From 76b0298db26aef901b6afddee06c0a8825336044 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Wed, 15 Feb 2023 18:07:41 +0100 Subject: [PATCH] Made little snitch's ruleset more manageable --- .hadolint.yaml | 8 +- .pre-commit-config.yaml | 1 + .vscode/settings.json | 1 + knowledge base/jq.md | 8 +- knowledge base/visual studio code.md | 22 +- little snitch/README.md | 0 little snitch/build-full-ruleset.sh | 28 ++ little snitch/parts/bitwarden.lsrules | 37 ++ little snitch/parts/firefox.lsrules | 68 +++ little snitch/parts/gpg-suite.lsrules | 14 + little snitch/parts/iterm2.lsrules | 5 + little snitch/parts/keybase.lsrules | 32 ++ little snitch/parts/little-snitch.lsrules | 23 + little snitch/parts/logi-options-plus.lsrules | 32 ++ .../parts/raspberrypi-imager.lsrules | 14 + little snitch/parts/template.lsrules | 5 + little snitch/parts/vivaldi.lsrules | 48 +++ little snitch/parts/vscode.lsrules | 83 ++++ little snitch/parts/whatsapp.lsrules | 40 ++ .../ruleset.lsrules | 397 +++++++----------- 20 files changed, 607 insertions(+), 259 deletions(-) create mode 100644 little snitch/README.md create mode 100755 little snitch/build-full-ruleset.sh create mode 100644 little snitch/parts/bitwarden.lsrules create mode 100644 little snitch/parts/firefox.lsrules create mode 100644 little snitch/parts/gpg-suite.lsrules create mode 100644 little snitch/parts/iterm2.lsrules create mode 100644 little snitch/parts/keybase.lsrules create mode 100644 little snitch/parts/little-snitch.lsrules create mode 100644 little snitch/parts/logi-options-plus.lsrules create mode 100644 little snitch/parts/raspberrypi-imager.lsrules create mode 100644 little snitch/parts/template.lsrules create mode 100644 little snitch/parts/vivaldi.lsrules create mode 100644 little snitch/parts/vscode.lsrules create mode 100644 little snitch/parts/whatsapp.lsrules rename rules.lsrules => little snitch/ruleset.lsrules (56%) diff --git a/.hadolint.yaml b/.hadolint.yaml index cd07573..c9d7ed1 100644 
--- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -3,7 +3,7 @@ override: style: - - DL3006 # always tag the version of an image explicitly - - DL3008 # pin versions in apt get install - - DL3015 # avoid additional packages by specifying `--no-install-recommends` - - DL3018 # pin versions in apk add + - DL3006 # always tag the version of an image explicitly + - DL3008 # pin versions in apt get install + - DL3015 # avoid additional packages by specifying `--no-install-recommends` + - DL3018 # pin versions in apk add diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index aa40f21..4e30897 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,6 +10,7 @@ repos: args: - --markdown-linebreak-ext=md # ignore markdown's line break - id: end-of-file-fixer + - id: check-json - id: check-yaml - id: check-added-large-files - repo: https://github.com/markdownlint/markdownlint diff --git a/.vscode/settings.json b/.vscode/settings.json index ccebb80..32a9192 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -25,6 +25,7 @@ "gpgtools", "growpart", "hadolint", + "imager", "jdupes", "kbfs", "keepass", diff --git a/knowledge base/jq.md b/knowledge base/jq.md index 97bfa8f..3e93273 100644 --- a/knowledge base/jq.md +++ b/knowledge base/jq.md 
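Review bot: The `check-json` hook added in the .pre-commit-config.yaml hunk will not see the new `little snitch/parts/*.lsrules` files, because pre-commit identifies JSON by file extension and `.lsrules` is not one it recognises, so the files this commit introduces stay unchecked by the hook while plain `.json` files are validated. Giving the hook `types: [text]` and `files: \.(json|lsrules)$` would make it cover both, leaving the build script's own `jq '.'` pre-flight as a second check rather than the only one. I am inferring the extension matching from the hook's defaults rather than from anything shown on the page.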
@@ -33,13 +33,19 @@ jq '.extensionsGallery + { itemUrl: "https://marketplace.visualstudio.com/items" }' /usr/lib/code/product.json +# Add elements from an array from another file. +jq '.rules=([input.rules]|flatten)' starting-rule-set.json ending-rule-set.json + +# Add elements from an array from multiple files. +jq '.rules=([inputs.rules]|flatten)' starting-rule-set.json parts/*.json + # Put specific keys on top. jq '.objects = [(.objects[] as $in | {type,name,id} + $in)]' prod/dataPipeline_deviceLocationConversion_prod.json # Convert Enpass' JSON export to a YAML file jq '.items[] | {title, fields} | .title + ":", (.fields[] | select(.value != "") | " " + .label + ": " + .value)' test.json -cr -# Refactor a datapipeline definition. +# Refactor an AWS DataPipeline definition. jq --sort-keys '.' datapipeline.json > /tmp/sorted.json \ && jq '.objects = [(.objects[] as $in | {type,name,id} + $in | with_entries(select(.value != null)))]' \ /tmp/sorted.json > /tmp/reordered.json \ diff --git a/knowledge base/visual studio code.md b/knowledge base/visual studio code.md index 851b156..2778d1c 100644 --- a/knowledge base/visual studio code.md +++ b/knowledge base/visual studio code.md @@ -1,5 +1,15 @@ # Visual Studio Code +1. [Network connections](#network-connections) +2. [Troubleshooting](#troubleshooting) + 1. [_No extensions found_ when running from source](#no-extensions-found-when-running-from-source) +3. [Further readings](#further-readings) +4. [Sources](#sources) + +## Network connections + +See [Network connections in Visual Studio Code]. + ## Troubleshooting ### _No extensions found_ when running from source 
@@ -20,10 +30,18 @@ jq '.extensionsGallery' /usr/lib/code/product.json and if not, change them. +## Further readings + +- [Network connections in Visual Studio Code] + ## Sources - [using extensions in compiled vscode] -[using extensions in compiled vscode]: https://stackoverflow.com/questions/44057402/using-extensions-in-compiled-vscode#45291490 - + +[network connections in visual studio code]: https://code.visualstudio.com/docs/setup/network [official product.json]: https://github.com/Microsoft/vscode/blob/master/product.json + + + +[using extensions in compiled vscode]: https://stackoverflow.com/questions/44057402/using-extensions-in-compiled-vscode#45291490 diff --git a/little snitch/README.md b/little snitch/README.md new file mode 100644 index 0000000..e69de29 diff --git a/little snitch/build-full-ruleset.sh b/little snitch/build-full-ruleset.sh new file mode 100755 index 0000000..72007b5 --- /dev/null +++ b/little snitch/build-full-ruleset.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +WORKDIR=$(dirname "$0") + +# Pre-flight checks +# ----------------- + +# Check files are readable JSON files. +PRE_FLIGHT_CHECKS_RESULT=0 +for FILE in "${WORKDIR}/parts/"*.lsrules +do + if ! jq '.' "$FILE" > /dev/null + then + echo "$FILE" + PRE_FLIGHT_CHECKS_RESULT=1 + fi +done + +[[ "$PRE_FLIGHT_CHECKS_RESULT" -ne 0 ]] && exit "$PRE_FLIGHT_CHECKS_RESULT" + +# Actual work +# ----------- + +jq --indent 4 -M \ + '.rules=([inputs.rules]|flatten)' \ + "${WORKDIR}/ruleset.lsrules" \ + "${WORKDIR}/parts/"*.lsrules \ +| sponge "${WORKDIR}/ruleset.lsrules" diff --git a/little snitch/parts/bitwarden.lsrules b/little snitch/parts/bitwarden.lsrules new file mode 100644 index 0000000..5fe6d8e --- /dev/null +++ b/little snitch/parts/bitwarden.lsrules 
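Review bot: The final `jq ... | sponge "${WORKDIR}/ruleset.lsrules"` in build-full-ruleset.sh overwrites the ruleset with whatever jq emitted even when jq fails, because sponge writes its (possibly empty) buffer regardless of the producer's exit status and the pipeline's status is never checked, so one bad input after the pre-flight can truncate the committed ruleset. The pre-flight itself only proves each part parses; a valid JSON document without a `rules` key makes `[inputs.rules]|flatten` insert a `null` entry instead of failing, so it could also assert the shape it relies on with `jq -e '.rules | type == "array"' "$FILE" > /dev/null` and report failures on stderr. Writing to a temporary file next to the target and moving it into place only on success removes the destructive path and the dependency on moreutils' `sponge`, which is not part of a stock macOS install.
```shell
# … unchanged: pre-flight checks …

# Actual work
# -----------

RULESET="${WORKDIR}/ruleset.lsrules"
TMP_FILE=$(mktemp "${RULESET}.XXXXXX") || exit 1
trap 'rm -f "$TMP_FILE"' EXIT

# Replace the ruleset only when jq succeeded; a failed run leaves it untouched.
jq --indent 4 -M \
    '.rules=([inputs.rules]|flatten)' \
    "$RULESET" \
    "${WORKDIR}/parts/"*.lsrules > "$TMP_FILE" \
&& mv "$TMP_FILE" "$RULESET"
```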
@@ -0,0 +1,37 @@ +{ + "description": "", + "name": "Bitwarden", + "rules": [ + { + "action": "allow", + "notes": "Allow Bitwarden to connect to its servers.", + "ports": "443", + "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", + "protocol": "tcp", + "remote-hosts": "api.bitwarden.com" + }, + + { + "action": "allow", + "notes": "Allow Bitwarden's Helper to connect to its servers.", + "ports": "443", + "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", + "protocol": "tcp", + "remote-hosts": [ + "identity.bitwarden.com", + "notifications.bitwarden.com" + ], + "via": "/Applications/Bitwarden.app/Contents/Frameworks/Bitwarden Helper.app/Contents/MacOS/Bitwarden Helper" + }, + + { + "action": "allow", + "notes": "Allow Bitwarden's Helper to gather icons for its entries.", + "ports": "443", + "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", + "protocol": "tcp", + "remote-hosts": "icons.bitwarden.net", + "via": "/Applications/Bitwarden.app/Contents/Frameworks/Bitwarden Helper.app/Contents/MacOS/Bitwarden Helper" + } + ] +} diff --git a/little snitch/parts/firefox.lsrules b/little snitch/parts/firefox.lsrules new file mode 100644 index 0000000..320e025 --- /dev/null +++ b/little snitch/parts/firefox.lsrules 
@@ -0,0 +1,68 @@ +{ + "description": "", + "name": "Firefox", + "rules": [ + { + "action": "allow", + "notes": "Allow Firefox to check for captive portals.", + "ports": "80", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "protocol": "tcp", + "remote-hosts": "detectportal.firefox.com" + }, + + { + "action": "allow", + "notes": "Allow Firefox to gather information about certificates.", + "ports": "80", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "protocol": "tcp", + "remote-hosts": [ + "o.lencr.org", + "ocsp.digicert.com", + "ocsp.entrust.net", + "ocsp.globalsign.com", + "ocsp.pki.goog", + "ocsp.r2m01.amazontrust.com", + "ocsp.sca1b.amazontrust.com", + "ocsp.sectigo.com" + ] + }, + + { + "action": "deny", + "notes": "Stop Firefox from connecting to Google's Interactive Media Ads SDK, which allows developers and publishers to show interactive and video ads on their websites and mobile apps.", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "remote-domains": "imasdk.googleapis.com" + }, + { + "action": "deny", + "notes": "Stop Firefox from connecting to google-analytics.com.", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "remote-domains": "google-analytics.com" + }, + { + "action": "deny", + "notes": "Stop Firefox from tracking content from third-party sites.", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "remote-domains": "googletagservices.com" + }, + + { + "action": "allow", + "notes": "Allow Firefox to securely connect to websites.", + "ports": "443", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "protocol": "tcp", + "remote": "any" + }, + { + "action": "allow", + "notes": "Allow Firefox to securely connect to websites.", + "ports": "443", + "process": "/Applications/Firefox.app/Contents/MacOS/firefox", + "protocol": "udp", + "remote": "any" + } + ] +} 
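Review bot: The three `deny` rules in firefox.lsrules (imasdk.googleapis.com, google-analytics.com, googletagservices.com) only have an effect if they take precedence over the two `"remote": "any"` allows on port 443 that follow them; Little Snitch resolves such conflicts by rule specificity rather than by position in the file, and if I read its precedence rules correctly a domain-scoped deny beats a process-wide any-server allow, but the file does not record that assumption anywhere. Since `description` is currently `""`, it could carry it: `"description": "The deny rules rely on Little Snitch preferring the more specific rule over the catch-all port-443 allows; check the conflict view after importing."`. The same catch-all pattern appears in vivaldi.lsrules and whatsapp.lsrules, though those have no deny rules that depend on it.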
diff --git a/little snitch/parts/gpg-suite.lsrules b/little snitch/parts/gpg-suite.lsrules new file mode 100644 index 0000000..5bda1bd --- /dev/null +++ b/little snitch/parts/gpg-suite.lsrules @@ -0,0 +1,14 @@ +{ + "description": "", + "name": "GPG Suite", + "rules": [ + { + "action": "allow", + "notes": "Allow the GPG Suite's updater to download updates.", + "ports": "443", + "process": "/Library/Application Support/GPGTools/GPGSuite_Updater.app/Contents/MacOS/GPGSuite_Updater", + "protocol": "tcp", + "remote-hosts": "gpgtools.com" + } + ] +} diff --git a/little snitch/parts/iterm2.lsrules b/little snitch/parts/iterm2.lsrules new file mode 100644 index 0000000..ea25e5f --- /dev/null +++ b/little snitch/parts/iterm2.lsrules @@ -0,0 +1,5 @@ +{ + "description": "", + "name": "iTerm2", + "rules": [] +} diff --git a/little snitch/parts/keybase.lsrules b/little snitch/parts/keybase.lsrules new file mode 100644 index 0000000..2bafa8f --- /dev/null +++ b/little snitch/parts/keybase.lsrules @@ -0,0 +1,32 @@ +{ + "description": "", + "name": "Keybase", + "rules": [ + { + "action": "allow", + "notes": "Allow Keybase to connect to its servers.", + "ports": "443", + "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/keybase", + "protocol": "tcp", + "remote-domains": "core.keybaseapi.com" + }, + + { + "action": "allow", + "notes": "Allow Keybase's updater to download software updates.", + "ports": "443", + "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/updater", + "protocol": "tcp", + "remote-domains": "core.keybaseapi.com" + }, + + { + "action": "allow", + "notes": "Allow the KBFS functionality of Keybase.", + "ports": "443", + "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/kbfs", + "protocol": "tcp", + "remote-domains": "kbfs.keybaseapi.com" + } + ] +} diff --git a/little snitch/parts/little-snitch.lsrules b/little snitch/parts/little-snitch.lsrules new file mode 100644 index 0000000..07340e2 --- /dev/null 
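Review bot: iterm2.lsrules is created with `"rules": []`, while the ruleset.lsrules hunk at `@@ -145,53 +92,12 @@` drops the four iTerm2 rules the old file had (Homebrew via ghcr.io, MacPorts rsync on 873 and packages.macports.org via tclsh, and a catch-all 443 allow), so after this commit nothing run from the terminal can reach the network under the deny-all default the ruleset now declares. Removing a terminal-wide catch-all is a reasonable tightening, but an empty part reads like an oversight to the next maintainer. If it is deliberate, say so in the part: `"description": "Intentionally empty: tool-specific rules are preferred over allowing the terminal itself; add them here only when needed."`.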
+++ b/little snitch/parts/little-snitch.lsrules @@ -0,0 +1,23 @@ +{ + "description": "", + "name": "Little Snitch", + "rules": [ + { + "action": "allow", + "notes": "Allow Little Snitch to download software updates.", + "ports": "443", + "process": "/Applications/Little Snitch.app/Contents/Components/Little Snitch Software Update.app/Contents/MacOS/Little Snitch Software Update", + "protocol": "tcp", + "remote-hosts": "sw-update.obdev.at" + }, + + { + "action": "allow", + "notes": "Allow Little Snitch to subscribe to rules groups.", + "ports": "443", + "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", + "protocol": "tcp", + "remote-hosts": "pgl.yoyo.org" + } + ] +} diff --git a/little snitch/parts/logi-options-plus.lsrules b/little snitch/parts/logi-options-plus.lsrules new file mode 100644 index 0000000..6251a03 --- /dev/null +++ b/little snitch/parts/logi-options-plus.lsrules 
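Review bot: little-snitch.lsrules keeps only pgl.yoyo.org for `at.obdev.littlesnitch.urldownloader`, and the ruleset.lsrules hunk at `@@ -1,38 +1,14 @@` removes the github.com, gitlab.com and mek.keybase.pub allows for the same process. The old rule's note describes that process as the one downloading rule groups, so if this ruleset is itself subscribed to from a GitHub or GitLab URL, the subscription can no longer refresh once the new ruleset is applied; I am inferring that from the process path and the removed note rather than from anything else on the page. If the removal is intentional, a `notes` value on the remaining rule stating which subscriptions the host list is meant to cover would keep the next reader from re-adding the hosts blindly.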
@@ -0,0 +1,32 @@ +{ + "description": "", + "name": "Logi Options Plus", + "rules": [ + { + "action": "allow", + "notes": "Allow the Logi Options+'s updater to download the application's updates.", + "ports": "443", + "process": "/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater", + "protocol": "tcp", + "remote-hosts": "updates.optionsplus.logitechg.com" + }, + + { + "action": "allow", + "notes": "Allow Logi Options+ to connect to Logitech's account.", + "ports": "443", + "process": "/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent", + "protocol": "tcp", + "remote-hosts": "accounts.logi.com" + }, + + { + "action": "allow", + "notes": "Allow the Flow functionality of Logi Options+.", + "ports": "443", + "process": "/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent", + "protocol": "tcp", + "remote-hosts": "flow.logitech.io" + } + ] +} diff --git a/little snitch/parts/raspberrypi-imager.lsrules b/little snitch/parts/raspberrypi-imager.lsrules new file mode 100644 index 0000000..27a2360 --- /dev/null +++ b/little snitch/parts/raspberrypi-imager.lsrules @@ -0,0 +1,14 @@ +{ + "description": "", + "name": "RaspberryPi Imager", + "rules": [ + { + "action": "allow", + "notes": "Allow RaspberryPi Imager to securely connect to websites to download images and their metadata.", + "ports": "443", + "process": "/Applications/Raspberry Pi Imager.app/Contents/MacOS/rpi-imager", + "protocol": "tcp", + "remote": "any" + } + ] +} diff --git a/little snitch/parts/template.lsrules b/little snitch/parts/template.lsrules new file mode 100644 index 0000000..974d5bb --- /dev/null +++ b/little snitch/parts/template.lsrules @@ -0,0 +1,5 @@ +{ + "description": "", + "name": "", + "rules": [] +} 
diff --git a/little snitch/parts/vivaldi.lsrules b/little snitch/parts/vivaldi.lsrules new file mode 100644 index 0000000..26f4e06 --- /dev/null +++ b/little snitch/parts/vivaldi.lsrules @@ -0,0 +1,48 @@ +{ + "description": "See https://vivaldi.com/blog/decoding-network-activity-in-vivaldi/ for details.", + "name": "Vivaldi", + "rules": [ + { + "action": "allow", + "notes": "Allow Vivaldi to securely sync with its servers.", + "ports": "443", + "process": "/Applications/Vivaldi.app/Contents/MacOS/Vivaldi", + "protocol": "tcp", + "remote-hosts": "bifrost.vivaldi.com" + }, + { + "action": "allow", + "notes": "Allow Vivaldi to sync with its servers.", + "ports": "15674", + "process": "/Applications/Vivaldi.app/Contents/MacOS/Vivaldi", + "protocol": "tcp", + "remote-hosts": "bifrost.vivaldi.com" + }, + + { + "action": "allow", + "notes": "Allow Vivaldi to securely login into the user's account.", + "ports": "443", + "process": "/Applications/Vivaldi.app/Contents/MacOS/Vivaldi", + "protocol": "tcp", + "remote-hosts": "login.vivaldi.com" + }, + + { + "action": "allow", + "notes": "Allow Vivaldi to securely connect to websites.", + "ports": "443", + "process": "/Applications/Vivaldi.app/Contents/MacOS/Vivaldi", + "protocol": "tcp", + "remote": "any" + }, + { + "action": "allow", + "notes": "Allow Vivaldi to securely connect to websites.", + "ports": "443", + "process": "/Applications/Vivaldi.app/Contents/MacOS/Vivaldi", + "protocol": "udp", + "remote": "any" + } + ] +} diff --git a/little snitch/parts/vscode.lsrules b/little snitch/parts/vscode.lsrules new file mode 100644 index 0000000..b94e617 --- /dev/null +++ b/little snitch/parts/vscode.lsrules 
@@ -0,0 +1,83 @@ +{ + "description": "See https://code.visualstudio.com/docs/setup/network for details.", + "name": "Visual Studio Code", + "rules": [ + { + "action": "allow", + "notes": "Allow VS Code to access its documentation.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-hosts": "code.visualstudio.com" + }, + + { + "action": "allow", + "notes": "Allow VS Code to update itself.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-hosts": "update.code.visualstudio.com" + }, + + { + "action": "allow", + "notes": "Allow VS Code's Helper to access the marketplace and download extensions.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-hosts": [ + "az764295.vo.msecnd.net", + "download.visualstudio.microsoft.com", + "marketplace.visualstudio.com", + "vsmarketplacebadges.dev" + ], + "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" + }, + { + "action": "allow", + "notes": "Allow VS Code to download extensions from the marketplace.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-domains": [ + "gallery.vsassets.io", + "gallerycdn.vsassets.io" + ] + }, + + { + "action": "allow", + "notes": "Allow VS Code to sync the user's settings.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-hosts": [ + "vscode-sync-insiders.trafficmanager.net", + "vscode-sync.trafficmanager.net", + "vscode.dev" + ] + }, + + { + "action": "allow", + "notes": "Allow VS Code's Helper to download schemas.", + "ports": "443", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "protocol": "tcp", + "remote-hosts": [ + 
"json.schemastore.org", + "www.schemastore.org" + ], + "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" + }, + + { + "action": "deny", + "notes": "Stop VS Code's Helper from connecting to dc.services.visualstudio.com.\nUsed by the Application Insights SDK or Application Insights Agent to send data to the vendor's services in Azure.\nSee https://learn.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses for details.", + "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "remote-hosts": "dc.services.visualstudio.com", + "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" + } + ] +} diff --git a/little snitch/parts/whatsapp.lsrules b/little snitch/parts/whatsapp.lsrules new file mode 100644 index 0000000..1e0d9d8 --- /dev/null +++ b/little snitch/parts/whatsapp.lsrules @@ -0,0 +1,40 @@ +{ + "description": "", + "name": "WhatsApp", + "rules": [ + { + "action": "allow", + "notes": "Allow WhatsApp to authenticate to its servers.", + "ports": "443", + "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp", + "protocol": "tcp", + "remote-hosts": "web.whatsapp.com" + }, + + { + "action": "allow", + "notes": "Allow WhatsApp to securely download media.", + "ports": "443", + "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp", + "protocol": "tcp", + "remote-hosts": "cdn.whatsapp.net" + }, + + { + "action": "allow", + "notes": "Allow WhatsApp to securely connect to websites to get links' previews.", + "ports": "443", + "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp", + "protocol": "tcp", + "remote": "any" + }, + { + "action": "allow", + "notes": "Allow WhatsApp to securely connect to websites to get links' previews.", + "ports": "443", + "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp", + "protocol": "udp", + "remote": "any" + } + ] +} 
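Review bot: vscode.lsrules omits the port-22 allows to github.com and gitlab.com and the 443 allow to api.github.com that the old ruleset had for the Electron process (removed in the ruleset.lsrules hunk at `@@ -226,144 +164,11 @@`), and unlike firefox or vivaldi this part has no catch-all allow, so under the deny-all default the ruleset now declares, the editor's built-in Git client will be blocked for SSH remotes and any GitHub API calls from extensions will fail. If that is intended because those connections are covered elsewhere, a line in `description` saying so would help; otherwise they belong in this part as a `"ports": "22"`, `"protocol": "tcp"` rule with the two hosts in a `remote-hosts` array, plus a 443 rule for api.github.com.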
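Review bot: The two `"remote": "any"` rules on port 443 at the end of whatsapp.lsrules make the host-specific 443 allows above them (web.whatsapp.com, cdn.whatsapp.net) redundant for enforcement, since any connection they match is already matched by the catch-all; they now only serve as documentation. That is fine if deliberate, but it also means the `remote-domains` to `remote-hosts` narrowing for cdn.whatsapp.net in the ruleset.lsrules hunk at `@@ -419,7 +296,23 @@` has no practical effect. A line in `description` such as `"description": "The catch-all 443 allows are for link previews; the host-specific rules document known endpoints and are redundant while the catch-alls exist."` would make the intent explicit.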
diff --git a/rules.lsrules b/little snitch/ruleset.lsrules similarity index 56% rename from rules.lsrules rename to little snitch/ruleset.lsrules index fd974b1..50f4327 100644 --- a/rules.lsrules +++ b/little snitch/ruleset.lsrules 
@@ -1,38 +1,14 @@ { - "description": "Michele Cereda's collection of common Little Snitch rules.", + "description": "Michele Cereda's collection of common Little Snitch rules.\nAssumes a deny-all default policy.", "name": "Michele Cereda's Rules List", "rules": [ { "action": "allow", - "notes": "Allow Little Snitch to download rules groups.", + "notes": "Allow Bitwarden to connect to its servers.", "ports": "443", - "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", + "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", "protocol": "tcp", - "remote-hosts": "github.com" - }, - { - "action": "allow", - "notes": "Allow Little Snitch to download rules groups.", - "ports": "443", - "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", - "protocol": "tcp", - "remote-hosts": "gitlab.com" - }, - { - "action": "allow", - "notes": "Allow Little Snitch to download rules groups.", - "ports": "443", - "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", - "protocol": "tcp", - "remote-hosts": "mek.keybase.pub" - }, - { - "action": "allow", - "notes": "Allow Little Snitch to download rules groups.", - "ports": "443", - "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", - "protocol": "tcp", - "remote-hosts": "pgl.yoyo.org" + 
"remote-hosts": "api.bitwarden.com" }, { "action": "allow", @@ -40,24 +16,10 @@ "ports": "443", "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", "protocol": "tcp", - "remote-hosts": "api.bitwarden.com", - }, - { - "action": "allow", - "notes": "Allow Bitwarden's Helper to connect to its servers.", - "ports": "443", - "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", - "protocol": "tcp", - "remote-hosts": "identity.bitwarden.com", - "via": "/Applications/Bitwarden.app/Contents/Frameworks/Bitwarden Helper.app/Contents/MacOS/Bitwarden Helper" - }, - { - "action": "allow", - "notes": "Allow Bitwarden's Helper to connect to its servers.", - "ports": "443", - "process": "/Applications/Bitwarden.app/Contents/MacOS/Bitwarden", - "protocol": "tcp", - "remote-hosts": "notifications.bitwarden.com", + "remote-hosts": [ + "identity.bitwarden.com", + "notifications.bitwarden.com" + ], "via": "/Applications/Bitwarden.app/Contents/Frameworks/Bitwarden Helper.app/Contents/MacOS/Bitwarden Helper" }, { @@ -69,22 +31,6 @@ "remote-hosts": "icons.bitwarden.net", "via": "/Applications/Bitwarden.app/Contents/Frameworks/Bitwarden Helper.app/Contents/MacOS/Bitwarden Helper" }, - { - "action": "allow", - "notes": "Allow Firefox to gather information about certificates.", - "ports": "80", - "process": "/Applications/Firefox.app/Contents/MacOS/firefox", - "protocol": "tcp", - "remote-hosts": "ocsp.sca1b.amazontrust.com" - }, - { - "action": "allow", - "notes": "Allow Firefox to gather information about certificates.", - "ports": "80", - "process": "/Applications/Firefox.app/Contents/MacOS/firefox", - "protocol": "tcp", - "remote-hosts": "ocsp.digicert.com" - }, { "action": "allow", "notes": "Allow Firefox to check for captive portals.", 
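Review bot: The new `description` in the ruleset.lsrules hunk at `@@ -1,38 +1,14 @@` records the deny-all assumption but not that this file is now regenerated by `build-full-ruleset.sh` from `parts/*.lsrules` (the script replaces `.rules` wholesale and keeps `description` and `name`), so hand edits to the rules here are silently lost on the next build. Appending a line to the same string travels with the file into Little Snitch: `"description": "Michele Cereda's collection of common Little Snitch rules.\nAssumes a deny-all default policy.\nGenerated by build-full-ruleset.sh from the parts/ directory; edit the parts, not this file."`. The newly created README.md is an empty blob (index `e69de29`), so there is currently nowhere else this is stated.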
@@ -99,15 +45,16 @@ "ports": "80", "process": "/Applications/Firefox.app/Contents/MacOS/firefox", "protocol": "tcp", - "remote-hosts": "ocsp.pki.goog" - }, - { - "action": "allow", - "notes": "Allow Firefox to gather information about certificates.", - "ports": "80", - "process": "/Applications/Firefox.app/Contents/MacOS/firefox", - "protocol": "tcp", - "remote-domains": "o.lencr.org" + "remote-hosts": [ + "o.lencr.org", + "ocsp.digicert.com", + "ocsp.entrust.net", + "ocsp.globalsign.com", + "ocsp.pki.goog", + "ocsp.r2m01.amazontrust.com", + "ocsp.sca1b.amazontrust.com", + "ocsp.sectigo.com" + ] }, { "action": "deny", 
@@ -145,53 +92,12 @@ }, { "action": "allow", - "notes": "Allow the GPG Suite updater to download updates.", + "notes": "Allow the GPG Suite's updater to download updates.", "ports": "443", "process": "/Library/Application Support/GPGTools/GPGSuite_Updater.app/Contents/MacOS/GPGSuite_Updater", "protocol": "tcp", "remote-hosts": "gpgtools.com" }, - { - "action": "allow", - "notes": "Allow Homebrew to download updates.", - "ports": "443", - "process": "/Applications/iTerm.app/Contents/MacOS/iTerm2", - "protocol": "tcp", - "remote-hosts": "ghcr.io" - }, - { - "action": "allow", - "notes": "Allow Macports to download updates.", - "ports": "873", - "process": "/Applications/iTerm.app/Contents/MacOS/iTerm2", - "protocol": "tcp", - "remote-hosts": "rsync.macports.org" - }, - { - "action": "allow", - "notes": "Allow Macports to download updates.", - "ports": "80", - "process": "/Applications/iTerm.app/Contents/MacOS/iTerm2", - "protocol": "tcp", - "remote-domains": "packages.macports.org", - "via": "/opt/local/libexec/macports/bin/tclsh8.6" - }, - { - "action": "allow", - "notes": "Allow iTerm2 to securely connect to websites.", - "ports": "443", - "process": "/Applications/iTerm.app/Contents/MacOS/iTerm2", - "protocol": "tcp", - "remote": "any" - }, - { - "action": "allow", - "notes": "Allow the KBFS functionality of Keybase.", - "ports": "443", - "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/kbfs", - "protocol": "tcp", - "remote-domains": "kbfs.keybaseapi.com" - }, { "action": "allow", "notes": "Allow Keybase to connect to its servers.", 
@@ -202,12 +108,44 @@ }, { "action": "allow", - "notes": "Allow Little Snitch to get software updates.", + "notes": "Allow Keybase's updater to download software updates.", + "ports": "443", + "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/updater", + "protocol": "tcp", + "remote-domains": "core.keybaseapi.com" + }, + { + "action": "allow", + "notes": "Allow the KBFS functionality of Keybase.", + "ports": "443", + "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/kbfs", + "protocol": "tcp", + "remote-domains": "kbfs.keybaseapi.com" + }, + { + "action": "allow", + "notes": "Allow Little Snitch to download software updates.", "ports": "443", "process": "/Applications/Little Snitch.app/Contents/Components/Little Snitch Software Update.app/Contents/MacOS/Little Snitch Software Update", "protocol": "tcp", "remote-hosts": "sw-update.obdev.at" }, + { + "action": "allow", + "notes": "Allow Little Snitch to subscribe to rules groups.", + "ports": "443", + "process": "/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/XPCServices/at.obdev.littlesnitch.urldownloader.xpc/Contents/MacOS/at.obdev.littlesnitch.urldownloader", + "protocol": "tcp", + "remote-hosts": "pgl.yoyo.org" + }, + { + "action": "allow", + "notes": "Allow the Logi Options+'s updater to download the application's updates.", + "ports": "443", + "process": "/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater", + "protocol": "tcp", + "remote-hosts": "updates.optionsplus.logitechg.com" + }, { "action": "allow", "notes": "Allow Logi Options+ to connect to Logitech's account.", 
@@ -226,144 +164,11 @@ }, { "action": "allow", - "notes": "Allow the Logi Options+'s updater to get updates.", + "notes": "Allow RaspberryPi Imager to securely connect to websites to download images and their metadata.", "ports": "443", - "process": "/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater", + "process": "/Applications/Raspberry Pi Imager.app/Contents/MacOS/rpi-imager", "protocol": "tcp", - "remote-hosts": "updates.optionsplus.logitechg.com" - }, - { - "action": "allow", - "notes": "Allow Keybase to get software updates.", - "ports": "443", - "process": "/Applications/Keybase.app/Contents/SharedSupport/bin/updater", - "protocol": "tcp", - "remote-domains": "core.keybaseapi.com" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to download repositories from Github.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "github.com", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to download repositories from Gitlab.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "gitlab.com", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to get the user's information from Gravatar.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "www.gravatar.com", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to 
download schemas.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "json.schemastore.org", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to download schemas.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "www.schemastore.org", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code's Helper to gather extensions.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "marketplace.visualstudio.com", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code to sync the user's settings.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "vscode-sync.trafficmanager.net" - }, - { - "action": "allow", - "notes": "Allow VS Code to look for updates.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "update.code.visualstudio.com" - }, - { - "action": "allow", - "notes": "Allow VS Code to download Terraform's extension.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "checkpoint-api.hashicorp.com" - }, - { - "action": "allow", - "notes": "Allow VS Code to download repositories from Github.", - "ports": "22", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": 
"github.com" - }, - { - "action": "allow", - "notes": "Allow VS Code to sync with its servers.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "api.github.com", - }, - { - "action": "allow", - "notes": "Allow VS Code to download repositories from Gitlab.", - "ports": "22", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-hosts": "gitlab.com" - }, - { - "action": "deny", - "notes": "Stop VS Code's Helper from connecting to dc.services.visualstudio.com.", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "remote-hosts": "dc.services.visualstudio.com", - "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" - }, - { - "action": "allow", - "notes": "Allow VS Code to download extensions.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-domains": "gallery.vsassets.io" - }, - { - "action": "allow", - "notes": "Allow VS Code to download extensions.", - "ports": "443", - "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", - "protocol": "tcp", - "remote-domains": "gallerycdn.vsassets.io" + "remote": "any" }, { "action": "allow", 
@@ -407,7 +212,79 @@
 },
 {
 "action": "allow",
- "notes": "Allow WhatsApp to authenticate.",
+ "notes": "Allow VS Code to access its documentation.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-hosts": "code.visualstudio.com"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow VS Code to update itself.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-hosts": "update.code.visualstudio.com"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow VS Code's Helper to access the marketplace and download extensions.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "az764295.vo.msecnd.net",
+ "download.visualstudio.microsoft.com",
+ "marketplace.visualstudio.com",
+ "vsmarketplacebadges.dev"
+ ],
+ "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow VS Code to download extensions from the marketplace.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-domains": [
+ "gallery.vsassets.io",
+ "gallerycdn.vsassets.io"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow VS Code to sync the user's settings.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "vscode-sync-insiders.trafficmanager.net",
+ "vscode-sync.trafficmanager.net",
+ "vscode.dev"
+ ]
+ },
+ {
+ "action": "allow",
+ "notes": "Allow VS Code's Helper to download schemas.",
+ "ports": "443",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "protocol": "tcp",
+ "remote-hosts": [
+ "json.schemastore.org",
+ "www.schemastore.org"
+ ],
+ "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
+ },
+ {
+ "action": "deny",
+ "notes": "Stop VS Code's Helper from connecting to dc.services.visualstudio.com.\nUsed by the Application Insights SDK or Application Insights Agent to send data to the vendor's services in Azure.\nSee https://learn.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses for details.",
+ "process": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
+ "remote-hosts": "dc.services.visualstudio.com",
+ "via": "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow WhatsApp to authenticate to its servers.",
 "ports": "443",
 "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp",
 "protocol": "tcp",
@@ -419,7 +296,23 @@
 "ports": "443",
 "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp",
 "protocol": "tcp",
- "remote-domains": "cdn.whatsapp.net"
+ "remote-hosts": "cdn.whatsapp.net"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow WhatsApp to securely connect to websites to get links' previews.",
+ "ports": "443",
+ "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp",
+ "protocol": "tcp",
+ "remote": "any"
+ },
+ {
+ "action": "allow",
+ "notes": "Allow WhatsApp to securely connect to websites to get links' previews.",
+ "ports": "443",
+ "process": "/Applications/WhatsApp.app/Contents/MacOS/WhatsApp",
+ "protocol": "udp",
+ "remote": "any"
 }
 ]
 }
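Review bot: The `notes` on the Helper's marketplace rule and on the settings-sync rule do not justify every host they now allow: `az764295.vo.msecnd.net` and `vsmarketplacebadges.dev` (which looks like a third-party badge/CDN endpoint rather than the marketplace itself — confirm) and `vscode.dev` in the sync list are unexplained, so a later reader cannot tell which entries are still needed or safe to drop. Now that each rule bundles several hosts, the note is the only place an allowed endpoint is justified; I would add one clause per host, e.g. `"notes": "Allow VS Code's Helper to access the marketplace and download extensions.\naz764295.vo.msecnd.net: <purpose observed>; vsmarketplacebadges.dev: <purpose observed>."` with the placeholders filled in from the observed connections. The new deny rule for `dc.services.visualstudio.com` already does this well (what the endpoint is for, plus a reference) and is the pattern the allow rules should follow.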
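Review bot: The two new `"remote": "any"` rules let WhatsApp reach every host on port 443 over both tcp and udp, which makes the host-specific `cdn.whatsapp.net` rule above (also tcp/443) redundant and means any new or unexpected WhatsApp endpoint on 443 is allowed without ever being surfaced for a decision. If link previews are the only reason, that trade-off should be recorded where it will be seen, e.g. `"notes": "Allow WhatsApp to securely connect to websites to get links' previews.\nCatch-all on 443: supersedes the host-specific 443 rules above. Turning off link previews in WhatsApp and removing this rule restores per-host control."` The udp/443 variant is presumably there for QUIC/HTTP/3; stating that in its note (it currently repeats the tcp rule's text verbatim) would explain why two otherwise identical rules exist.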
