Little snitch started blocking all traffic

shakelogy
Posts: 3
Joined: Wed Sep 21, 2016 6:08 am

Little snitch started blocking all traffic

Postby shakelogy » Sun Jul 16, 2017 6:35 am

I've had Little Snitch installed and running without issues for 2-3 years now. I reinstalled OS X from a Time Machine backup 2 weeks ago, and after booting up reimported a backup of the Little Snitch rule set. All has been well until 2 days ago when all web browsing started being blocked.

The current situation is that when I turn off the network filter I can browse the web, but as soon as I turn the filter back on, all web browsing is blocked. I tried restoring the rule set again from the known good backup, but it's still blocking.

There haven't been any changes to the networking or OS that I am aware of.

Little snitch 3.7.4
OS X El Capitan 10.11.6

How should I troubleshoot the problem? Thanks

Doctor X
Posts: 3
Joined: Sat Nov 18, 2017 7:23 am

Re: Little snitch started blocking all traffic

Postby Doctor X » Sat Nov 18, 2017 7:26 am

Sadly, this was not answered.

With the latest Nightly Update--LS 4.0.4 (5102)--having Network Filter on starts blocking favorite and safe webpages. I have had to shut it off. I have searched for a guide on configuring it, but cannot find one.

OS 10.13.1

--J.D.

christian
Objective Development
Posts: 1369
Joined: Thu Nov 09, 2006 11:46 am

Re: Little snitch started blocking all traffic

Postby christian » Tue Nov 21, 2017 2:57 pm

When something is blocked, Network Monitor flashes the connection line in red. Drill down to a specific connection line by clicking disclosure triangles. Then right-click the line to get a context menu. Choose "Show corresponding rules" to see all rules which match the line, or hold down the option key and choose "Show recently used rules" to see which rules caused the connection to be blocked.

This SHOULD give you some insight. If it does not, please come back with more details (what was blocked, why should it be allowed etc...).

Doctor X
Posts: 3
Joined: Sat Nov 18, 2017 7:23 am

Re: Little snitch started blocking all traffic

Postby Doctor X » Tue Nov 21, 2017 4:40 pm

We may have just corresponded on this issue. I have a "solution" of sorts.

Short Quick Slightly Painful Answer:

    1. Download the Current LS from obdev: as of writing it is 4.0.3
    2. Allow it to replace the Nightly--as of writing it is 4.0.4 (5102)
    3. Reboot as instructed
    4. Confirm it works--yay! If not, then you have a different problem
    5. Allow to Update to Nightly

and that worked. However, the situation is a bit weird so onto:

Long-Winded More Complete Answer:

One may try to just download the Nightly Build again and install rather than go through the bother of downgrading, rebooting, upgrading, rebooting, scaring the neighborhood children.

In e-mails from obdev staff, we went through what christian suggests plus other things. Here is the problem: Network Monitor did not show anything blocked. :shock:

However, up on that top menu bar, where the LS real time monitor sits, when I tried to visit favorite webpages now blocked, there would be the Red X flash that indicates "something" got blocked. Refresh --> same thing.

Yay! Something is being blocked. :D

Problem: in Network Monitor nothing is indicated as blocked. Even as you refresh, see the Red X, there would be none in the Network Monitor nor would the Denied section indicate anything. :?

I decided to downgrade to LS 4.0.3--one Staff member did not believe this would change anything--but it WORKED. No block.

So I booted to my hour-old Clone of my main HD--which included 4.0.4 (5102) version with all of the same rules--and figured I would [CENSORED--Ed.] with LS rules and see if I could find where the problem is.

Now, for those who do clone, you know that your Clone is never perfect--LS will recognize a mismatch and ask if you want to go to Default OR retain your cloned rules. One of the things I was going to try was Default, but I figured I would see if I could try to find the offending rule.





It worked without an issue.

Wrap your mind around that: a clone of my HD with the LS 4.0.4 that DID NOT work . . . worked.

So I booted back to my main HD with LS 4.0.3, let it upgrade . . . rebooted . . . and it works.

So I do not know what that all means. Perhaps the first upgrade failed in some fashion, but why by selectively blocking some webpages and not others--on all browsers so this is not a browser-specific rule!--I have no frelling idea.

Hope the short answer helps other people.

--J.D.

christian
Objective Development
Posts: 1369
Joined: Thu Nov 09, 2006 11:46 am

Re: Little snitch started blocking all traffic

Postby christian » Tue Nov 21, 2017 4:57 pm

Very interesting. I have no explanation for this. Note that the traffic meter in the menu bar is driven by Network Monitor as a summary of all items. You might have had a filter active so that not all items were visible, or you might have had the mouse in the window so that animations are paused and the red flashing line does not come to the top.

But all that does not explain why the connections were blocked and were not blocked before and not blocked after an upgrade.

If you find out anything, please let us know!

Doctor X
Posts: 3
Joined: Sat Nov 18, 2017 7:23 am

Re: Little snitch started blocking all traffic

Postby Doctor X » Wed Nov 22, 2017 10:51 am

Boring Explanation:

One thing I have noticed is either Little Snitch wants confirmation on renewing a rule after cloning/update OR some rules do not carry over. What I mean is, after some upgrades and a restoration from a clone I will get what appear to be "first time" alerts from particularly background programs like Undercover, which is a venerable anti-theft program for Macs.

Just now, I started VLC to watch some highly educational French lichen porn :wink: . . . and I got the Alert to allow VLC to connect to itself for updates. That is something I always allow, but I have noticed that after some updates OR restoration from a clone, I have to re-allow that.

Therefore, I suspect what happened is some rules either do not all carry over for whatever reason OR LS wants reconfirmation for the first time AND I--and others--may have inadvertently blocked something without realizing this. I actually just did this with Mail: Google wanted to connect to something that seemed suspiciously advertisement . . . and I lost Gmail!

Here is the odd thing on that--it took a bit to "find" that mistake. It was not listed in the "24 Rules" even though I had just done it. I did find it, and it MAY be that I and others did that which somehow blocked some sites on the Internet.

Now why sites located in different IPs far away . . . and not others? I do not know.

Another Solution:

    1. Screen capture your Rules.
    2a. Replace Little Snitch from either a Clone/Back Up or direct replacement from a download . . . OR . . .
    2b. Simply Reset your rules to "factory default" as in, basically, no rules. If you have it set to Alert you with connection requests:
    3. Simply recreate your rules as needed. Check your screen capture to see if something is missing.

The "Good News" is LS in Alert Mode, will ask as each application tries to connect somewhere.

Hope that helps people.

--J.D.

christian
Objective Development
Posts: 1369
Joined: Thu Nov 09, 2006 11:46 am

Re: Little snitch started blocking all traffic

Postby christian » Wed Nov 22, 2017 5:25 pm

I think we get closer to the cause of the problem.

When you restore from a clone, Little Snitch notices that the configuration was changed. Since such a change may be done by a malicious program, it asks the user for confirmation. Until the change is confirmed, factory rules are in effect.

Little Snitch Daemon, the daemon which notices the change, cannot ask by itself because it runs outside your console session. It asks Little Snitch Agent (the program running in your console session) to show the alert. Little Snitch Agent is responsible for showing alerts of all types (connection alerts and the alert just mentioned).

For reasons we do not understand yet, there seems to be a bug which prevents the "confirm new configuration" alert from being shown. The same bug may (or may not) prevent connection alerts from being shown, or at least delay all these alerts.

You can verify this hypothesis by starting Little Snitch Configuration. Does it show the factory rule set? What happens if you kill Little Snitch Agent? Does it come up with alerts previously not seen? Is this theory consistent with your observations?

