The .lsrules file format
Remote rule gropus use a .lsrules
file, which is in JSON syntax as specified in this chapter. Such files can be exported using Little Snitch or created using a text editor or a script.
A simple example
Let’s start with a simple example that specifies a single rule for allowing software updates for LaunchBar:
{
"name": "LaunchBar Software Update",
"description": "This rule allows LaunchBar to check for updates.",
"rules": [
{
"action": "allow",
"process": "/Applications/LaunchBar.app/Contents/MacOS/LaunchBar",
"remote-hosts": "sw-update.obdev.at"
}
]
}
Blocklists
Before Little Snitch was able to read various blocklist formats, blocklists had to be represented as remote rule groups. The .lsrules
file still supports shortcuts for this type of blocklist. Using the above syntax, you’d have to repeat "process": "any"
and "action": "deny"
for each domain, host, or IP address. For thousands of rules, that can lead to unnecessarily large files which in turn lead to unnecessarily large downloads for every single subscriber.
Starting in Little Snitch 4.2, you can use a more compact format that looks like this:
{
"name": "Social Media Block List",
"description": "Blocks access to popular social media sites.",
"denied-remote-domains": ["facebook.com", "twitter.com", "youtube.com"]
}
Top-level keys
The top level of an .lsrules
file is a JSON dictionary with the following keys:
Key | Type | Description |
---|---|---|
name |
String | The name of the group. |
description |
String | A description of the rule group. |
rules |
Array of Dictionaries | The list of rules. See below for rule-level keys. |
To efficiently support blocklists, the following keys were added in Little Snitch 4.2:
Key | Type | Description |
---|---|---|
denied-remote-domains |
Array of Strings | A list of domain names. |
denied-remote-hosts |
Array of Strings | A list of hostnames. |
denied-remote-addresses |
Array of Strings | A list of IP addresses or ranges. |
denied-remote-notes |
String | The notes that should be repeated for each rule. The placeholder %REMOTE% will be replaced with the respective domain, host, or IP-address for each rule. |
You can mix all of these keys in a single .lsrules
file, i.e. you can define arbitrary rules in a rules
array next to a list of domains in denied-remote-domains
and a list of IP addresses in denied-remote-addresses
.
Rule keys
Each rule defined in the file is a JSON dictionary with the following keys:
Specifying the process
To define which processes a rule should match, you specify the executable of the process using the following keys:
- To match any process, use:
"process": "any"
- To match a specific process, use:
"process"
(String): A String containing the full path to the executable. For apps, this is path to the app’s executable, not the app wrapper. For example:/Applications/Safari.app/Contents/MacOS/Safari
"via"
(String, optional): If the rule should only match if the executable uses a specific helper tool, you can specify its path. For example, you could create a rule that matches “Terminal via ping” by setting"path"
to Terminal’s path and"via"
to ping’s path. Note that a rule for Terminal that has no"via"
will also match connections of “Terminal via ping”.
Processes can be specified by their absolute path (path based rules) or by their code ID. Code IDs are given as identifier.DEV_TEAM_ID/IDENTIFIER
. For Little Snitch, that would be identifier.MLZF7K7B5R/at.obdev.littlesnitch
.
Specifying the remote
The remote for the rule can be specified in multiple ways. You can only provide one of the following keys:
"remote-addresses"
: A String containing one or more IP addresses or ranges."remote-hosts"
: Either a String with a hostname, or an Array of Strings of hostnames."remote-domains"
: Either a String with a domain name, or an Array of Strings of domain names."remote"
: A String with exactly one of the following values."any"
"local-net"
"multicast"
"broadcast"
"bonjour"
"dns-servers"
"bpf"
(Berkeley Packet Filter, available starting in Little Snitch 4.4.3)
Other keys
Key | Type | Description |
---|---|---|
direction |
String, optional | The connection direction. "incoming" or "outgoing" , defaults to "outgoing" . |
action |
String, optional | The rule action. "allow" , "deny" , or "ask" . Defaults to "ask" . |
priority |
String, optional | The rule priority. "regular" or "high" . Defaults to "regular" . |
disabled |
Boolean, optional | Whether or not the rule is disabled by default. Defaults to false . |
ports |
String, optional | The ports the rule matches. Can be "any" for any port (the default), a single port (e.g. "443" ), or a range of ports (e.g. "123-456" ). |
protocol |
String, optional | The protocol the rule matches. Can be a numeric value as defined in /etc/protocols , like "6" for TCP, or the actual protocol name, like "tcp" . Defaults to any protocol. |
notes |
String, optional | The notes for the rule. |
Was this help page useful? Send feedback.
© 2016-2024 by Objective Development Software GmbH