
Little Snitch


Martin S Taylor

Jan 29, 2010, 7:48:30 AM
I've just installed Little Snitch, and I'm puzzled by a couple of things it's
reporting on:

1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net.
(This seems to be connected with my trial version of Adobe CS.) But even
though I've told LS to block all connections from rsmac_3630, and all
connections to cn1.redswoosh.akadns.net, it keeps re-connecting.

2. Skype connects to lots of things, of course: this is how Skype works. But
shortly after Skype connects to some address, processes from VM Fusion and
Drobo Dashboard kick in, connecting to the same address Skype has just spoken
to. This, even though I haven't used VM Fusion in months.

What's going on?

Martin S Taylor

Peter Ceresole

Jan 29, 2010, 1:31:53 PM
Martin S Taylor <m...@hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:

> I've just installed Little Snitch, and I'm puzzled by a couple of things it's
> reporting on:

I realise that this is not an answer to the specific question you asked,
but I think, as usual, the best thing to do is to ignore anything Little
Snitch tells you.


--
Peter

Jaimie Vandenbergh

Jan 29, 2010, 2:05:34 PM

Not in Martin's case, since he's trying to get his Mac to not spew
mindless drivel across the network it's on.

For normal users yes. For a security analyst being stealthy, no.

Cheers - Jaimie
--
"I have an asteroid named after me. Isaac Asimov's got one too.
It's smaller and more eccentric." -- Arthur C. Clarke

James Taylor

Jan 29, 2010, 3:42:49 PM
Jaimie Vandenbergh wrote:

> Peter Ceresole wrote:
>
>> Martin S Taylor wrote:
>>
>>> I've just installed Little Snitch, and I'm puzzled by a couple of
>>> things it's reporting on:
>>
>> I realise that this is not an answer to the specific question you asked,
>> but I think, as usual, the best thing to do is to ignore anything Little
>> Snitch tells you.
>
> Not in Martin's case, since he's trying to get his Mac to not spew
> mindless drivel across the network it's on.
>
> For normal users yes. For a security analyst being stealthy, no.

Are you confusing Martin Taylor with me, James Taylor?

--
James Taylor

Jaimie Vandenbergh

Jan 29, 2010, 3:52:59 PM

Apparently so! Whoops. Well, almost halfway right.

Cheers - Jaimie
--
"The problem with defending the purity of the English language is that English
is about as pure as a cribhouse whore. We don't just borrow words; on occasion,
English has pursued other languages down alleyways to beat them unconscious
and rifle their pockets for new vocabulary." -- James Nicoll, rasfw

James Taylor

Jan 29, 2010, 4:25:28 PM
Martin S Taylor wrote:

> I've just installed Little Snitch, and I'm puzzled by a couple
> of things it's reporting on:
>
> 1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net.
> (This seems to be connected with my trial version of Adobe CS.) But even
> though I've told LS to block all connections from rsmac_3630, and all
> connections to cn1.redswoosh.akadns.net, it keeps re-connecting.

Little Snitch prevents things from making outbound connections, but it
does not prevent them from *trying* to connect out. The Little Snitch
network monitor flags up every attempted connection whether it succeeds
or not.

If commonly occurring notifications in the LS network monitor irritate
you, or cause you to lose the signal in the noise, then you can tell LS
to disable the notification for specific processes. Ctrl-click, or
right-click on the notification itself to find this option on the menu.

> 2. Skype connects to lots of things, of course: this is how Skype works. But
> shortly after Skype connects to some address, processes from VM Fusion and
> Drobo Dashboard kick in, connecting to the same address Skype has just spoken
> to. This, even though I haven't used VM Fusion in months.

That sounds very curious. I would need more information to discover
what's really going on, but I'll hazard a guess that Skype is trying to
use NAT-PMP or UPnP via all available interfaces to open a port on your
router which can then be used by the rest of the Skype network to
forward calls for other Skype users.

Specifically this helps people behind non-traversable NAT devices make
calls to each other (thus stealing your bandwidth for the commercial
benefit of the already wealthy Skype Ltd).

Given that an installation of VMware adds some virtual network
interfaces, when Skype tries to send traffic over them, VMware
components are invoked to handle it. Just guessing, but this is probably
why you are seeing VMware related entries when using Skype.

Frankly, Skype is a very scary thing to be running on your computer if
you care about security. It's closed proprietary code that may or may
not contain intentional backdoors or unintentional security holes. It
encrypts most of its communications so you have no way of knowing what
kind of information it is sending from your computer out to the cloud of
peers which, rather like a botnet, can pass information back and forth
in so many ways it would be untraceable. There's no way you can keep
track of all the IPs it connects to, or limit their number using Little
Snitch, so if you want to run Skype usefully you have to tell LS to
allow all connections from Skype, and that means you'll never notice
when it does start sending your keystrokes or passwords to either Skype
Ltd or the hordes of faceless spooks and crooks that would salivate at
the thought of being able to reap such a global harvest. Worst of all,
Skype is, like all IM clients, something you normally keep running all
the time to allow other people to contact you, and this means it is
facing the Internet for longer than any web browser or email client and
would be an ideal target for a fast spreading worm.

My advice is that, if you're going to run Skype at all, run it in a
clean VM guest that you keep separate from other VM guests. And make
sure you disable UPnP and NAT-PMP on all your routers, AirPort devices, etc.

--
James Taylor

Martin S Taylor

Feb 1, 2010, 5:25:57 AM
Thanks, James, for a very helpful reply.

James Taylor wrote:

> Martin S Taylor wrote:
>
>> I've just installed Little Snitch, and I'm puzzled by a couple
>> of things it's reporting on:
>>
>> 1. A process called rsmac_3630 keeps talking to cn1.redswoosh.akadns.net.
>> (This seems to be connected with my trial version of Adobe CS.) But even
>> though I've told LS to block all connections from rsmac_3630, and all
>> connections to cn1.redswoosh.akadns.net, it keeps re-connecting.
>
> Little Snitch prevents things from making outbound connections, but it
> does not prevent them from *trying* to connect out. The Little Snitch
> network monitor flags up every attempted connection whether it succeeds
> or not.

Confusingly documented, then. To say "Connection History:
cn2.redswoosh.akadns.net" when the process has only *tried* to connect (but
failed) is a little confusing, I think.

Thank you.

> My advice is that, if you're going to run Skype at all, run it in a
> clean VM guest that you keep separate from other VM guests. And make
> sure you disable UPnP and NAT-PMP on all your routers, AirPort devices, etc.

Not sure what this means, but it seems easier just not to use Skype. Does
your second sentence refer to times when I've got Skype running, or do you
recommend disabling UPnP and NAT-PMP all the while?

MST

Rowland McDonnell

Feb 1, 2010, 9:10:42 AM
Jaimie Vandenbergh <jai...@sometimes.sessile.org> wrote:

> (Peter Ceresole) wrote:
>
> >Martin S Taylor <m...@hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:
> >
> >> I've just installed Little Snitch, and I'm puzzled by a couple of
> >> things it's reporting on:
> >
> >I realise that this is not an answer to the specific question you asked,
> >but I think, as usual, the best thing to do is to ignore anything Little
> >Snitch tells you.

Users with that attitude have no use for Little Snitch and should not
install it.

> Not in Martin's case, since he's trying to get his Mac to not spew
> mindless drivel across the network it's on.
>
> For normal users yes. For a security analyst being stealthy, no.

This normal user has for many years been using Little Snitch.

As usual, I've not followed Peter C's suggestion (that attitude's
generally worked out well - his advice is mostly wrong in some
significant way).

The point about Little Snitch is that it tells you what's calling home -
and I don't want software to call home from my computer. I like to keep
private that which I want to keep private.

So it's important to *NOT* ignore what Little Snitch says - after all,
why bother paying for it if you're not going to pay attention to it, eh?

Rowland.

--
Remove the animal for email address: rowland....@dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking

James Taylor

Feb 1, 2010, 2:15:21 PM
Martin S Taylor wrote:

> Thanks, James, for a very helpful reply.

My pleasure.

> James Taylor wrote:
>
>> My advice is that, if you're going to run Skype at all, run it in a
>> clean VM guest that you keep separate from other VM guests. And
>> make sure you disable UPnP and NAT-PMP on all your routers, AirPort
>> devices, etc.
>
> Not sure what this means, but it seems easier just not to use Skype.

Skype is exceedingly useful. I run it, even though it gives me the
heebie-jeebies and I therefore spend a lot of my time watching every
move it makes, but it's useful nonetheless.

> Does your second sentence refer to times when I've got Skype running,
> or do you recommend disabling UPnP and NAT-PMP all the while?

UPnP = Universal Plug'n'Play. A Microsoft protocol.
NAT-PMP = NAT Port Mapping Protocol. An Apple and IETF protocol.

Guess which one is more widely supported on routers, the Microsoft
version or the IETF standardised and Apple version? ;-)

Both protocols allow software running on your computer, whether it be
legitimate such as Transmission, or malware such as a spam relay bot, to
open ports through the NAT firewall on your router without your
knowledge, or permission, and without needing to be given the admin
password of the router, and usually with no indication in the router
interface of the auto-port-forwards thus created. If that doesn't cause
you to experience an instinctive recoil of horror, like it does me, then
perhaps you are fine to enjoy the convenience of automatic port
forwarding. If, on the other hand, you are quite capable of setting up
port forwards on your own NAT router when required, then there is no
reason to leave UPnP or NAT-PMP enabled.

--
James Taylor
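Both protocols James describes let software on the LAN ask the router for a port mapping. As an added example, not from the thread, this Python decoder parses NAT-PMP (RFC 6886) datagrams as a defender capturing UDP port 5351 would see them and turns them into audit findings: what each host asked the gateway to open or delete, and what the gateway granted or refused. The hosts and payloads in SAMPLE are constructed; UPnP's SOAP messages are not covered here.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KINDS = {0: "external-address", 1: "map-udp", 2: "map-tcp"}   # RFC 6886 opcodes
RESULTS = {0: "success", 1: "unsupported version", 2: "not authorized",
           3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

@dataclass
class NatPmp:
    is_response: bool
    kind: str
    result: Optional[str] = None        # responses only
    internal_port: Optional[int] = None
    external_port: Optional[int] = None
    lifetime: Optional[int] = None      # seconds; 0 in a request deletes the mapping
    external_ip: Optional[str] = None   # external-address responses only

def decode_natpmp(payload: bytes) -> NatPmp:
    """Parse one NAT-PMP UDP payload; raises ValueError on anything malformed."""
    if len(payload) < 2 or payload[0] != 0:
        raise ValueError("not a NAT-PMP version 0 message")
    is_response, base = bool(payload[1] & 0x80), payload[1] & 0x7F
    kind = KINDS.get(base)
    if kind is None:
        raise ValueError(f"unknown opcode {payload[1]}")
    if not is_response:
        if base == 0 and len(payload) == 2:            # external-address request
            return NatPmp(False, kind)
        if base == 0 or len(payload) != 12:            # reserved(2) int(2) ext(2) life(4)
            raise ValueError("bad request length")
        _, inner, outer, life = struct.unpack("!HHHI", payload[2:])
        return NatPmp(False, kind, None, inner, outer, life)
    if len(payload) != (12 if base == 0 else 16):
        raise ValueError("bad response length")
    code = struct.unpack("!H", payload[2:4])[0]        # bytes 4-7: gateway uptime, ignored
    result = RESULTS.get(code, f"unknown({code})")
    if base == 0:
        return NatPmp(True, kind, result, external_ip=".".join(map(str, payload[8:])))
    inner, outer, life = struct.unpack("!HHI", payload[8:])
    return NatPmp(True, kind, result, inner, outer, life)

def audit_mappings(datagrams: List[Tuple[str, bytes]]) -> List[str]:
    """One finding per mapping request or reply: what was asked for, what was granted."""
    findings = []
    for sender, payload in datagrams:
        m = decode_natpmp(payload)
        if m.kind == "external-address":               # harmless discovery traffic
            continue
        proto = m.kind[-3:].upper()
        if not m.is_response:
            action = "DELETE" if m.lifetime == 0 else f"OPEN for {m.lifetime}s"
            target = "all ports" if m.internal_port == 0 else f"port {m.internal_port}"
            findings.append(f"{sender} asked to {action} {proto} {target} "
                            f"(external {m.external_port})")
        elif m.result == "success":
            findings.append(f"gateway {sender} granted {proto} {m.external_port} "
                            f"-> {m.internal_port} lifetime {m.lifetime}s")
        else:
            findings.append(f"gateway {sender} refused: {m.result}")
    return findings

# Constructed datagrams (not captured on the thread's machines): 10.0.1.23 asks for
# TCP 51413 and is granted it; 10.0.1.44 asks to delete all its UDP mappings, refused.
SAMPLE = [
    ("10.0.1.23", bytes.fromhex("0002 0000 c8d5 c8d5 00000e10")),
    ("10.0.1.1", bytes.fromhex("0082 0000 00001a2b c8d5 c8d5 00000e10")),
    ("10.0.1.44", bytes.fromhex("0001 0000 0000 0000 00000000")),
    ("10.0.1.1", bytes.fromhex("0081 0002 00001a2c 0000 0000 00000000")),
]
```

Feeding it the UDP payloads of a capture filtered on port 5351 shows exactly the silent mappings James warns about, without any need to trust the router's own interface.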

Martin S Taylor

Feb 2, 2010, 10:15:42 AM
James:

I took your advice and disabled UPnP. As you say, I'm capable of setting up
port forwards on my own. (I think.)

I'm still fascinated by the process vmnet-natd, though. According to Little
Snitch it belongs to VMware Fusion, yet I haven't run this program in months,
and I haven't run Skype since I last booted the computer. Yet vmnet-natd is
still trying to call a wide range of IP addresses.

Any thoughts?

MST

James Taylor

Feb 2, 2010, 12:55:47 PM
Martin S Taylor wrote:

> I took your advice and disabled UPnP.

Good.

> I'm still fascinated by the process vmnet-natd, though.

My understanding is that it behaves in much the same way as the standard
natd (which is used to set up "Internet Sharing" when enabled in the
Sharing section of System Prefs) but the vmnet-natd sits on the VMware
virtual interface named vmnet8 and is used by the VM guests when you
configure their net connection to be NATted. In contrast the vmnet1
interface provides a private network with no Internet connection, which
is what guests use when you configure their net connection to be host
only. There is also a virtual DHCP server on both virtual networks
(vmnet-dhcpd). As the vmnet-natd is mediating all VM guest network
connections it is the process that Little Snitch sees trying to connect
out to the Internet when a VM guest behind the virtual NAT tries to
connect out.

> According to Little Snitch It belongs to VMware Fusion, yet I haven't
> run this program in months,

The vmnet interfaces are present at all times, whether the VMware front
end is running or not. I guess they must be installed in the kernel
somehow by the VMware installer, but I haven't looked into it further
than that.

> and I haven't run Skype since I last booted the computer. Yet
> vmnet-natd is still trying to call a wide range of IP addresses.

That seems odd. I can't say what's causing that. I do not get that
behaviour on my machine, but then I don't have Skype installed either.
Does this only occur as you start Skype, or is it happening from the
moment that the computer is booted? Maybe you could capture some of the
traffic for analysis:

Inside the virtual network:

sudo tcpdump -i vmnet8 -s0 -w inside.pcap

and outside:

sudo tcpdump -i en0 -s0 -w outside.pcap

(replace en0 with the interface actually in use, e.g. en1 for Wi-Fi)

or use Wireshark to do the equivalent if you have it.

--
James Taylor
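The two captures James suggests only answer the question once they are lined up against each other. As an added example, not from the thread, this Python takes the raw bytes of inside.pcap and outside.pcap and attributes each destination seen on en0 either to a guest behind vmnet8 (the same destination also appears in the inside capture, so vmnet-natd was forwarding for a VM) or to a host process (it appears on en0 only). It assumes classic pcap files with the Ethernet link type and IPv4 traffic; the frames and addresses are constructed inline so it runs without tcpdump.

```python
import struct
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]          # (src IP, dst IP, dst port)

def _dotted(raw: bytes) -> str:
    return ".".join(map(str, raw))

def flows_from_pcap(data: bytes) -> List[Flow]:
    """List TCP/UDP flows in a classic pcap file (Ethernet link type, IPv4 only)."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:       # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    flows, off = [], 24
    while off + 16 <= len(data):                                # 16-byte record header
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (6, 17) or len(ip) < ihl + 4:           # TCP or UDP with ports
            continue
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        flows.append((_dotted(ip[12:16]), _dotted(ip[16:20]), dport))
    return flows

def attribute_flows(inside: bytes, outside: bytes) -> Dict[str, Set[Tuple[str, int]]]:
    """Split destinations seen outside into those a guest behind vmnet8 also contacted
    (vmnet-natd forwarding) and those only a host process contacted."""
    guest = {(dst, port) for _, dst, port in flows_from_pcap(inside)}
    host_only = {(dst, port) for _, dst, port in flows_from_pcap(outside)} - guest
    return {"from_guest": guest, "host_only": host_only}

def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed little-endian pcap (version 2.4, snaplen 65535, Ethernet) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f    # ts_sec, ts_usec, caplen, len
    return out

def tcp_syn(src: str, dst: str, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP SYN frame with zero checksums (constructed sample)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return bytes(12) + b"\x08\x00" + ip_hdr + tcp_hdr

# Constructed captures: guest 172.16.0.5 on vmnet8 reaches 203.0.113.10:443; on en0 the
# host 10.0.1.23 shows that NATted flow plus its own connection to 198.51.100.7:80.
INSIDE = build_pcap([tcp_syn("172.16.0.5", "203.0.113.10", 443)])
OUTSIDE = build_pcap([tcp_syn("10.0.1.23", "203.0.113.10", 443),
                      tcp_syn("10.0.1.23", "198.51.100.7", 80)])
```

A destination that both a guest and a host process contact is attributed to the guest, so the split is a heuristic for narrowing down which Little Snitch entries belong to a VM, not proof.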

David Empson

Feb 14, 2010, 7:44:56 AM
Martin S Taylor <m...@hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:

Well, not why it is doing that, but I can at least give you a little
background on what it does.

VMware Fusion (and the other virtual machine solutions) have several
ways of interfacing the networking between the virtual and host
machines. I mainly use VMware (still on version 2) but I've had a brief
look at Parallels (4).

VMware has three major modes of network operation for a virtual machine:

- Share the Mac's network connection (NAT).
- Connect directly to the physical network (Bridged).
- Create a private network available only to the Mac (Host Only).

The network functionality is implemented by a kernel extension installed
by VMware Fusion. It is running all the time. I expect vmware-natd is
part of this.

I use Bridged mode. This results in the Virtual Machine appearing as if
it is a separate computer on the same local network as the Mac. This
allows the virtual machine to interact with a network of real Windows
PCs, and also effectively gives you two independent networked computers
if you want to test any networked software between the Mac and virtual
PC.

In NAT mode, I expect the Mac acts like a NAT router, so the virtual
machine is on an independent network and can only make outgoing
connections (I have no idea how you would set up inbound port mappings).

VMware's kernel extension also sets up at least two additional network
interfaces seen by the Mac (these are called "vmnet1" and "vmnet8" on my
computer). They are invisible in System Preferences > Network but can be
seen via 'ifconfig' in Terminal.

These networks have automatically created addresses in the 172.16 range
and appear to be active.

These networks are used to communicate between the Mac and the virtual
machine.

I think what is happening in your case is:

1. You have a configured virtual machine which is set to use NAT mode
for its networking.

2. Software you are running on the Mac is trying to establish a
connection to a server on the Internet. As part of this it is trying all
active network interfaces (including the VMware one).

3. The VMware network interface is somehow translating this into an
outgoing connection via its NAT support, resulting in Little Snitch
warning you about vmware-natd making an outgoing connection. (This is
the bit I don't understand.)


If you think that is bad, Parallels Desktop is worse. It also creates
two virtual network interfaces, but they appear to the Mac as if they
were real Ethernet ports, so they show up in System Preferences and
cause confusion in various parts of the system due to having extra
Ethernets which are connected but can't talk to the Internet. If you
uninstall Parallels and reinstall it later, you end up with
non-sequential numbered Ethernet ports. (I currently have en8 and en9
for Parallels, en6 for iPhone Tethering, and the standard en0 and en1
for Ethernet and Airport.)

In Parallels, one is the "Shared" network adapter and the other is the
"Host Only" network adapter, so I expect this is also what is going on
with VMware Fusion.

--
David Empson
dem...@actrix.gen.nz

Daniel Cohen

Feb 15, 2010, 2:45:01 AM
David Empson <dem...@actrix.gen.nz> wrote:

> Martin S Taylor <m...@hRyEpMnOoVtEiTsHm.cIo.uSk> wrote:
>
> > James:
> >
> > I took your advice and disabled UPnP. As you say, I'm capable of setting
> > up port forwards on my own. (I think.)
> >
> > I'm still fascinated by the process vmnet-natd, though. According to
> > Little Snitch It belongs to VMware Fusion, yet I haven't run this
> > program in months, and I haven't run Skype since I last booted the
> > computer. Yet vmnet-natd is still trying to call a wide range of IP
> > addresses.
> >
> > Any thoughts?
>
> Well, not why it is doing that, but I can at least give you a little
> background on what it does.
>
> VMware Fusion (and the other virtual machine solutions) have several ways
> of interfacing the networking between the virtual and host machines. I
> mainly use VMware (still on version 2) but I've had a brief look at
> Parallels (4).
>
> VMware has three major modes of network operation for a virtual machine:
>
> - Share the Mac's network connection (NAT).
> - Connect directly to the physical network (Bridged).
> - Create a private network available only to the Mac (Host Only).
>
> The network functionality is implemented by a kernel extension installed
> by VMware Fusion. It is running all the time. I expect vmware-natd is part
> of this.
>
> I use Bridged mode. This results in the Virtual Machine appearing as if it
> is a separate computer on the same local network as the Mac. This allows
> the virtual machine to interact with a network of real Windows PCs, and
> also effectively gives you two independent networked computers if you want
> to test any networked software between the Mac and virtual PC.
>
> In NAT mode, I expect the Mac acts like a NAT router, so the virtual
> machine is on an independent network and can only make outgoing
> connections (I have no idea how you would set up inbound port mappings).
>
> VMware's kernel extension also sets up at least two additional network
> interfaces seen by the Mac (these are called "vmnet1" and "vmnet8" on my
> computer). They are invisible in System Preferences > Network but can be
> seen via 'ifconfig' in Terminal.
>
> These networks have automatically created addresses in the 172.16 range
> and appear to be active.
>
> These networks are used to communicate between the Mac and the virtual
> machine.
>

Part of the issue, I think, is in the name vmnet-natD. AIUI, the d at
the end suggests that the process is a daemon, and these usually run
continuously, checking to see if they are needed.

See <http://communities.vmware.com/thread/85143> for more info.
--
<http://www.decohen.com>
Send e-mail to the Reply-To address.
Mail to the From address is never read.

Martin S Taylor

Feb 18, 2010, 4:40:34 AM
Daniel Cohen wrote:

Okay, since it's doing stuff I don't really understand, but certainly don't
need, can I turn it off (by force if necessary) without impairing VM's
ability to emulate a PC? I emphatically don't need VM to do any networking.

MST

Chris Ridd

Feb 18, 2010, 5:13:22 AM
On 2010-02-18 09:40:34 +0000, Martin S Taylor said:

> Daniel Cohen wrote:
>
>> Part of the issue, I think, is in the name vmnet-natD. AIUI, the d at
>> the end suggests that the process is a daemon, and these usually run
>> continuously, checking to see if they are needed.
>>
>> See <http://communities.vmware.com/thread/85143> for more info.
>>
>
> Okay, since it's doing stuff I don't really understand, but certainly don't
> need, can I turn it off (by force if necessary) without impairing VM's
> ability to emulate a PC? I emphatically don't need VM to do any networking.

When you log in to your Mac, a VMware launchd job gets run called
"/Library/Application Support/VMware Fusion/boot.sh". (With an argument
of --start)

Having a look at that script, it tries to start the vmnet daemons and
if they fail to start, VMware itself will not run:

ret=`"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet.pid`
if [ "$ret" = "0" ]; then
    logger -s -t "VMware Fusion 215242" \
        "Error: Unable to start the bridge daemons. Error: $?"
    exit 1
fi

ret=`"$LIBDIR/vmnet-cli" --start`
if [ "$ret" = "0" ]; then
    logger -s -t "VMware Fusion 215242" \
        "Error: Unable to start the network daemons. Error: $?"
    exit 1
fi

I think you're out of luck and the daemons *have* to run even if they
end up not doing anything. (Which is slightly annoying; you could raise
a bug with vmware and ask them to start them on-demand.)

Why do you think they're harmful?
--
Chris

David Empson

Feb 18, 2010, 5:41:11 AM

I don't know if you can turn them off completely without causing
problems for VMware Fusion, but you should be able to minimise what they
are doing by changing the network configuration of your virtual
machine(s).

For VMware Fusion 2.x:

1. If your virtual machine(s) have saved state, open them and shut down
the guest operating system.

2. In the VMware Fusion "Virtual Machine Library" window, repeat for
each virtual machine:

Click on Settings, then Network.

Change the setting from "Share the Mac's network connection (NAT)" to
"Create a private network available only to the Mac (Host Only)".

This should stop VMware trying to do NAT, but will still allow
communication between the guest operating system and the Mac.

You could go one step further and experiment with unchecking the
"Connected" option. I expect it will behave like the Ethernet cable is
unplugged, but the guest OS will still see a network interface adapter
so Windows won't throw a hissy fit about hardware changing.

--
David Empson
dem...@actrix.gen.nz
