LuLu Firewall Setup for Mac | Outbound Connection Control

🔥 LuLu Firewall Setup

Outbound Connection Control

Install Objective-See's free, open-source firewall to monitor and block outbound connections. See every app that tries to phone home and stop unauthorized network access.

⏱️ 15 minutes 🟢 Easy 🆓 Free & Open Source

⚠️ Why LuLu Matters

macOS has no built-in outbound firewall. While Apple's firewall blocks incoming connections, it does nothing to stop apps from sending your data out. LuLu fills this critical gap.

Every app on your Mac can silently connect to the internet without your knowledge. LuLu alerts you to every connection attempt and lets you block unauthorized traffic.

What LuLu Does

LuLu is a free, open-source firewall created by Patrick Wardle (Objective-See) that monitors outbound network connections. Unlike macOS's built-in firewall, which only handles incoming connections, LuLu lets you:

  • 🔍 See every app that tries to connect to the internet
  • 🌐 See where each app is trying to connect (IP addresses and domains)
  • 🚫 Block or allow connections on a per-app basis
  • 📊 Review network activity history for forensic analysis
  • 🔓 Audit the open-source code yourself

💡 LuLu vs macOS Firewall

macOS Firewall: Only blocks incoming connections (servers trying to connect to your Mac)

LuLu: Monitors and blocks outbound connections (apps on your Mac trying to connect out)

You should use both - they protect against different attack vectors.

Step 1: Download LuLu

1. Visit the official Objective-See website:

🔗 https://objective-see.org/products/lulu.html

Click the "Download" button to get the latest version.

✅ Why Objective-See?

Patrick Wardle is a respected macOS security researcher and former NSA hacker. All Objective-See tools are free, open-source, and trusted by the security community.

Step 2: Install LuLu

2. Open the downloaded LuLu_[version].dmg file.

You'll see the LuLu installer. Double-click LuLu Installer.app to begin.

3. Click "Install" in the installer window.

You'll be prompted for your administrator password. Enter it to continue.

⚠️ System Extension Required

LuLu requires a system extension to monitor network traffic. This is normal and necessary for firewall functionality.

Step 3: Approve System Extension

4. After installation, macOS will show a notification:

"System Extension Blocked"
A program tried to load new system extension(s) signed by "Objective-See, LLC"

Click "Open System Settings" (or "Open Security Preferences" on older macOS).

5. In System Settings > Privacy & Security, scroll down to the Security section.

You'll see a message about LuLu. Click "Allow" next to it.

⚠️ You must do this within 30 minutes of installation or you'll need to reinstall.
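
Before clicking "Allow", you can confirm from Terminal that the app bundle really carries the signer named in the prompt. The script below is an added example, not Objective-See code: `check_signer` parses `codesign -dvv` output and insists on an exact Developer ID match rather than a substring match. It assumes the certificate name uses the same "Objective-See, LLC" string as the prompt; the sample reports and their team IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Objective-See code. Sample reports below are constructed.
EXPECTED_SIGNER='Objective-See, LLC'   # name quoted in the macOS prompt

# Read `codesign -dvv <app>` output on stdin. Succeed only if the leaf
# certificate is "Developer ID Application: <signer> (<team>)", the chain ends
# at Apple Root CA, and TeamIdentifier equals the team ID in the leaf name.
check_signer() {
  awk -v want="$1" '
    /^Authority=/      { sub(/^Authority=/, "");      chain[++n] = $0 }
    /^TeamIdentifier=/ { sub(/^TeamIdentifier=/, ""); team = $0 }
    END {
      prefix = "Developer ID Application: " want " ("
      if (n < 1 || index(chain[1], prefix) != 1) exit 1   # exact name, not substring
      leaf_team = substr(chain[1], length(prefix) + 1)
      sub(/\)$/, "", leaf_team)
      if (chain[n] != "Apple Root CA") exit 1
      if (team == "" || team != leaf_team) exit 1
    }'
}

# Live use on macOS: verify_app "/path/to/the.app"
verify_app() {
  codesign --verify --deep --strict "$1" || return 1   # signature intact
  spctl --assess --type execute "$1"     || return 1   # Gatekeeper accepts it
  codesign -dvv "$1" 2>&1 | check_signer "$EXPECTED_SIGNER"
}

# Constructed reports; TEAMID1234 and OTHERTEAM1 are placeholders.
sample_good() { cat <<'EOF'
Authority=Developer ID Application: Objective-See, LLC (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID1234
EOF
}
sample_lookalike() { cat <<'EOF'
Authority=Developer ID Application: Objective-See LLC Tools (OTHERTEAM1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERTEAM1
EOF
}
```

`verify_app` returns non-zero if the signature is broken, Gatekeeper rejects the bundle, or the signer does not match.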

Step 4: Configure LuLu

6. Launch LuLu from your Applications folder or menu bar.

You'll see the configuration wizard on first launch.

Choose Your Mode

LuLu offers two operating modes:

🔵 Passive Mode (Recommended for Beginners)

  • Monitors connections but doesn't block by default
  • You can manually create block rules
  • Less intrusive, good for learning
  • View network activity without disrupting apps

🟠 Interactive Mode (Maximum Security)

  • Alerts you for every new connection attempt
  • You must allow or block each app
  • More secure but requires more interaction
  • Best for high-security environments

Recommendation: Start with Passive Mode to understand your network traffic, then switch to Interactive Mode once you're comfortable.

LuLu Settings showing default allow rules for Apple programs and installed apps

Step 5: Understanding LuLu Rules

LuLu comes with sensible default rules:

✅ Allow Apple Programs

Apple-signed system binaries are allowed by default. This includes:

  • macOS system services
  • Software Update
  • iCloud sync
  • App Store

You can disable this for maximum security, but it may break system functionality.

✅ Allow Installed Programs

Previously installed 3rd-party apps are allowed by default. This prevents hundreds of alerts on first launch.

Recommended: Keep this enabled initially, then review and block suspicious apps manually.

🚫 Block DNS Traffic

When this option is disabled, DNS queries (port 53) are allowed. Most users should leave it unchecked (allow DNS).

Step 6: Managing Rules

Click the LuLu icon in your menu bar and select "Rules" to open the Rules window.

LuLu Rules window showing all configured rules with block/allow status

Creating a New Rule

7. Click "Add Rule" (+ button) in the bottom right.

You can create rules for:

  • Specific applications - Block/allow an entire app
  • Specific destinations - Block connections to certain IPs or domains
  • Specific ports - Block certain protocols

Add Rule dialog showing options for blocking or allowing specific connections

8. Configure the rule:

  • Program path: Browse to select the app
  • Remote address/domain: Specify destination (or use * for any)
  • Remote port: Specify port (or use * for any)
  • Action: Choose Block or Allow

Click "Add" to save the rule.

Step 7: Monitoring Network Activity

LuLu keeps a log of all connection attempts. This is invaluable for:

  • 🔍 Detecting malware - Unknown apps trying to connect out
  • 📊 Understanding app behavior - What data apps are sending
  • 🕵️ Forensic analysis - Investigating suspicious activity

💡 Pro Tip: Correlate with Activity Monitor

Use LuLu alongside Activity Monitor's Network tab to see which processes are using the most bandwidth. This helps identify suspicious activity.

Step 8: Integration with Activity Monitor

For advanced monitoring, combine LuLu with macOS Activity Monitor:

Activity Monitor showing network usage by process - Safari Networking highlighted

9. Open Activity Monitor (Applications > Utilities).

Click the "Network" tab to see real-time network usage.

10. Sort by "Sent Bytes" or "Received Bytes" to find the most active processes.

If you see an unknown process with high network usage:

  • Right-click the process
  • Select "Sample Process" to analyze it
  • Check the executable path
  • Create a LuLu rule to block it if suspicious

Right-click menu in Activity Monitor showing Sample Process option

Sample process details showing executable path and system information
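
The same triage can be done from Terminal. The script below is an added example, not part of LuLu: it condenses `lsof` output to one line per process and remote endpoint, then rates each executable path so the odd ones stand out; the path it prints is what you would enter as "Program path" in a LuLu rule. The path categories are an assumed heuristic and the sample `lsof` lines are constructed.

```shell
#!/bin/sh
# Added example, not part of LuLu. Sample lsof output below is constructed.

# Reduce `lsof -nP -iTCP -sTCP:ESTABLISHED` output (stdin) to one line per
# process and remote endpoint: "<connections> <pid> <command> <remote>".
# lsof does not record direction, so inbound sessions appear here too.
summarize_connections() {
  awk 'NR > 1 && $9 ~ /->/ {
         split($9, ends, "->")              # NAME column is local->remote
         n[$2 " " $1 " " ends[2]]++
       }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2n
}

# Assumed heuristic: rate an executable path by where it lives.
classify_path() {
  case "$1" in
    /System/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/Applications/*) echo expected ;;
    /tmp/*|/private/tmp/*|/private/var/folders/*|/Users/Shared/*)    echo suspicious ;;
    *) echo review ;;
  esac
}

# Live use on macOS, where `ps -o comm=` prints the full executable path.
triage_live() {
  lsof -nP -iTCP -sTCP:ESTABLISHED | summarize_connections |
  while read -r count pid cmd remote; do
    path=$(ps -o comm= -p "$pid")
    printf '%s\t%s\t%s\t%s\n' "$(classify_path "$path")" "$count" "$path" "$remote"
  done
}

sample_lsof() { cat <<'EOF'
COMMAND PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Safari  501 alice 23u IPv4 0x1    0t0      TCP  192.0.2.10:52344->198.51.100.7:443 (ESTABLISHED)
Safari  501 alice 24u IPv4 0x2    0t0      TCP  192.0.2.10:52345->198.51.100.7:443 (ESTABLISHED)
updater 777 alice 5u  IPv4 0x3    0t0      TCP  192.0.2.10:52400->203.0.113.50:8443 (ESTABLISHED)
EOF
}
```

Run `triage_live` on the Mac itself; processes owned by other users only appear when it is run with `sudo`.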

Complete Workflow Example

Here's how to investigate a suspicious process:

Process Inspector window showing detailed information about Safari Networking

Memory tab showing process memory usage details

Complete workflow: Activity Monitor identifies process, LuLu creates blocking rule

Common Use Cases

🚫 Block Telemetry & Analytics

Many apps send usage data without your consent. Use LuLu to block:

  • Adobe Creative Cloud telemetry
  • Microsoft Office analytics
  • Google Chrome usage tracking
  • App update checks (if you prefer manual updates)

🔍 Detect Malware

Unknown processes trying to connect out are red flags:

  • Processes with suspicious names
  • Apps connecting to unusual countries
  • High-frequency connection attempts
  • Connections to known malicious IPs

🎯 Prevent Data Exfiltration

If your Mac is compromised, LuLu can stop attackers from:

  • Uploading stolen files
  • Establishing command & control connections
  • Downloading additional malware

Troubleshooting

⚠️ App Not Working After Blocking

If you accidentally blocked a legitimate app:

  1. Open LuLu Rules window
  2. Find the blocked app in the list
  3. Click the rule and select "Allow"
  4. Restart the app

⚠️ Too Many Alerts in Interactive Mode

If you're overwhelmed with alerts:

  • Switch to Passive Mode temporarily
  • Enable "Allow Installed Programs" to reduce alerts
  • Create rules for commonly used apps
  • Check "Remember this decision" when allowing trusted apps

✅ LuLu is Now Protecting Your Mac!

You've successfully installed and configured LuLu firewall. Your Mac now monitors all outbound connections and alerts you to suspicious activity.

Next steps: Review your rules regularly and investigate any unknown connection attempts.