TCPBlock

April 26, 2014: Download TCPBlock v4.2

Get it from CNET Download.com!

Download the new 4.2 version. It runs on Mac OS X 10.6 or later. With TCPBlock 4.2 you get cryptographical hash network connection filtering for applications, a rather unique feature in the Mac firewall world which provides a greatly enhanced security compared to file name only filtering. See the “Hash Check” section below.

Note that TCPBlock is not compatible with Yosemite.
In OS X 10.10 (Yosemite) Apple has introduced a new security requirement called kext signing (a kext is a kernel extension or a driver). This is a means of enforcing security, but also a way for Apple to control what kernel extensions third party developers can release for OS X.
To continue to use TCPBlock you first need to disable the kext signing security setting.

About

TCPBlock Icon

TCPBlock is a lightweight and fast application firewall for Mac OS X 10.6 or later developed by Jo Delantis.
The Mac OS X firewall protects you from connections that come from outside of your computer. But what about the software from your computer that opens new connections to the internet? With TCPBlock you can prevent selected applications on your computer from opening connections to the network.
TCPBlock is implemented as a loadable kernel module which contains all the blocking logic. You can configure it in the System Preferences TCPBlock preference pane or with the tcpblock command line utility. All the configuration changes are made persistent in a configuration file on the hard disk. At system boot time the TCPBlock kernel extension reads its configuration from disk and is ready to go.

How to use it

Application List

With TCPBlock you can filter the access of applications to particular IP addresses and ports additionally to just allow or deny an application’s network access at all. It also supports filtering for an IP address range or a port range, for details see the advanced configuration section.
In System Preferences open the TCPBlock preference pane. You can choose to enable the firewall, to block all connections to the network and you can specify if your application list is a black list with items to disallow or a white list with items to allow connecting.
In the Application List tab use the + button to add new applications to the list. Use “Select Applications” from the + button menu to add applications or choose “New Item” and type the Unix command name of the application.
An Application List entry has the format name/address/port, where name means the application’s name, address can be an IPv4 or IPv6 address and port means the TCP or UDP port. You can use “*” to match any address or any port.

Connecting Apps
In the Connecting Apps tab you have a live view of the current network activity. It displays the last up to 100 network connections. To include connecting apps in your application list select one or more items in the connecting apps table and click the “Insert name/*/* into App List” button. By checking the include address or port options you get a new application list item containing the particular address or port your app connects to.

“Insert name/*/* into App List” means: The new rule applies to the inserted app and every address or port it connects to.
“Insert name/*/port into App List” means: The new rule applies to the inserted app, every address and the specified port.
“Insert name/address/* into App List” means: The new rule applies to the inserted app, the specified address and every port.
“Insert name/address/port into App List” means: The new rule applies to the inserted app, the specified address and the specified port.
Note that, due to the limited knowledge of filenames in the Mac OS X kernel only the first 16 characters of the command name are used for name comparisons. Any characters above this limit are truncated.

Hash Check
If you enable the hash check function then for each application binary a cryptographical hash checksum is computed and the connection filtering is done by the app’s name and its hash. This function is especially useful in TCPBlock’s whitelist mode: changing a single byte of the app’s binary leads to a different hash and the app’s network access would not be permitted anymore. Also this implies that if you upgrade an app then you have to recompute its whitelisted hash: use the “Rehash” button to do this.
With hash checking enabled a malicious app can not bypass TCPBlock by renaming and giving itself the name of a whitlisted application because the hash of the malicious app is different to the whitelisted app’s hash.
If you enable hash checking then the new background process tcpblockd is started. tcpblockd makes use of the OS X kqueue feature to get notified by the OS X kernel for every new process which is created or when a process dies. It asynchronously passes this information to the TCPBlock kernel extension. Due to the asynchronous communication the OS X kernel never has to wait for the tcpblockd. Nevertheless the tcpblockd adds some load to your system because it has to read the executable binary file and calculate the cryptographical hash for every process you start on your system.
The tcpblockd is using the SHA 1 algorithm to calculate the hash. It creates the same hash as you would get with the command line tool “shasum” which is part of OS X.

Advanced configuration

Use the command line client /usr/local/bin/tcpblock to configure TCPBlock or to monitor its activities.Network Monitor
tcpblock -h lists all the available options.
The TCPBlock configuration is stored in the file /etc/tcpblock.conf. If you edit this file then immediately execute tcpblock -c to load the changed configuration. This file is overwritten if you configure TCPBlock with the preference pane or the tcpblock utility.

