Review: Little Snitch 3 two-way firewall for Macs

A firewall between you and the outside world makes your computer a bit safer. Usually however, firewalls check and block incoming traffic and leave you in the dark about traffic going out. When does your Mac “contact” the outside world to send information, or to get a reply back? Little Snitch tells you; it did from day one its developer released it. Shortly, Little Snitch will be at version 3, and it will do it better, more complete (incoming as well) and user-friendlier than ever before.

IT Enquirer rating


  • interface
  • network monitor
  • firewall
  • ease-of-use
  • silent mode without losing rule-creation capability
  • capturing traffic to a standardized log file
  • user-friendly enough for novices
  • none
Price (approx.): €30.00

I tested Little Snitch 3′s pre-release version, which is stable enough to be used for you to try it out, in my opinion. If you have been running Little Snitch 2.x, like I have, for some time, there are immediately three improvements/new features that pop out:

  • The connection alert or “request-permission” dialogue has been vastly simplified
  • The Network Monitor is now a real network observation tool
  • The Configuration screen has more efficient tools added to it.

I found the previous version of Little Snitch to be near-perfect, except for one thing: when Little Snitch alerts you of network traffic that could require your attention, its rule options are a bit daunting. With Little Snitch 3, the dialogue has been simplified without sacrificing security! You can still get to all the granular options of allowing or disallowing traffic as before, but new users will only see a couple of options.

The Network Monitor now shows you the application with incoming or outgoing traffic, with a triangle next to each app. The bottom of Little Snitch 3′s Network Monitor shows a network traffic graph, which reveals extra information when hovering over it with the mouse.

The triangle next to each app reveals all servers which the app connected to in the past period (which you can define yourself). This is extremely useful to determine whether you want to block an app from connecting in future, but also purely for documentation purposes and for keeping an eye on connections that are dodgy. For documentation purposes, you can take snapshots!

By right-clicking, you can block the traffic that you’re seeing from this app, you can capture the traffic to a “.pcap” file, and you can show the rules that correspond to this app.

The network graph is a gem. It shows you the incoming/outgoing traffic in bytes/second on a traditionally coloured histogram, while hovering with the mouse on the graph itself shows you the exact time of the traffic as it occurs at the cursor position and the exact number of bytes at that moment. If there were applications being launched or displaying activity, the exact moment of launch (and termination) pop up in callouts. Except for its gorgeous design, this graph is an example of how you can represent complex information in a very user-friendly way.

These are the new features that will immediately catch your attention. However, there is a much more important new functionality Obdev has added to Little Snitch 3: a firewall for incoming traffic. This one works in the same way as the outgoing traffic monitor; i.e. it is rule based. But instead of having all sorts of rules for all sorts of usage scenarios, you can now also arrange rules in profiles.

The profile feature in Little Snitch 3 is optional, but if you want more granular control over when specific rules are tested against, profiles are great. Obdev gives the following examples: profiles for “Home”, “Office” or “Internet Cafe”, but it’s clear that you can do a lot more with them — e.g. creating a profile for working with groups of specific applications. Rules that are assigned to a particular profile are only effective if that profile is active. The active profile can be chosen from the status menu.

Creating rules has become easier too, with a more intuitive interface. There are domain-based rules from within the connection alert — for example, you can select to allow connections from specific subdomains (if they’re listed) only, or just the opposite: from the top domain.

Little Snitch 3 comes with a dazzling array of features; much more so than the previous versions. I couldn’t yet try them all out myself, but above are the most powerful that immediately struck me. There’s plenty more, though. Little Snitch 3 can suggest rules based on previous network usage (expired temporary rules, Silent Mode connections, etc.).

A number of grouping options (by process, by domain, etc.) allow you to specify how fine grained these suggestions should be.

With Silent Mode you can quickly choose to silence all connection warnings for a while. You can then later review the Silent Mode Log to define permanent rules for connection attempts that occurred during that time.

If security and an audit trail are important to you — and they should matter to all of us! — then take a look at Little Snitch 3. There is literally nothing that comes close. Oh, and I did I mention Little Snith 3 has a gorgeous new icon, designed by the IconFactory?