Objective-See: LuLu

LuLu

In today's interconnected world, it's uncommon to find an application—or even malware—that doesn't make use of the network.
LuLu is the free, open-source firewall designed to block unknown outgoing connections, safeguarding both your privacy and your Mac!
Supported OS: macOS 10.15+
Current version: 2.9.6 (change log)
DMG's SHA-1: 617C597B090A139C5F04F219B865B6BC138BAB9B
Source Code: LuLu

Note:
LuLu leverages Apple's new Network Extension framework.

As Apple continues to improve the stability of this framework, it is recommended you upgrade to the latest version of macOS, before installing LuLu!

Apple also broke many aspects of networking in macOS 15 (Sequoia). Until Apple releases a fix, the solution for now appears to be to disable the macOS firewall.

Note:
Frequently Asked Questions, and their answers, can be found here.
A LuLu Alert
Installation
To install LuLu, first download the disk archive containing the application. Double-click LuLu.dmg and in the new window that appears drag LuLu.app into the /Applications folder:

Note:
If you already have LuLu installed, make so close it via the "Quit LuLu" option in its status bar menu.

Otherwise you will receive a "LuLu.app is in use" error messages and installation will fail.

After copying LuLu.app to the /Applications folder, launch the copy in the /Applications folder to continue its installation.
Welcome to LuLu
The first time you install LuLu, it will walk you though various installation steps, the most important being the manual approval of its System Extension and Network Filter. This is a multi-step process approval process, that is driven by macOS.

1️⃣ In the first prompt, click, 'Open System Settings':
Click 'Open System Settings'
2️⃣ Then, in the 'System Settings' app, click LuLu's button, to enable it.
Toggle LuLu on
Note:
If LuLu is not showing up, go to the 'Login Items and Extensions' pane in the 'System Settings' and click on '(i)' button of the 'Network Extensions' row. LuLu should now appear, and can be toggled on.

3️⃣ Next, authenticate to approve the installation of LuLu's System Extension:
Authenticate to approve LuLu's System Extension
4️⃣ Finally, click 'Allow' to approve LuLu:
Click 'Allow'
Note:
LuLu only monitors connections. It does not monitor the contents of any network traffic.

Once you have granted LuLu the required approvals, LuLu will display several initial configuration options.
LuLu's default settings
Note:
It is recommend you leave the default options selected which will, for example, allow Apple and already installed programs to (keep) accessing the network without alerting you.

You can later change these settings via LuLu's Settings.

Now that LuLu is configured and installed, it will be running and set to automatically start each time you log in. It will appear in the status bar (unless configured otherwise):
LuLu's Status Bar menu

Note:
Once installed, follow the following steps to test LuLu by using curl to access Objective-See's website:

1. Open a terminal (/System/Applications/Utilities/Terminal.app)
2. Run the following command: curl objective-see.org

This should generate an alert similar to the following (where the IP address likely will be that of the Objective-See website):
Testing LuLu
If you allow the connection, the contents of the site will be shown (in the terminal). If you block the connection, the connection will fail.

Alerts
LuLu's purpose is to alert you anytime a new (unauthorized) outgoing network connection is created. This could be a newly installed application or malware that has surreptitiously infected your system. As there is a lot of information and options in these alerts, it's important to wholly understand them.

The following is a LuLu alert that appears when the program accesses the network to check for updates:
A LuLu Alert
The alert contains the name of the process attempting the connection, as well as the destination its trying to connect to.

Note:
If you "mouse over" the program's name or the connection, it will display either the program's full path, of the full URL that the program is attempting to connect to:
For example, here we can see LuLu is attempting to connect to https://objective-see.org/products.json (in order to see if there is a new version of LuLu):

You can either block, or allow the connection, which by default, will create a general rule for the process either always blocking, or always allow it to access the network. (Shortly, we'll discuss rules in more detail, including how to create more fine-grained ones).

In the alert, there are various elements that if clicked, will provide more information and context about the process. For example, the code signing button, will display code signing information about the process that was responsible for triggering the LuLu alert:
Code Signing Information
Note:
Code Signing information can help you determine if the process is trusted, as it shows who created the program, as well as ensuring that it has not been tampered with.

You can also click on the process hierarchy button to view the origins of the process:
Origins
The VirusTotal button will show the results from VirusTotal. It displays a detection ratio, which indicates how many antivirus engines have flagged the item as malicious out of the total number of engines. If the item is unrecognized, this will be shown.
VirusTotal Results
Note:
VirusTotal is an online service that analyzes files and URLs for malware by scanning them with multiple antivirus engines and security tools.

In order to perform this check, a hash of the program is sent to the VirusTotal.

If you click on 'Details and Options' disclosure button, it will expand the alert:
Detailed Alert
This provide additional details about the program attempting to make the connection, the connection itself, and options that control the behavior of the rule.

