
Comment by madjam002

1 day ago

Does anyone know of any good firewalls for macOS? The built in firewall is practically unusable, and if client isolation can be bypassed, the local firewall is more important than ever.

I often have a dev server running bound to 0.0.0.0 as it makes debugging easy at home on the LAN, but then if I connect to a public WiFi I want to know that I am secure and the ports are closed. "Block all incoming connections" on macOS has failed me before when I've tested it.
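The situation described above (a dev server bound to 0.0.0.0, then a move onto untrusted WiFi) can be audited from the shell before trusting any GUI toggle. The script below is an added example and is not code from the thread or from any product mentioned in it. On macOS the listening-socket listing comes from `lsof -nP -iTCP -sTCP:LISTEN`; the sample output embedded here is constructed so the script runs offline, and the function names `wildcard_listeners` and `pf_block_rules` are this example's own. The second function emits rules for pf, the BSD packet filter that ships with macOS and is driven by `pfctl`, so the ports found can be closed at the kernel level rather than only at the application-firewall level.

```shell
#!/bin/sh
# Added example (not from the thread). Audits listeners bound to every
# interface and emits pf rules that drop inbound TCP to those ports.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. macOS lsof
# prints the wildcard address as "*"; other builds print 0.0.0.0 or [::].
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node     4242  dev    23u  IPv4 0x1234      0t0  TCP *:3000 (LISTEN)
rapportd  512  dev     4u  IPv4 0x5678      0t0  TCP *:49152 (LISTEN)
postgres  800  dev     7u  IPv4 0x9abc      0t0  TCP 127.0.0.1:5432 (LISTEN)
python   1337  dev     3u  IPv6 0xdef0      0t0  TCP [::1]:8000 (LISTEN)
sshd      200  root    5u  IPv4 0x1111      0t0  TCP 0.0.0.0:22 (LISTEN)'

# wildcard_listeners: read lsof-format text on stdin and print
# "COMMAND PID PORT" for every TCP socket bound to all interfaces.
# Loopback-only listeners (127.0.0.1, [::1]) are deliberately not reported.
wildcard_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        addr = $(NF-1)
        n = split(addr, parts, ":")
        port = parts[n]
        host = addr
        sub(/:[0-9]+$/, "", host)
        if (host == "*" || host == "0.0.0.0" || host == "[::]")
            print $1, $2, port
    }'
}

# pf_block_rules: turn "COMMAND PID PORT" lines on stdin into a pf ruleset.
# "set skip on lo0" keeps the LAN-debugging workflow usable from the same
# machine while every other host is refused. TCP only: UDP listeners need
# a separate audit (lsof -iUDP) and a matching "proto udp" rule.
pf_block_rules() {
    ports=$(awk '{ p = p (NR > 1 ? ", " : "") $3 } END { print p }')
    printf 'set skip on lo0\n'
    printf 'block drop in quick proto tcp from any to any port { %s }\n' "$ports"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | wildcard_listeners
printf '%s\n' "$SAMPLE_LSOF" | wildcard_listeners | pf_block_rules
```

On a real machine the pipeline is `lsof -nP -iTCP -sTCP:LISTEN | wildcard_listeners | pf_block_rules > /tmp/devblock.conf`, then `sudo pfctl -f /tmp/devblock.conf` to load the rules and `sudo pfctl -e` to enable pf; `sudo pfctl -sr` shows what is actually loaded, and a port scan from a second device on the same network is the only check that settles whether the ports are closed. Loading a file with `pfctl -f` replaces the main ruleset, so merge these lines into an existing configuration rather than overwriting one that is already in use.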

Little Snitch is probably the most popular one, written by devs who deeply understand macOS firewall architecture.

https://obdev.at/products/littlesnitch/index.html

  • Little Snitch is a user-friendly, software-level blocker, only – use with caution.

    Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

    I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.

    You need isolated hardware for true inbound/outbound protection.

    • >Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

      This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?
