On 2007-10-25, D P Schreber wrote:
>> The software firewall built into the Mac OS, accessible in the
>> Network preference pane, serves much the same purpose.)
> The kernel firewall in osx can do _far_ more than simply blocking
> incoming traffic. One of the many things it can do is block and
> log all outgoing connection requests except to specific ports.
> The Network Preference gui is simple, the firewall itself is not.
I think the distinction between ipfw and Little Snitch that the
parent poster didn't manage to clearly make is that Little Snitch
integrates into OS X such that it can block or permit outgoing
traffic on a process or application-specific basis, which ipfw
>> You need both. (Well, IMO, anyway.)
> Given the current lack of malware for osx on the one hand, and the
> flexibility of the kernel firewall on the other (if you take the
> time to learn how to use it), I don't see much point to Little
> Snitch. There's nothing wrong this utility and certainly it won't
> do your system any harm. If it gives you the warm-fuzzies to use
> it, by all means do so. But from the security perspective no one
> really needs it.
Little Snitch can be sort of a pain to use, especially for a Unix
guy. For instance, I shelled into my iMac from campus one day to
start a long HTTP download so that it would hopefully be complete by
the time I got home; however, for some reason wget couldn't contact
the Web server. I was confused about this until I got back to my
apartment and saw the Little Snitch dialog box asking me whether
wget had my permission to make said network connection.
Also, interpreted languages provide a problem for Little Snitch (as
well as the various Windows firewalls which do the same thing).
Little Snitch cannot distinguish between Python App A and App B; for
either program, it simply asks whether you give "python" (as in the
Python interpreter) permission to make a network connection. So if
I tell Little Snitch to give BitTorrent (a Python application)
permanent network access, then it won't do anything to block any
potential Python-based malware that I might become infected with.
That's not the only problem with Little Snitch's approach, either.
If a spyware author wanted to be really crafty, he could hijack a
Web browser on the system (already whitelisted by Little Snitch!) to
send your private information to a Web server as part of a GET or
POST request. Or he could even encapsulate such information within
a series of DNS queries (see iodine et al.), in which case it would
pass straight through lookupd without any intervention from Little
Snitch whatsoever. And there are any number of other ways of
smuggling data out of the system, which together become impossible
to entirely guard against on current OS architectures, apart from
denying malware access to your computer in the first place.
All that said, Little Snitch does provide some level of protection
against naïvely-written malware; and sure, there isn't much (any?)
malware targeted at OS X just yet, but if we were to all be
surprised by some Macintosh spyware attack one day, wouldn't it be
nice to have such a line of defense already in place? So, all these
flaws aside, I do use Little Snitch anyway, on top of my Macs' ipfw
firewalls and pf on my OpenBSD gateway -- and, most importantly,
good old-fashioned conscientious use of administrative privileges.
Another brick in the firewall never hurts (if it isn't too
inconvenient for you personally), as long as you don't allow it to
lull you into a false sense of security.
As I understand it, Leopard will incorporate some kind of Little
Snitch-like firewall functionality of its own. This will be an
interesting thing to try when I get around to making the upgrade...
http://markshroyer.com/ >> Stay informed about: Router Firewall and Little Snitch