By default, your decision (block or allow) applies to the entire program. That is to say, your decision will be applied to subsequent connections (regardless of their destination) for this process, and any other instances. However, using the 'Rule Scope' and 'Rule Duration' options, you can create fine-grained rules.

The 'Rule Scope' offers two options: apply the rule to the entire process, or just to the remote destination its currently attempting to connect to.
Rule Scope Options
If you select the 'Remote Endpoint' option, your decision will be scoped, and a rule will be created that only will be applied subsequent connections that match the same (remote) destination.

The 'Rule Duration' options allow you to specify whether the rule will last always, just for instance of this process' lifetime, or be valid up to some future time.

Note:
The 'Valid until' option expects a future time (in 24-hour format), up to a day ahead. For example, if it's currently nine in the morning and you want a rule to last until five in the evening, you would enter 17:00.

When specified time is hit, the rule is automatically deleted.


Rules
Process or connections are either allowed to access the network, or blocked, based on LuLu's rules. These rules are most commonly created in a response to an alert that is shown to the user (though as we'll show, can also be manually created).

The 'Rules' window displays these rules:
Rules Window
Note:
If signed, a program is identified in the Rules window by name and its code signing (bundle) identifier (e.g. com.objective-see.lulu).

Using a code signing identifier (vs. a path), allows the rule to be applied even if the program is moved, or updated.

If you want to view a program's path(s), simply double click (or ^+click and select "→ Show Path(s)") on any program in the Rules window:

The Rules Window
The Rules window can be accessed by clicking on 'Rules' and then 'Show...' in LuLu's status bar menu:
Showing LuLu's Rules
From a drop-down menu in the Rule's window you can filter rules based on their type that include:
Menu to Filter Rules by Type
  • All Rules:
    This shows all of LuLu's rules. In other words, it is a combination of the default, apple, baseline, user, and recent rules.

  • Default Rules:
    This view shows LuLu's default or system rules. These rules are for Apple/macOS processes that should be allowed to access to the network in order to preserve system functionality.

  • Apple Rules:
    When the 'Allow Apple Programs' option has been selected (either during installation, or via LuLu's settings), any process that is signed (solely) by Apple proper will be automatically allowed to connect to the network. Also, an 'Allow' rule will be created, and will show up in this view.

  • 3rd-Party Program Rules:
    When the 'Allow Installed Programs' option has been selected (either during installation, or via LuLu's settings), any applications or program that was (pre)installed will be automatically allowed to connect to the network. Also, an 'Allow' rule will be created, and will show in this view.

  • User Rules:
    This view shows rules the user has created, either manually via the 'Add Rule' button, or by clicking 'Block' or 'Allow' in a LuLu alert.

  • Recent Rules:
    This view shows all rules that have been created in the last 24 hours. In this view, you'll see each rule's creation time.

Via the Filter box, you can also filter rules by a custom string (for example, to match on certain program names, endpoints, etc).

Adding Rules
Rules are created in response to an alert (unless the user has selected the "temporarily" button in the alert). However, you can also manually add rules.

To manually add a rule, while in the 'All' or 'User' rules view, click on the 'Add Rule' button at the bottom of the rules window. This will bring up an 'Add Rule' dialog box:
The 'Add Rule' Window
In this dialog box, enter the path to the program (or click 'Browse' to open a file chooser window). Then, enter the remote address or domain, remote port, and finally select 'Block' or 'Allow'. Click 'Add' to add the rule, which will be persistently saved, and show up as a 'User' rule.

Note:
Enter * for "any" (e.g. a program path of * will globally match all programs).

The rule's remote address/domain can also be a regular expression (though make sure to check the "regex" checkbox if this is the case).

Also note that as LuLu only monitors outgoing traffic, rules only apply to outgoing connections.


Editing (Updating) Rules
To change a rule, either double click on a rule, or ^+click and select ' → Edit Rule':
Editing a Rule
This will bring up a window where you can edit any aspect of the rule:
Editing a Rule
Deleting Rules
There are several ways to delete a rule. With the rule selected, simply press the "delete" on your keyboard or, ^+click and select ' → Delete Rule':
Deleting a Rule
...or simply click the 'x' button on the right hand side of the rule.

Note:
Deleting a row that contains program, will remove all its rules.

Also note that is not recommended that you delete any default (system) rules, as this will impact legitimate functionality of the your computer!


Settings
LuLu can be configured via its Settings window. To open this, click 'Setting...' in LuLu's status bar menu (Or just open the main LuLu application (/Applications/LuLu.app)).
Opening LuLu's Settings
The Settings window has four tabs: Rules, Mode, Lists, and Update.

