
2.3 domain name matching failure

Posted: Wed Oct 20, 2010 12:05 pm
by dbayly
Hello, I was pleased to see this rule type added. Great addition.

However there seems to be at least one case where it doesn't work as expected.

I entered (actually I edited an existing rule)

action: allow
process: /Applications/Second Life/Imprudence.app/Contents/MacOS/../Resources/SLVoice
destination: domain vivox.com
port: any
protocol: any


but I had to allow the following

action: allow
process: /Applications/Second Life/Imprudence.app/Contents/MacOS/../Resources/SLVoice
destination: 74.201.99.128
port: 15178
protocol: 17
help: wants to connect to mph5yb.vivox.com on UDP port 15178


So far all else has worked; I surmise it's to do with it being a UDP packet?

Re: 2.3 domain name matching failure

Posted: Wed Oct 20, 2010 4:10 pm
by norbert
In this case SLVoice connected directly to the IP address 74.201.99.128 instead of a hostname in the vivox.com domain. Therefore it didn't match your existing domain rule.

The displayed hostname is just the reverse name for this IP address, but it's not used for filtering purposes. Reverse lookups are slow and you cannot rely on the returned name, i.e. it's not guaranteed that the reverse name is actually in the domain that it claims to be.

I have to admit that the display of the reverse name is a bit misleading in this context. We'll address this in the next update.

Re: 2.3 domain name matching failure

Posted: Wed Oct 20, 2010 4:36 pm
by dbayly
That's logical as far as it goes. Vivox has a number of ranges of IP addresses; is there a way, or can there be, to just say "allow all these IP addresses", followed by a list of ranges?

Re: 2.3 domain name matching failure

Posted: Wed Oct 20, 2010 6:33 pm
by norbert
You can specify a block of IP addresses in CIDR notation, or you can enter a list of IP addresses (separated by comma or whitespace).
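
To make the two answers above concrete, here is a small matcher written for this thread; it is an added example, not Little Snitch's own code, and its semantics are an assumption about how such a rule engine behaves. It shows (a) why a "domain vivox.com" rule matches a connection made by hostname but not one made to the raw IP 74.201.99.128, (b) why the displayed reverse (PTR) name must not be used for filtering, checked here with a forward-confirmed reverse DNS test, and (c) how a destination given as CIDR blocks and/or a comma- or whitespace-separated IP list is parsed and matched. The DNS tables and the 74.201.96.0/21 block are constructed for the example and are not Vivox's real records or ranges; 203.0.113.0/24 is a documentation range.

```python
import ipaddress

# Constructed forward (A) records for the example; no real lookups are performed.
FORWARD = {
    "mph5yb.vivox.com": "74.201.99.128",
    "voice.example.net": "203.0.113.7",
}
# Constructed reverse (PTR) records. The second entry claims to be in vivox.com but
# does not forward-resolve back to the same address: the untrusted case norbert describes.
REVERSE = {
    "74.201.99.128": "mph5yb.vivox.com",
    "203.0.113.7": "fake.vivox.com",
}


def parse_destination(spec):
    """Parse a rule destination: 'domain X', 'host X', or a list of IPs/CIDR blocks.

    IP lists may be separated by commas or whitespace; a bare IP becomes a /32 (or /128).
    """
    spec = spec.strip()
    if spec.startswith("domain "):
        return ("domain", spec[len("domain "):].strip().lower())
    if spec.startswith("host "):
        return ("host", spec[len("host "):].strip().lower())
    nets = [ipaddress.ip_network(tok, strict=False) for tok in spec.replace(",", " ").split()]
    return ("ip", nets)


def destination_matches(dest, conn):
    """Decide whether a parsed destination matches a connection.

    conn = {"ip": str, "hostname": str or None}. 'hostname' is the name the application
    actually connected to; None means it connected to a raw IP address.
    """
    kind, value = dest
    if kind == "ip":
        addr = ipaddress.ip_address(conn["ip"])
        return any(addr in net for net in value)
    name = conn.get("hostname")
    if name is None:
        # Raw-IP connection: the reverse name shown in the UI is display-only and is
        # deliberately NOT consulted, so name-based rules cannot match here.
        return False
    name = name.lower()
    if kind == "host":
        return name == value
    # 'domain': the name itself or any subdomain of it.
    return name == value or name.endswith("." + value)


def fcrdns_confirmed(ip):
    """Forward-confirmed reverse DNS: a PTR name is only credible if it resolves back to ip.

    Even this check is too slow and too weak to drive filtering on every packet; it just
    illustrates why a bare PTR name proves nothing about domain membership.
    """
    ptr = REVERSE.get(ip)
    return ptr is not None and FORWARD.get(ptr) == ip


if __name__ == "__main__":
    by_name = {"ip": "74.201.99.128", "hostname": "mph5yb.vivox.com"}
    by_ip = {"ip": "74.201.99.128", "hostname": None}
    domain_rule = parse_destination("domain vivox.com")
    print("by hostname:", destination_matches(domain_rule, by_name))   # True
    print("by raw IP:  ", destination_matches(domain_rule, by_ip))     # False
    cidr_rule = parse_destination("74.201.96.0/21, 203.0.113.7")
    print("CIDR list:  ", destination_matches(cidr_rule, by_ip))       # True
    print("PTR trusted:", fcrdns_confirmed("203.0.113.7"))             # False
```

The raw-IP branch returning False is the behaviour the original poster hit: the application resolved the name itself (or had the address cached or hard-coded) and connected to 74.201.99.128 directly, so only an IP or CIDR destination can cover it.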

Re: 2.3 domain name matching failure

Posted: Fri Oct 22, 2010 8:34 pm
by ricardsonwilliams
After upgrading to version 2.3.1 the Domain and Hostname feature is not working any more... before (version 2.2.4) it was working OK, but it was still slow to insert the rules the first time...

This feature is very interesting for me; please check it ASAP.



Thanks,
Ricardson

Re: 2.3 domain name matching failure

Posted: Sat Oct 23, 2010 12:14 am
by norbert
Ricardson, I've just replied to your support request in this regard.

If you do have a rule that denies connections to a particular host for "All Applications", and another rule that allows port 80 (http) connections for Safari, the Safari rule will win, and you will be able to connect to this host on port 80 via Safari. But connections made from other applications to this host will still be denied.

Since the "Safari" rule is more specific it takes precedence over the more general "All Applications" rule. Rule precedence was always handled that way in Little Snitch. It allows you to specify a general rule that affects all applications, and override it with another, more specific rule that only affects a particular application.
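
The precedence rule norbert describes, as an added example written for this thread (not Little Snitch's own implementation; the specificity ordering and the "ask" default when nothing matches are assumptions, and the rule set and host name are constructed). A rule that names a process outranks an "All Applications" rule that also matches, regardless of where either sits in the list, so the list order does not decide the outcome:

```python
ALL_APPS = "All Applications"
SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"

# Constructed rule set modelled on the description above (example, not a real export).
RULES = [
    {"action": "deny", "process": ALL_APPS, "host": "tracker.example.com", "port": "any"},
    {"action": "allow", "process": SAFARI, "host": "tracker.example.com", "port": 80},
]


def rule_matches(rule, conn):
    """True if the rule covers this connection (process, host and port all agree or are 'any')."""
    if rule["process"] != ALL_APPS and rule["process"] != conn["process"]:
        return False
    if rule["host"] != "any" and rule["host"] != conn["host"]:
        return False
    if rule["port"] != "any" and rule["port"] != conn["port"]:
        return False
    return True


def specificity(rule):
    """Ordering key: a named process beats All Applications; a fixed host/port breaks ties."""
    return (rule["process"] != ALL_APPS, rule["host"] != "any", rule["port"] != "any")


def decide(rules, conn, default="ask"):
    """Pick the most specific matching rule; fall back to prompting the user if none match.

    Assumes no two equally specific rules disagree; a real engine needs a tie-break there.
    """
    candidates = [r for r in rules if rule_matches(r, conn)]
    if not candidates:
        return default
    return max(candidates, key=specificity)["action"]


if __name__ == "__main__":
    print(decide(RULES, {"process": SAFARI, "host": "tracker.example.com", "port": 80}))    # allow
    print(decide(RULES, {"process": SAFARI, "host": "tracker.example.com", "port": 443}))   # deny
    print(decide(RULES, {"process": "/usr/bin/curl", "host": "tracker.example.com", "port": 80}))  # deny
```

Reversing the order of RULES gives the same answers, which is the difference from a line-ordered, first-match firewall list.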

Re: 2.3 domain name matching failure

Posted: Sat Oct 23, 2010 5:58 am
by ricardsonwilliams
Why not put "Safari's" rules at the TOP, even before "All Applications"? I understand "Firewall" rules line by line, like Linux does; if the "Safari" (http access) rules are more important than the "Domain Rule", why not put them at the TOP? I think it will be easier to understand.


Thank you!
Ricardson