How to use Little Snitch?

General discussions about Little Snitch
guitar-picker
Posts: 1
Joined: Sun Jan 01, 2012 6:16 pm

How to use Little Snitch?

Postby guitar-picker » Sun Jan 01, 2012 6:45 pm

I've used PCs since the early 1980s, but I am puzzled on how to strategically configure Little Snitch. I don't understand the bewildering number of ports - so how, when and why should I block any of them? Why are they used, when, for what purposes, by which programs? I don't understand how to tell when a program is attempting to transmit information for a valid reason, versus attempting to do so for some nefarious purpose... so I don't know how or why to agree or not to agree to allow any particular program to do so. I basically don't understand the 50 thousand ways that computer programmers have devised to surreptitiously spy on everything we do online, and/or attempt to steal our information or use us as their data-mining stooges. The instructions for Little Snitch are woefully inadequate because there are no examples to follow. I can only learn from real-world examples. Without examples, all I have is a manual that tells a lot of HOWs but fails to show any WHYs. Am I the only person who feels this way? Is there more information, somewhere, that I have not discovered, that explains this better? Little Snitch is a great little utility, but I feel that it deserves better instructional support.

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: How to use Little Snitch?

Postby hagen » Sun Jan 01, 2012 11:57 pm

The problem looks overwhelming at first, but I think I can show you a simpler way through it. I'll start with the questions posed, and we can go from there.

guitar-picker wrote:I don't understand the bewildering number of ports - so how, when and why should I block any of them? Why are they used, when, for what purposes, by which programs?

Don't think of it as blocking ports, but controlling programs. For example, browsers do almost everything on two ports: 80 and 443, with 443 being encrypted. You just have to know that. Every app is similarly simple, and easy enough to figure out.


guitar-picker wrote:I don't understand how to tell when a program is attempting to transmit information for a valid reason, versus attempting to do so for some nefarious purpose... so I don't know how or why to agree or not to agree to allow any particular program to do so.

It's a matter of what you need to allow in order to do what you want. Allow what you need, block everything else. The choice of browser is important here, as some have more control options than others.

Some things we don't want simply have to be allowed, otherwise the Internet won't work. Browser controls, and perhaps other options, can mitigate the data mining but not eliminate it.


guitar-picker wrote:The instructions for Little Snitch are woefully inadequate because there are no examples to follow. I can only learn from real-world examples. Without examples, all I have is a manual that tells a lot of HOWs but fails to show any WHYs. Am I the only person who feels this way? Is there more information, somewhere, that I have not discovered, that explains this better? Little Snitch is a great little utility, but I feel that it deserves better instructional support.

It doesn't have to be a Little Snitch instruction manual. Little Snitch is a reverse firewall, so anything you find, anywhere, about rule-based firewalls will apply to Little Snitch. That said, I haven't found very much. But it really isn't that difficult when approached one app at a time.

Maybe that will get you started with a different way of thinking, and you can come back with more focused questions. What application would you like to discuss first? Browsers? Email clients?

TudouQD
Posts: 1
Joined: Wed Mar 13, 2013 9:50 am

Re: How to use Little Snitch?

Postby TudouQD » Wed Mar 13, 2013 12:01 pm

I agree with the OP. Some general context-based guidance would be greatly appreciated. I've had Little Snitch since 2007 and, frankly, still don't know if it's working correctly or not. I'm not a network guy. You can RTFM me all you want. I believe this software has great value and I know I'm generally using it correctly. But most people I've recommended it to give up after the first day or so.

For example, what should we be very wary of? Show me. I have had to go through mountains of forums to get a sense of what some of the Mac's internal processes do. But I still have trouble figuring out what "normal" operation should look like.

Some sort of guide giving Best Practices would be greatly appreciated. Considering all the data that passes through LS it seems it would be easy for ObDev to set up a forum where users could specifically share what they're seeing. Perhaps some consensus could be created on 'what is normal'.

I went through a period where a PC-user got on my local network and one Mac in particular began to receive hundreds of netbiosd connection requests from numerous non-local IPs. The process of figuring out what was going on was incredibly frustrating. In the end, I just blocked them all. But I believe it would be much more constructive to see a discussion about "what is happening". ObDev's experts would seem to be the ideal folks to lead this discussion.

If this sort of thing exists, it needs to be better flagged.

gollum
Posts: 3
Joined: Mon Apr 01, 2013 4:30 pm

Re: How to use Little Snitch?

Postby gollum » Mon Apr 01, 2013 6:01 pm

Being a newbie, it looks like this is the place for me to start. I was not seeing LS status in toolbar and just updated to 3.04 from .03. immediately following this post. You will have to dumb down for this. Are redirects after every post and registering for the first time normal? I'm definitely not doing something right because >100 "allow till quit"s are normal for me daily and can finally divert some attention to fixing that. I get Finder via nmblookup to port 137 (netbios-ns) of 192.168.1.255 requests from 192.168.1.255, and some are totally different IP addresses, and have them blocked, because I've never seen them before. The exact same requests from Firefox 19.0.2. I'm using ethernet hard wired. I'm still not seeing LS status in toolbar either. Did I just answer my own question? Or is there a problem? I'm seeing other sites filled with these port 137 (netbios-ns) user requests and people panicking everywhere about a "China cyber attack". Also, I very recently joined a LinkedIn group, and a China site, and still getting redirects after every post. I also have a "ghost" proxy I catch now and then using 127.0.0.1, which I've read is and is not Apple, and I'm just trying to learn what to avoid, having never made anything permanent after a malicious attack from that address.
Last edited by gollum on Mon Apr 01, 2013 8:47 pm, edited 2 times in total.

motti.shneor
Posts: 1
Joined: Sat Mar 25, 2017 11:37 am

Re: How to use Little Snitch?

Postby motti.shneor » Tue Apr 18, 2017 8:20 am

I agree with the OP, and totally do not agree with the first answer, telling us it is "simple enough you can finally get it". I'm a Mac software programmer for over 30 years, been writing networking code for at least 20 years, and even worked in cyber-security startups for the last 3 years, and I'm stumped when I come to configure Little Snitch.

The very idea of "let programs connect for things you need or want" is sheer deception. How on earth can I tell what a program does when it connects to some obscure server (one of 30) in a complicated workflow it performs? What do I do with macOS daemons (such as netbiosd) that bomb me with hundreds of outgoing connections to suspicious IPs around the world, and with seemingly random ports? No application package I know provides a set of rules or explanations of its network behavior - and deciphering this is the work of a reverse-engineer, or a very well educated hacker.

The vast majority of Mac users are very far from grasping this, and more important, the whole thing about Mac is user's ability to "Use a device for your work and pleasure, WITHOUT understanding the underpinning of the technologies under the hood". Little Snitch was nice at the beginning, but now - it is simply a distracting, annoying, ever-nudging succession of popup alerts, that block your work, frighten you, and leave you with no way to reasonably react.

I think Objective Development would do much better to EXPLAIN their decisions for the default rules, they must improve their rules often and adapt them to changes in the Mac OS, and they must provide much better documentation and help for the "Why"s.

I'm struggling with netbiosd rules for 6 months now, and I just can't figure it out. I have Windows-file-sharing off, I have a router that does not forward ports, I do not run any special services (at least I don't know of any), still my netbiosd - Mac OS software - attempts at least a few dozen outbound connections to arbitrary IPs and ports each day, and blocks my (and my kids') work with those dialogs we just can't correctly answer.

I'm not phobic, and I WANT to allow those connections, if they're harmless. I trust Apple implementations to deny malicious requests sent to the OS's internal services - but I don't know WHICH are "part of the official game" and which are not. By no means can I invest the time to understand Microsoft's networking protocols, and the ways of netbios. This is a work for experts - namely - Objective Development's engineers.

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: How to use Little Snitch?

Postby hagen » Tue Apr 18, 2017 10:01 am

motti.shneor wrote:I'm struggling with netbiosd rules for 6 months now, and I just can't figure it out. I have Windows-file-sharing off, I have a router that does not forward ports, I do not run any special services (at least I don't know of any), still my netbiosd - Mac OS software - attempts at least a few dozen outbound connections to arbitrary IPs and ports each day, and blocks my (and my kids') work with those dialogs we just can't correctly answer.

My netbiosd has one rule: Deny any outgoing connection. It never bothers me.

What happens if you try that?
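The per-program approach hagen describes in his two replies (browser limited to ports 80 and 443, a single deny rule for netbiosd, everything else blocked until a rule is chosen), modelled as an added example that is not part of the original thread and is not Little Snitch's own rule format. The `Rule` class, the `decide` and `review` functions, the Mail entries and all addresses are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    process: str                     # program the rule controls
    action: str                      # "allow" or "deny"
    ports: frozenset = frozenset()   # empty means any port

    def matches(self, process, port):
        return process == self.process and (not self.ports or port in self.ports)

# Constructed rule set following the thread: the browser gets ports 80 and 443,
# netbiosd gets a single "deny any outgoing connection" rule.
RULES = [
    Rule("Firefox", "allow", frozenset({80, 443})),
    Rule("netbiosd", "deny"),
]

def decide(process, port, rules=RULES):
    """Explicit deny wins, then explicit allow; anything unmatched is blocked."""
    hits = [r.action for r in rules if r.matches(process, port)]
    if "deny" in hits:
        return "deny"
    return "allow" if "allow" in hits else "blocked-no-rule"

# Constructed connection attempts: (process, destination, port).
ATTEMPTS = [
    ("Firefox", "192.0.2.10", 443),
    ("Firefox", "192.0.2.10", 80),
    ("Firefox", "198.51.100.7", 6667),
    ("netbiosd", "192.168.1.255", 137),
    ("netbiosd", "203.0.113.40", 137),
    ("Mail", "192.0.2.25", 993),
    ("Mail", "192.0.2.25", 587),
]

def review(attempts, rules=RULES):
    """Return (decisions, todo); todo counts unmatched attempts per (process, port),
    the short list of programs that still need a deliberate rule."""
    decisions = [(p, dst, port, decide(p, port, rules)) for p, dst, port in attempts]
    todo = Counter((p, port) for p, _, port, d in decisions if d == "blocked-no-rule")
    return decisions, todo

if __name__ == "__main__":
    decisions, todo = review(ATTEMPTS)
    for row in decisions:
        print(*row)
    print("still need a rule:", dict(todo))
```

The `todo` counter is the "one app at a time" worklist: each entry is a program and port that has no rule yet, which is where a decision is still owed.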

Webblekit
Posts: 2
Joined: Mon Aug 01, 2016 12:26 am

Re: How to use Little Snitch?

Postby Webblekit » Thu May 04, 2017 4:40 am

hagen wrote:My netbiosd has one rule: Deny any outgoing connection. It never bothers me.

What happens if you try that?


I want to say a word of praise for what you've written in this thread, Hagen, cogently and informatively.

Many want handholding. That's one consequence of Apple making the OS seamless in the GUI: it gives the illusion of being a college safe space. Hence all Apple experiences should be as painlessly gratifying as building a selfie collection.

But underneath: heh. There are no safe spaces in networking.

That's what Little Snitch brilliantly exposes. To peer under the glossy, Jobsian surface of OS X and discover what a busy little hive of surreptitiousness is underfoot... welcome to the spying device you thought was your friend. Time to come to terms with it.

hummingdrone
Posts: 11
Joined: Fri Jan 06, 2017 6:04 pm

Re: How to use Little Snitch?

Postby hummingdrone » Thu May 04, 2017 12:27 pm

Still, I think Little Snitch would become 10x more valuable and usable if it incorporated some way for the community to together decide on which things to allow and which not to.

This is not a strange idea. Take for example the blacklists of dubious advertising/tracking domains that are created for things like PiHole. Most startups and services are about more than a piece of software nowadays, they are about a platform and a community.

Even if we could just up-or-down vote things, that could be a powerful indicator.

JammieR
Posts: 8
Joined: Thu Aug 17, 2017 4:52 pm

Re: How to use Little Snitch?

Postby JammieR » Fri Aug 18, 2017 9:18 am

Recently, I started using Little Snitch since I believe that a little control over outgoing connections would be a good idea. After two days of constantly clicking 'allow', 'forever', 'until next restart' on so many popups, I am starting to question whether this is actually worth it. Sure control is nice, but this kind of extra work is annoying as hell! Some URLs and port access requests have actually reoccurred, although I have already allowed access forever yesterday...

ctwise
Posts: 12
Joined: Tue Apr 14, 2009 3:19 pm

Re: How to use Little Snitch?

Postby ctwise » Fri Aug 18, 2017 2:18 pm

First off. You are all correct. If you don't know anything about networking, then Little Snitch isn't very useful to you as it sits. Even those of us who do, can get confused. I'm still struggling with priorities in Little Snitch.

I would love for Little Snitch to have more "intelligence" about its rules.

- For software built into macOS, there should be "classes" of rules: 'Normal', 'Paranoid', and 'I Know What I'm Doing'. 'Normal' should set up rules for all the built-in software like 'smbd', 'netbiosd', 'racoon', etc. that let them work normally. 'Paranoid' should alert on anything even remotely concerning. 'IKWID' won't add rules at all.

- For other software, Little Snitch should build up a collection of user-supplied and user-audited rules (for Google Chrome, Microsoft Office, etc.) that do the same thing.

With this setup, most people will go with 'Normal'. They won't get alerts unless they're using software that isn't recognized or if the software they do have installed does something unexpected.

I'd also like Little Snitch to maintain a list of known problem DNS names, e.g., DNS entries used in malware. Those should be permanently blocked.

