Which rules to set for incoming connections

General discussions about Little Snitch
olivierdb
Posts: 8
Joined: Sun Apr 14, 2013 10:49 pm

Which rules to set for incoming connections

Postby olivierdb » Fri Apr 04, 2014 10:42 am

My iMac has recently been hacked into and I'd like to make it more secure by preventing incoming connections from hackers.

I'm not sure how I should set up the rules for this purpose.

Would all protocols and ports be concerned?

By default, LS allows all system and non-system incoming connections via UDP, ICMP and local network. Is that safe?

I have disabled WiFi and am connected via an Ethernet cable to my router. There is no other computer in my local network. I'm also running the Mac firewall.

Ideally, I'd like to be alerted when there is an intrusion attempt, i.e. when an incoming connection is attempted. I'd like to know the source. Is that possible with LS?

Thank you for your help.

rsblanchard
Rank 3
Posts: 111
Joined: Mon Jul 02, 2007 9:25 am

Re: Which rules to set for incoming connections

Postby rsblanchard » Sat Apr 05, 2014 1:34 am

A primer for customizing a firewall:

The purpose of a firewall, and anti-spyware, is to limit illicit traffic from traversing to, and from, the internet from your computer, while allowing legitimate traffic -- the more restrictive the firewall, the better (of course, it must allow proper communication, nevertheless).

The anti-spyware component of the anti-malware-suite controls only the outbound (from a computer to the internet) traffic as generated by various applications/executables on the Mac.

Unless your anti-malware automatically blocks, or does not allow, unusual protocols&data that are incoming to your computer, a computer may be vulnerable to a "back door" exploit that may have been pre-designed into your Operating System.

The following applies to the Mac, and would not be that much different for a PC, as all computers use the underlying TCP/IP protocols for their communication to, and from, the internet.

From a given computer-software-device-source, outgoing (from your computer to the Internet), message-traffic needs (either an IPv4, or (less-often) an IPv6) IP-address (to-be-described next) (to identify the computer to be sent-to), a TCP/IP-protocol-number-corresponding-to-a-TCP/IP-protocol-name (I will be using TCP/IP-protocol-names below -- by simply referring to them as "TCP/IP Internet Protocols"), and a software-Port-or-Type-number (discussed below), along with the actual data-content to-be-sent.

An IP-address is an identifier of a specific computer-or-router, and is either a standard IPv4 IP-address (which is represented by a quadruple-of-(zero-through-255 (decimal)), separated by dots/periods ".",
for a total of 32-bits, for a total of over 4-billion unique possible computer-addresses),
or a newer (less-often-used) IPv6 IP-address (which is an octet-of-(0000-through-ffff (hexadecimal)), separated by colon-characters ":",
for a total of 128-bits, for a total of a gazillion unique possible computer-addresses).

There are 256 different TCP/IP Internet Protocols which facilitate traffic to both IPv4-IP-addresses, and IPv6-IP-addresses.
When sending to an IPv4-address, on each separate "device" (software device; to be discussed later), your Mac uses 5 different TCP/IP IPv4 Internet Protocols. (4 protocols,
if you ignore IGMP-multicast (for multi-person games), which uses IPv4s in the range of 224.*.*.* through 239.*.*.* [???] ):
(In addition to the message below, I have also found possibly a 6th TCP/IP protocol possibly present on my Mac called "DIVERT".
My anti-malware-suite (a suite is a combination of multiple software modules) has only a limited way of controlling either the "RAW" or "DIVERT" protocols,
nor do I know much further about these specific protocols). The remaining TCP/IP IPv4 Internet Protocols are:
TCP, UDP, ICMP, (and RAW ([=IPSec ???] used by the rarely-used "traceroute" utility, so now we are down to 3 protocols)).
A TCP/IP IPv4 ICMP message is sent back for "server not responding", "IP-address doesn't exist", "echo (ping) reply", etc., types of control-messages.
Software Port-numbers in a TCP/IP IPv4 ICMP message are called "types", instead, and range from 0 to 255 (so, if we don't consider ICMP, we are now left with 2 protocols to explain).

Most TCP/IP IPv4 internet traffic is either TCP, or UDP:
TCP is like a bi-directional telephone connection (with multiple TCP messages sent and received (and re-assembled in sequence)).
UDP is like a letter dropped in a mailbox (with a 98% chance that it will get to its destination, and only a single message).
Port-numbers for TCP, are identical-in-format-to UDP port numbers, in the purpose (application) they serve, and range from 0 (which is reserved) to 65535 (this happens to be the upper-limit of a so-called 16-bit-integer), with 49152 through 65535 reserved for the sending-side (source) (since these are "dynamic" port-numbers, whose particular number cannot be predicted for a given message).
(three-quarters times (the total of) 65536 (unique port-numbers) equals 49152).
1 through 49151 is for the receiving-side (destination), with 1-1023 requiring super-user privileges to serve-up. (Port-number zero, is reserved).
Peer-to-peer connections are rare, but both source, and destination, have similar port-numbers.

For example, your browser may connect to TCP/IP IPv4 TCP ports 80 (http) & 443 (https) on the destination-side, but would never serve-up (open-up) port 80, nor port 443 on the source side (your computer's side) (that is, unless you were hosting a web-site on your local computer (unlikely) ).
Still, your Mac's standard firewall allows for these unlikely connections, but a customized Intego ISB X6 firewall (a 3rd-party firewall for Macs that run anything at, or newer, than the Leopard Operating System) will block them. You can also try to use Little Snitch with Intego's ISB X6 (VBX6).

In an ideal world, all active "services" (your local machine's UDP & TCP ports), as listed in Intego Internet Security Barrier X6's "Services" window, would be 49152, or above (you should not be "hosting" anything) (sadly, even with my customized files, this is not the case) ! Often, services that perform Domain Name Service (DNS) will have your computer receiving messages on UDP & TCP Ports 53 & 5353, with a dynamic-port for the Internet-sending-side.
(DNS is the way in which any domain-name (a portion of a URL (a Universal Resource Locator)) is translated into an IP-address).
Also, a Mac's boot-up will require a send-to-local-router UDP Port 67, with a subsequent message to receiving (local) UDP Port 68.

Now for Mac software/hardware devices:
"en0" should be your software designation for your Ethernet Cable.
"en1" should be your software designation for your Airport wireless (I have blocked this in my files, as everything is hard-wired here, but
wireless can use the IP addresses in the 10.*.*.* range).
"en2" can be for tethering, and, usually, there is no forthright way Apple allows you to control this device.
"lo0" should be your local loopback IP address, usually meaning 127.0.0.1 , in IPv4-terms.
"stf0" is a software tunnel between IPv6 and IPv4 (for the moment, best left totally blocked).
-or-, in Intego ISB X6 for Snow Leopard, you can specify "All", for all devices (the current version of Little Snitch (for Mac) anti-spyware for outgoing communication does not currently accept "devices", so everything is "All").

You should go into the Mac's "Network" System Preferences panel, and re-direct IPv6 for each separate device using the "Advanced" button.
Avoid so-called peer-to-peer music-sharing-sites, and sites that utilize the Limewire, and BitTorrent file-sharing technologies.

If you install Intego ISB X6 on the Mac, you may want to custom-install it, and leave-out ContentBarrier (parental controls). The ISB X6 Anti-Spam program in ISB X6 modifies Apple Mail if you set-up its preferences correctly. Always authorize VirusBarrier in Intego ISB X6 first, before authorizing any other program !

Modem/routers are the first line of defense -- set them not to respond to TCP/IP ICMP "Ping" messages by configuring them with your browser.
Hackers initially find machines by "ping"ing them, and if the machine responds, they hone-in.
Also, most Modem/Routers ship with a default password or two -- CHANGE IT (using your browser), so it is NOT the default "1234", or blank, or "123456" !
Also, disable in the modem/router TCP/IP IPv4 TCP & UDP incoming port 161 (also known as SNTP) -- this is how an Internet Service Provider "takes control" of your machine (and displays your machine's screen on their's) when you need help, but is also an "in" for hackers.

Two further clarifications:

1) The "dynamic"-ports from 49152-through-65535 may have nothing to do with the "C"-language-programming-term called "INADDR_ANY" .
"INADDR_ANY" refers to the software-device (such as "en0" (Ethernet), or "<el><oh><zero>" ("lo0" loopback)) that is allowed to send-or-receive the data-packet: "INADDR_ANY" refers to the allowance of any software-device to send-or-receive the data-packet.

2) The "RAW" protocol is needed on the Mac for the "traceroute" program (this was the only program on my Mac that requested use of the "RAW" protocol).
"traceroute", in actuality on the Mac, also wants to use the "ICMP" protocol.
So, the only mystery protocol left un-discussed is the "DIVERT" protocol.
Under the underlying TCP/IP protocols, did you know that there are actually (at least ) TWO different ways of doing a "ping" ? -- one involves the standard ICMP-type-8 message (receiving back an ICMP-type-zero message), and the other involves sending to IPv4 TCP Port 4 (or is it Port 7 ??? ) .

This means, that if a device (router, or computer) is "stealthed", all methods of "being-pinged" must not be replied-to.

I have tried to turn off all communication to IPv6-IP-addresses (you know, the 128-bit IP-addresses, (like ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ) ).
You can also try to block the software-device on the Mac, called "stf0:" , which is the "six-to-four-tunneling" (which, I believe, provides a translation of a subset of 128-bit-IPv6-IP-addresses to 32-bit-IPv4-IP-addresses).
Theoretically, when you do this, you miss-out on some websites that have non-IPv4-IP-addresses, but I have not found this to be a problem, yet.

The reason that the web is expanding to IPv6, is that there are only 4-billion-or-so uniquely-identifiable IPv4-IP-addresses, and there are slightly more computers than that !
Last edited by rsblanchard on Wed Sep 17, 2014 11:10 pm, edited 19 times in total.
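
The primer above describes the ICMP echo ("ping") exchange by type number (type 8 out, type 0 back) and asks whether the second way to ping is TCP port 4 or 7: the TCP/UDP Echo service is port 7 (RFC 862). The block below is an added example, not code from the thread or from Little Snitch; it builds an echo request at the byte level, checks the RFC 1071 Internet checksum on receipt, and produces the reply a pinging host expects, which is exactly what a "stealthed" router declines to send. The identifier 0x1234 and the payload used in the demo are arbitrary.

```python
"""ICMP echo request/reply at the byte level (added example, not from the thread)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# A few ICMP types the primer mentions, for human-readable output.
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; checksum_ok is True when the whole packet sums to zero."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "name": ICMP_TYPE_NAMES.get(icmp_type, "type %d" % icmp_type),
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        # Summing a packet that includes its own checksum yields 0 when intact.
        "checksum_ok": internet_checksum(packet) == 0,
    }


def reply_for(request: bytes) -> bytes:
    """What a host that answers pings sends back: type 0, same id/seq/payload."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        raise ValueError("not a well-formed echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


if __name__ == "__main__":
    # Arbitrary demo values; a real ping uses the process id and a counter.
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")
    print("request:", request.hex())
    print("reply  :", reply_for(request).hex())
    print(parse_icmp(reply_for(request)))
```

Putting these bytes on the wire needs a raw socket (`socket.SOCK_RAW` with `socket.IPPROTO_ICMP`, which requires root); the block stops at packet construction so that it runs offline.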

olivierdb
Posts: 8
Joined: Sun Apr 14, 2013 10:49 pm

Re: Which rules to set for incoming connections

Postby olivierdb » Mon Apr 07, 2014 7:38 pm

Not an easy-to-understand primer. Honestly don't know what to make of it, but thanks anyway!

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Which rules to set for incoming connections

Postby hagen » Tue Apr 08, 2014 8:16 am

olivierdb wrote:My iMac has recently been hacked into and I'd like to make it more secure by preventing incoming connections from hackers.

I'm not sure how I should setup the rules for this purpose.

I believe that the model of inbound connections allowing someone to hack into a computer is incorrect. It doesn't normally work that way. For most people, security is about using safe, trustworthy software and following safe user practices. The value of LS (from a security point of view) is IMHO in controlling outbound connections and watching for unusual activity that shouldn't be happening. Some recent malware is known to delete itself when it finds LS on the machine.

Do you have an unusual application or practice that you believe opens your computer to possibilities of being hacked from outside? Anything that attracts undue attention to yourself? How do you know you've been hacked into, and what was involved?

olivierdb wrote:By default, LS allows all system and non-system incoming connections via UDP, ICMP and local network. Is that safe?

I have disabled WiFi and am connected via an Ethernet cable to my router. There is no other computer in my local network. I'm also running the Mac firewall.

UDP and ICMP are generally recognized as safe. There are a few attack methods, mostly difficult to do and in the "denial of service" category, but again if you're not attracting attention there's little reason for concern.

The OSX firewall will filter out incoming UDP and ICMP, depending on how restrictive the settings.

Your "local network" is defined as everything up to the router. Communication between your own devices shouldn't be a concern either.

olivierdb
Posts: 8
Joined: Sun Apr 14, 2013 10:49 pm

Re: Which rules to set for incoming connections

Postby olivierdb » Mon Apr 21, 2014 8:56 pm

hagen wrote:How do you know you've been hacked into, and what was involved?

I was told so by the author of the WordPress theme Cudazi Mono. My browser (Chrome Canary) started behaving in strange ways after I installed MAMP, WordPress and the Cudazi Mono WP theme. I was creating a WordPress site locally on my machine. Suddenly ads started appearing everywhere. They were labeled OffersWizard which, after some Google searching, I understood came from superfish (http://malwaretips.com/blogs/offerswizard-removal/). I first thought that the ads were bundled with the theme because the theme was free, so I contacted the author and he told me that my web site had been hacked into.

My browser's homepage was also being hijacked and I was being redirected to different sites. I can't remember which ones though, because I immediately deleted MAMP, WordPress, Cudazi Mono and Chrome Canary. I then removed all cookies, cleared the browser caches and ran a full scan with the Kaspersky anti-virus, but no malware was found. I re-installed everything including the latest version of Chrome (but not Canary as I suspected that it could have some security holes). I also remember that one of the websites I was redirected to included a dozen iframes (revealed by the developer tools), some containing a one pixel image and a link ending in .ru !

Then, I decided to purchase LS hoping that someone would explain in plain English what rules I should use for safe browsing and to prevent unwarranted incoming connections. For my browsers, I'm wondering if I should allow all outgoing connections on ports 80 and 443 in order not to get hundreds of alerts, which is annoying. [UPDATE 2014-04-21: Thank you for answering my other post, hagen!] Furthermore, what am I supposed to do when I get an IP address (such as 81.19.182.226 on port 2083) instead of a readable address? Or what to do when your browser or other software wants to connect to s3.amazon.com, cloudfront.net, cdn stuff or googleadservices.com? Sometimes blocking ad or analytics services will prevent a web page from displaying properly. This happened to me with the Chrome Web Store where all the images wouldn't display.

Unfortunately, LS isn't very helpful there because AFAIK users can't easily import shared sets of rules, e.g. white and black lists, to avoid ad, tracking and malware infested sites. Why isn't there anything equivalent to EasyList (https://easylist.adblockplus.org/en/) for LS that would allow users to block unwanted addresses? [UPDATE 2014-04-21: some good ideas have been posted under my 'another feature request' post!]

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Which rules to set for incoming connections

Postby hagen » Wed Apr 23, 2014 2:09 am

Okay, I see better what you're asking now. I agree that Offerswizard probably came in with some other software download; that seems to be its usual method of infection from what I've read. Redirecting browsers to other sites is also one of the things it reportedly does.

What to do with a connection request such as 81.19.182.226 on port 2083? If this is the first time you have seen this type of connection, you'll have to do some research. The next time that application asks, you'll know what it is.

Using Network Utility > lookup, I find that IP address is uk14.myserverhosts.com, which might mean something to you.

From a 'net search, port 2083 appears to be used by something called RADIUS, for remote login authentication.
http://www.speedguide.net/port.php?port=2083
https://en.wikipedia.org/wiki/RADIUS

CDN means Content Delivery Network. Websites that direct the browser to CDN sites are usually storing page elements on those sites. S3.amazon.com and and cloudfront.net are web storage and CDN sites from Amazon.

And yes, blocking ad or analytics services will often prevent a web page from displaying properly. It's just the way it is, if we want the page, we have to allow it to load. It's not a security issue, just a privacy nuisance.

This wouldn't improve with implementing block lists. If anything, blocking more sites could make it worse.

mrstevey
Posts: 2
Joined: Sun Oct 05, 2014 8:09 am

Re: Which rules to set for incoming connections

Postby mrstevey » Wed Oct 08, 2014 12:09 am

WTF!?!?!?!


rsblanchard wrote:A primer for customizing a firewall:
[...]

RLD
Rank 1
Posts: 24
Joined: Sun Aug 10, 2014 8:45 pm

Re: Which rules to set for incoming connections

Postby RLD » Wed Oct 08, 2014 5:57 am

My typical modus operandi no matter what operating system I set up; Mac, Windows, or *nix distro.

I will disable 50% of LS default rule set and use my version of the rule. Mac only of course.
Since IPv6 is not the universal standard as yet, I disable all IPv6 rules and disable it in my network.

Allow all incoming connections from local network me
Allow all incoming connections from local network system
Allow all outgoing connections to local network me
Allow all outgoing connections to local network system
Block all incoming ports udp/tcp 0-1030 system
Block all outgoing ports udp/tcp 0-1030 me
Block all OS programs I do not use such as icloud, netbiosd, itunes, etc
Allow outgoing connections to DNS servers me via ipv4 ips
Allow outgoing connections to broadcast addresses

Quite often I will create separate rules for udp and tcp for the same program

All programs outside of your OS should never need to use ports below port 1030 unless they are a replacement for the OS program.... i.e. mail, ftp, browsers, etc

I then start with individual programs as I use them and block or allow as needed.

I only allow ports 0-1030 to be used by programs that absolutely need them.... i.e. mail, browsers, dns, ssl, etc

My only prolonging issue is Battle.net, of which OBdev is already aware.

I use both Firefox and Safari with ad/noscript/bug blockers.

Very few websites are allowed total ad/noscript/bug access in my browsers and I enable/disable ad/noscript/bug access on a session by session basis.
Granted, I do a lot of clicking but I'm much more safe than most users and go to a lot of sketchy sites.

All of the above is done in "Effective in all profiles" preset.

I also use vpn and torrent programs. Each has its own profile that is activated when in use with its own set of rules.
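
Both the primer's "Services" passage (ideally nothing listening below 49152, DNS on 53/5353, DHCP on 67/68) and RLD's policy of blocking ports below 1030 come down to one question: what is this Mac actually offering, and to whom? The block below is an added example, not code from the thread or from Little Snitch or Intego. It parses the output of `lsof -nP -i` (macOS/BSD column layout), keeps only sockets that are serving, classifies each port the way the primer does (well-known / registered / dynamic) and distinguishes a listener bound to loopback from one reachable from the network. `SAMPLE_LSOF` is constructed to resemble a Mac running MAMP; the process names, PIDs and ports in it are made up.

```python
"""Listening-socket audit from `lsof -nP -i` output (added example, not from the thread)."""
import re
import sys
from ipaddress import ip_address

# Constructed sample output; not real output from anyone's machine.
SAMPLE_LSOF = """\
COMMAND        PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd          1           root   12u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
mDNSResponder   90 _mdnsresponder    6u  IPv4 0x3c4d      0t0  UDP *:5353
cupsd          312           root    7u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:631 (LISTEN)
httpd         1402        olivier    4u  IPv4 0x7a8b      0t0  TCP *:8888 (LISTEN)
mysqld        1410        olivier   10u  IPv4 0x9cad      0t0  TCP *:8889 (LISTEN)
Google        2210        olivier   33u  IPv4 0xbeef      0t0  TCP 192.168.1.20:52810->81.19.182.226:2083 (ESTABLISHED)
Google        2210        olivier   35u  IPv4 0xcafe      0t0  UDP *:*
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def port_class(port: int) -> str:
    """IANA port ranges, the same split the primer uses."""
    if port == 0:
        return "reserved"
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def split_endpoint(ep: str):
    """'127.0.0.1:631' -> ('127.0.0.1', 631); '[::1]:631' -> ('::1', 631); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (None if port == "*" else int(port))


def parse_lsof(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue                       # header or a line we do not understand
        local, _, remote = m["name"].partition("->")
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote) if remote else (None, None)
        rows.append({"cmd": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
                     "proto": m["proto"], "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport, "state": m["state"]})
    return rows


def _is_loopback(host: str) -> bool:
    try:
        return ip_address(host).is_loopback
    except ValueError:                     # "*" wildcard bind
        return False


def audit(rows: list) -> list:
    """Keep serving sockets only; rate network-reachable well-known ports highest."""
    findings = []
    for r in rows:
        if r["remote_host"] is not None or r["local_port"] is None:
            continue                       # connected client socket, or unbound UDP socket
        if r["proto"] == "TCP" and r["state"] != "LISTEN":
            continue
        reach = "loopback-only" if _is_loopback(r["local_host"]) else "network-reachable"
        cls = port_class(r["local_port"])
        sev = "info" if reach == "loopback-only" else ("high" if cls == "well-known" else "medium")
        findings.append({"cmd": r["cmd"], "pid": r["pid"], "proto": r["proto"],
                         "port": r["local_port"], "bind": r["local_host"],
                         "port_class": cls, "reach": reach, "severity": sev})
    return findings


def report(findings: list) -> list:
    return ["%-6s %s/%-5d %-10s %-17s bound to %-10s %s (pid %d)"
            % (f["severity"], f["proto"], f["port"], f["port_class"], f["reach"],
               f["bind"], f["cmd"], f["pid"]) for f in findings]


if __name__ == "__main__":
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(audit(parse_lsof(text)))))
```

Run it as `sudo lsof -nP -i | python3 audit.py` to see sockets owned by every user (without `sudo`, lsof only shows your own processes); with no input it audits the constructed sample. Anything rated "high" is a privileged service reachable from the network and deserves either a block rule or a reason to exist.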

hedgert
Posts: 3
Joined: Sat Nov 23, 2013 5:31 pm

Re: Which rules to set for incoming connections

Postby hedgert » Sat Jan 20, 2018 7:28 pm

Interesting thread!
I've used Little Snitch for a long time and think it's great.
After a recent OSX upgrade (to 10.13.2) I'm noticing quite regular incoming connections from my local network to Google Chrome. I use Safari most of the time, only when I find an awkward website that doesn't work on Safari do I switch - so maybe this has always been happening (not just after the OSX upgrade). LS is set to block these incoming connections - and reading the post here I see incoming connections from local network are usually permitted - and I agree my local network (which is me, my wife and our various devices) should be pretty safe. But my question is what would generate an incoming local network connections to Google Chrome?
When I look further, the incoming connection is from 192.168.49.1 - now my two subnets on my internal network are 192.168.0.x and 192.168.1.x
So does this mean that the "49" address is actually outside my network - and perhaps some hack attempting to appear like my local network?
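
Whatever the firewall's "local network" label covers, the concrete check for a question like the one above is whether the source address lies in a subnet that one of the Mac's own interfaces is configured with. The block below is an added example, not code from the thread or from Little Snitch: it parses macOS-style `ifconfig` output (hex netmasks), derives each interface's subnet, and classifies an address as on a known interface, private but on no interface, link-local or public. `SAMPLE_IFCONFIG` is constructed from the two subnets the post names; the interface names and host addresses in it are assumptions. A private address that matches no interface is not by itself proof of something outside the network: the usual explanation is another network attached to the Mac (a second adapter, a VPN, a tethered phone or a virtualization bridge), so compare the result with the real `ifconfig` and `netstat -rn` output before concluding anything.

```python
"""Map a source address to the interface/subnet it belongs to (added example, not from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed macOS-style ifconfig output: the two subnets the post describes plus loopback.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.0.15 netmask 0xffffff00 broadcast 192.168.0.255
"""

IFACE_RE = re.compile(r"^(\w+):\s+flags=")
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+0x([0-9a-fA-F]{8})")


def parse_ifconfig(text: str) -> dict:
    """Return {interface: [IPv4Network, ...]} from BSD/macOS ifconfig output."""
    nets, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            nets.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current:
            prefix = bin(int(m.group(2), 16)).count("1")   # 0xffffff00 -> /24
            nets[current].append(ip_network("%s/%d" % (m.group(1), prefix), strict=False))
    return nets


def locate(addr: str, nets: dict):
    """Name of the interface whose subnet contains addr, or None."""
    ip = ip_address(addr)
    for iface, subnets in nets.items():
        if any(ip in n for n in subnets):
            return iface
    return None


def classify(addr: str, nets: dict):
    ip = ip_address(addr)
    iface = locate(addr, nets)
    if iface:
        return "configured-local", iface
    if ip.is_loopback:
        return "loopback", None
    if ip.is_link_local:                    # 169.254/16: self-assigned, no DHCP answer
        return "link-local", None
    if ip.is_private:                       # RFC 1918 space, but on none of our interfaces
        return "private-not-on-any-interface", None
    return "public", None


if __name__ == "__main__":
    nets = parse_ifconfig(SAMPLE_IFCONFIG)
    for a in ("192.168.49.1", "192.168.1.33", "192.168.0.7", "81.19.182.226"):
        print(a, classify(a, nets))
```

On the real machine, feed `ifconfig` output in place of the sample and then check `netstat -rn` for the route that would reach the address; the interface that route names is where the connection is coming from.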
