Comment by runjake

20 hours ago

Little Snitch is probably the most popular one, written by devs who deeply understand macOS firewall architecture.

https://obdev.at/products/littlesnitch/index.html

Little Snitch is a user-friendly, software-level blocker, only – use with caution.

Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.

You need isolated hardware for true inbound/outbound protection.

  • >Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

    This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?

    • >Are DNS queries blocked?

      No, not with LittleSnitch (neither in/out-bound).

      When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by upstream DNS provider (does not matter which option you select). This software pairs well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.
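
Added example, not part of the thread: one way to run the Pi-hole check the comments describe, listing hostnames that were denied in the prompt but still show up as DNS queries, and flagging query names that look like encoded data. It assumes dnsmasq-style query log lines; the log lines, hostnames, denied set and thresholds are all constructed for illustration.

```python
import math
import re
from collections import Counter

# dnsmasq-style "query" line (assumed log format for the Pi-hole query log)
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log: hostnames, addresses and timestamps are made up
SAMPLE_LOG = """\
Jan 05 10:12:01 dnsmasq[812]: query[A] updates.example.com from 192.168.1.20
Jan 05 10:12:01 dnsmasq[812]: forwarded updates.example.com to 9.9.9.9
Jan 05 10:12:07 dnsmasq[812]: query[A] telemetry.example.net from 192.168.1.20
Jan 05 10:12:07 dnsmasq[812]: forwarded telemetry.example.net to 9.9.9.9
Jan 05 10:12:31 dnsmasq[812]: query[TXT] 9f3c1a7be4d2068855aa01c3f7e6b2d49c10ffee.x.example.org from 192.168.1.20
"""

def parse_queries(log):
    """Return (qtype, name, client) for every query line in the log."""
    return [(m["qtype"], m["name"].lower(), m["client"])
            for m in map(QUERY_RE.search, log.splitlines()) if m]

def entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def denied_but_resolved(log, denied):
    """Hostnames the user denied in the prompt that still reached the resolver."""
    seen = {name for _, name, _ in parse_queries(log)}
    return sorted(seen & {d.lower() for d in denied})

def suspicious_names(log, max_len=32, min_entropy=3.5):
    """Names whose longest label is long, or mid-length and high-entropy:
    a rough signal for data carried in the query name itself."""
    hits = set()
    for _, name, _ in parse_queries(log):
        label = max(name.rstrip(".").split("."), key=len)
        if len(label) >= max_len or (len(label) >= 16 and entropy(label) >= min_entropy):
            hits.add(name)
    return sorted(hits)

if __name__ == "__main__":
    # Denied set is hypothetical: what the user clicked "Deny" on in the prompt
    print(denied_but_resolved(SAMPLE_LOG, {"telemetry.example.net"}))
    print(suspicious_names(SAMPLE_LOG))
```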