Settings: Rules
Via the Rules pane, you can configure how LuLu will (automatically) generate rules, as well as other rule-related settings:
LuLu's Settings for Rules
  • 'Allow Apple Programs'
    When this option is selected any process that is signed solely by Apple will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under 'Apple Rules'.

  • 'Allow Installed Applications'
    When this option is selected any applications (and their components) that were (pre)installed will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under '3rd-party Rules'.

  • 'Allow DNS Traffic'
    When this option is selected any UDP traffic over port 53 will be allowed.

  • 'Allow Simulator Applications'
    When this option is selected, traffic any applications running within a simulator will be allowed. This is useful if you are developing applications and testing them within (iOS/iPad) simulator.

Settings: Modes
Via the 'Modes' pane, you can configure various modes that dictate how LuLu runs.
LuLu's Settings for 'Modes'
  • 'Passive' Mode:
    When 'Passive' mode is enabled, LuLu will run silently without alerts, applying existing rules. And what about for new connections? Well, via the drop down menu in the 'Passive Mode' pane, you can select whether they should allowed or denied, and also whether or not rules for these new connects should be automatically created (or not).

  • 'Block' Mode:
    When this option is selected, all traffic (that is routed thru LuLu) will be blocked.
    Note:
    Some network traffic may not be routed through Network Extensions (such as LuLu). As such, such traffic is never seen by LuLu, and be cannot be blocked.

    If you have specified an 'Allow List' (discussed shortly), traffic destined to locations on the allow list, will still be allowed.

  • 'No Icon Mode'
    When this option is selected, LuLu will run without an icon in the status bar.
    You can always manually run /Applications/LuLu.app to disable this preference if you'd like the status bar icon back.
Settings: Lists
Via the 'List' pane, you specify 'Allow' or 'Block' lists that contain endpoints that supersede any rules.
LuLu's Settings for 'Lists'
Note:
The list can be a local file, or remote url (e.g. https://ceadd.ca/blockyouxlist.txt).

It should contain a (newline-separated) list of hosts and/or IPs addresses.

If a local file is specified, LuLu will (re)load it whenever modifications are detected, whereas remote files will be (re)loaded once a day.

If both an allow and a block list are specified, items in the block list take priority.

Note:
Due to limitations of macOS, blocking via host name is only applicable to (as Apple notes) "Network.framework or NSURLSession connections".

As such, for browsers (such as Chrome), that do not leverage these frameworks, only ip address based blocking is supported.

...as Safari and Firefox leverage such frameworks, they are not subject to this limitation.
  • 'Allow' List:
    When an allow list is specified, any connection to any endpoint on the allow list will be allowed. A match, supersedes any rules, or even when the 'Block' mode is enabled.

  • 'Block' List
    When a block list is specified, any connection to any endpoint on the block list will be block. A match, supersedes any rules.
Settings: Update
Via the 'Update' pane, allows one to check for new versions, as well as disable the automatic check for new versions of LuLu.
LuLu's Settings for Updates


Network Monitor
Interested in seeing the current network activity on your system? Simply click the 'Network Monitor' menu option in LuLu's status bar menu:
Opening LuLu's Network Monitor
This will launch Objective-See's Netiquette, a network monitor application, that has been packaged into LuLu.
Netiquette: a Network Monitor
Note:
You read more about Netiquette (which also can be downloaded/run as a standalone application), on it's "tool page" on the Objective-See website.

Exiting or Uninstalling
You can quit or fully uninstall LuLu via its status bar menu:
To either exit or unistall Lulu, you will be required to authenticate:

Note:
To uninstall an older version (v1.*), first download LuLu (v1.2.3). Then launch it and click "Uninstall".


Frequently Asked Questions

Q: Do I need LuLu if I've turned on the built-in macOS firewall?
A: Yes! Apple's built-in firewall only blocks incoming connections. LuLu is designed to detect and block outgoing connections, for example when malware attempts to connect to it's command & control server for tasking, or exfiltrating data.

Q: Does LuLu conflict with other (paid) macOS firewalls or security products?
A: Although at this point testing has been limited, LuLu appears to play nice with other tools.

Q: I found a bug (or issue) with LuLu. Can you fix it?
A: For sure! If you encounter any issues, create an bug report via GitHub.

Q: Why does LuLu try to access the network?
A: When LuLu is started it connects to Objective-See.org to check if there is a new version of the product. Specifically, it reads the file products.json, which contains the latest version number of LuLu. No user or product information is collected nor transmitted. Note that this automated version checking can be disabled via the 'Disable Update Checks' option in LuLu's settings.

LuLu may generate network traffic related to its integration with VirusTotal. As described above, when (only when) a user clicks the 'Virus Total' button in the alert window, this will generate a request which contains the file's path, name, and hash.