Note, as with any security tool, direct or proactive attempts to specifically bypass LuLu's protections will likely succeed. By design, LuLu (currently) implements only limited 'self-defense' mechanisms. If you're interested in this topic, I'll be giving a talk, "Fire & Ice: Making and Breaking MacOS Firewalls" at VirusBulletin 2018!

LuLu is the free, shared-source firewall for macOS. Its goal is simple: block any unknown outgoing connections until approved by the user. While it was designed to generically detect malware by flagging unauthorized networking connections, LuLu can also be used to block OS components or 3rd-party applications from transmitting information to remote servers.

What's to like about LuLu? Lots!

100% free

As in no ads, no time trials, no missing features. Because why not!?

And no, it doesn't track, monitor, or spy on you - as that'd just be pure evil!

shared source

The full source code for LuLu is available on GitHub. Such transparency allows anybody to audit its code, or understand exactly what is going on.

protects

LuLu aims to alert you whenever an unauthorized network connection is attempted. As such, it can generically detect malware, or be used to block legitimate applications that may be transmitting private data to remote servers.

simple

"Do one thing, do it well!" LuLu is designed as simply as possible. Sure this means complex features may not be available, but it also means it's easier to use and has a smaller attack surface!

enterprise friendly

Want to know what network events are being detected? Or rules your users have added? LuLu provides simple mechanisms to subscribe to such events, and stores data such as rules in an open, easily digestible manner.







Want to support LuLu? ...you can via my patreon page! Mahalo ♡

It's also important to understand LuLu's limitations! Some of these will be addressed as the software matures, while others are design decisions (mostly with the goal of keeping things simple).

Network Monitoring

By design, LuLu only monitors for outgoing network connections. Apple's built-in firewall does a great job blocking unauthorized incoming connections.

Rules

Currently, LuLu only supports rules at the 'process level', meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed.

Single User

For now, LuLu can only be installed for a single user. Future versions will likely allow it to be installed by multiple users on the same system.

Self-Defense

Legitimate attackers/security professionals know that any security tool can be trivially bypassed if specifically targeted - even if the tool employs advanced self-defense mechanisms. Such self-defense mechanisms are often complex to implement and in the end, almost always futile. As such, by design LuLu (currently) implements few self-defense mechanisms. For example, an attacker could enumerate all running processes to find the LuLu component responsible for displaying alerts and terminate it (via a sigkill).

Installing LuLu

To install LuLu, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

Then, simply double-click on 'LuLu Installer.app'. Click 'Install' to install the tool.

During installation, LuLu will perform the following:

install all LuLu components (kernel extension, launch daemon, login item, etc.)

enumerate all (pre)installed applications

rebuild the kernel cache

Note that these last two steps may take a few minutes, so please be patient!

Also, in order to complete the install, you must reboot your Mac.

Upon reboot, LuLu will display a 'welcome' window with various click-thru screens. For example, these allow one to configure the firewall.

On versions of macOS High Sierra (10.13)+, in order to load the firewall's kernel extension, user assistance is required. Click on the 'Open System Preferences' button. This will load the System Preferences application, and then open the 'General' tab under the 'Security and Privacy' pane. At the bottom, click the 'allow' button to allow the Objective-See LuLu kernel extension to load. (For more details on "User-Approved Kernel Extension Loading" see Apple's documentation.)

Once LuLu is installed, it will be running and is set to automatically start each time you log in. Unless configured to run without a status-bar icon, it will appear in the status bar.

Uninstalling LuLu

'LuLu Installer.app'. Click 'Uninstall' to completely remove the tool. Note that this also requires a reboot to complete.

Using LuLu (Alerts)

'XAgent' attempts to connect out to its command and control server for tasking. The alert is designed to be fairly self-explanatory, but let's discuss some of its elements:

process icon

The icon of the process is displayed in the top right of the alert window. If the process does not have an icon (i.e. it's a command-line utility or a background daemon), a default system icon will be displayed.

signing status

The 'signing status' of the process that is attempting to create a remote connection is also displayed in the LuLu alert window. The lock icon can be one of the following three images:

signed by Apple proper (i.e. core OS X/macOS binary)

signed via a developer ID, or ad-hoc

not signed ("code object is not signed at all")

To view more information about the code-signing status of the process, click on the icon.

virus total information

VirusTotal is a cloud service that, given a file hash, will return the number of anti-virus engines that have flagged the file as malicious. Clicking the 'virus total' button in LuLu's alert window will reveal a popover that contains this detection ratio for the process that is attempting to create a remote connection.

Click the 'details' link in the popup to open the VirusTotal report in a browser.

process hierarchy

Click the 'process hierarchy' button in the LuLu alert to view the hierarchy for the process that is attempting to create a remote connection.



process information (pid & path)

The LuLu alert window also contains the process id (pid) and full path of the process that is attempting to create a remote connection.



(attempted) connection information

The remote endpoint information, specifically the IP address, port, and protocol that the process is attempting to connect to, is also displayed in the LuLu alert window.



block or allow

Clicking the 'block' button:

prevents the process from establishing the outgoing connection

creates a rule for the process, disallowing it from establishing any network connections

Clicking the 'allow' button:

allows the process to establish the outgoing connection

creates a rule for the process, allowing it to establish any network connections

Using LuLu (Rules)

The 'rules' window displays these rules, as well as allows one to manually create or delete rules. This window can be accessed either by launching LuLu's application (/Applications/LuLu.app), or by clicking on 'Rules' in LuLu's status bar menu.

There are five tabs in the rules window:

All Rules

The first tab shows all of LuLu's rules. In other words, it is a combination of the default, apple, baseline, and user rules.

Default Rules

The second tab shows LuLu's default or system rules. These rules (which cannot be deleted via the UI) are for Apple/macOS processes that must be allowed to communicate with the network in order to preserve system functionality.

Apple Rules

When the 'Allow Apple Programs' option has been selected (either in the welcome configuration screen, or LuLu's preferences), any process that is signed by Apple proper will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up here, under 'Apple Rules'.

Baseline Rules

When the 'Allow Installed Applications' option has been selected (either in the welcome configuration screen, or LuLu's preferences), any applications (and their components) that were (pre)installed will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up here, under 'Baseline Rules'.

User Rules

The fifth and final tab shows rules the user has created, either manually via the 'add rule' button, or by clicking 'block' or 'allow' in a LuLu connection alert window.

To manually add a rule, click on the 'add rule' button at the bottom of the rules window. This will bring up an 'Add Rule' dialog box. In this dialog box, enter the path to the target application or process (or click 'browse' to open a file chooser window). Then, select 'block' or 'allow', and finally click 'add' to add the rule. The new rule will be added as a 'user rule'.

Note that if a rule already exists for the process or application, 'add rule' will fail. In other words, the existing rule has to be deleted first.

To delete a rule, simply click the 'x' button on the right-hand side of the rule, in the rules window. If the 'x' button is disabled, it means the rule cannot be deleted via the UI (i.e. default/system rules). Also, one can right- or control-click on a selected rule, and click on 'delete'.

LuLu's rules are stored in /Library/Objective-See/LuLu/rules.plist. If one has root privileges, by design, the rules can be directly read, and/or modified:

$ cat /Library/Objective-See/LuLu/rules.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ...>
<plist version="1.0">
<dict>
    <key>/Applications/App Store.app</key>
    <dict>
        <key>action</key>
        <integer>1</integer>
        <key>type</key>
        <integer>0</integer>
        <key>user</key>
        <integer>0</integer>
    </dict>
    ...
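Because the rules file can be modified directly by anything running as root, it is worth checking it for unexpected changes. The Python below is an added example, not part of LuLu or of the original page: it compares a saved copy of rules.plist against the current one and reports added, removed and modified rules. The sample plists are constructed, the helper names are hypothetical, and the action/type/user integers are compared as opaque values, since the page does not define their meanings.

```python
import plistlib

def load_rules(data: bytes) -> dict:
    """Parse rules.plist bytes into {path: {"action": .., "type": .., "user": ..}}."""
    rules = plistlib.loads(data)
    if not isinstance(rules, dict):
        raise ValueError("top-level plist object is not a dictionary")
    return rules

def diff_rules(baseline: bytes, current: bytes) -> dict:
    """Report rule paths added, removed, or modified since the baseline copy."""
    old, new = load_rules(baseline), load_rules(current)
    changed = {}
    for path in sorted(old.keys() & new.keys()):
        keys = sorted(set(old[path]) | set(new[path]))
        delta = {k: (old[path].get(k), new[path].get(k))
                 for k in keys if old[path].get(k) != new[path].get(k)}
        if delta:
            changed[path] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

def rule(action: int, rtype: int, user: int) -> dict:
    # Same three keys as the listing above; values are treated as opaque integers.
    return {"action": action, "type": rtype, "user": user}

# Constructed sample data (not real LuLu output), serialized as XML plists.
BASELINE = plistlib.dumps({
    "/Applications/App Store.app": rule(1, 0, 0),
    "/Applications/Example Chat.app": rule(0, 3, 501),
    "/usr/local/bin/example-tool": rule(0, 3, 501),
})
CURRENT = plistlib.dumps({
    "/Applications/App Store.app": rule(1, 0, 0),
    "/Applications/Example Chat.app": rule(1, 3, 501),  # action value changed
    "/private/tmp/example-updater": rule(1, 3, 0),      # entry not in baseline
})

if __name__ == "__main__":
    report = diff_rules(BASELINE, CURRENT)
    for path in report["added"]:
        print("ADDED  ", path)
    for path in report["removed"]:
        print("REMOVED", path)
    for path, delta in report["changed"].items():
        print("CHANGED", path, delta)
```

On a real system, `current` would be the bytes of /Library/Objective-See/LuLu/rules.plist read as root, and `baseline` a copy saved earlier.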



Rules can also be imported or exported via the UI:

Import Rules

To import a new set of rules, simply click the 'import' button at the bottom left of the Rules window. In the file selection panel, choose the file that contains the rules to import. Note that importing rules is 'global' - it will fully replace all existing rules!

Export Rules

To export, or save, the existing rules, simply click the 'export' button at the bottom left of the Rules window. In the 'save' panel, choose the location where you'd like to save the rules.

Using LuLu (Preferences)

(/Applications/LuLu.app), or via LuLu's status bar menu, click on 'Preferences'. The preference pane has three tabs.

Rules

'Allow Apple Programs'

When this option is selected, any process that is signed by Apple proper will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under 'Apple Rules'.

'Allow Installed Applications'

When this option is selected, any applications (and their components) that were (pre)installed will be automatically allowed to connect to the network. Also, an 'allow' rule will be created, and will show up in the Rules window, under 'Baseline Rules'.

Visuals

Update

FAQs

Why is LuLu called LuLu?

In Hawaiian, the word 'LuLu' means protection, shield, or peace. As this tool aims to instill peace by providing a protective shield, it seemed the fitting name. And as LuLu (along with all of Objective-See's tools) is coded with aloha on the lovely island of Maui, it's the perfect name!

Do I need LuLu if I've turned on the built-in macOS firewall?

Yes! Apple's built-in firewall only blocks incoming connections. LuLu is designed to detect and block outgoing connections, such as those generated by malware when the malware attempts to connect to its command & control server for tasking, or exfiltrates data.

Does LuLu conflict with other (paid) macOS firewalls or security products?

Although at this point testing has been limited, LuLu appears to play nice with other tools :)

I found a bug (or issue) with LuLu. Can you fix it?