Can't block incoming connections?

General discussions about Little Snitch
d1rewolf
Posts: 3
Joined: Wed Jan 10, 2018 11:23 pm

Can't block incoming connections?

Postby d1rewolf » Wed Jan 10, 2018 11:28 pm

I have disabled all incoming rules, and explicitly added a block for ssh. However, little snitch blocks absolutely nothing.

Rules:

https://imgur.com/kCXPFSY

However, from another host on my network:


pi@raspberrypi:~ $ nmap 192.168.2.2

Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-10 16:26 EST
Nmap scan report for my-mac (192.168.2.2)
Host is up (0.0027s latency).
Not shown: 967 closed ports, 28 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3283/tcp open  netassistant
5060/tcp open  sip
5061/tcp open  sip-tls
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds
pi@raspberrypi:~ $ ssh user@192.168.2.2
Password:
Last login: Wed Jan 10 16:20:54 2018 from 172.16.1.7
➜  ~

What makes it worse is that I was trusting Little Snitch to block this for some time, and I realized today I can even ssh into my machine from a machine I've connected to via an openvpn connection....so I've been exposing myself to that entire network on the other side.

Help please!

Thanks in advance.

d1rewolf

christian
Objective Development
Posts: 1379
Joined: Thu Nov 09, 2006 11:46 am

Re: Can't block incoming connections?

Postby christian » Fri Jan 12, 2018 11:37 am

You are denying port 22 for your own processes only, not for system processes. Ssh runs as a system process. Double-click the rule and change the process owner in the pop-up to the right of the process name.

Regards, Christian.

d1rewolf
Posts: 3
Joined: Wed Jan 10, 2018 11:23 pm

Re: Can't block incoming connections?

Postby d1rewolf » Fri Jan 12, 2018 2:42 pm

Actually, that rule is set to "Any Process". Wouldn't that cover system processes? And why would disabling all other incoming rules not work?

Thanks Christian.

marco
Objective Development
Posts: 41
Joined: Mon Jul 28, 2014 3:00 pm
Location: Vienna, Austria

Re: Can't block incoming connections?

Postby marco » Fri Jan 12, 2018 2:47 pm

Regarding your question to Christian: “Any Process” simply means that it doesn’t matter where the process’ executable is located on disk. It still matters which user runs that process.

Back to your original question, could it be that Silent Mode is enabled and set to allow new connections? You can check that by clicking Little Snitch’s menu item in the top right area of the screen and checking what is selected in “Operation Mode”.

Regardless, you can always check Little Snitch Network Monitor to see which rules allow or deny a particular connection.

christian
Objective Development
Posts: 1379
Joined: Thu Nov 09, 2006 11:46 am

Re: Can't block incoming connections?

Postby christian » Fri Jan 12, 2018 2:57 pm

I've looked at your screenshot and it does not show the "any owner" icon for the rule. This means that it affects processes owned by you only. The owner pop-up is to the right of the "Any Process" selection in the rule inspector.

d1rewolf
Posts: 3
Joined: Wed Jan 10, 2018 11:23 pm

Re: Can't block incoming connections?

Postby d1rewolf » Fri Jan 12, 2018 3:08 pm

Thanks guys. I do have silent mode enabled, and it is indeed set to "Allow connection attempts". I'd like to allow all outbound in silent mode, but block certain inbound (specifically, allow ssh and vnc from just local net). Does silent mode in allow block incoming connections, or does it allow both inbound/outbound?

marco
Objective Development
Posts: 41
Joined: Mon Jul 28, 2014 3:00 pm
Location: Vienna, Austria

Re: Can't block incoming connections?

Postby marco » Fri Jan 12, 2018 3:19 pm

Silent Allow Mode allows connections in both directions (incoming and outgoing).

Existing allow and deny rules are still honored in Silent Mode, though, so you could create three rules: one that denies any incoming connection, one that allows SSH connections from the local network and one that allows VNC connections from the local network. For example, you could copy the following text and paste it in Little Snitch Configuration. Note that on newer versions of macOS, launchd (not sshd) accepts connections for SSH.

action: deny
direction: incoming
process: any
owner: any
destination: any

action: allow
direction: incoming
process: /sbin/launchd
owner: system
destination: local-net
port: 22
protocol: TCP

action: allow
direction: incoming
process: /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd
owner: system
destination: local-net
port: 5900
protocol: TCP
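
To make the two points of this thread concrete (the owner field on a rule, and how a blanket deny combines with narrower allows), here is a small, added evaluator for the rule-text format pasted above. It is example code written for this thread, not Little Snitch's own code or its real matching engine. It assumes that the most specific matching rule wins (the only reading under which the three rules above work as intended), that "destination" on an incoming rule is the remote peer's address, that "local-net" is the 192.168.2.0/24 subnet visible in the nmap scan, and that when no rule matches, Silent Allow Mode's default applies. The user name "me", the rule named ORIGINAL_RULE and all sample connections are constructed for the illustration.

```python
"""Toy evaluator for Little Snitch-style rule text (added example, not the
product's own logic). Assumptions: most specific match wins; 'destination'
on an incoming rule is the remote peer; 'local-net' = 192.168.2.0/24;
unmatched connections get the Silent Mode default."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: what "local-net" expands to in this model (the scanned host is 192.168.2.2).
LOCAL_NETS = [ip_network("192.168.2.0/24")]

# The three rules suggested above: blanket deny, then two narrow allows.
RULE_TEXT = """\
action: deny
direction: incoming
process: any
owner: any
destination: any

action: allow
direction: incoming
process: /sbin/launchd
owner: system
destination: local-net
port: 22
protocol: TCP

action: allow
direction: incoming
process: /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd
owner: system
destination: local-net
port: 5900
protocol: TCP
"""

# Constructed: a deny rule scoped to the poster's own user ("me"), i.e. the
# situation the thread diagnoses. It never matches a listener owned by "system".
ORIGINAL_RULE = """\
action: deny
direction: incoming
process: any
owner: me
destination: any
port: 22
protocol: TCP
"""


@dataclass
class Rule:
    action: str
    direction: str
    process: str = "any"
    owner: str = "any"
    destination: str = "any"
    port: str = "any"
    protocol: str = "any"

    def specificity(self) -> int:
        """Count constrained (non-'any') fields; higher wins in evaluate()."""
        fields = (self.process, self.owner, self.destination, self.port, self.protocol)
        return sum(1 for f in fields if f != "any")


@dataclass
class Connection:
    direction: str
    process: str   # executable path of the listening process
    owner: str     # "system" or the login name of the user running it
    peer: str      # remote address that is connecting
    port: int
    protocol: str


def parse_rules(text: str) -> list[Rule]:
    """Parse blank-line-separated 'key: value' blocks into Rule objects."""
    rules = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        rules.append(Rule(**fields))
    return rules


def _dest_matches(spec: str, peer: str) -> bool:
    if spec == "any":
        return True
    addr = ip_address(peer)
    if spec == "local-net":
        return any(addr in net for net in LOCAL_NETS)
    return addr in ip_network(spec, strict=False)


def matches(rule: Rule, conn: Connection) -> bool:
    return (
        rule.direction == conn.direction
        and rule.process in ("any", conn.process)
        and rule.owner in ("any", conn.owner)  # the field the whole thread turns on
        and _dest_matches(rule.destination, conn.peer)
        and rule.port in ("any", str(conn.port))
        and rule.protocol.lower() in ("any", conn.protocol.lower())
    )


def evaluate(rules: list[Rule], conn: Connection, silent_mode_default: str = "allow") -> str:
    """Return the action of the most specific matching rule, else the Silent Mode default."""
    hits = [r for r in rules if matches(r, conn)]
    if not hits:
        return silent_mode_default
    return max(hits, key=Rule.specificity).action


SSHD = "/sbin/launchd"
VNC = "/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd"

# Constructed sample connections: LAN peer vs. a peer reached over the VPN (172.16.1.7 from the login banner).
SSH_FROM_LAN = Connection("incoming", SSHD, "system", "192.168.2.10", 22, "TCP")
SSH_FROM_VPN = Connection("incoming", SSHD, "system", "172.16.1.7", 22, "TCP")
VNC_FROM_LAN = Connection("incoming", VNC, "system", "192.168.2.10", 5900, "TCP")
SIP_FROM_LAN = Connection("incoming", "/usr/libexec/sip-example", "system", "192.168.2.10", 5060, "TCP")

if __name__ == "__main__":
    good = parse_rules(RULE_TEXT)
    for c in (SSH_FROM_LAN, SSH_FROM_VPN, VNC_FROM_LAN, SIP_FROM_LAN):
        print(f"three-rule set : {c.peer:>12} port {c.port:<5} -> {evaluate(good, c)}")
    # The owner-scoped deny never matches a system-owned listener, so Silent Allow lets it through.
    print(f"owner=me rule  : {SSH_FROM_LAN.peer:>12} port 22    -> {evaluate(parse_rules(ORIGINAL_RULE), SSH_FROM_LAN)}")
```

Running it shows SSH and VNC from the LAN allowed, SSH over the VPN peer denied by the blanket rule, and the unrelated SIP listener denied; with only the owner-scoped deny in place, nothing matches the system-owned ssh listener and the Silent Allow default lets the connection through, which is exactly what the nmap output in the first post shows. The same script is a quick way to sanity-check a rule set on paper before trusting it; the authoritative check is still the Network Monitor, as marco notes.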

Neil_Hines
Posts: 5
Joined: Fri Dec 15, 2017 9:49 am

Re: Can't block incoming connections?

Postby Neil_Hines » Wed Jan 17, 2018 12:55 pm

Thanks for the guidance, friend, it's really a knowledgeable thread. :)
