TCPBlock

October 22, 2014: TCPBlock is for sale!

If you run a software business and want to include TCPBlock or its technology in your product portfolio then send your offer for the complete source code to tcpblock@delantis.com.

April 26, 2014: Download TCPBlock v4.2


Download the new 4.2 version. It runs on Mac OS X 10.6 or later. With TCPBlock 4.2 you get cryptographic hash filtering of network connections per application, a rather unique feature in the Mac firewall world that gives much stronger protection than filtering by file name alone. See the “Hash Check” section below.

Note that TCPBlock is not compatible with Yosemite.
In OS X 10.10 (Yosemite) Apple has introduced a new security requirement called kext signing (a kext is a kernel extension or driver): the kernel only loads extensions that carry a valid Apple-issued kext signature. This enforces security, but it is also a way for Apple to control which kernel extensions third party developers can release for OS X.
To continue to use TCPBlock you first need to disable the kext signing security setting. Be aware that this setting is system-wide: once it is off, any unsigned kernel extension can be loaded, not just TCPBlock’s, so you trade one protection for another.

Download TCPBlock v2.10 if you need support for Mac OS 10.5 or PowerPC.

About


TCPBlock is a lightweight and fast application firewall for Mac OS X 10.6 or later developed by delantis.com.
The built-in Mac OS X firewall protects you from connections that come from outside your computer. But what about software on your computer that opens new connections to the internet? With TCPBlock you can prevent selected applications on your computer from opening connections to the network.
TCPBlock is implemented as a loadable kernel module which contains all the blocking logic. You can configure it in the System Preferences TCPBlock preference pane or with the tcpblock command line utility. All the configuration changes are made persistent in a configuration file on the hard disk. At system boot time the TCPBlock kernel extension reads its configuration from disk and is ready to go.

How to use it

Application List

With TCPBlock you can filter an application’s access to particular IP addresses and ports, in addition to simply allowing or denying its network access altogether. It also supports filtering for an IP address range or a port range; for details see the advanced configuration section.
In System Preferences open the TCPBlock preference pane. You can choose to enable the firewall, to block all connections to the network and you can specify if your application list is a black list with items to disallow or a white list with items to allow connecting.
In the Application List tab use the + button to add new applications to the list. Use “Select Applications” from the + button menu to add applications or choose “New Item” and type the Unix command name of the application.
An Application List entry has the format name/address/port, where name means the application’s name, address can be an IPv4 or IPv6 address and port means the TCP or UDP port. You can use “*” to match any address or any port.

Connecting Apps
In the Connecting Apps tab you have a live view of the current network activity. It displays up to the last 100 network connections. To include connecting apps in your application list, select one or more items in the connecting apps table and click the “Insert name/*/* into App List” button. By checking the include address or port options you get a new application list item containing the particular address or port your app connects to.

“Insert name/*/* into App List” means: The new rule applies to the inserted app and every address or port it connects to.
“Insert name/*/port into App List” means: The new rule applies to the inserted app, every address and the specified port.
“Insert name/address/* into App List” means: The new rule applies to the inserted app, the specified address and every port.
“Insert name/address/port into App List” means: The new rule applies to the inserted app, the specified address and the specified port.
Note that the Mac OS X kernel keeps only the first 16 characters of a process’s command name, so TCPBlock compares just those 16 characters; anything beyond that limit is truncated. Two different commands whose names share the same first 16 characters are therefore indistinguishable to a name-only rule, which is one reason to enable the hash check described below.

Hash Check
If you enable the hash check function then a cryptographic hash is computed for each application binary and the connection filtering is done by the app’s name and its hash. This function is especially useful in TCPBlock’s whitelist mode: changing a single byte of the app’s binary leads to a different hash and the app’s network access is no longer permitted. This also means that if you upgrade an app you have to recompute its whitelisted hash: use the “Rehash” button to do this.
With hash checking enabled a malicious app cannot bypass TCPBlock by renaming itself to the name of a whitelisted application, because the hash of the malicious app differs from the whitelisted app’s hash. Note that only the executable file itself is hashed: libraries, plugins or scripts that a whitelisted executable loads or interprets are not covered by its hash.
If you enable hash checking then the new background process tcpblockd is started. tcpblockd uses the OS X kqueue facility (process event notifications) to be told by the kernel whenever a new process is created or a process dies. It asynchronously passes this information to the TCPBlock kernel extension, so the kernel never has to wait for tcpblockd. Nevertheless tcpblockd adds some load to your system because it has to read the executable file and calculate the hash for every process you start.
tcpblockd uses the SHA-1 algorithm to calculate the hash. It produces the same hash as the command line tool “shasum”, which is part of OS X and uses SHA-1 by default, so you can verify a whitelisted hash by running shasum on the binary. SHA-1 is no longer collision resistant, but pinning a whitelisted hash relies on second-preimage resistance (an attacker would have to build a different file with the same digest as a given binary), which SHA-1 still has in practice.
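The following is an added example, not tcpblockd’s code, that shows the name-plus-hash whitelist logic the section describes: the command name is truncated to the 16 characters the kernel keeps, the SHA-1 of the executable file is pinned the way shasum would print it, and a one-bit change or an impostor with the same name is rejected until the operator rehashes. The dictionary layout of the whitelist and the fake “binaries” written to a temporary directory are constructed for the example.

```python
"""
Hash-pinned application whitelist, modelled on the Hash Check description.
Added illustration only; not tcpblockd's code. The {name: sha1} whitelist
layout and the demo files are constructed for this example.
"""
import hashlib
import hmac
import os
import tempfile

MAXCOMLEN = 16   # the kernel keeps only the first 16 characters of a command name
CHUNK = 1 << 20


def sha1_of_file(path):
    """Same digest that `shasum` (SHA-1 by default) prints for the file."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def rehash(whitelist, comm, exe_path):
    """What the Rehash button does after an upgrade: pin the current binary's hash."""
    whitelist[comm[:MAXCOMLEN]] = sha1_of_file(exe_path)


def whitelist_allows(whitelist, comm, exe_path):
    """Name-and-hash check: the truncated name must be listed AND the file's SHA-1
    must equal the pinned one. A name-only check would stop after the first test."""
    pinned = whitelist.get(comm[:MAXCOMLEN])
    if pinned is None:
        return False
    return hmac.compare_digest(sha1_of_file(exe_path), pinned)


def known_vector_ok():
    """Sanity check against the standard SHA-1 test vector for the string 'abc'."""
    p = os.path.join(tempfile.mkdtemp(), "abc.bin")
    with open(p, "wb") as f:
        f.write(b"abc")
    return sha1_of_file(p) == "a9993e364706816aba3e25717850c26c9cd0d89d"


def demo():
    """Constructed scenario: the whitelisted app, a one-bit-patched copy, and an
    impostor that merely reuses the app's name. Files are fake, not real Mach-O."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "myApp")
    with open(good, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"pretend Mach-O body " * 64)
    patched = os.path.join(d, "myApp.upgraded")
    with open(good, "rb") as f:
        data = bytearray(f.read())
    data[40] ^= 0x01                       # flip a single bit
    with open(patched, "wb") as f:
        f.write(data)
    impostor = os.path.join(d, "myApp.impostor")
    with open(impostor, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"something else entirely")

    wl = {}
    rehash(wl, "myApp", good)
    out = {
        "original": whitelist_allows(wl, "myApp", good),
        "one_bit_changed": whitelist_allows(wl, "myApp", patched),
        "impostor_same_name": whitelist_allows(wl, "myApp", impostor),
        "name_only_would_pass": "myApp"[:MAXCOMLEN] in wl,
    }
    rehash(wl, "myApp", patched)           # operator clicks Rehash after the upgrade
    out["after_rehash"] = whitelist_allows(wl, "myApp", patched)
    out["old_binary_after_rehash"] = whitelist_allows(wl, "myApp", good)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-26s %s" % (k, "allow" if v else "deny"))
```

The name_only_would_pass entry is the point of the section: with only the command name in the list, the impostor and the patched copy are both let through; with the pinned hash, only the exact binary that was rehashed is.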

Advanced configuration

Use the command line client /usr/local/bin/tcpblock to configure TCPBlock or to monitor its activities (the Network Monitor).
tcpblock -h lists all the available options.
The TCPBlock configuration is stored in the file /etc/tcpblock.conf. If you edit this file then immediately execute tcpblock -c to load the changed configuration. This file is overwritten if you configure TCPBlock with the preference pane or the tcpblock utility.

Range filtering
TCPBlock supports rules for matching an IPv4 address range or a port range. IPv6 range filtering is not supported.
Specify a port range with minPort-maxPort, e.g. 443-445 matches ports 443,444 and 445.
Address matching is supported through octet range addressing with the format minOctet-maxOctet. Rather than specifying a normal IP address, you can specify a range for each octet. For example, 192.168.3-5.1 matches the three addresses 192.168.3.1, 192.168.4.1 and 192.168.5.1. An octet set to * is translated to the range 0-255, e.g. 192.168.3.* is translated to 192.168.3.0-255 and matches all IP addresses from 192.168.3.0 to 192.168.3.255.

The following are valid range rules:
myApp/*/80-443
myApp/10.11.12.*/80
myApp/10.11.*.42-242/2000-4000

You can add a range rule by editing a rule in TCPBlock’s Application List or from the command line with tcpblock -a.
Note that in the Application List or with tcpblock -g you see the original, unparsed rule string. Use tcpblock -G to check if your range rule is correctly parsed. tcpblock -G returns the range of each octet and the port range like it is recognized by TCPBlock’s parse logic.

Global rules
You can define a global rule by setting the application’s name to “*”. For example, if you have a trusted network like 192.168.42.0/24 you can whitelist it with the rule */192.168.42.*/*. In this way any app can connect to any IP address and any port in your trusted network. In whitelist mode a global rule is deliberately broad: every process on the machine, including one you never meant to allow, can reach that network.
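The following added example, not TCPBlock’s own parser or kernel code, implements the rule syntax described in the Application List, Range filtering and Global rules sections: name/address/port with “*” wildcards, per-octet IPv4 ranges, port ranges, an exact IPv6 literal (the page says IPv6 ranges are unsupported), the global “*” name, and the 16-character command name comparison. It also prints the parsed ranges in the spirit of tcpblock -G (that tool’s exact output format is not known from the page and is assumed here). The matching order inside the kext and the sample rules and connections are assumptions made for the example.

```python
"""
Rule matcher modelled on TCPBlock's documented name/address/port rule syntax.
Added illustration only; not TCPBlock's parser or kernel code.
"""
import ipaddress

# The kernel stores only the first 16 characters of a process's command name,
# which is why TCPBlock compares just that prefix.
MAXCOMLEN = 16


def _parse_range(spec, lo_limit, hi_limit):
    """'n' -> (n, n); 'lo-hi' -> (lo, hi); '*' -> (lo_limit, hi_limit)."""
    if spec == "*":
        return (lo_limit, hi_limit)
    lo_s, dash, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if dash else lo
    if not lo_limit <= lo <= hi <= hi_limit:
        raise ValueError("range %r outside %d-%d" % (spec, lo_limit, hi_limit))
    return (lo, hi)


def parse_address(spec):
    """'*' -> ('any',); IPv4 with per-octet ranges -> ('v4', [(lo, hi)] * 4);
    an IPv6 literal -> ('v6', address). IPv6 ranges are not supported."""
    if spec == "*":
        return ("any",)
    if ":" in spec:
        return ("v6", ipaddress.IPv6Address(spec))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("bad IPv4 address spec %r" % spec)
    return ("v4", [_parse_range(o, 0, 255) for o in octets])


def parse_rule(rule):
    """Split 'name/address/port' and parse the two range fields."""
    name, address, port = rule.split("/")
    return {"raw": rule, "name": name,
            "address": parse_address(address),
            "port": _parse_range(port, 0, 65535)}


def explain(rule):
    """Show how a rule was parsed (output format assumed, in the spirit of tcpblock -G)."""
    kind = rule["address"][0]
    if kind == "any":
        addr = "any address"
    elif kind == "v6":
        addr = str(rule["address"][1])
    else:
        addr = ".".join("%d-%d" % r for r in rule["address"][1])
    return "%s: app %s, address %s, ports %d-%d" % (
        rule["raw"], rule["name"], addr, rule["port"][0], rule["port"][1])


def rule_matches(rule, comm, ip, port):
    """True if the rule covers this (command name, destination IP, port)."""
    if rule["name"] != "*" and rule["name"][:MAXCOMLEN] != comm[:MAXCOMLEN]:
        return False
    if not rule["port"][0] <= port <= rule["port"][1]:
        return False
    kind = rule["address"][0]
    if kind == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if kind == "v6":
        return addr == rule["address"][1]
    if addr.version != 4:
        return False
    return all(lo <= int(o) <= hi
               for o, (lo, hi) in zip(ip.split("."), rule["address"][1]))


def decide(rules, mode, comm, ip, port):
    """Blacklist: a matching rule denies. Whitelist: only a matching rule allows."""
    hit = any(rule_matches(r, comm, ip, port) for r in rules)
    if mode == "blacklist":
        return "deny" if hit else "allow"
    if mode == "whitelist":
        return "allow" if hit else "deny"
    raise ValueError("mode must be 'blacklist' or 'whitelist'")


if __name__ == "__main__":
    # Constructed rules and connections for the demonstration.
    rules = [parse_rule(r) for r in
             ("*/192.168.42.*/*", "myApp/10.11.*.42-242/2000-4000", "curl/*/80-443")]
    for r in rules:
        print(explain(r))
    for comm, ip, port in (("curl", "192.168.42.7", 22), ("curl", "93.184.216.34", 443),
                           ("myApp", "10.11.200.100", 3000), ("myApp", "10.11.200.1", 3000)):
        print(comm, ip, port, "->", decide(rules, "whitelist", comm, ip, port))
```

Two things worth trying with it: a name of more than 16 characters in a rule matches any command sharing that prefix (rule_matches with “MyVeryLongApplicationName” and a process called “MyVeryLongApplicationOther” returns True), which is the truncation caveat from the Connecting Apps section in action; and in whitelist mode the global rule lets an unlisted command such as ssh reach the trusted network while the same command is denied everywhere else.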

Support for Notification Center

In OS X Mountain Lion or later TCPBlock uses the Notification Center instead of Growl notifications. In the TCPBlock Preference Pane you can enable the TCPBlockNotify login item. Click a notification to add or remove the affected app from the Application List.
Authorized means: The notifier is authorized to modify your app list, which is a privileged operation. Therefore it asks you for credentials. It will stay authorized until you uncheck it. If you click a TCPBlock notification in the Notification Center the notifier asks you if you want to add or remove the affected app from your Application List.
The notifier ignores range and global rules.

Support for Growl notifications

Install Growl on your computer if you do not already have it. TCPBlock will not install Growl for you.
In the TCPBlock Preference Pane enable the sending of Growl notifications. This registers three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. By default only the “Block outcon” notification is displayed. If you want to see the other types of notifications you have to open the Growl Preference Pane and configure the notification display options for the TCPBlock application there.
If more than one notification of the same type is sent at the same time they are coalesced into a single notification to avoid flooding your display with too many messages. Note that not all Growl display plugins support coalescing.

Logging

You can set the TCPBlock log level with a slider in the preference pane.
Your options are: No logging at all, log only the blocked connections and log all connections. The last option logs both blocked and allowed connections. All the log information is written to the file /var/log/system.log in Leopard and /var/log/kernel.log in Snow Leopard.

Donate

TCPBlock is donationware.
If you use it please consider supporting its maintenance with a donation to delantis.com.
Donate $10 via PayPal to tcpblock@delantis.com.
Thank you for supporting TCPBlock!

Changelog


October 20, 2011

TCPBlock v2.10 is released. What’s new:

Filter UDP Protocol
In addition to the TCP protocol, TCPBlock now filters and blocks the UDP protocol. UDP provides a minimal, unreliable, best-effort, message-passing transport to applications and upper-layer protocols. As is well known from the Windows world, many trojans use UDP to communicate. With TCPBlock you can filter the two most widely used internet communication protocols.
For blacklist users no configuration changes are required. If you are using a TCPBlock whitelist then you may wish to include in the list some basic system services like NTP or DNS, which are using UDP.

Report if apps are connecting over TCP or UDP
In the Connecting Apps tab and in the TCPBlock Network Monitor you can see which communication protocol is used.

Improved logging
A slider in the preference pane selects between no logging, logging only blocked connections, and logging all connections; see the Logging section above for details and the log file locations.

Incompatibility with nginx resolved
An incompatibility which causes your Mac to crash if the nginx web server is used together with TCPBlock is resolved.


September 25, 2011

TCPBlock v2.9 is released. Here you have a summary of the new features:

Support for Growl notifications
TCPBlock can send “Block outcon”, “Allow outcon” and “Allow incon” notifications through Growl; setup and the coalescing behaviour are described in the Growl section above.
The notifications give you a quick overview of the current network activity of your Mac.

Option tcpblock -mt displays a timestamp when network activity occurs
You can let the command line network monitor run unattended overnight and write all network activity into a log file. With the timestamp you can see when each connection happened.

Improved detection of the process name an incoming connection connects to
TCPBlock now maintains a list of all programs on your Mac as soon as they listen for incoming connections. If an incoming connection is made then TCPBlock looks in its list for the program serving the new connection and displays its name. You can configure TCPBlock to notify you about incoming connections.

TCPBlock Kernel Module stability improvements
Kernel programming is an immense responsibility. You must be exceptionally careful to ensure that your code does not cause the system to crash, does not provide any unauthorized user access to someone else’s files or memory, does not introduce remote or local root exploits, and does not cause inadvertent data loss or corruption. The TCPBlock kernel code has been carefully reviewed and improved.


Version history (date, version, what’s new):

April 26, 2014, v4.2
  Solved an error related to connecting apps display.
April 12, 2014, v4.0
  Cryptographic hash filtering.
  Optionally block incoming connections too.
  Support for Mac OS 10.5 removed.
January 15, 2014, v3.0
  Support for Notification Center added.
  Notifier resolves hostnames.
  Added ignore list to notifier.
  Preference Pane authorization timeout removed.
  Block incoming connections too.
  Improved filtering of UDP connections.
  Filtering of specific addresses for each app.
  Filtering of specific ports for each app.
  Filtering for an IP address range or a port range.
  Global rules.
  Support for PowerPC removed.
  Support for Mac OS 10.5 removed.
October 20, 2011, v2.10
  Filter UDP protocol.
  Report if apps are connecting over TCP or UDP.
  Improved logging.
  Incompatibility with nginx resolved.
September 25, 2011, v2.9
  Support for Growl notifications.
  Option tcpblock -mt displays a timestamp when network activity occurs.
  Improved detection of the process name an incoming connection connects to.
  TCPBlock kernel module stability improvements.
December 8, 2010, v2.8
  Network Monitor shows incoming connections too.
  Connecting Apps tab shows incoming network connections in light gray and apps already included in the Application List in dark gray.
  Connecting Apps table automatically scrolls to the end of the list.
  The configuration of the previous version is reused.
  Minor GUI changes.
December 1, 2010, v2.7
  Support for 64-bit kernels added.
November 26, 2010, v2.6
  Initial setup simplified.
  Set an application to be blocked with a few mouse clicks.
  Connecting Apps tab shows live network activity.
November 13, 2010, v2.5
  Sort application list.
  Edit the application name.
November 4, 2010, v2.4
  Public release.