What I want for all these services (Little Snitch, ESET, etc) is an EasyList-like ... list. A community-aggregated and reviewed list of servers that don't merit my connection. I'd pay a monthly subscription fee for that.<p>I'd also like separate lists for<p>* "this wifi is public, be extra cautious"<p>* "this wifi is public, be nice and don't torrent, do backups, etc"<p>* "I'm on a metered connection (e.g. LTE), don't run torrents, backups, etc"<p>edit: for anyone looking for a monetizable idea: this post has 41, no 42, no 43 points in about an hour. Probably a good idea...
For those on Windows, <a href="http://www.sphinx-soft.com/Vista/index.html" rel="nofollow">http://www.sphinx-soft.com/Vista/index.html</a> does the same using the native firewall (so no 3rd party dependencies, services, or bloat) (though they've ~recently added paid licenses with more features to their basic offering).<p>I only wish it were cleaner and simpler. I don't think the Windows Firewall API is too bad, I should add this to my bucket list of open source software to write that I'll maybe get around to in the next 20 years....
Looks promising. I used to use Little Snitch, but last year they decided to charge for the new version, and I uninstalled it.<p>Little Snitch was effective, but overly complex for the average user. I'm sure it's great for someone who configures networks on a regular basis, but as a Mac user, I just want to use my Mac. If I wanted to twiddle with security settings all day long, I'd still be on Windows.<p>This looks like it might be a good, simple, replacement. Hopefully as it evolves it doesn't get swamped by feature bloat.
Unfortunately, this still has the key flaw that has plagued outbound firewalls since their invention:<p>"Currently, LuLu only supports rules at the 'process level', meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed."<p>In other words, it won't stop malicious Javascript running in your browser from making an outbound connection, which is the most common way for malware to do that.<p>It does say "currently", but I'm not sure how you would get around this flaw; at any rate, nobody has yet figured out how.
Unless I'm mistaken, this isn't actually open source, as it's under a non-commercial clause.<p>edit: there is an open issue about it: <a href="https://github.com/objective-see/LuLu/issues/4" rel="nofollow">https://github.com/objective-see/LuLu/issues/4</a>
I'm not personally a mac user, but I'm still very glad to see projects like this being developed as open source. Very cool I hope this goes on to be a really solid piece of software.<p>Does anybody have any recommendations for good ways to get fine-tuned control of Windows' default firewall?
The install page says that `sudo configure.sh -install` is the install command. The command is actually `sudo ./configure.sh -install`. Further, it should probably be `sudo ./configure.sh --install` (with two hyphens), as is convention for named (edit: long-form) options on the command line.
It's good to see another option for an outbound firewall, but as an industry we still have a long way to go. As with many security solutions, there is a conflict between flexibility and usability. I want:<p>1) To be able to choose the exact host/subnet/domain that an application can access with a good UX<p>2) Have someone else curate a list that I subscribe to that handles most cases<p>3) Work on desktop and mobile<p>For choosing the exact host/subnet/domain on a per-application basis, the best UX I've seen on any platform is FirewallIP[1], the unmaintained software on a jailbroken iPhone. So many desktop solutions[2] only let you choose Allow everything or Deny everything, Little Snitch and Windows 10 Firewall Control[3] are exceptions, but even they are limited.<p>The curated list option should be easy enough to support on most platforms. Easylist has shown how well it can work on the browser when combined with uBlock Origin. Install it for someone who is technically naive and they'll just see no ads with no negative experience.<p>The mobile platform is harder to support as under Android you need to root the phone to get access to the underlying iptables firewall with something like Afwall+, or you run a fake VPN back to the device and filter there which is prone to failure (is it working? has it stopped itself for some reason) and has less flexibility. Under unjailbroken IOS, products like Surge, Potatso2 and Shadowrocket run a local proxy that is similar to the fake VPN under Android, but requires manually editing a text file for configuration and seem to be designed to get around the Chinese internet restrictions rather than privacy.<p>[1] <a href="http://r-rill.net/FirewalliP7/FiPDepiction.html" rel="nofollow">http://r-rill.net/FirewalliP7/FiPDepiction.html</a><p>[2] Glasswire on Windows, Douane and OpenSnitch on Linux, AFwall+ on Android<p>[3] <a href="http://www.sphinx-soft.com/Vista/index.html" rel="nofollow">http://www.sphinx-soft.com/Vista/index.html</a>
Breaks networking on High Sierra.
No Browser works anymore.
curl stops working.
git doesn't even trigger its asking window.
Power usage doubles when networking is used too.<p>After uninstalling it the kernel crashes.<p>Sad.
I've been using all Objective See projects, but I have issues with:<p>- stability - often their tools have memory leaks;<p>- consistent UX - each tool looks and behaves differently;<p>- stacking of dialogs - often by the time I click, a new popup replaces the old one, and I approve something I don't even get a chance to see!
What's the CPU usage? I tried Little Snitch, but it was often consuming insane amounts of CPU (40%+) which matters a lot on a 12' Macbook on battery, so I uninstalled it.
The author is not subtle in letting know that this is intended to be open source replacement for Little Snitch (domain!).<p>But at-least macOS has little snitch, closest for Linux was opensnitch which was announced on HN few months back -
<a href="https://github.com/evilsocket/opensnitch/" rel="nofollow">https://github.com/evilsocket/opensnitch/</a> but I'm not sure whether it's actively being developed though.
First, this is awesome. Thank you!<p>Second, is the business model of Objective-See to offer open source alternatives for Objective Development's products (LuLu instead of Little Snitch; OverSight instead of Micro Snitch)?
Windows WARNING:<p>If you plan on doing same thing in windows be aware you need to disable Dnscache service. Its impossible in windows to screen loopback network interface, means you cant filter which programs get DNS access while "DNS Client" is running, its all or nothing. DNS is a very popular covert exfiltration channel.
This project looks awesome. I just looked at the code and it looks like every line of code has a comment. It seems like a bit of overkill in Obj-C being such a verbose language. Aside from that, I'm definitely going to check this out.
has anyone tried both Hands Off[0] and Little Snitch? How is Hands Off compared to LS?<p>Also: Radio Silence[1]?<p>[0]: <a href="https://www.oneperiodic.com/products/handsoff/" rel="nofollow">https://www.oneperiodic.com/products/handsoff/</a>
[1]: <a href="https://radiosilenceapp.com/" rel="nofollow">https://radiosilenceapp.com/</a>
LuLu is a billion dollar hypermarket chain. I think it would be a good idea to rename this project in the beginning if you don't want to get into any copyright issues.<p><a href="https://en.wikipedia.org/wiki/Lulu_Hypermarket" rel="nofollow">https://en.wikipedia.org/wiki/Lulu_Hypermarket</a>