Just installed Little Snitch (are there no good free firewalls for Mac?)
One could say you don't really need a third party firewall for OS X. There's one built in, and while Little Snitch certainly does the job, I don't see lots of practical uses for it. If only, to make users paranoid. Most of the time, you want to check if some application is "phoning home", but after you get hundreds of alerts just to start up a program, it could become more annoying than useful.
If you don't want to spend any money, stick with the built-in one.
CURL is sending to Google every few minutes
This could be almost anything. If you have Google synchronization enabled through Address Book or Calendar, then contactsd
will connect to Google. If not, then it's very likely that any application you have installed pings Google to check whether you're connected to the internet at all. Not very classy, but how often do you find yourself checking ping google.com
in the terminal?
The primary problem here is that Little Snitch doesn't report the process that is calling curl
or ping
. What you can do to find out the parent process is described in this Security.SE answer. Basically, you can create a wrapper script for the binaries to find out who called them:
sudo cp /usr/bin/curl /usr/bin/curl.bin
sudo nano /usr/bin/curl.wrapper
Here, copy this:
#!/bin/sh
date >> /var/tmp/curl_ppid.log
ps -f -p $PPID >> /var/tmp/curl_ppid.log
exec curl.bin "$@"
Save with CtrlO, then press ↩. Now:
sudo chmod 755 /usr/bin/curl.wrapper
sudo touch /var/tmp/curl_ppid.log
sudo chmod a+w /var/tmp/curl_ppid.log
sudo ln -sf /usr/bin/curl.wrapper /usr/bin/curl
Now you can see who called curl
by inspecting the newly created log file in /var/tmp/curl_ppid.log
.
To check which process belongs to a PID, use:
ps -fp <pid>
where <pid>
is the process ID you acquired from the logfile.
If you ever want to reverse this process, this is enough:
sudo cp /usr/bin/curl.bin /usr/bin/curl