Range filtering
TCPBlock supports rules for matching an IPv4 address range or a port range. IPv6 range filtering is not supported.
Specify a port range with minPort-maxPort, e.g. 443-445 matches ports 443,444 and 445.
Address matching is supported through octet range addressing with the format minOctet-maxOctet. Rather than specify a normal IP address, you can specify a range for each octet. For example, 192.168.3-5.1 will match the three addresses 192.168.3.1, 192.168.4.1, 192.168.5.1. An octet set to * is translated to the range 0-255, e.g. 192.168.3.* is translated to 192.168.3.0-255 and matches all IP addresses from 192.168.3.0 to 192.168.3.255.

The following are valid range rules:
myApp/*/80-443
myApp/10.11.12.*/80
myApp/10.11.*.42-242/2000-4000

You can add a range rule by editing a rule in TCPBlock’s Application List or from the command line with tcpblock -a.
Note that in the Application List or with tcpblock -g you see the original, unparsed rule string. Use tcpblock -G to check if your range rule is correctly parsed. tcpblock -G returns the range of each octet and the port range like it is recognized by TCPBlock’s parse logic.

Global rules
You can define a global rule by setting the application’s name to “*”. For example, if you have a trusted network like 192.168.42.1/24 you can whitelist it with the rule */192.168.42.*/*. In this way any app can connect to any IP address and any port in your trusted network.

Support for Notification Center

TCPBlockNotifyIn OS X Mountain Lion or later TCPBlock uses the Notification Center instead of Growl notifications. In the TCPBlock Preference Pane you can enable the TCPBlockNotify login item. Click a notification to add or remove the affected app from the Application List.
Authorized means: The notifier is authorized to modify your app list, which is a privileged operation. Therefore it asks you for credentials. It will stay authorized until you uncheck it. If you click a TCPBlock notification in the Notification Center the notifier asks you if you want to add or remove the affected app from your Application List.
The notifier ignores range and global rules.

Support for Growl notifications

Install Growl on your computer if you not already have it. TCPBlock will not install Growl for you.
In the TCPBlock Preference Pane enable the sending of Growl notifications. This will register three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. As default only the “Block outcon” notification is displayed. If you want to see the other types of notifications you have to open the Growl Preference Pane and configure there the notification display options for the TCPBlock application.
If more than one notification of the same type is sent at the same time they are coalesced into a single notification to avoid flooding your display with to many messages. Note that not all Growl display plugins support coalescing.

Logging

You can set the TCPBlock log level with a slider in the preference pane.
Your options are: No logging at all, log only the blocked connections and log all connections. The last option logs both blocked and allowed connections. All the log information is written to the file /var/log/system.log in Leopard and /var/log/kernel.log in Snow Leopard.

Changelog

Date Version What’s new
April 26, 2014 4.2 Solved an error related to connecting apps display.
April 12, 2014 4.0 Cryptographical hash filtering.
Optionally block incoming connections too.
Support for Mac OS 10.5 removed.
January 15, 2014 3.0 Support for Notification Center added.
Notifier resolves hostnames.
Added ignore list to notifier.
Preference Pane authorization timeout removed.
Block incoming connections too.
Improved filtering of UDP connections.
Filtering of specific addresses for each app.
Filtering of specific ports for each app.
Filtering for an IP address range or a port range.
Global rules.
Support for PowerPC removed.
Support for Mac OS 10.5 removed.
October 20, 2011 2.10 Filter UDP Protocol.
Report if apps are connecting over TCP or UDP.
Improved logging.
Incompatibility with nginx resolved.
September 25, 2011 2.9 Support for Growl notifications.
Option tcpblock -mt displays a timestamp when network activity occurs.
Improved detection of the process name an incoming connection connects to.
TCPBlock Kernel Module stability improvements.
December 8, 2010 2.8 Network Monitor shows incoming connections too.
Connecting Apps tab shows incoming network connections in light gray
and apps already included the Application List in dark gray.
Connecting Apps table automatically scrolls to the end of the list.
The configuration of the previous version is reused.
Minor GUI changes.
December 1, 2010 2.7 Support for 64-bit kernels added.
November 26, 2010 2.6 Initial setup simplified.
Set application to be blocked within few mouse clicks.
Connecting Apps tab shows live network activity.
November 13, 2010 2.5 Sort application list.
Edit the application name.
November 4, 2010 2.4 Public release.
Follow

Get every new post delivered to your Inbox.