brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-08 21:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(littlesnitch): create new, more strict rules

Browse Source
This commit is contained in:
Michele Cereda
2024-02-19 22:50:34 +01:00
parent 16d2affe05
commit 087bdc340d
8 changed files with 341 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
little snitch/README.md
View File

@@ -1,7 +1,5 @@
# Little Snitch # Little Snitch
## Table of contents <!-- omit in toc -->
1. [Rules](#rules) 1. [Rules](#rules)
1. [Further readings](#further-readings) 1. [Further readings](#further-readings)
1. [Sources](#sources) 1. [Sources](#sources)
@@ -14,9 +12,7 @@ Available [complete][full ruleset] or in [parts].
- [Little Snitch] - [Little Snitch]
## Sources ### Sources
All the references in the [further readings] section, plus the following:
- [Commonly whitelisted domains] - [Commonly whitelisted domains]

48
little snitch/rules/all.lsrules
View File

@@ -2,6 +2,30 @@
"description": "Michele Cereda's collection of common Little Snitch rules.\nAssumes a deny-all default policy.", "description": "Michele Cereda's collection of common Little Snitch rules.\nAssumes a deny-all default policy.",
"name": "Michele Cereda's Rules List", "name": "Michele Cereda's Rules List",
"rules": [ "rules": [
{
"action": "allow",
"notes": "Allow Betterbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
},
{
"action": "allow",
"notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote": "any"
},
{
"action": "allow",
"notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "udp",
"remote": "any"
},
{ {
"action": "allow", "action": "allow",
"notes": "Allow Bitwarden to connect to its servers.", "notes": "Allow Bitwarden to connect to its servers.",
@@ -199,6 +223,30 @@
"protocol": "udp", "protocol": "udp",
"remote-addresses": "239.255.255.250" "remote-addresses": "239.255.255.250"
}, },
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
},
{
"action": "allow",
"notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote": "any"
},
{
"action": "allow",
"notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "udp",
"remote": "any"
},
{ {
"action": "allow", "action": "allow",
"notes": "Allow Vivaldi to gather information about certificates.", "notes": "Allow Vivaldi to gather information about certificates.",

96
little snitch/rules/all.strict.lsrules Normal file
View File

@@ -0,0 +1,96 @@
{
"description": "Michele Cereda's collection of common strict Little Snitch rules.\nAssumes a deny-all default policy.",
"name": "Michele Cereda's strict Rules List",
"rules": [
{
"action": "allow",
"notes": "Allow Betterbird to connect to check for updates.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "www.betterbird.eu"
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-domains": "prod.mozaws.net"
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"location.services.mozilla.com",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "udp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-domains": "prod.cloudops.mozgcp.net"
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net",
"www.mozorg.moz.works"
]
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "udp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
}
]
}

28
little snitch/rules/build-full-strict-ruleset.sh Executable file
View File

@@ -0,0 +1,28 @@
#!/usr/bin/env bash
WORKDIR=$(dirname "$0")
# Pre-flight checks
# -----------------
# Check files are readable JSON files.
PRE_FLIGHT_CHECKS_RESULT=0
for FILE in "${WORKDIR}/parts.strict/"*.lsrules
do
if ! jq '.' "$FILE" > /dev/null
then
echo "$FILE"
PRE_FLIGHT_CHECKS_RESULT=1
fi
done
[[ "$PRE_FLIGHT_CHECKS_RESULT" -ne 0 ]] && exit "$PRE_FLIGHT_CHECKS_RESULT"
# Actual work
# -----------
jq --indent 4 -M \
'.rules=([inputs.rules]|flatten)' \
"${WORKDIR}/all.strict.lsrules" \
"${WORKDIR}/parts.strict/"*.lsrules \
| sponge "${WORKDIR}/all.strict.lsrules"

57
little snitch/rules/parts.strict/betterbird.lsrules Normal file
View File

@@ -0,0 +1,57 @@
{
"description": "https://www.betterbird.eu/",
"name": "Betterbird",
"rules": [
{
"action": "allow",
"notes": "Allow Betterbird to connect to check for updates.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "www.betterbird.eu"
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-domains": "prod.mozaws.net"
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"location.services.mozilla.com",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "udp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Betterbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
}
]
}

48
little snitch/rules/parts.strict/thunderbird.lsrules Normal file
View File

@@ -0,0 +1,48 @@
{
"description": "https://www.thunderbird.net/",
"name": "Thunderbird",
"rules": [
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-domains": "prod.cloudops.mozgcp.net"
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net",
"www.mozorg.moz.works"
]
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Mozilla's servers.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "udp",
"remote-hosts": [
"autoconfig.thunderbird.net",
"live.thunderbird.net",
"thunderbird-settings.thunderbird.net"
]
},
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
}
]
}

31
little snitch/rules/parts/betterbird.lsrules Normal file
View File

@@ -0,0 +1,31 @@
{
"description": "https://www.betterbird.eu/",
"name": "Betterbird",
"rules": [
{
"action": "allow",
"notes": "Allow Betterbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
},
{
"action": "allow",
"notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "tcp",
"remote": "any"
},
{
"action": "allow",
"notes": "Allow Betterbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Betterbird.app/Contents/MacOS/betterbird",
"protocol": "udp",
"remote": "any"
}
]
}

31
little snitch/rules/parts/thunderbird.lsrules Normal file
View File

@@ -0,0 +1,31 @@
{
"description": "https://www.thunderbird.net/",
"name": "Thunderbird",
"rules": [
{
"action": "allow",
"notes": "Allow Thunderbird to connect to Google's mail servers.",
"ports": "993",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote-hosts": "imap.gmail.com"
},
{
"action": "allow",
"notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "tcp",
"remote": "any"
},
{
"action": "allow",
"notes": "Allow Thunderbird to securely connect to websites.\nUsually used by images in email, and feeds.",
"ports": "443",
"process": "/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
"protocol": "udp",
"remote": "any"
}
]
}