Block subdomains?

tbone
Posts: 1
Joined: Sat May 15, 2010 6:53 pm

Re: Block subdomains?

Post by tbone » Sat May 15, 2010 7:41 pm

It appears to me that there are a lot of people who just don't understand what Little Snitch does.

Little Snitch allows you to apply rules to IP packets at the application level; you can basically create rules that decide what IP addresses and ports an application is allowed (or not) to send (or receive) packets from. That's it. And it does it very well.

A lot of people on this thread want to do http blocking based on hostnames, not IP address or port number. Little Snitch does not do this.

What you want to do is what all the parental control programs are doing: you hijack all the browser's interaction with web servers and send them through what is essentially a non-caching proxy server that runs on your own computer.

The best one of these is Privoxy but it's too hard for most users to install on a Mac, so your best choice is GlimmerBlocker http://glimmerblocker.org/. These programs allow you to create the kind of hostname based rules for web traffic that some people think Little Snitch can do.

After installing Privoxy or GlimmerBlocker though you have a new problem. You're going to have to tell Little Snitch to allow Privoxy or GlimmerBlocker to access any website, trust me you don't want to not do this. So any rules for websites have to go into your Privoxy or GlimmerBlocker filters.

The remaining problem now is that any application on your Mac that wants to talk to a website can do it through the proxy, so if you want an application to not be allowed to talk to any websites you can't. The Little Snitch developers mention in this thread http://forums.obdev.at/viewtopic.php?f=1&t=2222 that they will eventually let you configure what applications can and can not use a proxy server on your Mac. Until that time comes you need to resort to workarounds like described here http://glimmerblocker.org/wiki/LittleSnitch.

This might all be a bit complicated but at the end you have achieved what you wanted, the application level filters of Little Snitch combined with fully flexible hostname-based filtering in GlimmerBlocker for web traffic. You also have the added benefit of being able to take advantage of other people's work in creating filters for GlimmerBlocker so you don't have to do it yourself.

Having said all that though, please think twice before blocking ads. Read this article http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars to understand more about how tough it can be on your favorite websites and try to see it from their point of view, after all you want your favorite website to be there tomorrow and still be free don't you? (or maybe you'd prefer to pay for it?).

norbert
Objective Development
Posts: 648
Joined: Thu Nov 09, 2006 6:30 pm

Re: Block subdomains? [SOLVED]

Post by norbert » Fri Oct 15, 2010 5:10 pm

Little Snitch 2.3 adds support for domain rules, allowing you to specify rules that match an entire domain instead of just a particular hostname.

A nightly build of Little Snitch 2.3 is already available and can be downloaded from:

http://www.obdev.at/littlesnitch/nightly.html

farnsworth
Posts: 2
Joined: Mon Mar 02, 2009 1:10 am
Location: MD, USA

Re: Block subdomains?

Post by farnsworth » Mon Oct 25, 2010 1:23 am

HUZZAH! (2.3.1)

It's not wildcards, but it's absolutely all that I needed. My new iTunes ruleset looks like:

Allow TCP connections to port 443 (https) in domain itunes.apple.com
Allow TCP connections to port 443 (https) of securemetrics.apple.com
Allow TCP connections to port 80 (http) in domain itunes.apple.com
Allow TCP connections to port 80 (http) in domain itunes.apple.com.edgesuite.net
Allow TCP connections to port 80 (http) in domain phobos.apple.com.edgesuite.net
Allow TCP connections to port 80 (http) of service.cddb.com

(excluding Genius and Ping). To commemorate this momentous occasion I even tested it with a purchase: http://itunes.apple.com/us/album/pin-dr ... d392652261

Note that what LS calls "domain" actually appears to include arbitrary-level subdomain, precisely what I'd hoped for. Three cheers for christian, norbert, et al! I wish the board software had notified me of followup activity on this thread; I'd have jumped in much earlier.
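
Added example (not part of the thread, and not Little Snitch's own code): a model of the "of host" versus "in domain" rule semantics farnsworth describes, run against the ruleset quoted above. The whole-label suffix match, the assumption that a domain rule also matches the domain name itself, and the names `in_domain` and `allowed` are illustrative choices.

```python
# Added example: models the rule semantics described in the post above.
# It is not Little Snitch code; the matching logic is an assumption.

# Constructed from the ruleset quoted in the post: (scope, name, port)
RULES = [
    ("domain", "itunes.apple.com", 443),
    ("host", "securemetrics.apple.com", 443),
    ("domain", "itunes.apple.com", 80),
    ("domain", "itunes.apple.com.edgesuite.net", 80),
    ("domain", "phobos.apple.com.edgesuite.net", 80),
    ("host", "service.cddb.com", 80),
]


def normalize(name):
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def in_domain(hostname, domain):
    """True if hostname is the domain itself or a subdomain at any depth.

    The comparison is done on whole DNS labels, so 'notitunes.apple.com'
    does not match 'itunes.apple.com' the way a plain endswith() would.
    """
    host_labels = normalize(hostname).split(".")
    dom_labels = normalize(domain).split(".")
    if len(host_labels) < len(dom_labels):
        return False
    return host_labels[-len(dom_labels):] == dom_labels


def allowed(hostname, port, rules=RULES):
    """Default-deny: allow only if some rule matches both host and port."""
    for scope, name, rule_port in rules:
        if port != rule_port:
            continue
        if scope == "host" and normalize(hostname) == normalize(name):
            return True
        if scope == "domain" and in_domain(hostname, name):
            return True
    return False


if __name__ == "__main__":
    for host, port in [("a1.phobos.apple.com.edgesuite.net", 80),
                       ("x.securemetrics.apple.com", 443),
                       ("itunes.apple.com.example.net", 80)]:
        print(host, port, "allow" if allowed(host, port) else "deny")
```

A host rule stays exact, so a subdomain of `securemetrics.apple.com` is denied, while a name that merely contains `itunes.apple.com` in the middle is denied because matching is anchored at the right-hand labels.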
