Little Snitch 6 Help

Rules

Rules are the basic building blocks used to describe what to do with a connection. A rule consists of the following groups of properties:

Rule actions fall into three categories:

  1. Filter actions: whether to allow or deny the connection or to ask the user.
  2. Notification actions: whether to play a sound or show a user notification.
  3. Hide from Network Monitor: whether to suppress recording of connection history in Network Monitor.

A connection can be matched by more than one rule, but only one action in each category can be applied. Little Snitch chooses the action from the most specific matching rule in each action category. See the section about rule precedence below to learn what “more specific” means.

Condition properties

Connect direction

Connections can be initiated by your local computer (outgoing connection, the usual case), or by a remote computer (incoming connections, primarily seen on servers). Regardless of which computer initiated the connection (local or remote), data is exchanged in both directions.

A rule can be made to match only incoming, only outgoing or both types of connections.

Process pair

The process (usually an app) is the local endpoint of a connection. A rule can match a specific process, any process in a group of processes (e.g. all simulator processes or all processes which are part of the core Unix operating system) or any process.

We talk about process pairs because processes initiating or receiving connections may do that on behalf of other processes. When you use ping in a Terminal window, rules for just “Terminal” will match, but you can be more specific and make a rule which requires “Terminal via ping”.

Processes can be recognized:

If a process is identified by its path, Little Snitch can optionally verify the code identity (based on the code signature) to ensure that the program was not replaced.

Process owner

Processes have an owner who is usually the user who started the process. Rules can be made to match only for processes with a particular owner, or they can match any owner.

The owner can also be the operating system (denoted as “System” by Little Snitch). System processes provide services to all users on the computer. Rules for system processes are therefore global. Technically speaking, Little Snitch treats all accounts with a user ID below 500 as a system user, except 201 (which is the guest account) and -2 (nobody).

System processes and rules for system processes are marked with a gear wheel icon:

[Image: System process indication]

Server (remote computer)

This property can be one of:

While all of these options can be used to match outgoing connections, incoming connections cannot be matched by name or domain because the remote name is never known reliably.

Protocol

A rule can match on particular protocols only (such as TCP, UDP or ICMP) or on any protocol.

Port

Some protocols (notably UDP and TCP) allow multiple simultaneous connections between the same two computers. These connections are distinguished by port numbers. For outgoing connections, the rule matches if its port matches the connection’s remote port. For incoming connections, the rule’s port must match the local port where the connection is accepted.

Rules can match either a single port or a range of port numbers (e.g. 137-139) or any port.

Profile

A rule may be effective only when a particular profile is active. If this property is not set, the rule is effective in all profiles. Although this property has no connection counterpart, it determines whether the rule is consulted for matching or not.

Enabled

Rules can be enabled or disabled. Disabled rules never match; they behave as if they had been deleted. However, the information stored in the rule is not lost, and the rule can be re-enabled at any time.

Action property

Actions affecting the network filter:

Actions causing notifications:

Actions affecting privacy:

Other properties

Lifetime

Rules can be set to expire at a particular time or event. This property describes when the rule expires. Possible options are:

Priority

If this property is set, it lifts the rule’s precedence (see Rule precedence below) over all other rules that don’t have it set. We recommend that you use priority rules sparingly.

Protected

Protected rules cannot be edited or deleted, but they can be disabled. Little Snitch Configuration uses a lock icon to indicate a protected rule.

Unapproved

This is an annotation property; it has no effect on rule matching. It lets you know that this rule is new and you have not marked it as “seen” yet. By convention, rules created in the Little Snitch app are always approved at creation time.

Rule precedence

We have already mentioned above that more specific rules have precedence over general rules. But when is a rule more specific?

[Image: Sort by precedence]

Determining rule precedence by hand may be tedious. Little Snitch Configuration can help. See section Inspect and analyze rules for more information about analyzing rule precedence with Little Snitch Configuration.
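The following is an added illustration of the rule model described on this page, not Objective Development’s code. It models the condition properties (direction, process pair, owner, server, protocol, port as a single port or range, profile, enabled), the priority flag, and the independent choice of one action per category (filter, notification, hide). The page does not spell out how Little Snitch ranks “more specific” rules, so the specificity() score below is an assumption standing in for the real precedence rules; tie-breaking by list order is likewise a simplification of this model. The rule set and connections are constructed sample data.

```python
"""Toy model of Little Snitch-style rule matching (added example; the
specificity score is an ASSUMPTION, not the product's real precedence rules)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # an unset condition matches anything


def is_system_owner(uid: int) -> bool:
    """Page: UIDs below 500 are 'System', except 201 (guest) and -2 (nobody)."""
    return uid < 500 and uid not in (201, -2)


@dataclass
class Connection:
    direction: str          # "in" or "out"
    process: str            # e.g. "Terminal"
    via: Optional[str]      # e.g. "ping" when Terminal runs ping, else None
    owner_uid: int
    server: str             # remote host name (outgoing) or address
    protocol: str           # "tcp", "udp", "icmp"
    port: int               # remote port (out) or local port (in)


@dataclass
class Rule:
    name: str
    category: str           # "filter", "notification" or "hide"
    action: str             # filter: allow/deny/ask; notification: sound/notify; hide: hide
    direction: Optional[str] = ANY          # "in", "out" or ANY (= both)
    process: Optional[str] = ANY
    via: Optional[str] = ANY
    owner: Optional[str] = ANY              # "system", "user:<uid>" or ANY
    server: Optional[str] = ANY
    protocol: Optional[str] = ANY
    port: Optional[Tuple[int, int]] = ANY   # (lo, hi) inclusive; single port = (p, p)
    profile: Optional[str] = ANY
    enabled: bool = True
    priority: bool = False

    def matches(self, c: Connection, active_profile: Optional[str]) -> bool:
        if not self.enabled:                      # disabled = as if deleted
            return False
        if self.profile is not ANY and self.profile != active_profile:
            return False                          # not consulted in other profiles
        if self.owner == "system":
            owner_ok = is_system_owner(c.owner_uid)
        else:
            owner_ok = self.owner is ANY or self.owner == f"user:{c.owner_uid}"
        return (
            owner_ok
            and (self.direction is ANY or self.direction == c.direction)
            and (self.process is ANY or self.process == c.process)
            and (self.via is ANY or self.via == c.via)
            and (self.server is ANY or self.server == c.server)
            and (self.protocol is ANY or self.protocol == c.protocol)
            and (self.port is ANY or self.port[0] <= c.port <= self.port[1])
        )

    def specificity(self) -> int:
        """ASSUMPTION: one point per constrained property, two for a single port."""
        score = sum(x is not ANY for x in (self.direction, self.process, self.via,
                                           self.owner, self.server, self.protocol))
        if self.port is not ANY:
            score += 2 if self.port[0] == self.port[1] else 1
        return score


def decide(rules: List[Rule], c: Connection,
           active_profile: Optional[str] = None) -> Dict[str, str]:
    """One action per category from the most specific matching rule; a priority
    rule outranks every non-priority rule. Ties fall to list order (simplification)."""
    decision: Dict[str, str] = {}
    for category in ("filter", "notification", "hide"):
        hits = [r for r in rules if r.category == category and r.matches(c, active_profile)]
        if hits:
            best = max(hits, key=lambda r: (r.priority, r.specificity()))
            decision[category] = best.action
    return decision


# Constructed sample rule set (not a real Little Snitch configuration).
RULES = [
    Rule("Allow Terminal (out)", "filter", "allow", direction="out", process="Terminal"),
    Rule("Deny Terminal via ping", "filter", "deny", direction="out", process="Terminal", via="ping"),
    Rule("Allow Terminal via curl", "filter", "allow", direction="out", process="Terminal", via="curl"),
    Rule("Deny port 443 (priority)", "filter", "deny", port=(443, 443), priority=True),
    Rule("Deny all (disabled)", "filter", "deny", enabled=False),
    Rule("Deny all on public Wi-Fi", "filter", "deny", profile="Public Wi-Fi"),
    Rule("Notify on NetBIOS ports", "notification", "notify", protocol="tcp", port=(137, 139)),
    Rule("Hide Terminal from Network Monitor", "hide", "hide", process="Terminal"),
]

if __name__ == "__main__":
    ping = Connection("out", "Terminal", "ping", 501, "example.com", "icmp", 0)
    print(decide(RULES, ping))   # "Terminal via ping" beats the plain Terminal rule
```

Walking through the sample set: a Terminal-via-ping connection is denied because the three-condition “via ping” rule is more specific than the two-condition Terminal rule; a Terminal-via-curl connection to port 443 is denied even though “Allow Terminal via curl” is more specific, because the priority flag on the port 443 rule lifts it over all non-priority rules; the “Deny all on public Wi-Fi” rule is only consulted while that profile is active; and the disabled deny-all rule never participates.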


© 2016-2024 by Objective Development Software GmbH