LuLu is the shared-source firewall for macOS. Its goal is simple: block any unknown outgoing connection until it is approved by the user. While it was designed to generically detect malware by flagging unauthorized network connections, LuLu can also be used to block OS components or third-party applications from transmitting information to remote servers.
What’s to like about LuLu? Lots!
The full source code for LuLu is available on GitHub. Such transparency allows anybody to audit its code, or understand exactly what is going on.
LuLu aims to alert you whenever an unauthorized network connection is attempted. As such, it can generically detect malware, or be used to block legitimate applications that may be transmitting private data to remote servers.
“Do one thing, do it well!” LuLu is designed as simply as possible. Sure, this means complex features may not be available, but it also means it’s easier to use and has a smaller attack surface!
Want to know what network events are being detected? Or rules your users have added? LuLu provides simple mechanisms to subscribe to such events, and stores data such as rules in an open, easily digestible manner.
It’s also important to understand LuLu’s limitations! Some of these will be addressed as the software matures, while others are design decisions (mostly with the goal of keeping things simple).
By design, LuLu only monitors for outgoing network connections. Apple’s built-in firewall does a great job blocking unauthorized incoming connections.
Currently, LuLu only supports rules at the ‘process level’, meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed.
For now, LuLu can only be installed for a single user. Future versions will likely allow it to be installed by multiple users on the same system.
Experienced attackers and security professionals know that any security tool can be trivially bypassed if specifically targeted, even if the tool employs advanced self-defense mechanisms. Such self-defense mechanisms are often complex to implement and, in the end, almost always futile. As such, by design LuLu (currently) implements few self-defense mechanisms. For example, an attacker could enumerate all running processes to find the LuLu component responsible for displaying alerts and terminate it (via SIGKILL).
Compatibility: OS X 10.11 or later, 64-bit processor