Rules
Rules are the basic building blocks used to describe what to do with a connection. A rule consists of the following groups of properties:
- Condition properties: These properties determine whether the rule matches a given connection.
- Action property: This property determines what to do when the rule matches.
- Annotation properties: These properties keep track of when the rule was created or modified. They also contain a short text maintained by the user.
- Other properties: Miscellaneous other things.
Rule actions fall into three categories:
- Filter actions: whether to allow or deny the connection or to ask the user.
- Notification actions: whether to play a sound or show a user notification.
- Hide from Network Monitor: whether to suppress recording of connection history in Network Monitor.
A connection can be matched by more than one rule, but only one action in each category can be applied. Little Snitch chooses the action from the most specific matching rule in each action category. See the section about rule precedence below to learn what “more specific” means.
Condition properties
Connect direction
Connections can be initiated by your local computer (outgoing connection, the usual case), or by a remote computer (incoming connections, primarily seen on servers). Regardless of which computer initiated the connection (local or remote), data is exchanged in both directions.
A rule can be made to match only incoming, only outgoing or both types of connections.
Process pair
The process (usually an app) is the local endpoint of a connection. A rule can match a specific process, any process in a group of processes (e.g. all simulator processes or all processes which are part of the core Unix operating system) or any process.
We talk about process pairs because processes initiating or receiving connections may do that on behalf of other processes. When you use ping
in a Terminal window, rules for just “Terminal” will match, but you can be more specific and make a rule which requires “Terminal via ping”.
Processes can be recognized:
- by their file system path, or
- by their code ID
If a process is identifies by its path, Little Snitch can optionally verify the code identity (based on code signature) to ensure that the program was not replaced.
Process owner
Processes have an owner who is usually the user who started the process. Rules can be made to match only for processes with a particular owner, or they can match any owner.
The owner can also be the operating system (denoted as “System” by Little Snitch). System processes provide services to all users on the computer. Rules for system processes are therefore global. Technically speaking, Little Snitch treats all accounts with a user ID below 500 as system user, except 201 (which is the guest account) and -2 (nobody).
System processes and rules for system processes are marked with a gear wheel icon:
Server (remote computer)
This property can be one of:
- A list of domains — Matches remote computers where Little Snitch knows the name and the name is in any of the domains listed.
- A list of hostnames — Matches remote computers where Little Snitch knows the name and the name is listed exactly.
- IP addresses — Matches remote computers by Internet address. This property can contain individual IPv4 and IPv6 addresses and ranges of these addresses.
- Local network — Matches computers on [private networks], Bonjour addresses and Broadcast addresses. Usually these are your printer, your router and other computers in your house. But be careful: In an Internet Café, it also matches the computers of all the other people in the café.
- Broadcast addresses — Matches an address in your local network which is used for broadcasts. Messages sent to this address can be received by all computers in the network. Primarily used to find resources in your local network.
- Bonjour addresses — Similar to Broadcast Addresses, used to find resources in your local network.
- Multicast addresses — Matches Internet addresses in a particular range which is used to send data to multiple computers not necessarily in your local network.
- Berkeley Packet Filter — The Berkeley Packet Filter is a low level service of the operating system which can be used to eavesdrop all network communication of your computer or even other computers in your network. It can also be used to inject and receive any type of network packets.
While all of these options can be used to match outgoing connections, incoming connections cannot be matched by name or domain because the remote name is never known reliably.
Protocol
A rule can match on particular protocols only (such as TCP, UDP or ICMP) or on any protocol.
Port
Some protocols (notably UDP and TCP) allow multiple simultaneous connections between the same two computers. These connections are distinguished by port numbers. For outgoing connections, the rule matches if its port matches the connection’s remote port. For incoming connections, the rules’s port must match the local port where the connection is accepted.
Rules can match either a single port or a range of port numbers (e.g. 137-139) or any port.
Profile
A rule may be effective only when a particular profile is active. If this property is not set, the rule is effective in all profiles. Although this property has no connection counterpart, it determines whether the rule is consulted for matching or not.
Enabled
Rules can be enabled or disabled. Disabled rules never match, they behave as if they had been deleted. However, the information stored in the rule is not lost. The rule can be re-enabled at any time.
Action property
Actions affecting the network filter:
- Allow: Allow the connection. Neither the app nor the remote server notice that Little Snitch inspected the connection.
- Deny: Deny the connection. The app receives a network error.
- Ask: Pause the connection and ask the user. This is the same as if no rule had matched in alert mode.
Actions causing notifications:
- Play sound: Plays the sound chosen by the user.
- User Notification: Shows a user notification in the top right corner of the screen.
Actions affecting privacy:
- Hide from Network Monitor: Connections matched by these rules are not shown by Network Monitor and not recorded in the connection history.
Other properties
Lifetime
Rules can be set to expire at a particular time or event. This property describes when the rule expires. Possible options are:
- Never, the rule is permanent.
- When the process quits.
- When user logs out.
- When the system restarts.
- After a period of time.
Priority
If this property is set, it lifts the rule’s [precedence][precedence] over all other rules that don’t have it set. We recommend that you use priority rules sparingly.
Protected
Protected rules cannot be edited or deleted, but they can be disabled. Little Snitch Configuration uses a lock icon to indicate a protected rule.
Unapproved
This is an annotation property, it has no effect on rule matching. It lets you know that this rule is new and you have not marked it as “seen” yet. By convention, rules created in the Little Snitch app are always approved at creation time.
Rule precedence
We have already mentioned above that more specific rules have precedence over general rules. But when is a rule more specific?
- If the Priority property differs, the rule which has Priority set wins.
- The Server properties are compared. The rule with the higher precedence Server property wins. These types have the following precedence (high to low):
- Internet address or ranges thereof
- Full host names or lists thereof
- Domain names or lists thereof
- DNS servers
- Broadcast addresses
- Multicast addresses
- Bonjour addresses
- Local Network addresses
- Any Server
- Berkeley Packet Filter — Precedence is irrelevant because it cannot match the same connection as the other types above.
- If both rules have the same precedence until this point (and thus the same type of Server property), the server properties are compared further. Shorter lists win over longer lists, shorter ranges win over longer ranges, domains with less labels win over domains with more labels.
- The rule with the shorter port range wins. Any Port is translated to 0-65535. If they have the same length, the one which starts at a lower port number wins.
- If the Protocol properties differ, the one with a specific protocol wins over a rule with Any Protocol. Rules with different specific protocols cannot match the same connection and precedence is irrelevant.
- Rules matching a particular process win over rules for Any Process.
- Rules for a via-construction (process via tool) win over single process rules (just process or just tool).
- Rules with a specific Process Owner win over global rules. Rules for different specific owners cannot match the same connection and therefore precedence is irrelevant.
- Rules with a specific direction win over bidirectional rules.
- Deny-rules win over Allow-rules.
- Allow-rules win over Ask-rules.
Sort by precedence
Determining rule precedence by hand may be tedious. Little Snitch Configuration can help. See section Inspect and analyze rules for more information about analyzing rule precedence with Little Snitch Configuration.
Was this help page useful? Send feedback.
© 2016-2024 by Objective Development Software GmbH