madjam002 4 hours ago

Does anyone know of any good firewalls for macOS? The built in firewall is practically unusable, and if client isolation can be bypassed, the local firewall is more important than ever.

I often have a dev server running bound to 0.0.0.0 as it makes debugging easy at home on the LAN, but then if I connect to a public WiFi I want to know that I am secure and the ports are closed. "Block all incoming connections" on macOS has failed me before when I've tested it.
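One way to check for exactly the exposure described above (a dev server left bound to 0.0.0.0) before joining an untrusted network, as an added example that is not part of this thread: filter `lsof -iTCP -sTCP:LISTEN -P -n` output for listeners bound to every interface. The sample output below is constructed; on a real Mac pipe the live `lsof` output into `wildcard_listeners`.

```shell
#!/bin/sh
# Added example (not from the thread). Lists TCP listeners bound to all
# interfaces, which is what a laptop exposes when it joins a new Wi-Fi network.
# Real use on macOS:  lsof -iTCP -sTCP:LISTEN -P -n | wildcard_listeners

# Prints "COMMAND ADDRESS" for every LISTEN socket whose local address is a
# wildcard (* as lsof prints it, 0.0.0.0, or [::]); loopback-only binds are skipped.
wildcard_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
    name = $(NF - 1)   # NAME column, e.g. "*:3000" or "127.0.0.1:5432"
    if (name ~ /^(\*|0\.0\.0\.0|\[::\]):[0-9]+$/) print $1, name
  }'
}

# Constructed sample in the layout `lsof -iTCP -sTCP:LISTEN -P -n` produces.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node      4242  dev    23u  IPv4 0xabc  0t0      TCP  *:3000 (LISTEN)
postgres  512   dev    7u   IPv4 0xdef  0t0      TCP  127.0.0.1:5432 (LISTEN)
python3   777   dev    3u   IPv6 0x123  0t0      TCP  [::]:8000 (LISTEN)'

# Runs the check against the constructed sample; returns the flagged lines.
demo_wildcard_listeners() {
  printf '%s\n' "$SAMPLE_LSOF" | wildcard_listeners
}

demo_wildcard_listeners
```

Anything this prints is reachable from the LAN you are on, regardless of what the OS firewall dialog claims; rebinding the dev server to 127.0.0.1 removes it from the list.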

runjake 4 hours ago | parent | next [-]

Little Snitch is probably the most popular one, written by devs who deeply understand macOS firewall architecture.

https://obdev.at/products/littlesnitch/index.html

ProllyInfamous 3 hours ago | parent | next [-]

Little Snitch is a user-friendly, software-level blocker, only – use with caution.

Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.

You need isolated hardware for true inbound/outbound protection.

gruez 3 hours ago | parent [-]

>Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?

ProllyInfamous 3 hours ago | parent [-]

>Are DNS queries blocked?

No, not with LittleSnitch (neither in/out-bound).

When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by the upstream DNS provider (does not matter which option you select). This software pairs well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.

mrexcess 3 hours ago | parent | prev [-]

Little Snitch is commercial. If you want largely similar features (focused on egress), check out LuLu: https://github.com/objective-see/LuLu

runjake an hour ago | parent [-]

+1 Thanks, I forgot about LuLu!

roflchoppa 3 hours ago | parent | prev | next [-]

https://objective-see.org/products/lulu.html

tiger3 4 hours ago | parent | prev [-]

LittleSnitch