Snitchery
Mapspushd Little Snitch Movie
![Mapspushd Mapspushd](/uploads/1/2/6/0/126068168/337434023.png)
Oct 26, 2019 I've been noticing Little Snitch always having a bar or two of activity (up and down) and decided to look into it. What I found was locationd has sent nearly 8GB of data to a variety of IP addresses (100+) over 54 hours. Not in bursts, but as a slow, steady trickle - About 35KB/s on average. I installed Little Snitch a long time ago but haven't really paid much attention to creating the configuration and generally tend to allow any connection it asks, as long as it sounds legit, but.
Little snitch Rule set(s)
Installation:
- Open Littledsnitch config
- Place hot_pocket in wave: do
- cook on high for 2.5 min
- click import rules (where applicable i.e. 'all over')
Theory / Mechanics / General Thoughts
Litle snitch has some really amazing features, namely, auto profile switching for different networks.
I always begin with setting a 'deny connections' for everything, then, allowing what I need. It took me a long time to figure this part out. This will save you from having a pop up every goddamn second when you fire this baby up.
When you import these rules you'll most certainly have applications that I don't and vice versa. You will see this expressed in the approprate menu on the left side of the Little Snitch config.
This set is nowhere near finished but it's a great starting point for someone to 'train' their own firewall. My general 'rule of thumb' (sorry ladies) has been to adhere to the rule of least permissions. This is great in theory but unfortunately in the real world it becomes extrememly annoying to approve rules on a domain by domain basis. So, I have been training the snitch via Port and Protocol and not the full-on, super annoying, domain based rules.
Rules and Profiles
Profiles:
- Home
- Obviously, home network with very permissive rules.
- Hotspot
- This one is a work in progress as I rarely use 'hotspots'
- iPoop (iPhone)
- This is similar to the Hotspot but should be used with a 'trusted device'
- Public
- Super strict ruleset for public networks.
- Public +
- Similar to Public but a bit more permissive in order to get work done.
- Vadded (VPN)
- I used mullvad as my preferred VPN provider for a long time. Now, I configure my own VPN's through digital ocean. The idea is the same either way, because of encryption, we can use this as the permissive set.
Rules:
- Effective in all profiles
- Only the default system bits and VPN connectivity.
- Home
- accountsd (443)
- Addressbook (443)
- Adobe desktop service (DENY) (I HATE THE AMOUNT OF ADOBE BS.)
- AGS (see above)
- Airplay (7000)
- AKD (443)
- Alfred (443)
- Atom (443)
- Calender Agent (443)
- Clip Menu (DENY)
- CloudD (443)
- com.geod (80, 443) (For device tracking)
- Safe Browsing (443)
- Contacts (443)
- Core Sync (Adobe) (DENY)
- Creative Cloud (443)
- Docker (443)
- Firefox (ANY)
- Gamed (DENY) (I fucking hate gamed!)
- Google Update (DENY) (I prefer to do this manually)
- helpd (DENY) (i google anyway)
- imagent (5523) (This is for messages to work)
- iStat Menus (443)
- iTerm2 (ALLOW ALL)
- iTunes (443)
- ksfetch (DENY) (This is for google update and I have no faith in google. Again. Manually take care of updates. Also, when / if you use Chrome it will tell you there're updates anyway.)
- Little Snitch Update (443)
- locationd (443) (This is for find my mac to work. I always keep this enabled for all profiles because if my laptop is ever stolen, i'd hate to have little snitch block me from finding it! (this HAS happened to me!))
- Scott storch vst cracked download. Mail (443, 585, 143, 993, 465)
- mapspushd (443 to domain: apple)
- MEGAclient (ANY)
- Messages (DENY 80, ALLOW 443)
- nbagent (ANY) (This is for NETBIOS and the Bonjour service as far as I have read.. I need to play with this one a bit more)
- node (ANOTHER ADOBE BS.. DENY)
- node (for creative cloud allow 443)
- nsurlsessiond (ANY) (This is for proper name server addressing. I need to investigate this one as well)
- OPENVPN (ALLOW ANY) (both user processes and system)
- photolibraryd (DENY) (I don't use the photo cloud BS.. so.. deny.)
- Photos Agent (443) (as far as I can tell, this one is just for photo app updates and the like.)
- Safari (ANY)
- Slack (443)
- SoftwareUpdateD (deny) (i need to revisit this one)
- Spectacle (443) (another one I need to revisit)
- Stocks (443)
- Store Accountsd (ANY)
- Store Assets D (443)
- Thunderbird (DENY 80, ALLOW mail protocol ports only)
- Transmission (DENY) (We don't want un-encrypted torrents on our home network do we?)
- Unity (443)
- User event agent (80) (revisit)
- Weather (443 to apple only)