Little Snitch

When using Little Snitch, you must allow GlimmerBlocker to make network connections, because all HTTP requests will be made by GlimmerBlocker instead of by e.g. Safari.

During (or right after) installation, you will be prompted to permit network access:

Note:

  1. You must select Forever to permit GlimmerBlocker network access after restarting your Mac and after deactivation/activation of GlimmerBlocker.
  2. You must select Any Connection to be able to browse all websites. Just after installation, GlimmerBlocker downloads the default filters, so it is highly probable that the first permission dialog has "glimmerblocker.org" as the host. Restricting to port 80 does not work for all websites, as some sites use e.g. port 8080.
  3. And you'll need to click Allow.

All traffic comes from GlimmerBlocker?

Little Snitch intercepts traffic when it leaves your Mac, not traffic between applications on your Mac. Therefore, it will think that all HTTP traffic now comes from GlimmerBlocker instead of Safari, NetNewsWire, etc.

When you use GlimmerBlocker (without Little Snitch) the flow is: Safari → GlimmerBlocker → website

When you use GlimmerBlocker and Little Snitch the flow is: Safari → GlimmerBlocker → Little Snitch → website

The proper flow would be Safari → Little Snitch → GlimmerBlocker → website, but this requires reengineering of Little Snitch. It is not something GlimmerBlocker can do.

Workaround #1

If you configure the network settings to dynamically select the proxy using a PAC script, you can make Safari use GlimmerBlocker and all other apps use direct connections. (requires GlimmerBlocker version 1.4.4 or later)

There are 5 steps:

Step 1

Create your own filter.

Step 2

Copy the XML snippet below and paste it into the "Rules in..." for your filter. You will then get a rule which dynamically creates such a script.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<glimmerblocker-rules>
    <rule priority="2" type="request" host="127.0.0.1" host-type="is" path="/rule/pac" path-type="is">
        <comments><![CDATA[Proxy PAC file.]]></comments>
        <request language="js" version="1"><![CDATA[gb.response.contentType = 'application/x-ns-proxy-autoconfig';
gb.response.headers['Cache-Control'] = 'max-age=1800';
var ua = gb.request.headers['User-Agent'];
ua = ua && ua.length && ua[0] ? ua[0] : 'Unknown'; // safe deref list

//gb.log("127.0.0.1 pac script v2, ua = %o", ua);

var condition;

if (ua.match(/Firefox/)) // Firefox doesn't like HTTPS proxying
{
     condition = "url.match(/^https:/) || host == 'localhost' || host == '127.0.0.1'";
} 
else if (ua.match(/Safari|WebProcess|PluginProcess|Opera|Camino|Chrome|com\.apple\.WebKit\.Networking|CFNetwork/)) 
{
     // Safari uses com.apple.Webkit.Networking as User Agent when requesting proxy autoconfiguration in OS X 10.9 Mavericks
     condition = "host == 'localhost' || host == '127.0.0.1'";
}
else
{
     condition = 'true';
}

t = "function FindProxyForURL(url, host) { return (" + condition + ") ? 'DIRECT' : 'PROXY 127.0.0.1:8228'; }\n";]]></request>
    </rule>
</glimmerblocker-rules>

The filter has been updated with support for Lion/Safari 5.1 (thanks to Stefan Schmidt) and for OS X 10.9 Mavericks (thanks to Niklas Bölter).

Step 3

Open the "Network" System Preferences Panel. You need to do step 4 for all of the connections you use (e.g. Ethernet, AirPort).

Step 4

Click the "Advanced" button. Select the "Proxies" tab. Check the "Automatic Proxy Configuration" item, and in the URL field enter "http://127.0.0.1:8228/rule/pac". Uncheck "Web Proxy (HTTP)". Beware that GlimmerBlocker re-enables "Web Proxy (HTTP)" each time you activate GlimmerBlocker, unless you perform the following step and select "no" each time GlimmerBlocker is activated/deactivated.

Step 5

Open GlimmerBlocker, select the "Network" pane and check "Ask for confirmation of changes to http-proxy".

Workaround #2

macosxhints has published a workaround. This makes Safari use GlimmerBlocker as proxy, and all other applications use a direct connection. This workaround requires you to be able to install a php script on the Mac's local web server.

A more elaborate PAC configuration

This configuration makes Safari bypass GlimmerBlocker for all calls to hosts on the local network. This is useful if you have web servers (or e.g. printers with a web interface) which should not be handled by GlimmerBlocker.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<glimmerblocker-rules>
    <rule priority="2" type="request" host="127.0.0.1" host-type="is" path="/rule/pac" path-type="is">
        <comments><![CDATA[Proxy PAC file.]]></comments>
        <request language="js" version="1"><![CDATA[// http://www.proxypacfiles.com/proxypac/index.php?option=com_content&view=article&id=55&Itemid=84

gb.response.contentType = 'application/x-ns-proxy-autoconfig';
gb.response.headers['Cache-Control'] = 'max-age=1800';
var ua = gb.request.headers['User-Agent'];
ua = ua && ua.length && ua[0] ? ua[0] : 'Unknown'; // safe deref list

//gb.log("127.0.0.1 pac script v2, ua = %o", ua);

var prefix = "function FindProxyForURL(url, host) {\n";
var suffix = "}\n";

var cond1 = "isPlainHostName(host) || host.match(/\\.local$/)"; // backslash doubled so the generated PAC contains /\.local$/

var cond2 = "isInNet(ip, '10.0.0.0', '255.0.0.0')" +
    " || isInNet(ip, '172.16.0.0', '255.240.0.0')" +
    " || isInNet(ip, '192.168.0.0', '255.255.0.0')" +
    " || isInNet(ip, '127.0.0.0', '255.255.255.0')";

var ipCheck = "var ip = dnsResolve(host);\n" +
    "return " + cond2 + " ? 'DIRECT' : 'PROXY 127.0.0.1:8228';\n";

if (ua.match(/Firefox/)) // Firefox doesn't like HTTPS proxying
{
     t = prefix + "if (url.match(/^https:/) || " + cond1 + ") return 'DIRECT';\n" + ipCheck + suffix;
} 
else if (ua.match(/Safari|WebProcess|PluginProcess|Opera|Camino|Chrome|com\.apple\.WebKit\.Networking/)) 
{
     // Safari uses com.apple.Webkit.Networking as User Agent when requesting proxy autoconfiguration in OS X 10.9 Mavericks
     t = prefix + "if (" + cond1 + ") return 'DIRECT';\n" + ipCheck + suffix;
}
else
{
     t = prefix + "return 'DIRECT';\n" + suffix;
}]]></request>
    </rule>
</glimmerblocker-rules>

Thanks to Johan Björklund for this addition.
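
An offline check of the routing decisions the generated PAC makes for each User-Agent, as an added example that is not part of the original page or GlimmerBlocker's own code. The DNS table, the stand-in PAC helpers, `buildPac`, `route` and the User-Agent strings are constructed assumptions.

```javascript
// Added example: offline harness for the PAC text the elaborate rule generates.
// Constructed name-to-address table standing in for real DNS (assumption).
const DNS = {
  'printer.lan': '192.168.1.20',
  'www.example.com': '93.184.216.34',
  'www.notlocal': '203.0.113.7',
};

// Minimal stand-ins for the PAC built-ins the generated script calls.
const toInt = ip => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isPlainHostName = host => !host.includes('.');
const dnsResolve = host => (/^\d+(\.\d+){3}$/.test(host) ? host : DNS[host] || null);
const isInNet = (ip, net, mask) =>
  ip !== null && ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);

// Mirrors the rule's string assembly. The backslash is written doubled so the
// generated PAC contains /\.local$/ and not /.local$/ (which matches "www.notlocal").
function buildPac(ua) {
  const prefix = 'function FindProxyForURL(url, host) {\n';
  const suffix = '}\n';
  const cond1 = "isPlainHostName(host) || host.match(/\\.local$/)";
  const cond2 = "isInNet(ip, '10.0.0.0', '255.0.0.0')" +
    " || isInNet(ip, '172.16.0.0', '255.240.0.0')" +
    " || isInNet(ip, '192.168.0.0', '255.255.0.0')" +
    " || isInNet(ip, '127.0.0.0', '255.255.255.0')";
  const ipCheck = "var ip = dnsResolve(host);\n" +
    "return " + cond2 + " ? 'DIRECT' : 'PROXY 127.0.0.1:8228';\n";
  if (/Firefox/.test(ua))
    return prefix + "if (url.match(/^https:/) || " + cond1 + ") return 'DIRECT';\n" + ipCheck + suffix;
  if (/Safari|WebProcess|PluginProcess|Opera|Camino|Chrome|com\.apple\.WebKit\.Networking/.test(ua))
    return prefix + "if (" + cond1 + ") return 'DIRECT';\n" + ipCheck + suffix;
  return prefix + "return 'DIRECT';\n" + suffix;
}

// Compile the generated text with the stand-in helpers and ask it for a route.
function route(ua, url) {
  const find = new Function('isPlainHostName', 'dnsResolve', 'isInNet',
    buildPac(ua) + 'return FindProxyForURL;')(isPlainHostName, dnsResolve, isInNet);
  return find(url, new URL(url).hostname);
}

// Constructed Safari-style User-Agent string.
const SAFARI = 'Mozilla/5.0 (Macintosh) AppleWebKit/537 (KHTML, like Gecko) Version/7.0 Safari/537';
for (const url of ['http://www.example.com/', 'http://printer.lan/', 'http://mac.local/', 'http://www.notlocal/'])
  console.log(url, '->', route(SAFARI, url));
```

Run it with Node.js before changing the system proxy settings; any host that comes back as DIRECT for a browser User-Agent is not filtered by GlimmerBlocker.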

Version 2.0.4 of Little Snitch

If you have version 2.0.4 of Little Snitch installed, please check that you are using "Core System Version" 387 and not 385. The latter is known to crash or completely deny network connections. If you have 385 installed, just download and install 2.0.4 once more, as this will upgrade it to 387.

Last modified on 08/25/14 04:13:10
