21

Every now and then I browse through software you must have on your mac type lists and more often than not somebody mentions Little Snitch as a must-have application.

Now what I think that many people ignore or aren’t aware of is that in fact OS X itself has an application firewall built-in (though hidden and the application layer inactivated).

I understand that Little Snitch maybe allows for a more fine-grained selection of ports and one may exclude only specific addresses from the traffic per application. However, I wonder if this is really needed for the average (and better-than-average) type of desktop user.

So my question would be in which cases is the built-in firewall not sufficient and when would one have to choose an external tool like Little Snitch.

(Note: I’m not speaking about controlling the traffic in a web or database server setup in which cases I thoroughly understand blocking certain connections whilst allowing only a small set.)

Debilski
  • 722

2 Answers2

22

Little Snitch offers three features that aren't available in MacOS' built-in ipfw firewall. (It does this by loading a custom kernel module.)

  1. Little Snitch allows you to block outgoing connections; the MacOS firewall only blocks incoming connections. Handy if you're running some untrusted program and aren't sure what it's going to do, or if you want to disable a program for updating itself, or if you want to prevent access to a specific resource. Also, I suspect many people use Little Snitch to block pirated software from checking their license.
  2. Little Snitch lets you configure the firewall per application, not just address or port. Ie: you can configure it so one web browser can access a web site but not another.
  3. Little Snitch also monitors network traffic on a per-application basis. It's easy on MacOS to see how much bandwidth you're using but much harder to see which program is using that bandwidth. The Little Snitch shows network usage for each application, albeit in a limited way.

That being said, I don't think Little Snitch is "must have" software; these features are fairly esoteric. There are also several alternatives: TCPBlock and glowworm for the firewall and Rubbernet (now defunct) for the monitoring.

2016 Update: MacOS now has the per-application monitoring built into Activity Monitor.

Nelson
  • 1,094
  • Yeah, I also think the blocking of outgoing connections is probably the key point for many. (But I still suspect many just use it out of habit because they don’t know about the incoming blocking feature of the ipfw.) – Debilski Jan 16 '12 at 10:34
  • @Nelson You said it has monitoring built into Activity Monitor? Where is that? Or are you just talking about number of bytes transferred? – SilverWolf Dec 04 '18 at 23:40
  • That Rubbernet link now links to a malware site. – Jay Jun 02 '20 at 13:49
19

Basic differences

The basic task of the MacOSX Firewall is to monitor incoming network connections. HandsOff and LittleSnitch also allow to monitor outgoing network connections. The latter functionality is essential for various reasons like spyware and privacy.

Because LittleSnitch does not monitor incoming connections (unlike HandsOff!) it cannot replace the MacOX Firewall but is a companion to optimize network security.

Important features

Unlike the MacOSX Firewall both programs offer a much higher degree of differentiation when defining rules to network traffic:

  • Rules can be applied for a limited time (e.g. until applications quits, until reboot, forever)
  • Rules can block user defined (sub-)domains and ports for applications and processes

You basically define your own firewall step-by-step using such rules.

Both programs also include a network monitor that can show detailed information about your network traffic on the desktop.

Important to know

Keep in mind that these programs do not offer 100% network security. Little Snitch cannot monitor software that uses it's own kernel-extension. Moreover, there is no implementation for a behavioral analysis of potentially malicious software. (source, German)

enter image description hereenter image description here

Left picture: Real Time Monitor. Right picture: Rules set in the preferences.

Community
  • 1
gentmatt
  • 49,722
  • 1
    Someone please explain the down vote so that I can improve the answer. – gentmatt Jan 15 '12 at 21:14
  • 1
    I don't know who downvoted or why (I upvoted it), but if I had to guess, it is that your answer is very informative and helpful, but doesn't directly answer the posted question. Personally, I think that it is a very useful answer, and good answers aren't always literal responses to the stated question, but the OP didn't ask for software recommendations, or other alternatives, but for reasons to prefer Little Snitch over the default firewall. – Daniel Jan 16 '12 at 07:08
  • @Daniel Thanks for the feedback! I'll try then to edit the answer in order to provide more reasons to prefer LS and Hands Off over the default firewall. – gentmatt Jan 16 '12 at 07:17
  • Which one do you prefer: HandsOff or Little Snitch? HandsOff can be got in this bundle here. – hhh Mar 08 '13 at 15:44
  • 1
    @hhh Little Snitch's networking configurability has been improved a lot in version 3. Now it can also monitor incoming network connections. My knowledge is that that both applications are now on par regarding network monitoring configurabilities. Except that Little Snitch also supports profiles for different network locations which HandsOff does not. However, only HandsOff allows to control write access of applications. Therefore, I would still go with HandsOff. – gentmatt Mar 09 '13 at 10:11