🛡️ Murus Firewall
Principle of Least Privilege
Professional-grade PF firewall control for macOS. Implement network-level least privilege with custom rulesets, port blocking, and protocol filtering.
⚠️ Why Murus Matters
Murus gives you control over macOS's built-in PF (Packet Filter) firewall - the same powerful firewall used by enterprise networks and security professionals.
While LuLu monitors outbound connections, Murus implements the principle of least privilege at the network level - blocking everything by default and only allowing what you explicitly permit.
What is Murus?
Murus is a GUI (Graphical User Interface) for macOS's built-in PF (Packet Filter) firewall. It transforms the complex command-line PF into an easy-to-use application with:
- 🎯 Network profiles - Different rules for Home, Work, Public WiFi
- 🔒 Port-based blocking - Block specific ports and protocols
- 📱 Application filtering - Control which apps can use the network
- 📊 Real-time logging - See blocked and allowed connections
- ⚡ Preset templates - Quick setup for common scenarios
- 🔧 Advanced PF control - For power users who know PF syntax
💡 Murus vs LuLu - When to Use Each
LuLu: Application-level outbound firewall. Alerts you when apps try to connect out. Great for detecting malware and blocking telemetry.
Murus: Network-level firewall. Blocks by port, protocol, and IP address. Great for implementing security policies and network segmentation.
Best practice: Use both together! LuLu for application control, Murus for network control.
Murus Lite vs Murus Pro
| Feature | Murus Lite ($20) | Murus Pro ($40) |
|---|---|---|
| PF Firewall Control | ✅ Yes | ✅ Yes |
| Network Profiles | ✅ 3 profiles | ✅ Unlimited |
| Preset Rules | ✅ Basic | ✅ Advanced |
| Application Filtering | ✅ Yes | ✅ Yes |
| Port Blocking | ✅ Yes | ✅ Yes |
| Real-time Logging | ❌ No | ✅ Yes |
| VPN Support | ❌ No | ✅ Yes |
| Advanced PF Editing | ❌ No | ✅ Yes |
| Price | $20 | $40 |
💡 Which Version Should You Get?
Murus Lite ($20): Perfect for most users. Gives you firewall control, profiles, and basic rules. Great starting point.
Murus Pro ($40): For security professionals and power users. Real-time logging, unlimited profiles, VPN support, and raw PF editing.
Recommendation: Start with Lite. You can upgrade to Pro later if you need advanced features.
Understanding Principle of Least Privilege
Murus implements the principle of least privilege - a security concept where you:
- Block everything by default
- Only allow what's necessary
- Minimize attack surface
Example: Public WiFi Profile
When connected to public WiFi at a coffee shop:
- ❌ Block all incoming connections
- ❌ Block file sharing (SMB, AFP)
- ❌ Block SSH, VNC, remote desktop
- ✅ Allow only HTTPS (port 443) and DNS (port 53)
- ✅ Allow VPN connections if needed
This ensures even if malware gets on your Mac, it can't communicate out or accept incoming attacks.
Step 1: Purchase and Download Murus
1. Visit the Murus website:
🔗 https://www.murusfirewall.com/
Choose between Murus Lite ($20) or Murus Pro ($40).
After purchase, download the DMG installer.
✅ Why Murus is Trusted
Murus has been around since 2011 and is developed by Objective Development (makers of Little Snitch). It's used by security professionals and enterprises worldwide.
Step 2: Install Murus
2. Open the downloaded Murus_[version].dmg file.
Drag Murus.app to your Applications folder.
3. Launch Murus from Applications.
You'll be prompted for your administrator password - Murus needs this to control the PF firewall.
⚠️ Murus Controls System Firewall
Murus directly controls macOS's PF firewall. When Murus is active, it takes over firewall management. You can disable it anytime to return to normal.
Step 3: Initial Setup
4. On first launch, Murus will show the Setup Assistant.
Choose your initial security level:
- Permissive: Allow most traffic (good for learning)
- Balanced: Block incoming, allow outgoing (recommended)
- Restrictive: Block everything except essentials (advanced)
⚠️ Start with Balanced Mode
If you jump straight to Restrictive mode, you may break internet access for apps. Start with Balanced and tighten security gradually.
Step 4: Understanding the Interface
Murus has several key sections:
📊 Dashboard
Shows firewall status, current profile, and quick controls.
- ON/OFF toggle for firewall
- Current profile indicator
- Quick stats (rules active, connections blocked)
🎯 Profiles
Create different firewall configurations for different networks.
- Home: Relaxed rules, allow file sharing
- Work: Moderate rules, allow work apps
- Public WiFi: Strict rules, block everything unnecessary
📝 Rules
Create custom firewall rules:
- Block/allow specific ports
- Block/allow specific IP addresses
- Block/allow specific applications
- Set rule priority
📚 Presets
Pre-configured rules for common scenarios:
- Block all incoming connections
- Allow web browsing only
- Enable file sharing
- VPN configurations
Step 5: Creating Network Profiles
Network profiles let you switch firewall rules based on where you are.
5. Click "Profiles" in the sidebar.
Click the "+" button to create a new profile.
Example: Public WiFi Profile
6. Create a profile named "Public WiFi".
Add these rules:
- Block all incoming connections (default)
- Allow HTTPS (port 443) outbound
- Allow DNS (port 53) outbound
- Block SMB (ports 139, 445) - file sharing
- Block SSH (port 22) incoming
- Block VNC (port 5900) incoming
💡 Profile Switching
You can manually switch profiles or set Murus to auto-switch based on WiFi network name (SSID). This way, your Mac automatically applies strict rules when you connect to public WiFi.
Step 6: Creating Custom Rules
Let's create a rule to block a specific port:
7. Go to the "Rules" section.
Click "Add Rule" (+ button).
8. Configure the rule:
- Action: Block or Allow
- Direction: Incoming, Outgoing, or Both
- Protocol: TCP, UDP, ICMP, or Any
- Port: Specific port number or range
- Source/Destination: Any, specific IP, or IP range
Example Rules
✅ Allow SSH from Specific IP
- Action: Allow
- Direction: Incoming
- Protocol: TCP
- Port: 22
- Source: 192.168.1.100 (your trusted computer)
This allows SSH only from your trusted IP, blocking all other SSH attempts.
🚫 Block Telemetry Servers
- Action: Block
- Direction: Outgoing
- Protocol: Any
- Destination: telemetry.example.com
This blocks connections to known telemetry servers.
Step 7: Using Preset Rules
Murus includes preset rules for common scenarios:
9. Click "Presets" in the sidebar.
Browse available presets:
- Block All Incoming: Maximum security
- Web Browsing Only: Allow HTTP/HTTPS, block everything else
- File Sharing: Enable SMB, AFP, AirDrop
- Remote Access: Allow SSH, VNC, Screen Sharing
10. Click a preset to apply it to your current profile.
You can customize the preset after applying it.
Step 8: Monitoring (Murus Pro Only)
If you have Murus Pro, you get real-time logging:
Go to the "Log" section to see:
- 🔴 Blocked connections - What was denied
- 🟢 Allowed connections - What was permitted
- 📊 Connection details - Source, destination, port, protocol
- ⏰ Timestamps - When each connection occurred
💡 Use Logs to Refine Rules
Review logs regularly to see what's being blocked. If a legitimate app is blocked, create an allow rule for it. If you see suspicious blocked connections, investigate further.
Step 9: Integration with LuLu
For maximum security, use Murus and LuLu together:
🔄 How They Work Together
Murus (Network Layer):
- Blocks by port, protocol, IP address
- Implements network-level security policies
- Controls what can reach your Mac from outside
LuLu (Application Layer):
- Monitors which apps are connecting out
- Alerts on suspicious application behavior
- Blocks malware and telemetry at app level
✅ Defense in Depth
Using both firewalls creates defense in depth - multiple layers of security. If one layer fails, the other catches threats.
Common Use Cases
🏠 Home Network
- ✅ Allow file sharing (SMB, AFP)
- ✅ Allow AirDrop and Handoff
- ✅ Allow printer access
- ❌ Block incoming SSH (unless you use it)
- ❌ Block incoming VNC (unless you use it)
💼 Work Network
- ✅ Allow VPN connections
- ✅ Allow work-related ports
- ✅ Allow SSH from specific IPs
- ❌ Block personal file sharing
- ❌ Block gaming ports
☕ Public WiFi
- ❌ Block ALL incoming connections
- ❌ Block file sharing completely
- ❌ Block SSH, VNC, remote access
- ✅ Allow only HTTPS and DNS
- ✅ Force VPN for all traffic
Troubleshooting
⚠️ App Not Working After Enabling Murus
If an app stops working:
- Check Murus logs (Pro) or temporarily disable Murus
- Identify which port/protocol the app needs
- Create an allow rule for that port/protocol
- Re-enable Murus and test
⚠️ Internet Not Working
If you lose internet access:
- Disable Murus temporarily
- If internet returns, your rules are too restrictive
- Make sure you allow DNS (port 53) and HTTPS (port 443)
- Start with a preset like "Web Browsing Only"
⚠️ Can't Access Local Network
If you can't access printers, file shares, or other local devices:
- Add allow rules for your local network range (e.g., 192.168.1.0/24)
- Allow SMB (ports 139, 445) for file sharing
- Allow mDNS (port 5353) for device discovery
Advanced: Raw PF Editing (Murus Pro)
Murus Pro lets you edit raw PF rules for maximum control:
⚠️ Advanced Users Only
Raw PF editing requires knowledge of PF syntax. Incorrect rules can break network connectivity. Only use this if you understand PF firewall configuration.
Example PF rule to block a specific IP:
```
block drop from 192.0.2.1 to any
```
This blocks all traffic from IP 192.0.2.1.
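The Public WiFi profile from Step 5, written out as raw PF rules to show how default-deny and the port exceptions fit together. This is an added example, not rules exported from Murus; the interface name en0 and the file name in the last comment are assumptions.

```pf
# Added example: the "Public WiFi" profile as a raw PF ruleset.
# Assumption: en0 is the Wi-Fi interface; confirm with `ifconfig`.
wifi_if = "en0"

# Options must come before filter rules.
set block-policy drop          # drop silently instead of answering with RST/ICMP
set skip on lo0                # do not filter loopback traffic

# 1. Default deny in both directions. PF applies the LAST matching rule,
#    so everything below refines this baseline.
block all

# 2. Explicit blocks from the profile. `quick` stops evaluation at the
#    first match, so a later pass rule can never reopen these ports.
block quick on $wifi_if proto tcp from any to any port { 139, 445 }     # SMB, in and out
block in quick on $wifi_if proto tcp from any to any port { 22, 5900 }  # SSH, VNC

# 3. The only traffic allowed out: DNS and HTTPS. `keep state` lets the
#    replies back in without any inbound pass rule.
pass out on $wifi_if proto { tcp, udp } from any to any port 53 keep state
pass out on $wifi_if proto tcp from any to any port 443 keep state

# DHCP is not in the page's list. If the address lease stops renewing
# under this ruleset, add pass rules for UDP ports 67/68.

# Parse-check without loading (hypothetical file name):
#   sudo pfctl -nf ./public-wifi.pf.conf
```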
✅ Murus is Now Protecting Your Mac!
You've successfully installed and configured Murus firewall. Your Mac now has professional-grade network-level protection with the principle of least privilege.
Next steps: Create profiles for different networks, review logs regularly, and combine with LuLu for complete protection.