
LuLu: An open-source macOS firewall that blocks unknown outgoing connections - mcone
https://objective-see.com/products/lulu.html
======
killjoywashere
What I want for all these services (Little Snitch, ESET, etc) is an
EasyList-like ... list. A community-aggregated and reviewed list of servers
that don't merit my connection. I'd pay a monthly subscription fee for that.

I'd also like separate lists for

* "this wifi is public, be extra cautious"

* "this wifi is public, be nice and don't torrent, do backups, etc"

* "I'm on a metered connection (e.g. LTE), don't run torrents, backups, etc"

edit: for anyone looking for a monetizable idea: this post has 41, no 42, no
43 points in about an hour. Probably a good idea...

~~~
lifty
I would pay for such a service as well. In addition to that, I would love if
this service would allow companies like Apple and Google to maintain their
own lists of IPs and update them regularly, so you can be 100% sure that an
IP belongs to them.

~~~
igravious
Is that not somehow auto-discoverable using DNS trickery?

~~~
uxp
Not entirely. From what I understand, these outbound firewalls are working at
the kernel level and interject themselves into a network connection outside of
the DNS lookup process. You could reverse-DNS lookup the IP, which Little
Snitch tries, but with things like CDNs and AWS EC2, you end up with a lot of
reports of applications trying to connect to "foo.akamai.com" or
"bar.akamai.com", where foo and bar are entirely separate entities, or just
simply to ec2-0.1.2.3.aws.amazonaws.com or what-have-you. Little Snitch
appears to maintain its own cache of DNS entries as well, so if you've got
one application that connects to some CDN's IP via its own CNAME, many times
other applications will appear to be connecting to the first application's
CNAME when they attempt to connect to the same IP because LS has resolved that
IP to the first CNAME more times, or first, or something like that.

It's not perfect, and frequently it isn't even helpful.

------
erAck
Nowadays it's more important to control and restrict outgoing connections than
incoming connections. Who would have thought of that 25 years ago.

~~~
draugadrotten
Give it another 25, and you will have to pay a premium for things which are
stand-alone, disconnected from the net. Want a car which is not navigating
using cloud AI? Only the rich can afford that...

~~~
rubicon33
> Want a car which is not navigating using cloud AI? Only the rich can afford
> that...

Good. I sure hope only a small fraction of the population will be able to
manually drive their car in the future. It would save lives, time, and money
for everyone if the bulk of the idiots were unable to manually drive their
car.

~~~
reaperducer
> It would save lives, time, and money for everyone

I'll give you "lives" and "money," but not necessarily time.

I live in a place where self-driving vehicles can be spotted fairly regularly.
Once a week or so. You can tell by the special license plates. They are always
very ponderous, careful drivers. It's fascinating to see them gently slow to a
stop for a red light, then take off like a jackrabbit when it turns green.

Perhaps as the technology matures, they'll start to keep pace with traffic
better.

I'm actually looking forward to self-driving cars. It's all the personal time
benefits of mass transit (book reading, meditating, general mental health),
without worrying about accidentally sitting in someone else's pee.

~~~
cortesoft
I am pretty sure that is because they have to account for all the
non-self-driving cars. If all cars were self driving, they could co-ordinate
and go a lot faster.

~~~
ksenzee
They'll still have to allow for pedestrians and bikes, for the foreseeable
future.

~~~
zerokernel
We'll just outlaw that. Compare: Jaywalking, avenues.

~~~
killjoywashere
"Machine kills human because human violated traffic law" will never fly.

~~~
jackvalentine
I think it will. The above poster's reference to how 'jaywalking' became a
crime after motor vehicles associations conducted heavy PR campaigns to banish
pedestrians from what once were shared streets is instructive.

------
ComputerGuru
For those on Windows,
[http://www.sphinx-soft.com/Vista/index.html](http://www.sphinx-soft.com/Vista/index.html)
does the same using the native firewall (so no 3rd party dependencies,
services, or bloat) (though they've ~recently added paid licenses with more
features to their basic offering).

I only wish it were cleaner and simpler. I don't think the Windows Firewall
API is too bad, I should add this to my bucket list of open source software to
write that I'll maybe get around to in the next 20 years....

~~~
hs86
When the native firewall in Windows blocks something, doesn't the connection
attempt fail immediately?

For example, while the Little Snitch popup dialog is waiting for user input,
the affected application just sees an unusual latency spike and it will not
complain immediately that internet access is not available. Afaik, this is not
the case with the Windows Firewall: The connection will fail for the
application while the frontend-app is still waiting for the user's decision.

~~~
hendersoon
Yes, that's correct. MacOS handles this better. But really it only comes up
when you run a _new_ program, so it's not a major problem.

~~~
tetraodonpuffer
It is because one of the major use cases for an outgoing firewall is when
installing new software, which is where you also want to be careful what the
application connects to, which does not work very well at all compared to
Little Snitch.

------
reaperducer
Looks promising. I used to use Little Snitch, but last year they decided to
charge for the new version, and I uninstalled it.

Little Snitch was effective, but overly complex for the average user. I'm sure
it's great for someone who configures networks on a regular basis, but as a
Mac user, I just want to use my Mac. If I wanted to twiddle with security
settings all day long, I'd still be on Windows.

This looks like it might be a good, simple, replacement. Hopefully as it
evolves it doesn't get swamped by feature bloat.

~~~
ballenf
That comment makes me chuckle. These days, I have close to zero faith in
commercial software that is "free", assuming that the business model is
selling my data.

I happily paid for Little Snitch and was comforted by the fact that I was the
customer.

~~~
icelancer
This comment makes me chuckle. The idea that since you pay for something means
that the company won't sell your data.

~~~
coding123
[https://www.obdev.at/privacy-policy.html](https://www.obdev.at/privacy-policy.html)

------
kozhevnikov
It's on Homebrew as a Cask:

    brew cask install lulu

------
pdonis
Unfortunately, this still has the key flaw that has plagued outbound firewalls
since their invention:

"Currently, LuLu only supports rules at the 'process level', meaning a process
(or application) is either allowed to connect to the network or not. As is the
case with other firewalls, this also means that if a legitimate (allowed)
process is abused by malicious code to perform network actions, this will be
allowed."

In other words, it won't stop malicious Javascript running in your browser
from making an outbound connection, which is the most common way for malware
to do that.

It does say "currently", but I'm not sure how you would get around this flaw;
at any rate, nobody has yet figured out how.

~~~
willstrafach
> In other words, it won't stop malicious Javascript running in your browser
> from making an outbound connection, which is the most common way for malware
> to do that.

This might be possible, if you start off with deny-all as the default and then
start manually adding exceptions as you browse.

~~~
flanbiscuit
I would like to see internet access treated as an OS permission that needs to
be expressly granted by the user; the same goes for iOS and Android. I wish
this was part of the OS and not something I need to go and install 3rd party
apps for. I like the idea of deny all by default.

~~~
pdonis
_> I would like to see internet access treated as an OS permission._

That would be nice, but it wouldn't fix the problem I've been talking about,
because you would have to give your browser the internet access permission,
and the OS has no way of knowing which of the connections your browser is
making are legitimate and which are not. Only you know that, which means you
would have to continually be interrupting your browsing to approve or
disapprove connections.

------
jle17
Unless I'm mistaken, this isn't actually open source, as it's under a
non-commercial clause.

edit: there is an open issue about it:
[https://github.com/objective-see/LuLu/issues/4](https://github.com/objective-see/LuLu/issues/4)

~~~
skue
1\. The OSI tried to get a trademark for “open source” in their early days and
failed.[1] They don’t own the term, and arguing fine distinctions like this
does nothing but promote flame wars.[2]

2\. The developer put a lot of effort into this and was generous enough to
make this available for free with the source code open. Please be gracious,
because belligerent feedback like this is what causes people to sometimes
reconsider making software free or open source.[3]

3\. You also falsely claim Patrick Wardle is aware of the issue and refuses to
change it, even though he hasn’t commented on the issue you cited, at least as
I write this.

[1] [https://opensource.org/pressreleases/certified-open-source.p...](https://opensource.org/pressreleases/certified-open-source.php)

[2] cf. every discussion board or mailing list where issues like this have
come up.

[3]
[https://www.reddit.com/r/Clojure/comments/73yznc/comment/do1...](https://www.reddit.com/r/Clojure/comments/73yznc/comment/do1olag)

~~~
jle17
1\. Whether or not the OSI has a trademark doesn't seem relevant to me, they
coined a term which wasn't used before and associated it with a well known
definition. The distinction seems more significant than fine to me and causes
confusion about what kind of license I (and others, as evidenced by the open
issue on the subject) expect the software to be under. That a subject is
source of disagreement is certainly not a valid reason not to discuss it.

2\. I'm very aware of the efforts of free or open source software authors and
I'm grateful for them. In fact, I occasionally take time to thank them and
make donations to them (although I should do it more). This doesn't mean that
inaccurate statements should not be corrected and I don't see anything
`belligerent` about reporting them, as would be the case for reporting a bug.

3\. You're right on this, I wrongfully assumed one of the people answering in
the issue was the author. I changed my comment.

------
stryk
I'm not personally a Mac user, but I'm still very glad to see projects like
this being developed as open source. Very cool, I hope this goes on to be a
really solid piece of software.

Does anybody have any recommendations for good ways to get fine-tuned control
of Windows' default firewall?

------
333c
The install page says that `sudo configure.sh -install` is the install
command. The command is actually `sudo ./configure.sh -install`. Further, it
should probably be `sudo ./configure.sh --install` (with two hyphens), as is
convention for named (edit: long-form) options on the command line.

~~~
craftyguy
> as is convention for named options on the command line.

Gosh, I really wish that people would follow a convention for named options on
the command line. I don't even really care which one, as long as they were all
consistent in picking one.

~~~
reaperducer
I've seen /, -, --, and +. Any other ones leap to mind?

I wonder if there's a complete list somewhere.

~~~
pash
The usual convention is a single hyphen for short-form (single-letter)
options, and a double hyphen for long-form options:

    > python -v

or

    > python --version

It’s good practice to offer both. It should also be possible to set multiple
options at once by appending one after another in short form following a
single hyphen:

    > ls -alR

is the same as

    > ls -a -l -R

Long-form options are technically a GNU thing [0] and are not mentioned in the
POSIX standard, but they’re conventional enough now that I think it’s good
practice to include them in any CLI program.

There are also a number of looser conventions about the meaning of certain
short-form options [1].

0\.
[https://www.gnu.org/prep/standards/html_node/Command_002dLin...](https://www.gnu.org/prep/standards/html_node/Command_002dLine-Interfaces.html)

1\.
[http://www.catb.org/esr/writings/taoup/html/ch10s05.html](http://www.catb.org/esr/writings/taoup/html/ch10s05.html)
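As an added illustration of the convention pash describes (this is not LuLu's configure.sh or anyone's code from the thread), the following Python parser implements bundled short flags, double-hyphen long options and the `--` terminator, and shows why a single-hyphen `-install` cannot mean `--install` under that convention. The option tables are assumptions, and only flags (no option values) are handled.

```python
"""Minimal parser for the short-/long-option convention described above.

Added example for this thread, not LuLu's configure.sh. Flags only (no option
values), and the option tables below are assumptions.
"""

# Assumed tables: short letter -> canonical name, and the accepted long names.
SHORT_OPTS = {"a": "all", "l": "long", "R": "recursive", "v": "verbose", "i": "install"}
LONG_OPTS = {"all", "long", "recursive", "verbose", "version", "install", "uninstall"}


def parse_args(argv, short_opts=SHORT_OPTS, long_opts=LONG_OPTS):
    """Return (set of canonical option names, list of positional arguments).

    Rules implemented:
      * "-x" is a short flag; "-alR" is shorthand for "-a -l -R" (bundling)
      * "--name" is a long flag
      * "--" ends option parsing; everything after it is positional
      * a lone "-" is positional (conventionally meaning stdin)
    Raises ValueError on an unknown option so the caller can print usage.
    """
    flags = set()
    positional = []
    for idx, arg in enumerate(argv):
        if arg == "--":
            positional.extend(argv[idx + 1:])
            break
        if arg.startswith("--"):
            name = arg[2:]
            if name not in long_opts:
                raise ValueError("unknown long option --%s" % name)
            flags.add(name)
        elif arg.startswith("-") and arg != "-":
            # Single hyphen: every following character is a separate short
            # flag, which is exactly why "-install" cannot mean "--install".
            for ch in arg[1:]:
                if ch not in short_opts:
                    raise ValueError("unknown short option -%s (in %r)" % (ch, arg))
                flags.add(short_opts[ch])
        else:
            positional.append(arg)
    return flags, positional


def explain_single_hyphen(word, short_opts=SHORT_OPTS):
    """Show how "-<word>" is read under the convention: one flag per letter."""
    return [(ch, short_opts.get(ch)) for ch in word]


if __name__ == "__main__":
    print(parse_args(["-alR", "dir"]))
    print(parse_args(["--install"]))
    print(explain_single_hyphen("install"))
    try:
        parse_args(["-install"])
    except ValueError as exc:
        print("rejected:", exc)
```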

~~~
333c
Thanks, this is what I meant in my original comment. I said "named" when I
really meant "long-form," as you said.

------
casca
It's good to see another option for an outbound firewall, but as an industry
we still have a long way to go. As with many security solutions, there is a
conflict between flexibility and usability. I want:

1) To be able to choose the exact host/subnet/domain that an application can
access with a good UX

2) Have someone else curate a list that I subscribe to that handles most cases

3) Work on desktop and mobile

For choosing the exact host/subnet/domain on a per-application basis, the best
UX I've seen on any platform is FirewallIP[1], the unmaintained software on a
jailbroken iPhone. So many desktop solutions[2] only let you choose Allow
everything or Deny everything; Little Snitch and Windows 10 Firewall
Control[3] are exceptions, but even they are limited.

The curated list option should be easy enough to support on most platforms.
Easylist has shown how well it can work on the browser when combined with
uBlock Origin. Install it for someone who is technically naive and they'll
just see no ads with no negative experience.

The mobile platform is harder to support as under Android you need to root the
phone to get access to the underlying iptables firewall with something like
Afwall+, or you run a fake VPN back to the device and filter there, which is
prone to failure (is it working? has it stopped itself for some reason?) and
has less flexibility. Under unjailbroken iOS, products like Surge, Potatso2
and Shadowrocket run a local proxy that is similar to the fake VPN under
Android, but require manually editing a text file for configuration and seem
to be designed to get around the Chinese internet restrictions rather than
privacy.

[1]
[http://r-rill.net/FirewalliP7/FiPDepiction.html](http://r-rill.net/FirewalliP7/FiPDepiction.html)

[2] Glasswire on Windows, Douane and OpenSnitch on Linux, AFwall+ on Android

[3] [http://www.sphinx-soft.com/Vista/index.html](http://www.sphinx-soft.com/Vista/index.html)

------
Asmod4n
Breaks networking on High Sierra. No Browser works anymore. curl stops
working. git doesn't even trigger its asking window. Power usage doubles when
networking is used too.

After uninstalling it the kernel crashes.

Sad.

------
nikolay
I've been using all Objective See projects, but I have issues with:

* stability - often their tools have memory leaks;

* consistent UX - each tool looks and behaves differently;

* stacking of dialogs - often by the time I click, a new popup replaces the
old one, and I approve something I don't even get a chance to see!

~~~
DavideNL
You should report the problems to the Developer, he's very responsive...

------
calebm
Very cool! So this is an open-source Little Snitch then?

~~~
devin
Certainly looks that way

------
bringtheaction
> This work is licensed under a Creative Commons Attribution-NonCommercial 4.0
> International License.

Weird choice of license.

~~~
cheeze
As someone unfamiliar, what is weird about the choice?

~~~
hoistbypetard
The people who developed the creative commons licenses recommend against using
them for software. [From their FAQ](https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software):

> We recommend against using Creative Commons licenses for software. Instead,
> we strongly encourage you to use one of the very good software licenses
> which are already available. We recommend considering licenses made
> available by the Free Software Foundation or listed as “open source” by the
> Open Source Initiative.

~~~
torstenvl
That's because we treat software very differently from most other content
subject to copyright.

As in this case, (reading the above threads) there's confusion as to whether
the no commercial use clause extends to the content or the outcome of its
processes. That is to say, NoCommercialUse for a book clearly means for
derivative works. _Nobody would ever suggest you can't read a book while in a
commercial establishment._ But in software we routinely place use
restrictions on the end-user. Kind of bizarre, when you think about it.

~~~
hoistbypetard
I completely agree with your first sentence. But I think your interpretation
of NonCommercial is a bit off. NonCommercial in the context of a book does not
refer to "using" the book or to creating derivatives. You don't need a license
to read a book. Rather, it refers to _copying_ the book. They have a separate
clause that refers to creating derivative works from the book. If you have a
CC-BY-NC book, that means you're allowed to copy the book as much as you want
as long as it's not for commercial purposes. If you have a CC-BY book, that
means you can copy it as much as you want, even if it's for commercial
purposes. If you have CC-BY-ND, that means even though you can copy the book
as much as you want, even for commercial purposes, the author is not granting
you the right to make derivatives.

Software is different because copying software is a _necessary_ part of using
it. So CC-BY-NC for software could quite reasonably be read to restrict its
use in a commercial environment because you (notionally) need a license to
make that copy from the internet to your hard drive, and from your hard drive
to system RAM so that you can use it.

~~~
torstenvl
You're distinguishing more finely than I am between exact copies and modified
copies. Fair enough. My use of "derivative" above is intended to encompass
deriving copies from an original, with or without modification.

To the extent using software inherently means creating copies - so does
reading. The image of the page is transferred to my retinas and encoded in the
volatile storage of an organic neural network.

~~~
hoistbypetard
(I'm making the same distinction between exact and modified copies that the
Creative Commons folks make...)

As to your second point... Ha! Fair enough. But IIRC case law has actually
recognized that the copies created on a computer as you install and execute a
program count as "copies" for the purpose of needing a license for an activity
that would otherwise violate copyright. That is why EULAs are, to some extent,
considered valid and enforceable. No such case has been made for your retinas
encoding the light bouncing off a page and transferring that pattern to your
neurons.

------
kristofferR
What's the CPU usage? I tried Little Snitch, but it was often consuming insane
amounts of CPU (40%+) which matters a lot on a 12" MacBook on battery, so I
uninstalled it.

~~~
killjoywashere
Long time Little Snitch user here, that seems ... high

~~~
kristofferR
Yeah, I thought so too. I even tried a complete reinstall, but that didn't
improve the situation.

It's probably due to the absurd amounts of logging it does (every single
connection tracked on a world map), which I didn't find a way to disable... I
probably have an abnormal number of connections too due to torrenting (only
Linux distros obviously). The Macbook CPU isn't high performance either.

------
Abishek_Muthian
The author is not subtle in letting us know that this is intended to be an
open source replacement for Little Snitch (domain!).

But at least macOS has Little Snitch; the closest for Linux was opensnitch,
which was announced on HN a few months back -
[https://github.com/evilsocket/opensnitch/](https://github.com/evilsocket/opensnitch/)
but I'm not sure whether it's actively being developed though.

~~~
bmaupin
Douane[0] is another application firewall for Linux that's still active as far
as I can tell.

[0] [http://douaneapp.com/](http://douaneapp.com/)

~~~
Abishek_Muthian
Yes, but package managers for it for non-Debian based distros are a bit of a
mess.

------
kstrauser
First, this is awesome. Thank you!

Second, is the business model of Objective-See to offer open source
alternatives for Objective Development's products (LuLu instead of Little
Snitch; OverSight instead of Micro Snitch)?

------
galonk
So even open source projects are doing that thing where they immediately cover
the page you're trying to read with an annoying spam box?

~~~
reaperducer
Wasn't there a note from the Google search team not too long ago that they
were going to demote sites that use the splash divs?

How do I know if I want to sign up for your newsletter if I haven't been able
to look at your site yet?

------
doctoboggan
Does anyone know how this compares to Little Snitch?

~~~
skue
Based only on glancing through the linked product page... here are some LS
features LuLu currently lacks:

* Reporting domain names rather than just reporting destination IPs.

* Inbound monitoring & rules

* Temporary rules that auto-expire (e.g. Once, next 15 mins, etc.)

* Fine-grained control over protocol/domain/subdomain in blocking rules (at least when prompted)

* Graphical monitor of recent blocked/allowed traffic

* Profiles to easily change rule sets based on network, etc.

* Unclear whether LuLu provides special handling of connection attempts during startup, software updates, etc.

* Graphical installer, polish, support, etc.

...OTOH, LuLu does provide features I don’t recall seeing in LS:

* Icon indicating whether originating binary has been signed by system/third party/unsigned

* Button to optionally check binary hash against VirusTotal

------
viach
Are you sure it won't interfere with required system connections? Like updates
etc, all this boring stuff Mac users are tied to?

------
endlessvoid94
Dumb question: is there something about OS X’s built-in firewall that’s
insufficient?

Always love new projects like this, just curious though.

~~~
skue
In the FAQ, bottom of page:

> Do I need LuLu if I've turned on the built-in macOS firewall?
>
> Yes! Apple's built-in firewall only blocks incoming connections. LuLu is
> designed to detect and block outgoing connections, such as those generated
> by malware when the malware attempts to connect to its command & control
> server for tasking, or exfiltrates data.

~~~
petee
Confusing, since they use the PF filter, you can absolutely block outgoing
connections, at least by port, app or user.

------
rasz
Windows WARNING:

If you plan on doing the same thing in Windows, be aware you need to disable
the Dnscache service. It's impossible in Windows to screen the loopback
network interface, which means you can't filter which programs get DNS access
while "DNS Client" is running; it's all or nothing. DNS is a very popular
covert exfiltration channel.
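The covert DNS exfiltration channel rasz mentions tends to leave a visible pattern in resolver logs: long or random-looking labels and many distinct subdomains under one registered domain. The following detection heuristic is an added example, not code from LuLu or any tool in this thread; the log format, the sample queries and the thresholds are constructed assumptions.

```python
"""Heuristic detection of DNS-based exfiltration in a resolver query log.

Added example for this thread, not code from LuLu or any tool discussed
above. Log format, sample data and thresholds are all constructed/assumed.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<seq> <client> <qname>".
# The four *.t.example.org queries mimic a tunnel: a random-looking payload
# label followed by a hex sequence counter.
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com
2 10.0.0.5 cdn.example.net
3 10.0.0.5 kq7x2mzv9bdnr4fw.3030303030303031.t.example.org
4 10.0.0.5 updates.example.com
5 10.0.0.5 hp3yg8cltu5ejs6a.3030303030303032.t.example.org
6 10.0.0.5 mail.example.com
7 10.0.0.5 wn1bzr4qk9mx7vd2.3030303030303033.t.example.org
8 10.0.0.5 f6ajpc3ughs8yl5e.3030303030303034.t.example.org
"""

MAX_LABEL_LEN = 30        # assumption: human-chosen labels are rarely longer
ENTROPY_THRESHOLD = 3.5   # assumption: bits/char; encoded payloads score ~4
MIN_SUBDOMAINS = 4        # assumption: distinct names under one domain


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, e.g. 'example.org' (public-suffix lists ignored here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_labels(qname):
    """Labels of qname (excluding the registered domain) that look encoded."""
    hits = []
    for label in qname.rstrip(".").split(".")[:-2]:
        if len(label) > MAX_LABEL_LEN or shannon_entropy(label) >= ENTROPY_THRESHOLD:
            hits.append(label)
    return hits


def parse_log(text):
    """Yield (seq, client, qname) tuples; qnames are lower-cased."""
    for line in text.splitlines():
        seq, client, qname = line.split()
        yield int(seq), client, qname.lower()


def analyse(text):
    """Map each registered domain worth a second look to its list of reasons."""
    subdomains = defaultdict(set)
    encoded = defaultdict(list)
    for _seq, _client, qname in parse_log(text):
        dom = registered_domain(qname)
        subdomains[dom].add(qname)
        encoded[dom].extend(suspicious_labels(qname))
    findings = {}
    for dom, names in subdomains.items():
        reasons = []
        if encoded[dom]:
            reasons.append("high-entropy or long labels: %d" % len(encoded[dom]))
        if len(names) >= MIN_SUBDOMAINS:
            reasons.append("distinct subdomains: %d" % len(names))
        if reasons:
            findings[dom] = reasons
    return findings


if __name__ == "__main__":
    for dom, reasons in analyse(SAMPLE_LOG).items():
        print("%s -> %s" % (dom, "; ".join(reasons)))
```

On real resolver logs the thresholds need tuning against CDN and telemetry names, which also produce long, hash-like labels; treat a hit as a lead for the per-process view an outbound firewall gives, not as proof.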

------
omidraha
I need something like this for Ubuntu

------
joeblau
This project looks awesome. I just looked at the code and it looks like every
line of code has a comment. It seems like a bit of overkill in Obj-C being
such a verbose language. Aside from that, I'm definitely going to check this
out.

------
tuananh
Has anyone tried both Hands Off[0] and Little Snitch? How is Hands Off
compared to LS?

Also: Radio Silence[1]?

[0]:
[https://www.oneperiodic.com/products/handsoff/](https://www.oneperiodic.com/products/handsoff/)
[1]: [https://radiosilenceapp.com/](https://radiosilenceapp.com/)

------
Khaine
If you are looking to block IP addresses, you can always use pf. Its built
into macOS. It does require some command line knowledge.

------
vesche
Please remove the popup email signup.

------
chisleu
Is the author associated with CrowdStrike? I noticed he/she was using
FancyBear

~~~
chisleu
Why downvote a legit question on topic? The term FancyBear came from the
cofounder of crowdstrike: Dmitri Alperovitch.

[http://www.esquire.com/news-politics/a49902/the-russian-emig...](http://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/)

------
nthompson
Really cool tool, thanks!

One problem to maybe take care of next iteration:

    $ top -o cpu LuluDaemon 29.5%

------
fishmeat
Why does macOS need this? (Asking because I'm not a mac user)

------
zipotm
sudo ./configure.sh -install

------
danjoc
False advertising. Nothing can stop an AMT process running in ring -3.

------
blocked_again
LuLu is a billion dollar hypermarket chain. I think it would be a good idea to
rename this project in the beginning if you don't want to get into any
copyright issues.

[https://en.wikipedia.org/wiki/Lulu_Hypermarket](https://en.wikipedia.org/wiki/Lulu_Hypermarket)

~~~
a_t48
Doesn't that only apply if they are competing businesses?

~~~
guan
Many countries have a “well-known trademark” doctrine where a mark can be so
famous that any business using it could be a source of consumer confusion. For
example, if you see that Coca-Cola has released a firewall, you might well
think it has some connection to Coca-Cola, even if you know they are not
currently in the software business. Lulu supermarket may not be well known
enough to enjoy that kind of protection.

