Does anyone know of any good firewalls for macOS? The built-in firewall is practically unusable, and if client isolation can be bypassed, the local firewall is more important than ever.
I often have a dev server running bound to 0.0.0.0 as it makes debugging easy at home on the LAN, but then if I connect to a public WiFi I want to know that I am secure and the ports are closed. "Block all incoming connections" on macOS has failed me before when I've tested it.
Little Snitch is a user-friendly, software-level blocker only; use with caution.
Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.
You need isolated hardware for true inbound/outbound protection.
>Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?
When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by the upstream DNS provider (it does not matter which option you select). This software pairs well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.
I have just today discovered zmx [1] which is like tmux but I always hated the tmux terminal emulation and how it hijacks scrolling, especially on Termius on my phone. It does session persistence but I think without the terminal emulator side of things, so scrolling works normally.
Been testing it today with Claude Code and it seems to work quite well switching between my laptop and phone.
I also hate how tmux uses alt mode, and I can never remember all the shortcuts; copy-paste is a PITA, and just today I had to look up how to dump the scrollback buffer to a file. Named sessions without window management make a lot more sense these days. Similarly, I'm not a fan of all the ANSI escape codes that CC uses to jump the cursor around and rewrite the display to look like a GUI. I prefer a TUI that doesn't mutate rows after writing them; that's what alt mode is for. CC often clears whatever was in the scrollback buffer before you opened it, it hides bracketed paste, and it goes crazy sometimes when content overflows the window, so I have to resize the terminal or get blasted with a wall of glitching characters--extra annoying if I'm working from a low-bandwidth link. I develop my own agent framework and code agent, and while some features aren't as polished as CC, one of my explicit goals is to preserve the traditional CLI feel, like the Python REPL (that's what it's based around). I'll give zmx a try tonight :)
I was travelling a lot a couple of days ago across the countryside just outside of Krakow, and people are definitely burning plastics and trash, you can smell it even inside your car in the early hours of the morning.
It's coming from the surrounding areas, not the city itself.
Also one thing to note is that if pollution is bad in general then nearby fires and local sources of pollution will be much more noticeable. At least in my experience it seems to keep the pollution closer to the ground. Like if you are walking around a city with a lot of traffic on a day with bad pollution you will basically smell car exhaust all day whereas on days with low pollution even with the exact same amount of cars it will be much less noticeable.
Suburbs may be fine, but beyond them there's a ring of small towns and villages, and I bet most of the pollution is flowing from them down into the city.
"A high-latency architect who spends his days documenting every time a CDN sneezes while dreaming of a mountain drive through the Balkans with a fresh burek in hand."
Definitely don't recommend going down this path if you're not already familiar with Nix, but if you are, a strategy that I find works really well is to package your software with Nix, then you can run it easily via systemd but also create super lightweight containers using nix-snapshotter[0] so you don't have to "build" container images if you still want the flexibility of containers. You can then run the containers on Docker or Kubernetes without having to build heavy images.
Not gonna lie, Terranix has been working great for us; all our configuration is in Nix files anyway, so it's so easy to just pass stuff in rather than using Tf variables etc.