On macOS you may use Little Snitch to control app-specific Internet access while also running a proxy app; combining the two can leak access past the firewall rules. This blog post describes a practice that has worked well, for your reference.

My Practice

Apps

Little Snitch: a firewall app that uses app-specific rules to control Internet access.

ClashX: a proxy app that uses IP/domain-specific rules to control Internet access.

Because the two rule sets are complementary, we like to use both of them.

Practice

  1. Block apps from accessing sensitive websites/domains with Little Snitch rules.

  2. Set up proxy support in ClashX.

    Warning: DO NOT turn on "Set as system proxy". Because the system proxy has the highest priority, any app can reach every IP that the ClashX rules do not block/reject, and the app-specific access control of Little Snitch FAILS due to its lower priority.

  3. Let Internet browsers use the ClashX proxy via a proxy plugin, e.g. SwitchyOmega for Google Chrome.

Tip: You actually do not need to turn on the system-level proxy. Terminal commands need proxy environment variables (such as ALL_PROXY and HTTP_PROXY) to use a proxy anyway, and so does Emacs. Turning on the system-level proxy gains little beyond letting browsers reach the Internet via the proxy without a plugin, and it is dangerous: since we do not know which IPs an app may access, you can never block them precisely in the ClashX rules.
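As an added example (not part of the original post), the following POSIX shell helpers show the per-command alternative the tip describes: a `with_proxy` wrapper that sets the proxy environment variables for one process only, a `proxy_env_status` check that reports whether the current shell is already exporting any of them, and a macOS-only `system_proxy_enabled` check that detects the "Set as system proxy" state the warning above is about. The ClashX ports (7890 for HTTP/HTTPS, 7891 for SOCKS5), the network service name "Wi-Fi", and the `Enabled: Yes` line in `networksetup` output are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ClashX listens on
# 127.0.0.1:7890 (HTTP/HTTPS) and 127.0.0.1:7891 (SOCKS5); these are Clash's
# default ports, so check your ClashX config if you changed them.
CLASH_HTTP="${CLASH_HTTP:-http://127.0.0.1:7890}"
CLASH_SOCKS="${CLASH_SOCKS:-socks5://127.0.0.1:7891}"

# Run ONE command through ClashX by exporting the proxy variables for that
# process only. The calling shell, and every other app, stay proxy-free, so
# Little Snitch's app-specific rules still apply to everything else.
with_proxy() {
    env ALL_PROXY="$CLASH_SOCKS"  all_proxy="$CLASH_SOCKS" \
        HTTP_PROXY="$CLASH_HTTP"  http_proxy="$CLASH_HTTP" \
        HTTPS_PROXY="$CLASH_HTTP" https_proxy="$CLASH_HTTP" \
        NO_PROXY="localhost,127.0.0.1" no_proxy="localhost,127.0.0.1" \
        "$@"
}

# Print the proxy variables exported in the current shell, one per line.
# Returns 0 when none are set (commands connect directly, subject to
# Little Snitch) and 1 when at least one is set.
proxy_env_status() {
    found=0
    for v in ALL_PROXY all_proxy HTTP_PROXY http_proxy HTTPS_PROXY https_proxy; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            printf '%s=%s\n' "$v" "$val"
            found=1
        fi
    done
    return "$found"
}

# macOS only: report whether a system-level proxy is enabled on a network
# service (default "Wi-Fi"), i.e. the setting the warning above tells you to
# keep off. Returns 0 if the web, secure web or SOCKS proxy is enabled,
# 1 if all three are off, 2 if networksetup is unavailable (not macOS).
system_proxy_enabled() {
    service="${1:-Wi-Fi}"   # assumed service name; list yours with
                            # `networksetup -listallnetworkservices`
    command -v networksetup >/dev/null 2>&1 || return 2
    for kind in -getwebproxy -getsecurewebproxy -getsocksfirewallproxy; do
        if networksetup "$kind" "$service" 2>/dev/null | grep -q '^Enabled: Yes'; then
            printf 'system proxy enabled: networksetup %s %s\n' "$kind" "$service"
            return 0
        fi
    done
    return 1
}

# Typical use:
#   with_proxy curl -sI https://example.com   # only this curl goes via ClashX
#   proxy_env_status || echo "this shell exports proxy variables"
#   system_proxy_enabled && echo "system proxy is ON: Little Snitch rules are bypassed"
```

Source this file (`. ./proxy-helpers.sh`) rather than executing it, so the functions land in your interactive shell; `with_proxy` is then the only thing that ever sees the proxy variables, which is the point of the tip.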

Tip: If you want a new app to use the proxy, configure that app's own proxy settings; most apps have them.

Little Snitch

After testing, we found that:

  • Little Snitch cannot block app-specific access to localhost (which the system proxy is built on), neither via IP nor via port.

  • Little Snitch cannot capture all activities of ClashX. Adding rules for ClashX to block specific domains may not stop apps from accessing the Internet, since ClashX sets up its proxy host as the system proxy; it seems that IP visits via the proxy may not always be identified as ClashX activity.