From: Martin S Taylor on
Thanks, James, for a very helpful reply.

James Taylor wrote:
> Martin S Taylor wrote:
>
>> I've just installed Little Snitch, and I'm puzzled by a couple
>> of things it's reporting on:
>>
>> 1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net.
>> (This seems to be connected with my trial version of Adobe CS.) But even
>> though I've told LS to block all connections from rsmac_3630, and all
>> connections to cn1.redswoosh.akadns.net, it keeps re-connecting.
>
> Little Snitch prevents things from making outbound connections, but it
> does not prevent them from *trying* to connect out. The Little Snitch
> network monitor flags up every attempted connection whether it succeeds
> or not.

Confusingly documented, then. To say "Connection History:
cn2.redswoosh.akadns.net" when the process has only *tried* to connect (but
failed) is a little confusing, I think.

> If commonly occurring notifications in the LS network monitor irritate
> you, or cause you to lose the signal in the noise, then you can tell LS
> to disable the notification for specific processes. Ctrl-click, or
> right-click on the notification itself to find this option on the menu.
>
>> 2. Skype connects to lots of things, of course: this is how Skype works.
>> But shortly after Skype connects to some address, processes from VM Fusion
>> and Drobo Dashboard kick in, connecting to the same address Skype has just
>> spoken to. This, even though I haven't used VM Fusion in months.
>
> That sounds very curious. I would need more information to discover
> what's really going on, but I'll hazard a guess that Skype is trying to
> use NAT-PMP or UPnP via all available interfaces to open a port on your
> router which can then be used by the rest of the Skype network to
> forward calls for other Skype users.
>
> Specifically this helps people behind non-traversable NAT devices make
> calls to each other (thus stealing your bandwidth for the commercial
> benefit of the already wealthy Skype Ltd).
>
> Given that an installation of VMware adds some virtual network
> interfaces, when Skype tries to send traffic over them, VMware
> components are invoked to handle it. Just guessing, but this is probably
> why you are seeing VMware related entries when using Skype.
>
> Frankly, Skype is a very scary thing to be running on your computer if
> you care about security. It's closed proprietary code that may or may
> not contain intentional backdoors or unintentional security holes. It
> encrypts most of its communications so you have no way of knowing what
> kind of information it is sending from your computer out to the cloud of
> peers which, rather like a botnet, can pass information back and forth
> in so many ways it would be untraceable. There's no way you can keep
> track of all the IPs it connects to, or limit their number using Little
> Snitch, so if you want to run Skype usefully you have to tell LS to
> allow all connections from Skype, and that means you'll never notice
> when it does start sending your keystrokes or passwords to either Skype
> Ltd or the hordes of faceless spooks and crooks that would salivate at
> the thought of being able to reap such a global harvest. Worst of all,
> Skype is, like all IM clients, something you normally keep running all
> the time to allow other people to contact you, and this means it is
> facing the Internet for longer than any web browser or email client and
> would be an ideal target for a fast spreading worm.

Thank you.

> My advice is that, if you're going to run Skype at all, run it in a
> clean VM guest that you keep separate from other VM guests. And make
> sure you disable UPnP and NAT-PMP on all your routers, AirPort devices, etc.

Not sure what this means, but it seems easier just not to use Skype. Does
your second sentence refer to times when I've got Skype running, or do you
recommend disabling UPnP and NAT-PMP all the while?

MST

From: Rowland McDonnell on
Jaimie Vandenbergh <jaimie(a)sometimes.sessile.org> wrote:

> (Peter Ceresole) wrote:
>
> >Martin S Taylor <mst(a)hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:
> >
> >> I've just installed Little Snitch, and I'm puzzled by a couple of
> >> things it's reporting on:
> >
> >I realise that this is not an answer to the specific question you asked,
> >but I think, as usual, the best thing to do is to ignore anything Little
> >Snitch tells you.

Users with that attitude have no use for Little Snitch and should not
install it.

> Not in Martin's case, since he's trying to get his Mac to not spew
> mindless drivel across the network it's on.
>
> For normal users yes. For a security analyst being stealthy, no.

This normal user has for many years been using Little Snitch.

As usual, I've not followed Peter C's suggestion (that attitude's
generally worked out well - his advice is mostly wrong in some
significant way).

The point about Little Snitch is that it tells you what's calling home -
and I don't want software to call home from my computer. I like to keep
private that which I want to keep private.

So it's important to *NOT* ignore what Little Snitch says - after all,
why bother paying for it if you're not going to pay attention to it, eh?

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking
From: Martin S Taylor on
James:

I took your advice and disabled UPnP. As you say, I'm capable of setting up
port forwards on my own. (I think.)

I'm still fascinated by the process vmnet-natd, though. According to Little
Snitch it belongs to VMware Fusion, yet I haven't run this program in months,
and I haven't run Skype since I last booted the computer. Yet vmnet-natd is
still trying to call a wide range of IP addresses.

Any thoughts?

MST

From: James Taylor on
Martin S Taylor wrote:

> I took your advice and disabled UPnP.

Good.

> I'm still fascinated by the process vmnet-natd, though.

My understanding is that it behaves in much the same way as the standard
natd (which is used to set up "Internet Sharing" when enabled in the
Sharing section of System Prefs) but the vmnet-natd sits on the VMware
virtual interface named vmnet8 and is used by the VM guests when you
configure their net connection to be NATted. In contrast the vmnet1
interface provides a private network with no Internet connection, which
is what guests use when you configure their net connection to be host
only. There is also a virtual DHCP server on both virtual networks
(vmnet-dhcpd). As the vmnet-natd is mediating all VM guest network
connections it is the process that Little Snitch sees trying to connect
out to the Internet when a VM guest behind the virtual NAT tries to
connect out.

> According to Little Snitch It belongs to VMware Fusion, yet I haven't
> run this program in months,

The vmnet interfaces are present at all times, whether the VMware front
end is running or not. I guess they must be installed in the kernel
somehow by the VMware installer, but I haven't looked into it further
than that.

> and I haven't run Skype since I last booted the computer. Yet
> vmnet-natd is still trying to call a wide range of IP addresses.

That seems odd. I can't say what's causing that. I do not get that
behaviour on my machine, but then I don't have Skype installed either.
Does this only occur as you start Skype, or is it happening from the
moment that the computer is booted? Maybe you could capture some of the
traffic for analysis:

Inside the virtual network:

sudo tcpdump -i vmnet8 -s0 -w inside.pcap

and outside:

sudo tcpdump -i en0 -s0 -w outside.pcap

(replace en0 with the interface actually in use, e.g. en1 for wi-fi)

or use Wireshark to do the equivalent if you have it.

--
James Taylor
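Before reaching for tcpdump, the Little Snitch connection history alone can separate the two things Martin describes: other processes (vmnet-natd, Drobo Dashboard) hitting an address right after Skype did, versus vmnet-natd attempts with no such trigger, which are the ones worth capturing on vmnet8. The script below is an added example, not from anyone in this thread; the log line format and the 10-second "shortly after" window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not real Little Snitch output. Assumed line format:
#   <ISO timestamp> <process name> -> <destination>:<port>
SAMPLE_LOG = """\
2009-03-01T10:00:00 Skype -> 198.51.100.7:443
2009-03-01T10:00:02 vmnet-natd -> 198.51.100.7:443
2009-03-01T10:00:03 Drobo Dashboard -> 198.51.100.7:443
2009-03-01T10:05:00 Safari -> 203.0.113.10:80
2009-03-01T10:30:00 vmnet-natd -> 192.0.2.55:5060
"""
LINE_RE = re.compile(r"^(\S+) (.+?) -> (\S+)$")
WINDOW = timedelta(seconds=10)  # assumed meaning of "shortly after"

def parse_log(text):
    """Return (timestamp, process, destination) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # unrecognised lines are skipped rather than guessed at
            ts, proc, dest = m.groups()
            events.append((datetime.fromisoformat(ts), proc, dest))
    return sorted(events)

def preceded_by(events, ts, dest, pred, window=WINDOW):
    """Seconds since the most recent earlier attempt to `dest` by a process
    satisfying `pred`, or None if none falls within `window`."""
    for e_ts, e_proc, e_dest in reversed(events):
        if e_ts <= ts and e_dest == dest and pred(e_proc):
            gap = (ts - e_ts).total_seconds()
            return gap if gap <= window.total_seconds() else None
    return None

def find_followers(events, trigger="Skype"):
    """Other processes contacting a destination `trigger` just spoke to."""
    out = []
    for ts, proc, dest in events:
        if proc != trigger:
            gap = preceded_by(events, ts, dest, lambda p: p == trigger)
            if gap is not None:
                out.append((proc, dest, gap))
    return out

def unexplained_helper_events(events, helper="vmnet-natd"):
    """Helper attempts no other process explains: capture these on vmnet8."""
    return [(ts, dest) for ts, proc, dest in events
            if proc == helper
            and preceded_by(events, ts, dest, lambda p: p != helper) is None]
```

An entry that does show up as a follower of Skype supports James's NAT-PMP/UPnP-over-every-interface guess; an unexplained one points at a guest, or something else, behind the virtual NAT.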
From: David Empson on
Martin S Taylor <mst(a)hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:

> James:
>
> I took your advice and disabled UPnP. As you say, I'm capable of setting up
> port forwards on my own. (I think.)
>
> I'm still fascinated by the process vmnet-natd, though. According to Little
> Snitch it belongs to VMware Fusion, yet I haven't run this program in months,
> and I haven't run Skype since I last booted the computer. Yet vmnet-natd is
> still trying to call a wide range of IP addresses.
>
> Any thoughts?

Well, not why it is doing that, but I can at least give you a little
background on what it does.

VMware Fusion (and the other virtual machine solutions) have several
ways of interfacing the networking between the virtual and host
machines. I mainly use VMware (still on version 2) but I've had a brief
look at Parallels (4).

VMware has three major modes of network operation for a virtual machine:

- Share the Mac's network connection (NAT).
- Connect directly to the physical network (Bridged).
- Create a private network available only to the Mac (Host Only).

The network functionality is implemented by a kernel extension installed
by VMware Fusion. It is running all the time. I expect vmnet-natd is
part of this.

I use Bridged mode. This results in the Virtual Machine appearing as if
it is a separate computer on the same local network as the Mac. This
allows the virtual machine to interact with a network of real Windows
PCs, and also effectively gives you two independent networked computers
if you want to test any networked software between the Mac and virtual
PC.

In NAT mode, I expect the Mac acts like a NAT router, so the virtual
machine is on an independent network and can only make outgoing
connections (I have no idea how you would set up inbound port mappings).

VMware's kernel extension also sets up at least two additional network
interfaces seen by the Mac (these are called "vmnet1" and "vmnet8" on my
computer). They are invisible in System Preferences > Network but can be
seen via 'ifconfig' in Terminal.

These networks have automatically created addresses in the 172.16 range
and appear to be active.

These networks are used to communicate between the Mac and the virtual
machine.

I think what is happening in your case is:

1. You have a configured virtual machine which is set to use NAT mode
for its networking.

2. Software you are running on the Mac is trying to establish a
connection to a server on the Internet. As part of this it is trying all
active network interfaces (including the VMware one).

3. The VMware network interface is somehow translating this into an
outgoing connection via its NAT support, resulting in Little Snitch
warning you about vmnet-natd making an outgoing connection. (This is
the bit I don't understand.)


If you think that is bad, Parallels Desktop is worse. It also creates
two virtual network interfaces, but they appear to the Mac as if they
were real Ethernet ports, so they show up in System Preferences and
cause confusion in various parts of the system due to having extra
Ethernets which are connected but can't talk to the Internet. If you
uninstall Parallels and reinstall it later, you end up with
non-sequential numbered Ethernet ports. (I currently have en8 and en9
for Parallels, en6 for iPhone Tethering, and the standard en0 and en1
for Ethernet and Airport.)

In Parallels, one is the "Shared" network adapter and the other is the
"Host Only" network adapter, so I expect this is also what is going on
with VMware Fusion.

--
David Empson
dempson(a)actrix.gen.nz