MacOS IPSEC VPNs and Little Snitch #134
Comments
I wonder what it is that can be done here? I mean it's clearly an Apple issue. Unless there's something that can be done in IPSEC configs, which doesn't seem to be the case?
This issue should not be addressed to Algo
Little Snitch 3 is out today. Maybe it has different behavior?
Oh darn, I misread. Never mind!
I've also noticed that Little Snitch bandwidth monitor doesn't account for the traffic inside IPSEC VPN. I wonder if it's connected with this issue.
Outgoing connections are still filtered...correct?
Does anyone know if this bug is fixed in macOS 10.13 High Sierra?
This issue seems to have been fixed on macOS 10.13 High Sierra, using Little Snitch 4.0.3.
I upgraded to the latest versions of macOS High Sierra 10.13.2 and LS 4.0.6 and in 'Silent Mode: Allow connections' operation mode it seems to work.
OS / Environment
MacOS, all versions up to and including Sierra.
Summary of the problem
Little Snitch is a popular host-based firewall for OSX, primarily used for egress filtering: https://www.obdev.at/products/littlesnitch/index.html
There's a known bug with OSX VPNs like IPSEC where the DNS information for a given connection isn't available to LS, which breaks all of the LS rules that rely on hostnames. More information is also discussed in this thread on the LS forums, where the LS devs are quoted:
I'm not aware of a workaround other than to silently accept or deny all connections, but am opening this ticket to document the problem in case anyone else comes searching for it. I expect a userland IPSEC VPN client would not have these same problems.
Steps to reproduce the behavior
Install LS, connect to IPSEC VPN.
Expected behavior
LS behaves.
Actual behavior
LS ignores all your rules, because they're based on hostnames which are unavailable.