A few years ago, most Mac users had firewalls in their routers that blocked all incoming connections, and that was all they wanted. Over these years, we have increasingly installed software firewalls on our Macs to block outgoing connections. This article looks at some of the issues that arise from doing so.
There are several potentially good reasons to block specific outbound connections from your Mac. These include:
- prevents legitimate apps from calling home to send personal data to a remote server;
- prevent malicious software from sending data to external servers;
- restrict transmissions over closed or expensive connections, such as mobile data connections when traveling.
Various apps are tailor made for these purposes. For example, Lulu and Little Snitch are primarily targeted to the first two, while TripMode is aimed at those who use mobile data connections and need to manage costs. But each of these apps can be used widely for all three, and more if you like.
All effective firewalls in the software require (at least up to Mojave) a core extension to do their job. As far as I know it is prevented from providing an effective firewall in the Mac App Store. However, App Store searches for the term 'firewall' return several products that may appear to work as firewalls. Don't believe them.
Dependence on a core extension also causes its own disorders. They are not easy to install, and in Catalina it becomes much more difficult. Once installed, they can cause compatibility issues and can be a maintenance headache or worse. A proper firewall is nothing to play with: it needs to be configured and maintained, and may need to be updated when macOS is updated.
The biggest problem with these firewalls is their configuration. They self-configure, in that when an app tries to establish an outgoing connection, the firewall notifies you and you can add it to the whitelist. But by doing so for everything that needs to make such connections, it can be tiring and prone to errors: you can easily block a part of macOS that throws all kinds of other problems.
Apple gives you valuable information to get you started. It shows, for example, the well-known ports, which are an important reference for any network. It has also recently published a detailed list of hosts and ports. If you use Adobe Creative Cloud, Adobe sets the applicable requirements here, although it also recommends that these be changed without notice. A similar list for Dropbox is provided here.
If you use other cloud-based services, you should be able to get similar detailed listings from their providers.
My own free software also makes outgoing connections. Apps that automatically check for updates connect to raw.githubusercontent.com through port 443. SilentKnight and
silnite also connect to my GitHub databases at raw.githubusercontent.com via port 443. SilentKnight,
silnite and LockRattler run the
software update to check for and download Apple updates, which require general access to Apple services. Cirrus and Bailiff work on your Mac with your iCloud connection.
Most Mac users want to make sure all outbound connections are allowed to * .apple.com or 1
Of course, what none of these products can tell you is whether the data transmitted remotely contains private information, or whether the receiving server will allow abuse.