Firewalls, phoning home and whitelists

A few years ago, most Mac users had firewalls in their routers which blocked all incoming connections, and that was all they wanted. Over those years, we’ve increasingly installed software firewalls on our Macs to block outgoing connections. This article looks at some of the issues that arise from doing that.

There are several potentially good reasons for wanting to block specific outgoing connections from your Mac. These include:

  • preventing legitimate apps from ‘phoning home’ to send personal data to a remote server;
  • preventing malware from sending data to remote servers;
  • limiting transfers over capped or expensive connections, such as mobile data connections when travelling.

Different apps are tailored for those purposes. For example, Lulu and Little Snitch are primarly targeted at the first two, while TripMode is aimed at those who use mobile data connections and need to manage their cost. But each of those apps can be used broadly for all three, and more if you wish.

All effective software firewalls require (at least up as far as Mojave) a kernel extension in order to do their work. As far as I’m aware, that prevents any effective firewall from being offered in the Mac App Store. However, currently App Store searches for the term ‘firewall’ return several products which might appear to be functioning as firewalls. Don’t believe them.

Reliance on a kernel extension also brings its own woes. They aren’t easy to install, and in Catalina that’s getting significantly harder. When they are installed, they can cause compatibility issues and may prove a maintenance headache or worse. A proper firewall isn’t something to toy around with: it needs to be configured and maintained, and may well need updating when macOS is updated.

The biggest issue with these firewalls is their configuration. They do self-configure, in that when an app attempts to make an outgoing connection, the firewall informs you, and you can add that to its whitelist. But steadfastly doing that for everything that needs to make such connections can be tiresome and prone to error: you could easily block part of macOS which throws all sorts of other problems.

Apple provides some valuable information to get you started. It lists its well-known ports, for example, which is an important reference for anything networking. It has also recently published a detailed listing of hosts and ports. If you use Adobe Creative Cloud, Adobe provides its current requirements here, although it also advises that these may change without warning. A similar listing for Dropbox is given here.

If you use other cloud-based services, you should be able to obtain similar detailed listings from their providers.

My own free software also makes outgoing connections. Apps which automatically check for updates connect to via port 443. SilentKnight and silnite also connect to my GitHub databases at via port 443. SilentKnight, silnite and LockRattler run the softwareupdate tool to check for and download Apple’s updates, which requires general access to Apple’s services. Cirrus and Bailiff work with your Mac’s iCloud connection.

Most Mac users will want to ensure that all outgoing connections are permitted to * or This is particularly important now that Mojave and Catalina check for notarization as well as certificate validation. Running a notarized app for the first time on macOS is now largely dependent on external ticket and certificate checks.

Of course what none of these products can tell you is whether the data being transmitted externally contains private information, nor whether the receiving server is going to allow its abuse.