad and going to iCloud and going to "change your password". Lesson learned the hard way. Don't jailbreak your devices.

There are ways to get you without jailbreaking, and that's going straight through your network or Bluetooth, but unless they are next door like my hacker is, that isn't likely. I got Little Snitch for just this reason. I block everything until I look it up: auto-deny everything, go back and fix later. Do a Whois on the domain name that's trying to open and do a traceroute, or even search for the site on Google and see what you find. You can usually get a hint of what you want to deny.

In the trial and error period I have had to turn my network connection off, securely erase my drive and start over because I didn't know what to block and my hacker got in. I have that fixed now. Good luck to each of you in your endeavor to stay safe on the internet.

dmg15
Posts: 1
Joined: Sun Feb 11, 2018 1:33 am

Re: Explanations for protected rules

Postby dmg15 » Sun Feb 11, 2018 1:55 am

I agree with the above. DNS and mDNS ports are a common route for hackers to gain access to your network because it is almost certain that a network will have that port open or filtered. I found that setting DNS server addresses at gateway level and then using Little Snitch to block all communication by mDNSResponder except directly with your gateway IP address was the most secure I could come up with.

It sounds like I have a similar "hacker next door" to the person above, and I in fact did those same steps to get a better understanding. It's a tedious process, and it's made more frustrating by the fact Little Snitch doesn't block connections through Bluetooth as mentioned, but if you start by blocking all IPv6 traffic in and out it will be much less overwhelming!

FYI - I found it's also common that a hacker might try to gain access to a network through broadcast addresses and IPv6, which are often ignored by routers' built-in firewalls.
