From 087bdc340d83df1d9e8ebe5df6db8289fc19dd76 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Mon, 19 Feb 2024 22:50:34 +0100
Subject: [PATCH] refactor(littlesnitch): create new, more strict rules

---
 little snitch/README.md | 8 +-
 little snitch/rules/all.lsrules | 48 ++++++++++
 little snitch/rules/all.strict.lsrules | 96 +++++++++++++++++++
 .../rules/build-full-strict-ruleset.sh | 28 ++++++
 .../rules/parts.strict/betterbird.lsrules | 57 +++++++++++
 .../rules/parts.strict/thunderbird.lsrules | 48 ++++++++++
 little snitch/rules/parts/betterbird.lsrules | 31 ++++++
 little snitch/rules/parts/thunderbird.lsrules | 31 ++++++
 8 files changed, 341 insertions(+), 6 deletions(-)
 create mode 100644 little snitch/rules/all.strict.lsrules
 create mode 100755 little snitch/rules/build-full-strict-ruleset.sh
 create mode 100644 little snitch/rules/parts.strict/betterbird.lsrules
 create mode 100644 little snitch/rules/parts.strict/thunderbird.lsrules
 create mode 100644 little snitch/rules/parts/betterbird.lsrules
 create mode 100644 little snitch/rules/parts/thunderbird.lsrules

diff --git a/little snitch/README.md b/little snitch/README.md
index 9bd267a..7fedd93 100644
--- a/little snitch/README.md
+++ b/little snitch/README.md
@@ -1,10 +1,8 @@
 # Little Snitch
 
-## Table of contents
-
 1. [Rules](#rules)
 1. [Further readings](#further-readings)
-1. [Sources](#sources)
+ 1. [Sources](#sources)
 
 ## Rules
 
@@ -14,9 +12,7 @@ Available [complete][full ruleset] or in [parts].
 
 - [Little Snitch]
 
-## Sources
-
-All the references in the [further readings] section, plus the following:
+### Sources
 
 - [Commonly whitelisted domains]
 
diff --git a/little snitch/rules/all.lsrules b/little snitch/rules/all.lsrules
index e51fbe4..eb548ce 100644
--- a/little snitch/rules/all.lsrules
+++ b/little snitch/rules/all.lsrules
@@ -2,6 +2,30 @@
 "description": "Michele Cereda's collection of common Little Snitch rules.\nAssumes a deny-all default policy.",
 "name": "Michele Cereda's Rules List",
 "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote": "any"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "udp",
+ "remote": "any"
+ },
 {
 "action": "allow",
 "notes": "Allow Bitwarden to connect to its servers.",
@@ -199,6 +223,30 @@
 "protocol": "udp",
 "remote-addresses": "239.255.255.250"
 },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote": "any"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "udp",
+ "remote": "any"
+ },
 {
 "action": "allow",
 "notes": "Allow Vivaldi to gather information about certificates.",
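Review bot: The two `"remote": "any"` rules on port 443 (tcp and udp) give the betterbird process unrestricted HTTPS/QUIC egress, which for this process largely cancels the deny-all default the description promises: a tracking pixel in an HTML message, or anything running inside a compromised mail client, can reach any host on 443. The notes should state that trade-off rather than only the benign use case, e.g. `"notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.\nBroad allow to any host on 443; prefer the strict ruleset to limit egress to known hosts."`. Whether the udp/443 (HTTP/3) variant was actually observed is not visible here; if it was not, dropping it removes an allow the tcp rule already covers functionally.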
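Review bot: The Thunderbird rules cover IMAP to `imap.gmail.com:993` and HTTPS to any host, but there is no rule for outgoing mail (`smtp.gmail.com` on 465 or 587), so under the stated deny-all default sending would be blocked unless a rule outside this hunk covers it. If receive-only is intended, say so in the 993 rule's notes; otherwise add a matching rule such as `{"action": "allow", "notes": "Allow Thunderbird to send mail through Google's SMTP servers.", "ports": "465", "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird", "protocol": "tcp", "remote-hosts": "smtp.gmail.com"}`. Only part of the rules array is visible, so such a rule may already exist elsewhere in the file.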
diff --git a/little snitch/rules/all.strict.lsrules b/little snitch/rules/all.strict.lsrules
new file mode 100644
index 0000000..8bbc2a5
--- /dev/null
+++ b/little snitch/rules/all.strict.lsrules
@@ -0,0 +1,96 @@
+{
+ "description": "Michele Cereda's collection of common strict Little Snitch rules.\nAssumes a deny-all default policy.",
+ "name": "Michele Cereda's strict Rules List",
+ "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to check for updates.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "www.betterbird.eu"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-domains": "prod.mozaws.net"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "location.services.mozilla.com",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "udp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-domains": "prod.cloudops.mozgcp.net"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net",
+ "www.mozorg.moz.works"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "udp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ }
+ ]
+}
diff --git a/little snitch/rules/build-full-strict-ruleset.sh b/little snitch/rules/build-full-strict-ruleset.sh
new file mode 100755
index 0000000..7fceb53
--- /dev/null
+++ b/little snitch/rules/build-full-strict-ruleset.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+WORKDIR=$(dirname "$0")
+
+# Pre-flight checks
+# -----------------
+
+# Check files are readable JSON files.
+PRE_FLIGHT_CHECKS_RESULT=0
+for FILE in "${WORKDIR}/parts.strict/"*.lsrules
+do
+ if ! jq '.' "$FILE" > /dev/null
+ then
+ echo "$FILE"
+ PRE_FLIGHT_CHECKS_RESULT=1
+ fi
+done
+
+[[ "$PRE_FLIGHT_CHECKS_RESULT" -ne 0 ]] && exit "$PRE_FLIGHT_CHECKS_RESULT"
+
+# Actual work
+# -----------
+
+jq --indent 4 -M \
+ '.rules=([inputs.rules]|flatten)' \
+ "${WORKDIR}/all.strict.lsrules" \
+ "${WORKDIR}/parts.strict/"*.lsrules \
+| sponge "${WORKDIR}/all.strict.lsrules"
diff --git a/little snitch/rules/parts.strict/betterbird.lsrules b/little snitch/rules/parts.strict/betterbird.lsrules
new file mode 100644
index 0000000..1e01952
--- /dev/null
+++ b/little snitch/rules/parts.strict/betterbird.lsrules
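Review bot: The `"remote-domains": "prod.mozaws.net"` and `"remote-domains": "prod.cloudops.mozgcp.net"` rules allow every hostname under those cloud hosting domains, which is much broader than the host-level rules around them and at odds with a ruleset labelled strict; prefer the specific hostnames that were observed, or record in the notes why a domain-wide allow is unavoidable. The four Mozilla rules also share one generic note, so a reader cannot tell what each host is for — presumably `autoconfig.thunderbird.net` is account auto-configuration (it receives the mail domain being set up) and `location.services.mozilla.com` is a geolocation service, both of which a strict profile may want to opt out of; confirm and state the purpose per rule, e.g. `"notes": "Allow Betterbird to look up ISP auto-configuration on Mozilla's servers (sends the mail domain)."`. Finally, this file is the output of build-full-strict-ruleset.sh over parts.strict/, so committing both hand-written copies invites drift; regenerate it from the script before committing, or keep the derived file out of the repository.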
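Review bot: If jq fails part-way through the merge (an unreadable part, or a part whose `.rules` is missing so `[inputs.rules]` yields `null`), `sponge` still overwrites `all.strict.lsrules` with whatever partial or empty output was produced, because nothing in the pipeline acts on jq's exit status. Write to a temporary file and move it into place only on success, add `set -euo pipefail` so the script fails closed, and tighten the pre-flight to `jq -e '.rules | type == "array"' "$FILE" > /dev/null` so a syntactically valid part with the wrong shape is rejected before it is merged; this also removes the undeclared dependency on moreutils' `sponge`. `dirname "$0"` resolves relative to how the script was invoked, so running it through a symlink would point WORKDIR at the wrong directory — minor, but worth a comment.
```shell
set -euo pipefail
# … unchanged: WORKDIR, pre-flight loop (use `jq -e '.rules | type == "array"'`), exit check …

# Merge into a temporary file; replace the ruleset only if jq succeeded.
OUT=$(mktemp "${WORKDIR}/all.strict.lsrules.XXXXXX")
trap 'rm -f "$OUT"' EXIT
jq --indent 4 -M \
    '.rules=([inputs.rules]|flatten)' \
    "${WORKDIR}/all.strict.lsrules" \
    "${WORKDIR}/parts.strict/"*.lsrules \
    > "$OUT"
mv "$OUT" "${WORKDIR}/all.strict.lsrules"
```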
@@ -0,0 +1,57 @@
+{
+ "description": "https://www.betterbird.eu/",
+ "name": "Betterbird",
+ "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to check for updates.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "www.betterbird.eu"
+ },
+
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-domains": "prod.mozaws.net"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "location.services.mozilla.com",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "udp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ }
+ ]
+}
diff --git a/little snitch/rules/parts.strict/thunderbird.lsrules b/little snitch/rules/parts.strict/thunderbird.lsrules
new file mode 100644
index 0000000..1ee7eef
--- /dev/null
+++ b/little snitch/rules/parts.strict/thunderbird.lsrules
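Review bot: This part allows `location.services.mozilla.com`, which the parallel Thunderbird part does not, while the Thunderbird part allows `www.mozorg.moz.works` and this one does not; if both sets were captured from observed traffic that should be recorded in the rule notes, otherwise the asymmetry reads as accidental and one of the two files is likely incomplete. `location.services.mozilla.com` is presumably Mozilla's geolocation service, which is an unexpected requirement for a mail client under a strict profile — confirm it is needed rather than merely observed, and say so, e.g. `"notes": "Allow Betterbird to reach Mozilla's location service (seen on first run; remove if geolocation is not wanted)."`. The blank lines between rules are harmless JSON whitespace, but the build script's jq output will not preserve them, so the generated all.strict.lsrules will never match this file byte-for-byte.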
@@ -0,0 +1,48 @@
+{
+ "description": "https://www.thunderbird.net/",
+ "name": "Thunderbird",
+ "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-domains": "prod.cloudops.mozgcp.net"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net",
+ "www.mozorg.moz.works"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Mozilla's servers.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "udp",
+ "remote-hosts": [
+ "autoconfig.thunderbird.net",
+ "live.thunderbird.net",
+ "thunderbird-settings.thunderbird.net"
+ ]
+ },
+
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ }
+ ]
+}
diff --git a/little snitch/rules/parts/betterbird.lsrules b/little snitch/rules/parts/betterbird.lsrules
new file mode 100644
index 0000000..269684e
--- /dev/null
+++ b/little snitch/rules/parts/betterbird.lsrules
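Review bot: `www.mozorg.moz.works` is not an obviously Mozilla-branded hostname, yet it sits under the same generic "Mozilla's servers" note as the thunderbird.net hosts; in a strict allowlist every non-obvious host should carry the reason it was added and when it was observed, so a later reader can distinguish a legitimate backend from a stale or mistaken entry, e.g. `"notes": "Allow Thunderbird to reach www.mozorg.moz.works (TODO: record what this host serves and the date it was observed)."`. Its actual role is not visible in this patch and should be verified before the entry is kept. The udp/443 rule repeats three of the tcp hosts for HTTP/3; if QUIC traffic was not actually observed, dropping it removes an allow the tcp rule already covers.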
@@ -0,0 +1,31 @@
+{
+ "description": "https://www.betterbird.eu/",
+ "name": "Betterbird",
+ "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ },
+
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "tcp",
+ "remote": "any"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
+ "protocol": "udp",
+ "remote": "any"
+ }
+ ]
+}
diff --git a/little snitch/rules/parts/thunderbird.lsrules b/little snitch/rules/parts/thunderbird.lsrules
new file mode 100644
index 0000000..c1ac3cb
--- /dev/null
+++ b/little snitch/rules/parts/thunderbird.lsrules
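Review bot: These non-strict parts duplicate the rules added by hand to all.lsrules in this same commit, but unlike parts.strict there is no build script for them in the patch, so the two copies will diverge the first time only one is edited. Either generalise build-full-strict-ruleset.sh to take the parts directory and target file as arguments and run it for both sets, or drop the non-strict parts and treat all.lsrules as the single source. The README hunk above only describes the complete/parts split, not strict versus non-strict; a sentence there saying that this variant's `"remote": "any"` on 443 is the permissive choice parts.strict exists to avoid would help users pick.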
@@ -0,0 +1,31 @@
+{
+ "description": "https://www.thunderbird.net/",
+ "name": "Thunderbird",
+ "rules": [
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to connect to Google's mail servers.",
+ "ports": "993",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote-hosts": "imap.gmail.com"
+ },
+
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "tcp",
+ "remote": "any"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
+ "ports": "443",
+ "process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
+ "protocol": "udp",
+ "remote": "any"
+ }
+ ]
+}