In today's connected world, it is rare to find an application or piece of malware that
+ Firewall protection + Anti-ransomware + Windows, Mac, iOS, Android + Up to 10 devices. Reasons to avoid-Annoying ads. GlassWire is one of the most attractive free firewalls available. Norton 360 Deluxe delivers lab-certified Mac antivirus protection along with a two-way firewall, a password manager, and a full-powered VPN. And Sophos Home Free for Mac are totally free for.
doesn't communicate with a remote server.As Apple continues to improve the stability of this framework, it is recommended you upgrade to the latest version of macOS 11 (Big Sur), before installing LuLu.
Mac Free Firewall Windows 10
To install LuLu, first download the disk archive containing the application. Then double-click LuLu.dmg and drag LuLu.app into the Applications folder:
After copying LuLu.app to the Applications folder, launch it to continue its installation. On a fresh install, LuLu will walk you thru various installation steps, the most important being the manual approval of its System Extension and Network Filter: Once LuLu is installed, it will be running and set to automatically start each time you log in. It will appear in the status bar (unless configured otherwise):
To uninstall LuLu, simply select 'Uninstall LuLu' from the status bar menu:
...and authenticate, to fully remove the application and all its components:
Once LuLu is installed, it aims to alert you anytime a new or unauthorized outgoing network connection is created.
Here's a LuLu alert, displayed when LuLu checks for an update (by requesting the remote products.json file): The alert contains information about the process attempting the connection, as well as information about the connection's destination.
Various elements of the alert are click-able, such as a button to display the process's code signing information: Other elements include of the alert, that onces clicked provide more information, include:
- Virus Total Information:
Contains an anti-virus detection ratio for process that is attempting to create the outgoing connection. - Process Hierarchy:
Display the hierarchy (ancestry) for the process that is attempting to create the outgoing connection.
To approve the outgoing connection, simply click 'Allow' ...or click 'Block' to prevent it.
Unless you click the 'temporarily' button, a persistent rule will be created to remember your decision.
By default, your decision (block or allow) applies to the entire process. That is to say, your decision will be applied to subsequent connections (regardless of their destination) for this process, and any other instances. However, if you select the 'Remote Endpoint' option, your decision will be scoped, and only will be applied subsequent connections that match the same (remote) destination:
Process or connections are either allowed to access the network, or blocked, based on LuLu's rules. The 'Rules' window displays these rules:
Using a code signing identifier (vs. a path), allows the rule to be applied even if the program is moved, or updated.
Want to view a program's path(s)? Simply double click (or ^+click and select '→ Show Path(s)') on any program in the Rules window:
Mac Free Application Firewall
The Rules Window
The Rules window can be accessed either by launching LuLu's application (/Applications/LuLu.app), or by clicking on 'Rules...' in LuLu's status bar menu: There are several tabs in the rules window, aimed at organizing the rules:
- All Rules:
The first tab shows all of LuLu's rules. In other words, it is a combination of the default, apple, baseline, user, and unclassified rules. - Default Rules:
The second tab shows LuLu's default or system rules. These rules (which cannot be deleted via the UI), are for Apple/macOS processes that must be allowed to access to the network in order to preserve system functionality. - Apple Rules:
When the 'Allow Apple Programs' option has been selected (either during installation, or via LuLu's preferences), any process that is signed by Apple proper will be automatically allowed to connect to the network. Also, an 'Allow' rule will be created, and will show up under this tab. - 3rd-Party Program Rules:
When the 'Allow Installed Programs' option has been selected (either during installation, or via LuLu's preferences), any applications or program that was (pre)installed will be automatically allowed to connect to the network. Also, an 'Allow' rule will be created, and will show up under under this tab. - User Rules:
This tab shows rules the user has created, either manually via the 'add rule' button, or by clicking 'Block' or 'Allow' in a LuLu alert window. - Unclassified Rules:
If you are not logged in, and a process attempts to access the network will be automatically allowed. Also, an 'Allow' rule will be created, and will show up under under this tab.
Adding Rules
Generally rules are created in response to an alert (unless the user has selected the 'temporarily' button).
To manually add a rule, click on the 'add rule' button at the bottom of the rules window. This will bring up an 'Add Rule' dialog box:
In this dialog box, enter the path to the program (or click 'Browse' to open a file chooser window). Then, enter the remote address or domain, remote port, and finally select 'Block' or 'Allow'. Click 'Add' to add the rule, which will be persistently saved, and show up as a 'User' rule.
The rule's remote address/domain can also be a regular expression (though make sure to select the 'regex' checkbox if this is the case).
Editing (Updating) Rules
To change a rule, either double click on a rule, or ^+click and select ' → Edit Rule': This will bring up the 'Edit Rule' window. Here you can edit any aspect of the rule:
Deleting Rules
There are several ways to delete a rule. With the rule selected, simply press the 'delete' on your keyboard or, ^+click and select ' → Delete Rule': ...or simply click the 'x' button on the right hand side of the rule.
