The rule set
Little Snitch’s behavior is predominantly defined by a set of rules. When Little Snitch sees a new connection attempt, it first consults the rule set. If any matching rules are found, the one with the highest precedence determines the action taken. If none is found, the default action is taken: In Alert Mode, a connection alert is shown and in Silent Mode the connection is immediately allowed or denied.
In order to learn whether a rule matches a particular connection, see section Anatomy of a rule. It describes the rule’s properties and explains how they relate to connections.
In the rest of this section we'll explain what happens if multiple rules in the rule set match the connection. The general concept is that more specific rules take precedence over (they override) more general rules. This concept is easy to remember and in most cases it’s obvious which rule is more specific.
Comparing precedence of two rules
In order to find the rule with the highest precedence among matching rules, it must be possible to compare rules by precedence. The algorithm is as follows:
- Rules with different Connect Direction property cannot match the same connection, this property is irrelevant for precedence comparison.
- If the Priority property differs, the one which has Priority set wins.
- The Server properties are compared. The rule with the higher precedence Server property wins. The types have the following precedence (high to low):
- Internet address or ranges thereof.
- Full host names or lists thereof.
- Domain names or lists thereof.
- DNS Servers.
- Broadcast addresses.
- Multicast addresses.
- Bonjour addresses.
- Local Network addresses.
- Any Server.
- Berkeley Packet Filter — Precedence is irrelevant because it cannot match the same connection as the other types above.
- If both rules have the same precedence until now (and thus the same type of Server property). the server properties are compared further. Shorter lists win over longer, shorter ranges win over longer, domains with less labels win over domains with more labels.
- The rule with the shorter port range wins. Any Port is translated to 0-65535. If they have the same length, the one which starts at a lower port number wins.
- If the Protocol properties differ, the one with a specific protocol wins over a rule with Any Protocol. Rules with different specific protocols cannot match the same connection and precedence is irrelevant.
- Rules matching a particular process win over rules for Any Process.
- Rules for a via-construction (process via tool) win over single process rules (just process or just tool).
- Rules with a specific Process Owner win over global rules. Rules for different specific owners cannot match the same connection and precedence is irrelevant.
- Deny rules win over allow rules.
- Allow rules win over ask-for rules.
Sort by precedence
Determining rule precedence by hand may be tedious. Little Snitch Configuration can help. See section Inspect and analyze rules for more information about analyzing rule precedence with Little Snitch Configuration.
Was this help page useful? Send feedback.
© 2016-2021 by Objective Development Software GmbH