Absolute minimum rules to go online



Post by mkalina » Thu Jan 09, 2014 7:09 pm


Little Snitch comes with a set of rules to allow access to a lot of services (like iCloud, AppStore) activated by default. This set, however, is not at all necessary to establish and keep alive an internet connection. It is a comfortable choice to have Mac OS X integrating well with Apple's infrastructure. Sometimes, however, one needs purity.

I tried to deactivate all of the rules and activate one after the other (without really knowing about dependencies, etc.). This was a big failure and I had to reset everything. Now my question is: What is a minimum ruleset that needs to be active and configured (in what way) so that I can establish and keep an internet connection?

Thank you,


Re: Absolute minimum rules to go online

Post by hagen » Fri Jan 10, 2014 9:54 pm

I think this is best approached from the other direction than what you tried: Start with a working setup, and disable one rule at a time and observe what happens. It will take a while, but it's a lot easier and you'll end up with a ruleset that meets your specific needs.

That said, here are some thoughts that might make things easier:

The browser will need outbound access to ports 80 (http) and 443 (https), so keep those two rules. Add blocking rules to specific sites or domains as desired.

The default rule for mDNSResponder should be left as is, at least at first. It does DNS lookups, among other things.

Some browsers like to do their own DNS lookups, in which case they will ask for outbound connections on port 53 (domain) to a DNS server. It's an alternate way to get IP addresses and is OK to allow.

The boot process will probably need connections to port 67 (bootps) and port 68 (bootpc) to your ISP. I would allow whatever process asks for these connections (configd on Snow Leopard and earlier, don't know about newer OSes).

Under "Any Process", allow incoming UDP and ICMP, otherwise things get messy.
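The list in the reply above amounts to a default-deny allowlist with a handful of carve-outs (80/443 for the browser, 53 for DNS, 67/68 for DHCP, mDNSResponder, inbound UDP and ICMP) plus optional blocking rules for specific hosts. The following is an added example, not part of the thread and not Little Snitch's own rule format or matching engine: a small Python model of that minimal ruleset, with a check that lists which observed connections would still have no matching rule, which is the question the disable-and-observe method is really answering. The process names (Safari, configd), the tracker.example blocking rule, the sample connections, and the "a matching deny wins, otherwise any matching allow wins, otherwise unmatched" semantics are all assumptions of this model.

```python
"""Model of a minimal host-firewall allowlist (added example, not Little Snitch's
rule format or engine). A field set to None means "any"."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "out" or "in"
    process: Optional[str] = None   # None = "Any Process"
    proto: Optional[str] = None     # "tcp", "udp", "icmp"; None = any
    port: Optional[int] = None      # None = any port
    host: Optional[str] = None      # None = any host; exact hostname match


@dataclass(frozen=True)
class Connection:
    direction: str
    process: str
    proto: str
    port: Optional[int]             # None for ICMP
    host: str


# Hypothetical minimal ruleset following the reply: browser on 80/443 (and 53 if it
# resolves names itself), mDNSResponder unrestricted, DHCP for configd, inbound
# UDP/ICMP for any process, plus one example blocking rule for a specific host.
MINIMAL_RULES: List[Rule] = [
    Rule("deny", "out", "Safari", "tcp", 443, host="tracker.example"),
    Rule("allow", "out", "Safari", "tcp", 80),
    Rule("allow", "out", "Safari", "tcp", 443),
    Rule("allow", "out", "Safari", "udp", 53),
    Rule("allow", "out", "mDNSResponder"),
    Rule("allow", "out", "configd", "udp", 67),
    Rule("allow", "out", "configd", "udp", 68),
    Rule("allow", "in", proto="udp"),
    Rule("allow", "in", proto="icmp"),
]

# Constructed sample of connection attempts, as one might observe over a session.
OBSERVED: List[Connection] = [
    Connection("out", "Safari", "tcp", 443, "www.apple.com"),
    Connection("out", "Safari", "tcp", 443, "tracker.example"),
    Connection("out", "Safari", "tcp", 8080, "dev.example"),
    Connection("out", "mDNSResponder", "udp", 53, "192.168.1.1"),
    Connection("out", "configd", "udp", 67, "192.168.1.1"),
    Connection("in", "mDNSResponder", "udp", 5353, "192.168.1.20"),
    Connection("in", "kernel", "icmp", None, "192.168.1.1"),
    Connection("in", "sshd", "tcp", 22, "203.0.113.5"),
]


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when every constrained field equals the connection's field."""
    return (rule.direction == conn.direction
            and rule.process in (None, conn.process)
            and rule.proto in (None, conn.proto)
            and rule.port in (None, conn.port)
            and rule.host in (None, conn.host))


def decide(rules: List[Rule], conn: Connection) -> str:
    """Return "deny" if any matching rule denies, "allow" if any matching rule
    allows, else "unmatched" (no rule covers the connection at all)."""
    hits = [r for r in rules if rule_matches(r, conn)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    if hits:
        return "allow"
    return "unmatched"


def unmatched(rules: List[Rule], observed: List[Connection]) -> List[Connection]:
    """Connections a candidate ruleset does not cover: each needs a decision."""
    return [c for c in observed if decide(rules, c) == "unmatched"]


if __name__ == "__main__":
    for c in OBSERVED:
        print(f"{decide(MINIMAL_RULES, c):9} {c.direction:3} {c.process:14} "
              f"{c.proto:4} {str(c.port):5} {c.host}")
    print("still needing a rule:", len(unmatched(MINIMAL_RULES, OBSERVED)))
```

Running it shows the two connections the minimal set leaves undecided (the browser on a non-standard port and the inbound SSH attempt); the reply's advice translates to: add an allow for whatever of those you actually need, and nothing else.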
