Little Snitch is probably the most popular one, written my devs who deeply understand macOS firewall architecture.

https://obdev.at/products/littlesnitch/index.html

ProllyInfamous 3 hours ago | parent | next [-]

Little Snitch is a user-friendly, software-level blocker, only – use with caution.

Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.

You need isolated hardware for true inbound/outbound protection.

▲

gruez 3 hours ago | parent [-]

>Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).

This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?

	▲	ProllyInfamous 3 hours ago \| parent [-]
		>Are DNS queries blocked? No, not with LittleSnitch (neither in/out-bound). When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by upstream DNS provider (does not matter which option you select). This software pares well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.

▲

mrexcess 3 hours ago | parent | prev [-]

Little Snitch is commercial. If you want largely similar features (focused on egress), check out LuLu: https://github.com/objective-see/LuLu

	▲	runjake an hour ago \| parent [-]
		+1 Thanks, I forgot about LuLu!