Description
OS / Environment
MacOS, all versions up to and including Sierra.
Summary of the problem
Little Snitch is a popular host-based firewall for OSX, primarily used for egress filtering: https://www.obdev.at/products/littlesnitch/index.html
There's a known bug with OS X VPNs like IPsec where the DNS information for a given connection isn't available to LS, which breaks all of the LS rules that rely on hostnames. More information is also discussed in this thread on the LS forums, where the LS devs are quoted:
"We are in fact aware of this issue where for some reason the LS filter does not get incoming packets (including DNS traffic) from a native IPSec VPN connection on OS X Yosemite. Unfortunately there is not much we can do from our side but we already sent a bug report to Apple as this has to be fixed on their side, at least we hope that 10.10.3 will fix the issue but we will also do some further investigation."
I'm not aware of a workaround other than to silently accept or deny all connections, but am opening this ticket to document the problem in case anyone else comes searching for it. I expect a userland IPsec VPN client would not have these same problems.
Steps to reproduce the behavior
Install LS, connect to an IPsec VPN.
Expected behavior
LS behaves.
Actual behavior
LS ignores all your rules, because they're based on hostnames which are unavailable.