TCPBlock

Download TCPBlock v2.10

About


TCPBlock is a lightweight and fast application firewall for Mac OS X 10.5 or later developed by delantis.com.
The Mac OS X firewall protects you from connections that come from outside of your computer. But what about the software from your computer that opens new connections to the internet? With TCPBlock you can prevent selected applications on your computer from opening connections to the network.
TCPBlock is implemented as a loadable kernel module which contains all the blocking logic. You can configure it in the System Preferences TCPBlock preference pane or with the tcpblock command line utility. All the configuration changes are made persistent in a configuration file on the hard disk. At system boot time the TCPBlock kernel extension reads its configuration from disk and is ready to go.

How to use it

Application List

In System Preferences open the TCPBlock preference pane. You can choose to enable the firewall, to block all connections to the network and you can specify if your application list is a black list with items to disallow or a white list with items to allow.
In the Application List tab use the + button to add new applications to the list. Use “Select Applications” from the + button menu to add applications or choose “New Item” and type the Unix command name of the application.
Connecting Apps
In the Connecting Apps tab you have a live view of the current network activity. It displays the last up to 100 network connections. To include connecting apps in your application list select one or more items in the connecting apps table and click the button “Insert into Application List”.
Note that, because the Mac OS X kernel only keeps a short form of each process's command name, only the first 16 characters of the command name are used for name comparisons. Any characters beyond this limit are truncated, so two commands that share their first 16 characters are treated as the same entry.
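The following added example (not TCPBlock's own code) models the list matching described above: the firewall compares command names truncated to 16 characters, and the result depends on whether the list is a black list or a white list. The rule precedence (disabled firewall, then "block all", then the list) and the 16-character limit are taken from this page; the sample command names are constructed. It also flags entries in a list that collapse to the same truncated name and therefore cannot be distinguished by the filter.

```python
# Added example: models the name comparison described on this page.
# Assumption: the kernel compares only the first 16 characters of a command name.
MAXCOMLEN = 16


def kernel_comm(name: str) -> str:
    """Return the command name as the kernel would compare it (truncated)."""
    return name[:MAXCOMLEN]


def would_block(enabled: bool, block_all: bool, whitelist: bool,
                entries: list[str], command: str) -> bool:
    """Decide whether a new connection from `command` is blocked.

    Precedence (assumed from the page's description): a disabled firewall
    allows everything; "block all connections" blocks everything; otherwise
    a black list blocks listed commands and a white list blocks unlisted ones.
    """
    if not enabled:
        return False
    if block_all:
        return True
    listed = kernel_comm(command) in {kernel_comm(e) for e in entries}
    return (not listed) if whitelist else listed


def ambiguous_entries(entries: list[str]) -> dict[str, list[str]]:
    """Group list entries that share the same truncated name.

    Such entries are indistinguishable to the filter: a rule meant for one
    of them applies to all of them, which matters most for white lists.
    """
    groups: dict[str, list[str]] = {}
    for entry in entries:
        groups.setdefault(kernel_comm(entry), []).append(entry)
    return {key: names for key, names in groups.items() if len(names) > 1}


def truncated_entries(entries: list[str]) -> list[str]:
    """Return entries longer than the limit, whose tail the kernel ignores."""
    return [e for e in entries if len(e) > MAXCOMLEN]


if __name__ == "__main__":
    # Constructed sample list: the two "ExampleUpdateHelper*" names collide
    # after truncation, so a black list entry for one also blocks the other.
    sample = ["Safari", "ExampleUpdateHelperAgent", "ExampleUpdateHelperDaemon"]
    print("ambiguous:", ambiguous_entries(sample))
    print("truncated:", truncated_entries(sample))
    print("blocked:", would_block(True, False, False, sample[1:2], sample[2]))
```

Run the list check before relying on a white list: any collision means an unlisted program can match an entry meant for a different one.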

Advanced configuration

Use the command line client /usr/local/bin/tcpblock to configure TCPBlock or to monitor its activities.
tcpblock -h lists all the available options.
The TCPBlock configuration is stored in the file /etc/tcpblock.conf. If you edit this file then execute tcpblock -c to load the changed configuration. This file is overwritten if you configure TCPBlock with the preference pane or the tcpblock utility.
To find the Unix command name you need when adding an application with “New Item”, open a Terminal and type “/usr/local/bin/tcpblock -m” to start the TCPBlock network monitor. As soon as your application tries to establish a network connection it is listed in the network monitor. Copy the application name from the network monitor and paste it into the preference pane application list.

Support for Growl notifications

Install Growl on your computer if you do not already have it. TCPBlock will not install Growl for you.
In the TCPBlock Preference Pane enable the sending of Growl notifications. This registers three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. By default only the “Block outcon” notification is displayed. If you want to see the other types of notifications, open the Growl Preference Pane and configure the notification display options for the TCPBlock application there.
If more than one notification of the same type is sent at the same time they are coalesced into a single notification to avoid flooding your display with too many messages. Note that not all Growl display plugins support coalescing.

Logging

You can set the TCPBlock log level with a slider in the preference pane.
Your options are: No logging at all, log only the blocked connections and log all connections. The last option logs both blocked and allowed connections. All the log information is written to the file /var/log/system.log in Leopard and /var/log/kernel.log in Snow Leopard.

Donate $10

TCPBlock is donationware.
If you use it please consider supporting its maintenance with a donation to delantis.com.
Donate $10 via PayPal to tcpblock@delantis.com.
Thank you for supporting TCPBlock!

Changelog

*******************************************************************************
October 20, 2011

TCPBlock v2.10 is released. What’s new:

Filter UDP Protocol
In addition to the TCP protocol, TCPBlock now filters and blocks the UDP protocol. UDP provides a minimal, unreliable, best-effort, message-passing transport to applications and upper-layer protocols. As we know from the Windows world, many trojans use UDP to communicate. With TCPBlock you can filter the two most widely used internet communication protocols.
For blacklist users no configuration changes are required. If you are using a TCPBlock whitelist, you may wish to include in the list some basic system services such as NTP or DNS, which use UDP.

Report if apps are connecting over TCP or UDP
In the Connecting Apps tab and in the TCPBlock Network Monitor you can see which communication protocol is used.

Improved logging
You can set the TCPBlock log level with a slider in the preference pane. Your options are: No logging at all, log only the blocked connections and log all connections. The last option logs both blocked and allowed connections. All the log information is written to the file /var/log/system.log in Leopard and /var/log/kernel.log in Snow Leopard.

Incompatibility with nginx resolved
An incompatibility which causes your Mac to crash if the nginx web server is used together with TCPBlock is resolved.
*******************************************************************************
September 25, 2011

TCPBlock v2.9 is released. Here you have a summary of the new features:

Support for Growl notifications
Install Growl on your computer if you do not already have it. TCPBlock will not install Growl for you.
In the TCPBlock Preference Pane enable the sending of Growl notifications. This registers three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. By default only the “Block outcon” notification is displayed. If you want to see the other types of notifications, open the Growl Preference Pane and configure the notification display options for the TCPBlock application there.
If more than one notification of the same type is sent at the same time they are coalesced into a single notification to avoid flooding your display with too many messages. Note that not all Growl display plugins support coalescing.
The notifications will give you a quick overview of the current network activity of your Mac.

Option tcpblock -mt displays a timestamp when network activity occurs
You can let the command line network monitor run unattended overnight and write all network activity into a log file. With the timestamp you can see when each connection happened.

Improved detection of the process name an incoming connection connects to
TCPBlock now maintains a list of all programs on your Mac that are listening for incoming connections. When an incoming connection is made, TCPBlock looks in its list for the program serving the new connection and displays its name. You can configure TCPBlock to notify you about incoming connections.

TCPBlock Kernel Module stability improvements
Kernel programming is an immense responsibility. You must be exceptionally careful to ensure that your code does not cause the system to crash, does not provide any unauthorized user access to someone else’s files or memory, does not introduce remote or local root exploits, and does not cause inadvertent data loss or corruption. The TCPBlock kernel code has been carefully reviewed and improved.
*******************************************************************************

Date                Version  What's new
October 20, 2011    2.10     Filter UDP Protocol.
                             Report if apps are connecting over TCP or UDP.
                             Improved logging.
                             Incompatibility with nginx resolved.
September 25, 2011  2.9      Support for Growl notifications.
                             Option tcpblock -mt displays a timestamp when network activity occurs.
                             Improved detection of the process name an incoming connection connects to.
                             TCPBlock Kernel Module stability improvements.
December 8, 2010    2.8      Network Monitor shows incoming connections too.
                             Connecting Apps tab shows incoming network connections in light gray
                             and apps already included in the Application List in dark gray.
                             Connecting Apps table automatically scrolls to the end of the list.
                             The configuration of the previous version is reused.
                             Minor GUI changes.
December 1, 2010    2.7      Support for 64-bit kernels added.
November 26, 2010   2.6      Initial setup simplified.
                             Set an application to be blocked within a few mouse clicks.
                             Connecting Apps tab shows live network activity.
November 13, 2010   2.5      Sort application list.
                             Edit the application name.
November 4, 2010    2.4      Public release.