Incoming Rule Assistance Needed - Dynamic IP

General discussions about Little Snitch
KShapiro
Posts: 3
Joined: Thu Feb 19, 2015 1:10 pm

Incoming Rule Assistance Needed - Dynamic IP

Post by KShapiro » Tue Feb 24, 2015 9:29 am

Hi,

I have my desktop at home where I am doing a project with a few other people. My machine is basically going to be the machine that we all log into to get some work done. I am running OS X 10.10.2 and the latest LS. I am getting lots of undesired incoming connection attempts via sshd and launchd, and screen sharing bundle. I currently have everything set to deny, and have not needed to do any work outside, so that hasn't been an issue until now.

I may wish to Remote Desktop or VNC, as well as ssh, etc., which would use ports 3283, 5900, 22, etc. No problem port forwarding the router. I also will be taking my laptop with me to do work at their homes. This is where the issue comes from. I have a DynDNS Pro (Dyn.com) account, which updates my laptop's IP address at Dyn.com regularly. I have set a hostname for my laptop, and I can also have hostnames for the other people and their IP addresses if needed.

I would like to set deny rules for the general case for (sshd, launchd, and screen sharing bundle), from everyone except these hostnames. When I create the rule, I can put in the hostname (even where it says IP address, since there is no hostname or domain offering), and it gets the correct IP address, but I won't be at that address guaranteed when I am somewhere else, and it converts the hostname to the IP address (not dynamic; it doesn't look up the hostname at the time of the connection to get the IP address). Also, I can't just use the other people's IP addresses to make additional rules since they are dynamic IPs as well, and will change their IP addresses at unknown times.

Is there a way to set up these rules? (Or do I have to allow all connections, since I don't know from what IP address I will be attempting to connect when I am away from my home?) I really don't want all of these undesired ssh and screen sharing bundle connections being allowed.

Someone please help.

Thank you.

Best Regards,
Kevin Shapiro

jmyera
Posts: 1
Joined: Sun Mar 15, 2015 1:01 pm

Re: Incoming Rule Assistance Needed - Dynamic IP

Post by jmyera » Sun Mar 15, 2015 1:05 pm

I have the same problem, please help. Thanks.

dberry
Posts: 1
Joined: Tue Oct 28, 2014 2:54 pm

Re: Incoming Rule Assistance Needed - Dynamic IP

Post by dberry » Tue Mar 17, 2015 10:42 pm

I have had this problem for years and haven't found a satisfactory solution yet. The closest thing is to use "back-to-my-mac" (BTTM), a setting in the iCloud system preferences, and set up rules to allow incoming connections from the Apple BTTM servers. This used to work very well when I've traveled all over the world, including from my house to my office. Although you can set up services like ssh, etc., to work directly through BTTM, I also like to set "static" rules between my home and office, and these need to be manually changed when my home (FIOS) DHCP changes every 6 months or so. I would typically just connect via VNC (screen sharing) to work via BTTM, and update the 3-4 rules that need the new IP address for home. Since this wasn't necessary more than once or twice a year, I could live with it.

Unfortunately, BTTM has been very flaky ever since I updated the OS to Yosemite last fall (and through the most recent non-beta release, 10.10.2). All my remote devices show up under "Shared" in the Finder sidebar only about 50% of the time, unless I manually turn BTTM off then on again in the system preferences. It's POSSIBLE that some of my Little Snitch rules are messing up the way BTTM works, but it wasn't an issue before 10.10.

Sadly, my home IP changed last night, and BTTM isn't working, so I can't connect remotely to my office desktop by any means at the moment. Well, I DID ssh from home into a different Unix box at work (non-Mac, no Little Snitch), then ssh'd from there into my desktop Mac (allowed because the work machine had its own rule in Little Snitch). This is OK for ssh-type stuff, but doesn't fly for VNC to share the desktop, etc., from home.

To the OP: There is a good explanation in the FAQ about why rules for incoming connections require specific IP addresses and not domains or CNAMEs (for those of us who use a FreeDNS domain). Basically, there is no DNS resolution when checking incoming connection rules (easy to spoof, etc.).

Ideally, I think the solution we would all like is a script that runs on the remote machine that can sense when the local DHCP address has changed and updates the remote Little Snitch rules by substituting either a variable for the new local IP assigned by DHCP, or just writing a new permission rule. Yes, this does represent some level of security hole, but would be one I can live with.

OBTW, there is a setting in the LS preferences to allow/disallow GUI scripting. This implies that a macro running in the GUI can be allowed to modify LS (turn it off, maybe write rules?). I suppose it might be possible with Automator or AppleScript, but I haven't gotten desperate enough yet. I'll just fix it when I go into my office tomorrow...

A very good solution, IMO, is just to use BTTM - IF it would go back to working like it used to pre-Yosemite.
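The "noticing" half of the script idea above (poll the DynDNS hostnames, detect when an address moved, report which incoming-rule IPs are now stale) can be written without touching Little Snitch at all. The following is an added example, not code from the forum post or from Little Snitch; the hostnames and addresses in it are constructed, and how the reported IPs get into the rules is left to the operator (manual edit or whatever rule tooling the installed version offers), because incoming rules hold a literal IP and no DNS lookup happens at connection time. It rejects private, loopback and link-local answers rather than silently allowing them, since a DynDNS name that suddenly resolves to a LAN address is something to look at, not to allowlist.

```python
"""Poll DynDNS-style hostnames and report which incoming-rule IPs are stale.

Added example (hypothetical hostnames); it does not modify Little Snitch rules.
"""
import ipaddress
import json
import socket
from pathlib import Path

# Answers that must never end up in an incoming allow rule for a remote peer.
_NEVER_ALLOW = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_routable_ipv4(text):
    """True for a syntactically valid, non-private, non-multicast IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    if addr.is_multicast:
        return False
    return not any(addr in net for net in _NEVER_ALLOW)


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def diff_allowlist(hostnames, previous, resolve=resolve_ipv4):
    """Compare fresh DNS answers with the addresses currently in the rules.

    previous maps hostname -> sorted list of IPs the rules were written with.
    Returns a report: current (what the rules should contain now), stale
    (host moved: old vs new), new (host not seen before), rejected
    (non-routable answers, left out of current) and unresolved (lookup failed;
    the previous address is kept so a transient DNS error does not drop a rule).
    """
    report = {"current": {}, "stale": [], "new": [], "rejected": [], "unresolved": []}
    for host in hostnames:
        try:
            answers = resolve(host)
        except OSError:  # socket.gaierror is a subclass
            report["unresolved"].append(host)
            if host in previous:
                report["current"][host] = list(previous[host])
            continue
        good = sorted(a for a in answers if is_routable_ipv4(a))
        for bad in sorted(answers - set(good)):
            report["rejected"].append({"host": host, "address": bad})
        if not good:
            continue  # nothing safe to allow for this host
        report["current"][host] = good
        old = previous.get(host)
        if old is None:
            report["new"].append({"host": host, "new": good})
        elif set(old) != set(good):
            report["stale"].append({"host": host, "old": list(old), "new": good})
    return report


def load_state(path):
    """Read the hostname -> [IP] mapping the rules were last written with."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_state(path, current):
    Path(path).write_text(json.dumps(current, indent=2, sort_keys=True))


if __name__ == "__main__":
    import sys
    # Hypothetical hostnames; replace with the names you register at Dyn.com.
    hosts = sys.argv[1:] or ["laptop.example-dyndns.invalid", "alice.example-dyndns.invalid"]
    state_file = "ls_incoming_allowlist_state.json"
    rep = diff_allowlist(hosts, load_state(state_file))
    for item in rep["stale"]:
        print(f"UPDATE RULE {item['host']}: {item['old']} -> {item['new']}")
    for item in rep["new"]:
        print(f"ADD RULE {item['host']}: {item['new']}")
    for item in rep["rejected"]:
        print(f"REJECTED {item['host']} answered with non-routable {item['address']}")
    for host in rep["unresolved"]:
        print(f"UNRESOLVED {host} (keeping previous address)")
    save_state(state_file, rep["current"])
```

Run it from cron or launchd on the machine that owns the rules; each run prints only the rules that need attention and persists the addresses it expects the rules to contain, so the next run diffs against what was actually applied rather than against the last DNS answer.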

sims10
Posts: 13
Joined: Wed Nov 10, 2010 4:55 am

Re: Incoming Rule Assistance Needed - Dynamic IP

Post by sims10 » Thu Apr 23, 2015 4:23 am

After at least two hours of time wasted I landed here. My BTTM is not working either.
I hope somebody from Little Snitch will comment here...
