When we talk about rules and connections in the Connection List, you should keep one thing in mind: A line in Network Monitor does not really represent one connection, it represents a class of connections matching the line’s criteria.
On the first level, the class consists of all connections established by instances of the same program. On the second level, the class is restricted to servers in a particular domain. And on the third level, it’s restricted to particular server names or addresses. That can still be a bunch of connections with various protocols, to various ports and different Internet addresses for the same name.
The Rule Management Button is part of every line in the Connection List. It displays whether all or any connections represented by the line are covered by an allow or deny rule.
When you click the allow- or deny-part of the button, you create a rule which matches exactly the same class of connections as the line represents. We call it an associated rule. This is a very quick and convenient way to create rules for all your connections at any hierarchy level.
The button can have the following states:
|None of the connections represented by the line is matched by a rule (button is only shown when hovering with the mouse). Any new connections in its class trigger a connection alert or Silent Mode Activity Indication (see below).|
|There is an allow rule associated with the line. It matches the same class of connections as represented by the line.|
|There is a deny rule associated with the line.|
|Connections represented by this line are matched by an allow rule. The rule may match more connections than represented by the line or it may match only a subset. You may find the allow rule at a deeper or higher level, if it can be represented in Network Monitor (port- or protocol-specific rules, rules for “Any Process” cannot be represented).|
|Connections represented by this line are matched by a deny rule, analogous to above.|
|There is an associated allow rule for the line, but some or all connections are also matched by a deny rule which takes precedence over the allow rule. You may find it at a deeper level, if it can be represented in Network Monitor.|
|Analogous to above, but deny and allow exchanged.|
|Some of the connections represented by the line are matched by an allow rule, some by a deny rule. Neither the allow, nor the deny rule matches the same class of connections as represented by the line.|
|At least some of the connections represented by the line are not covered by a rule and had activity during Silent Mode. They would have triggered a connection alert without Silent Mode. Click disclosure triangles to see more properties of the not-yet-covered connections and decide at which level you want to create a rule.|
|A (possibly minimized) connection alert is pending for at least one of the connections represented by the line. The connection is said to be stalled because it’s waiting for you to create a rule, either directly in Network Monitor by clicking the Rule Management Button or via the connection alert. Click disclosure triangles to see more details and create a more specific rule.|
|An extra-high priority deny rule isolates the process from the Internet. This rule was created as a consequence of a failed process identity check. Click the button to delete the rule and accept the modification to the process.|
All lines in the Connection List have a context menu shown on right-click. The following options are relevant for rule management:
- Delete Rule — If there is a rule associated with the line, an option to delete it.
- Allow Connection — An option to create an associated allow rule. When the option key is held, the rule is created in the current profile. If the connection is stalled, an until-quit-rule can be created by holding the shift key.
- Deny Connection — An option to create an associated deny rule. Same option and shift key modifications as above.
- Remove “Unconfirmed” Indication — If the connection had activity in Silent Mode, this option removes the indication without creating any rules.
- Make Connections Private… — Creates a “Private Connections” rule for a process. If such a rule is in effect, Network Monitor does not show individual connection data for the process. All statistics are summarized in a “Private Connections” line.
- Show Corresponding Rule — The Rule Management Button shows whether rules for the line exist, but it can’t show details. This option opens Little Snitch Configuration and focuses on all rules matching connections represented by the line. Note that only rules matching actually represented connections are shown. Connections which never occurred, but would be represented by the line, are not taken into account.
- Show Recently Used Rule — This entry reveals rules in Little Snitch Configuration which have been used within the last 10 minutes to decide whether or not to allow connections represented by the line. It is only available if new connections were made within the last 10 minutes.
If an application does not perform as expected and you suspect that Little Snitch may be blocking a connection which is essential for the app, you can analyze the issue in Network Monitor.
Check the Rule Management Button for the application. Is the deny-part red or gray, indicating the existence of a deny rule affecting it? Choose Show Corresponding Rule… from the context menu to see all rules affecting the application at the respective level. Or use Show Recently Used Rule if you see that a connection was blocked and you want to see the responsible rule.
Was this help page useful? Send feedback.
© 2016-2021 by Objective Development Software GmbH