A firewall is software that allows you to allow or deny network connections on your device. You can block ads and tracking, control what apps can use the internet when you’re on public WiFi, or minimise data usage while tethering to a phone.
Websites aren’t the only way your online activities are tracked and monetised. Desktop apps and the OS itself are constantly sending and receiving data when you are connected to the internet, a lot of which contain ways to identify you, like device identifiers. If you are on public WiFi like at a coffee shop everyone else on that same network can potentially see your device and the traffic running through it, making it possible to compromise you in some way.
Little Snitch is a firewall app for Mac that allows you to control any kind of network connection that any app can make. Don’t want Spotify to connect to it’s ad servers? Block it. Want Chrome to only make secure connections? Done. Don’t want Zoom to track your activity? Taken care of. I would personally never use a Mac without this kind of software, it’s that important to me.
When you first turn on Little Snitch you will get alerts that ask you to allow or deny a connection every time an app tries to make one.
Lets use Safari as an example. One of the connections Safari attempts to make when opened is to configutration.apple.com
and it wants to make this connection on port 443
(https
- web secured). Little Snitch gives you an alert with a number of options to control the connection attempt that are used to create a “rule”.
The drop down menu is to specify how long this rule should remain in effect.
The first tab beside the dropdown menu is the “Internet Access Policy (IAP)” - “a document, that allows software vendors to declare and describe the Internet usage of their programs” (emphasis mine). This information can be helpful in making a decision about whether to deny or allow a connection.
The next tab provides more details about the connection.
The list of options below the dropdown menu increase in specificity as you move down the list, from most to least permissive, in the case of allowing the connection, or from most to least restrictive, in the case of denying it.
1. “Any connection”
For connections to any server, on any application protocol/port (http
, https
, etc.), and over any transport protocol (TCP
, UDP
).
2. “Only TCP port 443 (https)”
For connections to any server but only on port 443
and over TCP
3. “Only configuration.apple.com”
For connections to configuration.apple.com
only but on any port and over any transport protocol
4. “Only configuration.apple.com and TCP port 443 (https)”
For connections to configuration.apple.com
only and only over TCP
and only on port 443
(https
)
Finally, you can “Deny” or “Allow” the app to make the connection, and for how long, based on how you have defined the rule.
Rules
Little Snitch generally runs in the background and presents alerts to define rules when needed. The main app is used to manage all of the rules you’ve defined and group them based on contexts referred to as “Profiles”.
Here is an example of a profile I have called “Untrusted”. I use this profile for when I’m on public WiFi.
Rules are grouped by the app or “process” (fancy name for apps on your system that you can’t see).
Selecting a rule gives you more information on the right hand side.
Examples
Firefox - least amount of noise/alerts but only standard secure traffic port (port 443/https
), then allow or deny video/streaming data (UDP
) on a case-by-case basis, being mindful of the domains being requested and whether or not standard/well known ports are being used, as indicated by brackets next to the port number - e.g. “port 443 (https
)”.
- General (secure) web traffic always: Allow “Only TCP port 443 (https)” - Forever
- General (insecure) web traffic case-by-case basis: Allow or deny “Only TCP port 80 (https)” - Once
- Voice over IP, online games: Allow or deny “Only some.domain.com and UDP port 1194 (OpenVPN)” - Until Quit
Public WiFi - If VPN isn’t an option, create a new profile then block anything that broadcasts information (e.g. AirPlay, AirSharing, File Sharing, VoIP, Screen Sharing), and block anything with payments associated with it (e.g. appstoreagent
). If using a VPN, setup a profile for that and activate it once you’ve connected to the public WiFi network.
Tethering to phone (hotspot) - Block all software updates and other apps/connections that use a lot of data (e.g. Spotify, YouTube, etc.)
At first, setting up a firewall like Little Snitch (or LuLu) can be overwhelming but it won’t take long before you’ve built up a set of rules that take care of 99% of possible connections and the alerts will show up less and less. It’s normal for some apps to occasionally appear to be unresponsive. If that happens, just delete rules from your list until the problem resolves itself.
Now you have full control over what apps can and can’t send data to the places you choose and can minimise surveillance of your online (and offline) actions. Congrats 😀.
See how well you're doing and learn how to improve in other privacy & security areas The Privacy Checkup.
Get the best privacy tips and news delivered to your inbox every week.
I'll never share or sell your email address. Use an email alias anyway.