←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 4 comments | 20 Oct 20 15:51 UTC | HN request time: 0.749s | source
Show context
rootusrootus ◴[20 Oct 20 16:09 UTC] No.24839054[source]
Hasn't this always been a bit of an issue? Apps with root privileges have been able to get around Little Snitch for as long as I can recall. Some software relies specifically on that ability.
replies(1): >>24839142 #
1. Wowfunhappy ◴[20 Oct 20 16:17 UTC] No.24839142[source]
...no, I don't think they could. Is there an example you're thinking of?

Up until recently, Little Snitch monitored network traffic in kernel space.

replies(2): >>24839691 #>>24840817 #
2. frankjr ◴[20 Oct 20 16:56 UTC] No.24839691[source]
Not OP but one example is bridged networking. I discovered this while trying Parallels Lite from the App Store. I was used to being prompted for every connection attempt VirtualBox was making but I was not getting any when using Parallels. I contacted Little Snitch's support and they acknowledged the issue but said that there's not much they can do because Little Snitch works on "application level" and Parallels uses bridged mode of networking that Little Snitch is unable to intercept. Note that the Lite version of Parallels doesn't require any kernel extensions (even on older macOS releases).

If an application is running as root, you are similarly able to use the lower level APIs and completely "bypass" Little Snitch. I cannot find a good alternative source for this other than the Security and Privacy Guide [0]:

It is worth noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities (pdf), but they are still worth having - just don't expect absolute protection.

[0] https://github.com/drduh/macOS-Security-and-Privacy-Guide#th...

3. rootusrootus ◴[20 Oct 20 18:32 UTC] No.24840817[source]
Off the top of my head, I think it was Photoshop or something else along those lines (it's been a few years). It installed itself a little helper tool that ran as root which could talk to the licensing servers without tripping Little Snitch.

I don't run Little Snitch any more, so it may no longer work that way. Some software (games seem to be an egregiously bad offender) insists on communicating with seemlingly random IP addresses and not using DNS to resolve them, and it's hard to run any kind of filtering software or parental controls such as Screen Time successfully. I make do with outbound filtering at my router.

replies(1): >>24841105 #
4. Wowfunhappy ◴[20 Oct 20 18:58 UTC] No.24841105[source]
I definitely needed to let Photoshop CS6 through Little Snitch to activate a few years ago. (but frankjr also brought up a situation that I wasn't aware of.)