Also note that default (system) rules cannot be deleted (via the Rules window).
LuLu can be configured via its preferences pane. To open this pane, either in the main LuLu application (/Applications/LuLu.app), or via LuLu's status bar menu, click on 'Preferences...' The preference pane has three tabs: rules, mode, and update.
The rules tab, allows one to configure how LuLu will (automatically) generate rules, as well as how to specify a global block list:
- 'Allow Apple Programs'
When this option is selected any process that is signed by Apple proper will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under 'Apple Rules'. - 'Allow Installed Applications'
When this option is selected any applications (and their components) that were (pre)installed will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under 'Baseline Rules'. - 'Block List'
When this option is selected, LuLu will automatically block any connection that matches any items in specified block list. The block list can be a local file, or remote url (e.g.https://ceadd.ca/blockyouxlist.txt)The block list file should contain a (newline-separated) list of url hosts and/or ip addresses to block.
Items in the block listed are matched and applied regardless of the process creating the connection, or any other rules.
For a free (privacy focused) block list, see: blockyouxlist.Due to limitations of macOS, blocking via host name is only applicable to (as Apple notes) 'Network.frameworkorNSURLSessionconnections'.
As such, for browsers (such as Chrome), that do not leverage these frameworks, only ip address based blocking is supported.
...as Safari and Firefox leverage such frameworks, they are not subject to this limitation.
- 'Passive Mode'
When this option is selected, LuLu will run silently without alerts. Existing rules will be applied, and new connections will be automatically allowed. - 'Block Mode'
When this option is selected, all traffic (that is routed thru LuLu) will be blocked.The OS does not route all traffic through Network Extensions (such as LuLu). As such, such traffic is never seen by LuLu, and be cannot be blocked. - 'No Icon Mode'
When this option is selected, LuLu will run without an icon in the status bar.
You can always manually run /Applications/LuLu.app to disable this preference if you'd like the status bar icon back!
The update tab, allows one to check for new versions, as well as disable the automatic check for new versions of LuLu:
Q: Why is LuLu called LuLu?
A: In Hawaiian, the word 'LuLu' means protection, shield, or peace. As this tool aims to instill peace, by providing a protective shield, it seemed the fitting name. And as LuLu, (along with all of Objective-See's tools) are coded with aloha on the lovely island of Maui, it's the perfect name!
Q: Do I need LuLu if I've turned on the built-in macOS firewall?
A: Yes! Apple's built-in firewall only blocks incoming connections. LuLu is designed to detect and block outgoing connections, such as those generated by malware when the malware attempts to connect to it's command & control server for tasking, or exfiltrates data.
Q: Does LuLu conflict with other (paid) macOS firewalls or security products?
A: Although at this point testing has been limited, LuLu appears to play nice with other tools :)
Q: I found a bug (or issue) with LuLu. Can you fix it?
A: For sure! If you encounter any issues, create an bug report via GitHub.
OS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.
Configuring the application firewall in OS X v10.6 and later
Use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security or Security & Privacy.
- Click the Firewall tab.
- Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
- Click 'Turn On Firewall' or 'Start' to enable the firewall.
- Click Advanced to customize the firewall configuration.
Configuring the Application Firewall in Mac OS X v10.5
Make sure you have updated to Mac OS X v10.5.1 or later. Then, use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security.
- Click the Firewall tab.
- Choose what mode you would like the firewall to use.
Advanced settings
Block all incoming connections
Selecting the option to 'Block all incoming connections' prevents all sharing services, such as File Sharing and Screen Sharing from receiving incoming connections. The system services that are still allowed to receive incoming connections are:
- configd, which implements DHCP and other network configuration services
- mDNSResponder, which implements Bonjour
- racoon, which implements IPSec
To use sharing services, make sure 'Block all incoming connections' is deselected.
Allowing specific applications
To allow a specific app to receive incoming connections, add it using Firewall Options:
- Open System Preferences.
- Click the Security or Security & Privacy icon.
- Select the Firewall tab.
- Click the lock icon in the preference pane, then enter an administrator name and password.
- Click the Firewall Options button
- Click the Add Application (+) button.
- Select the app you want to allow incoming connection privileges for.
- Click Add.
- Click OK.
You can also remove any apps listed here that you no longer want to allow by clicking the Remove App (-) button.
Automatically allow signed software to receive incoming connections
Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.
If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.
If you want to deny a digitally signed application, you should first add it to the list and then explicitly deny it.
Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, it the 'Allow or Deny' dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.
Enable stealth mode
Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps. Unexpected requests, such as ICMP (ping) are ignored.
Firewall limitations
The application firewall is designed to work with Internet protocols most commonly used by applications – TCP and UDP. Firewall settings do not affect AppleTalk connections. The firewall may be set to block incoming ICMP 'pings' by enabling Stealth Mode in Advanced Settings. Earlier ipfw technology is still accessible from the command line (in Terminal) and the application firewall does not overrule any rules set using ipfw. If ipfw blocks an incoming packet, the application firewall does not process it.