
steve62388

Original poster
I picked up Little Snitch the other day. I think (I hope?) I have pretty much got the hang of it and seem to be getting on well with most settings.

What's causing me grief is Safari. I can't decide whether to just open up everything in Safari, but that defeats the purpose of Little Snitch a bit.

Or I can configure every site manually, but that's incredibly laborious. I have discovered that starting from a blank slate and then approving each site as I go is a crazy amount of work. Each site opens multiple connections and by defaulting to blocking all of them you often discover a feature on the site doesn't work properly. It then takes a while to figure out which connection you blocked that caused the problem.

How do you have Little Snitch configured for Safari?
 
I just approve as they pop up, which is only a little work up front, and shove those rules into All Applications once in a while. Except Safari, because apparently All Applications doesn't apply to anything that connects through Websockets, but I don't use Safari very often.
 
Sorry, I don't understand your comment. What do you mean 'shove those rules into All Applications'? You mention 'except Safari' but that's what I am having difficulty with, I'm pretty much on top of my apps.

I find sites open perhaps ten different links each and most of them seem like they could be undesirable. Block them all and the website stops operating properly, spend 20 minutes trying to figure out what rule block broke which part of the website. Multiply that by every website I visit (it's a lot) and I'll be an old man by the time I have got LS set up correctly. I find it hard to believe that LS makes browser configuration such a difficult chore, so I assume I'm doing something wrong.
 
I allow all HTTP/HTTPS connections in Safari and use a content blocker for the trackers.
 
This ^^^. Allow Safari to access any address on ports 80 (http) and 443 (https). It's a web browser, that's what it's designed to access. Run a separate content blocker if you wish to block trackers. I take a very dim view of web pages that want to open up connections to other ports (besides 80/443), and normally deny those.

Little Snitch is good, but it takes a lot of dealing with its pop-up dialogs initially, to get it reasonably configured. Get used to going into the "Rules..." page periodically to clean things up (look at the "Unapproved Rules" section to see if there are rules you want to make permanent, and the "Duplicate Rules" section for things you can delete).

Also, I frequently find myself switching rules in the pop-up dialog from, say, "hostname www.example.com" to "domain example.com" to avoid all the subsequent requests for "foo.example.com", "bar.example.com", etc. - if I trust the app to talk to one of them, I probably trust it to talk to all of them.
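
The difference between the rule scopes discussed in the post above (hostname, domain, and "any address on ports 80/443"), as an added example that is not part of the original thread. It is a simplified Python model, not Little Snitch's own rule engine or rule format; the `Rule` class, `decide` and `prompts` functions and the sample connections are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    kind: str                        # "hostname" (exact), "domain" (name + subdomains), "any"
    target: str = ""
    ports: frozenset = frozenset()   # empty set means any port

    def matches(self, host: str, port: int) -> bool:
        host = host.lower().rstrip(".")
        if self.ports and port not in self.ports:
            return False
        if self.kind == "any":
            return True
        if self.kind == "hostname":
            return host == self.target
        # "domain": match on a label boundary, so "notexample.com" is NOT inside "example.com"
        return host == self.target or host.endswith("." + self.target)

def decide(rules, host, port):
    """Assumed precedence: narrower scope first, then list order. No match = user is prompted."""
    order = {"hostname": 0, "domain": 1, "any": 2}
    for rule in sorted(rules, key=lambda r: order[r.kind]):  # stable sort keeps list order
        if rule.matches(host, port):
            return rule.action
    return "prompt"

WEB = frozenset({80, 443})

# Constructed connection attempts from a single page load.
ATTEMPTS = [("www.example.com", 443), ("foo.example.com", 443), ("bar.example.com", 80),
            ("notexample.com", 443), ("cdn.example.net", 8443)]

def prompts(rules):
    """Connections that would still raise a pop-up under the given rule set."""
    return [(h, p) for h, p in ATTEMPTS if decide(rules, h, p) == "prompt"]

HOSTNAME_ONLY = [Rule("allow", "hostname", "www.example.com", WEB)]
DOMAIN_WIDE = [Rule("allow", "domain", "example.com", WEB)]
# Browser policy from the post: any address on 80/443, everything else denied.
BROWSER_POLICY = [Rule("allow", "any", ports=WEB), Rule("deny", "any")]

if __name__ == "__main__":
    for name, rs in [("hostname", HOSTNAME_ONLY), ("domain", DOMAIN_WIDE), ("browser", BROWSER_POLICY)]:
        print(name, "-> still prompts for:", prompts(rs))
```
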
 
Right, that makes sense. My philosophy of trying to manage all browser connections manually was wrong. That's an easy enough change to make.

So how do you go about reining in your macOS dial outs? Are you pretty relaxed about it and let all of them through? Or do you try and restrict as many as possible, leaving only the bare minimum that macOS needs?
 

I usually let it through if it makes sense to me and I understand the program. If I question where it is going, I will do an IP lookup to determine my thoughts on allowing or not allowing the connections. I tell my family to use the deny button by default. It only denies until the process quits by default, so it won't do any permanent blocking if they do that.

Nabby
 
There's probably a balance.. On one hand u wanna be pestered with every connection to know what is making that hidden call to server... On the other hand, u don't want it getting in the way too much either..

Same things can be said about firewalls .... It's just the act of not knowing which kind of scares u.. so therefore u should be alerted..
 