TCPBlock

April 26, 2014: Download TCPBlock v4.2


Download the new 4.2 version. It runs on Mac OS X 10.6 or later. With TCPBlock 4.2 you get cryptographic hash-based connection filtering for applications, a rather unique feature among Mac firewalls that gives much stronger protection than filtering on the file name alone. See the “Hash Check” section below.

Download TCPBlock v2.10 if you need support for Mac OS 10.5 or PowerPC.

TCPBlock needs your help to survive. Support its development with your donation.

About


TCPBlock is a lightweight and fast application firewall for Mac OS X 10.6 or later developed by delantis.com.
The Mac OS X firewall protects you from connections that come from outside your computer. But what about software on your computer that opens new connections to the internet? With TCPBlock you can prevent selected applications on your computer from opening connections to the network.
TCPBlock is implemented as a loadable kernel module that contains all the blocking logic. You configure it in the TCPBlock preference pane in System Preferences or with the tcpblock command line utility. All configuration changes are persisted to a configuration file on disk. At boot time the TCPBlock kernel extension reads its configuration from disk and is ready to go.

How to use it

Application List

With TCPBlock you can filter an application's access to particular IP addresses and ports, in addition to simply allowing or denying its network access altogether. It also supports filtering for an IP address range or a port range; for details see the advanced configuration section.
In System Preferences open the TCPBlock preference pane. You can choose to enable the firewall, to block all connections to the network, and whether your application list is a black list of items to disallow or a white list of items to allow.
In the Application List tab use the + button to add new applications to the list. Use “Select Applications” from the + button menu to add applications or choose “New Item” and type the Unix command name of the application.
An Application List entry has the format name/address/port, where name means the application’s name, address can be an IPv4 or IPv6 address and port means the TCP or UDP port. You can use “*” to match any address or any port.

Connecting Apps
In the Connecting Apps tab you have a live view of the current network activity. It displays up to the last 100 network connections. To include connecting apps in your application list, select one or more items in the connecting apps table and click the “Insert name/*/* into App List” button. By checking the include address or port options you get a new application list item containing the particular address or port your app connects to.

“Insert name/*/* into App List” means: The new rule applies to the inserted app and every address or port it connects to.
“Insert name/*/port into App List” means: The new rule applies to the inserted app, every address and the specified port.
“Insert name/address/* into App List” means: The new rule applies to the inserted app, the specified address and every port.
“Insert name/address/port into App List” means: The new rule applies to the inserted app, the specified address and the specified port.
Note that, because the Mac OS X kernel keeps only a short command name for each process, only the first 16 characters of the command name are used for name comparisons; anything beyond this limit is truncated. The comparison is made on the command name, not on the full path, so two executables whose command names share the same first 16 characters are indistinguishable by name alone. This is the gap the hash check below closes.

Hash Check
If you enable the hash check function, a cryptographic hash of each application binary is computed and connection filtering is done on the app's name and its hash. This is especially useful in TCPBlock's whitelist mode: changing a single byte of the app's binary leads to a different hash, and the app's network access is no longer permitted. This also means that when you upgrade an app you have to recompute its whitelisted hash: use the “Rehash” button to do this.
With hash checking enabled a malicious app cannot bypass TCPBlock by renaming itself to the name of a whitelisted application, because the hash of the malicious app differs from the whitelisted app's hash.
If you enable hash checking, the new background process tcpblockd is started. tcpblockd uses the OS X kqueue facility to be notified by the kernel whenever a process is created or exits. It passes this information asynchronously to the TCPBlock kernel extension, so the kernel never has to wait for tcpblockd. Nevertheless tcpblockd adds some load to your system, because it has to read the executable file and calculate the cryptographic hash for every process you start.
tcpblockd uses the SHA-1 algorithm to calculate the hash. It produces the same digest as the command line tool shasum that ships with OS X, so you can check a stored hash by hand with shasum.
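The whitelist-with-hash decision described above, modelled in Python as an added example. This is my own illustration, not tcpblockd's or the kernel extension's code, and it assumes only what the page states: the hash is SHA-1 over the executable file (the same digest shasum prints), the whitelist pairs a command name with that hash, and the “Rehash” step replaces the stored hash after an upgrade. The stand-in “binaries” are constructed byte strings, not real Mach-O files, and the function names are mine.

```python
import hashlib
import hmac


def sha1_hex(data):
    """Hex SHA-1 of a byte string. For a file's contents this is exactly the
    digest that `shasum <file>` prints, which is what the page says tcpblockd
    computes."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    """Stream an executable through SHA-1 in 1 MiB chunks instead of reading
    it into memory at once; tcpblockd has to do this for every new process."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_check_allowed(whitelist, command_name, executable_bytes):
    """Whitelist-mode decision with hash checking on: the command name must be
    listed AND the executable's SHA-1 must equal the stored one. A binary that
    merely renames itself to a whitelisted name therefore still fails."""
    expected = whitelist.get(command_name)
    if expected is None:
        return False
    # constant-time compare; both sides are ASCII hex strings
    return hmac.compare_digest(expected, sha1_hex(executable_bytes))


def rehash(whitelist, command_name, executable_bytes):
    """What the “Rehash” button does after an upgrade: replace the stored hash
    with the hash of the binary that is on disk now."""
    whitelist[command_name] = sha1_hex(executable_bytes)


def demo():
    """Constructed stand-in binaries (assumption: not real executables):
    a trusted 'curl' build and a one-byte-different copy renamed to 'curl'."""
    trusted = b"\xcf\xfa\xed\xfe" + b"trusted curl build 1" * 8
    evil = trusted[:-1] + bytes([trusted[-1] ^ 0x01])   # single byte flipped
    whitelist = {"curl": sha1_hex(trusted)}

    before = hash_check_allowed(whitelist, "curl", trusted)   # True
    renamed = hash_check_allowed(whitelist, "curl", evil)     # False: hash differs
    unknown = hash_check_allowed(whitelist, "wget", trusted)  # False: name not listed

    upgraded = trusted + b" v2"                               # an upgrade changes the bytes too
    stale = hash_check_allowed(whitelist, "curl", upgraded)   # False until the operator rehashes
    rehash(whitelist, "curl", upgraded)
    after = hash_check_allowed(whitelist, "curl", upgraded)   # True
    return before, renamed, unknown, stale, after


if __name__ == "__main__":
    print(demo())
```

Two practical notes follow from the page's description. The digest covers the executable file that tcpblockd reads when the process starts, so code an app pulls in from other files at run time (frameworks, plug-ins, scripts) is not part of what is pinned; the hash identifies the main binary only. And because every upgrade changes the bytes, a whitelist with hash checking will silently block an app after an update until you press Rehash, which is the `stale` case above.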

Advanced configuration

Use the command line client /usr/local/bin/tcpblock to configure TCPBlock or to monitor its activity (the Network Monitor, tcpblock -m).
tcpblock -h lists all the available options.
The TCPBlock configuration is stored in the file /etc/tcpblock.conf. If you edit this file, execute tcpblock -c immediately afterwards to load the changed configuration. This file is overwritten whenever you configure TCPBlock with the preference pane or the tcpblock utility.

Range filtering
TCPBlock supports rules for matching an IPv4 address range or a port range. IPv6 range filtering is not supported.
Specify a port range with minPort-maxPort, e.g. 443-445 matches ports 443,444 and 445.
Address matching is supported through octet range addressing with the format minOctet-maxOctet. Rather than specifying a normal IP address, you can specify a range for each octet. For example, 192.168.3-5.1 will match the three addresses 192.168.3.1, 192.168.4.1 and 192.168.5.1. An octet set to * is translated to the range 0-255, e.g. 192.168.3.* is translated to 192.168.3.0-255 and matches all IP addresses from 192.168.3.0 to 192.168.3.255.

The following are valid range rules:
myApp/*/80-443
myApp/10.11.12.*/80
myApp/10.11.*.42-242/2000-4000

You can add a range rule by editing a rule in TCPBlock’s Application List or from the command line with tcpblock -a.
Note that in the Application List or with tcpblock -g you see the original, unparsed rule string. Use tcpblock -G to check that your range rule is parsed correctly: it returns the range of each octet and the port range as recognized by TCPBlock's parser.

Global rules
You can define a global rule by setting the application's name to “*”. For example, if you have a trusted network such as 192.168.42.0/24, you can whitelist it with the rule */192.168.42.*/*. Any app can then connect to any IP address and any port in your trusted network.
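The rule syntax from the Application List, range filtering and global rules sections above, modelled in Python as an added example. This is my own model, not the kernel extension's parser (which the page does not show), and it assumes exactly the semantics stated on this page: rules are name/address/port, “*” matches anything, a port may be a min-max range, each IPv4 octet may be a min-max range, a name of “*” makes the rule global, IPv6 addresses match literally only, process names are compared on their first 16 characters, and in whitelist mode a connection is allowed only if some rule matches while in blacklist mode it is denied if some rule matches. The function names and the example peers are mine.

```python
"""Model of TCPBlock's name/address/port rules (added example, not TCPBlock code)."""

MAXCOMLEN = 16  # the 16-character command-name limit the page describes


def _range(spec, upper):
    """'*' -> (0, upper); 'n' -> (n, n); 'a-b' -> (a, b); rejects bad bounds."""
    if spec == "*":
        return (0, upper)
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= upper:
        raise ValueError("bad range %r" % spec)
    return (lo, hi)


def parse_port(spec):
    """'443-445' -> (443, 445); '80' -> (80, 80); '*' -> (0, 65535)."""
    return _range(spec, 65535)


def parse_address(spec):
    """'*' -> ('any', None); dotted IPv4 with per-octet ranges -> ('v4', [4 ranges]);
    anything else, e.g. an IPv6 literal (no ranges supported) -> ('literal', spec)."""
    if spec == "*":
        return ("any", None)
    parts = spec.split(".")
    if len(parts) != 4 or ":" in spec:
        return ("literal", spec)
    return ("v4", [_range(p, 255) for p in parts])


def parse_rule(rule):
    """Parse 'name/address/port'. The name is truncated like the kernel's
    command name, so a long rule name matches on its first 16 characters."""
    name, addr, port = rule.split("/")
    return {"name": name[:MAXCOMLEN],
            "addr": parse_address(addr),
            "port": parse_port(port)}


def rule_matches(rule, command_name, ip, port):
    if rule["name"] != "*" and rule["name"] != command_name[:MAXCOMLEN]:
        return False
    lo, hi = rule["port"]
    if not lo <= port <= hi:
        return False
    kind, spec = rule["addr"]
    if kind == "any":
        return True
    if kind == "literal":
        return ip == spec
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False  # a v4 range rule never matches a non-v4 peer
    return all(lo <= int(o) <= hi for o, (lo, hi) in zip(octets, spec))


def decide(rules, mode, command_name, ip, port, block_all=False):
    """mode is 'whitelist' or 'blacklist' as in the preference pane;
    block_all mirrors the 'block all connections' checkbox."""
    if block_all:
        return False
    hit = any(rule_matches(r, command_name, ip, port) for r in rules)
    return hit if mode == "whitelist" else not hit


# The page's own example rules plus its global-rule example.
EXAMPLE_RULES = [parse_rule(r) for r in (
    "myApp/*/80-443",
    "myApp/10.11.12.*/80",
    "myApp/10.11.*.42-242/2000-4000",
    "*/192.168.42.*/*",
)]

if __name__ == "__main__":
    # constructed peers (assumption: illustrative only)
    for who in (("myApp", "8.8.8.8", 443), ("myApp", "10.11.200.243", 3000),
                ("curl", "192.168.42.7", 22), ("curl", "192.168.43.7", 22)):
        verdict = "allowed" if decide(EXAMPLE_RULES, "whitelist", *who) else "blocked"
        print(who, verdict)
```

The truncation case is the one to keep in mind when reviewing a whitelist: `parse_rule("AVeryLongCommandNameApp/*/*")` matches any process whose command name begins with AVeryLongCommand, which is why the page's hash check exists. A rule written for 10.11.*.42-242 also matches 10.11.0.42 and 10.11.255.242, so check the parsed octet ranges (tcpblock -G on the real tool) rather than the rule string.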

Support for Notification Center

In OS X Mountain Lion or later TCPBlock uses Notification Center instead of Growl notifications. In the TCPBlock preference pane you can enable the TCPBlockNotify login item. Click a notification to add or remove the affected app from the Application List.
Authorized means that the notifier is authorized to modify your app list, which is a privileged operation, so enabling it asks you for credentials. It stays authorized until you uncheck it. When you click a TCPBlock notification in Notification Center, the notifier asks whether you want to add or remove the affected app from your Application List.
The notifier ignores range and global rules.

Support for Growl notifications

Install Growl on your computer if you do not already have it. TCPBlock will not install Growl for you.
In the TCPBlock preference pane enable the sending of Growl notifications. This registers three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. By default only the “Block outcon” notification is displayed. If you want to see the other types, open the Growl preference pane and configure the notification display options for the TCPBlock application there.
If more than one notification of the same type is sent at the same time, they are coalesced into a single notification to avoid flooding your display with too many messages. Note that not all Growl display plugins support coalescing.

Logging

You can set the TCPBlock log level with a slider in the preference pane.
Your options are: no logging at all, log only blocked connections, and log all connections. The last option logs both blocked and allowed connections. All log information is written to /var/log/system.log on Leopard and /var/log/kernel.log on Snow Leopard.

Donate

TCPBlock is donationware.
If you use it please consider supporting its maintenance with a donation to delantis.com.
Donate $10 via PayPal to tcpblock@delantis.com.
Thank you for supporting TCPBlock!

Changelog


October 20, 2011

TCPBlock v2.10 is released. What’s new:

Filter UDP Protocol
In addition to TCP, TCPBlock now filters and blocks UDP. UDP provides a minimal, unreliable, best-effort, message-passing transport to applications and upper-layer protocols. As is well known from the Windows world, many trojans use UDP to communicate. With TCPBlock you can filter the two most widely used internet communication protocols.
For blacklist users no configuration changes are required. If you use a TCPBlock whitelist, you may wish to add some basic system services that use UDP, such as NTP or DNS, to the list.

Report if apps are connecting over TCP or UDP
In the Connecting Apps tab and in the TCPBlock Network Monitor you can see which communication protocol is used.

Improved logging
You can set the TCPBlock log level with a slider in the preference pane. Your options are: no logging at all, log only blocked connections, and log all connections. The last option logs both blocked and allowed connections. All log information is written to /var/log/system.log on Leopard and /var/log/kernel.log on Snow Leopard.

Incompatibility with nginx resolved
An incompatibility which causes your Mac to crash if the nginx web server is used together with TCPBlock is resolved.


September 25, 2011

TCPBlock v2.9 is released. Here you have a summary of the new features:

Support for Growl notifications
Install Growl on your computer if you do not already have it. TCPBlock will not install Growl for you.
In the TCPBlock preference pane enable the sending of Growl notifications. This registers three types of notifications with Growl: “Block outcon”, “Allow outcon” and “Allow incon”. By default only the “Block outcon” notification is displayed. If you want to see the other types, open the Growl preference pane and configure the notification display options for the TCPBlock application there.
If more than one notification of the same type is sent at the same time, they are coalesced into a single notification to avoid flooding your display with too many messages. Note that not all Growl display plugins support coalescing.
The notifications will give you a quick overview of the current network activity of your Mac.

Option tcpblock -mt displays a timestamp when network activity occurs
You can let the command line network monitor run unattended overnight and write all network activity to a log file. With the timestamp you can see when each connection happened.

Improved detection of the process name an incoming connection connects to
TCPBlock now maintains a list of all programs on your Mac that are listening for incoming connections. When an incoming connection is made, TCPBlock looks up the program serving the new connection in its list and displays its name. You can configure TCPBlock to notify you about incoming connections.

TCPBlock Kernel Module stability improvements
Kernel programming is an immense responsibility. You must be exceptionally careful to ensure that your code does not cause the system to crash, does not provide any unauthorized user access to someone else’s files or memory, does not introduce remote or local root exploits, and does not cause inadvertent data loss or corruption. The TCPBlock kernel code has been carefully reviewed and improved.


Date                Version  What's new
April 26, 2014      4.2      Solved an error related to the Connecting Apps display.
April 12, 2014      4.0      Cryptographic hash filtering.
                             Optionally block incoming connections too.
                             Support for Mac OS 10.5 removed.
January 15, 2014    3.0      Support for Notification Center added.
                             Notifier resolves hostnames.
                             Added ignore list to notifier.
                             Preference Pane authorization timeout removed.
                             Block incoming connections too.
                             Improved filtering of UDP connections.
                             Filtering of specific addresses for each app.
                             Filtering of specific ports for each app.
                             Filtering for an IP address range or a port range.
                             Global rules.
                             Support for PowerPC removed.
                             Support for Mac OS 10.5 removed.
October 20, 2011    2.10     Filter UDP protocol.
                             Report if apps are connecting over TCP or UDP.
                             Improved logging.
                             Incompatibility with nginx resolved.
September 25, 2011  2.9      Support for Growl notifications.
                             Option tcpblock -mt displays a timestamp when network activity occurs.
                             Improved detection of the process name an incoming connection connects to.
                             TCPBlock Kernel Module stability improvements.
December 8, 2010    2.8      Network Monitor shows incoming connections too.
                             Connecting Apps tab shows incoming network connections in light gray
                             and apps already included in the Application List in dark gray.
                             Connecting Apps table automatically scrolls to the end of the list.
                             The configuration of the previous version is reused.
                             Minor GUI changes.
December 1, 2010    2.7      Support for 64-bit kernels added.
November 26, 2010   2.6      Initial setup simplified.
                             Set an application to be blocked within a few mouse clicks.
                             Connecting Apps tab shows live network activity.
November 13, 2010   2.5      Sort application list.
                             Edit the application name.
November 4, 2010    2.4      Public release.

About Jo Delantis
Jo Delantis is the developer of TCPBlock.

188 Responses to TCPBlock

  1. Puk Puzzoli says:

    Is this compatible with Lion?

    • Jo Delantis says:

      I have never tested it with Lion. It should be compatible. I would appreciate it a lot if somebody can test it with Lion and write me the results.
      RoaringApps says it works fine.

      • neugierig14109 says:

        TCPBlock runs flawlessly in Mac OS X Lion.
        Install, restart, add the application in Lion's System Preferences (TCPBlock).
        Simple, efficient – an excellent alternative to LittleSnitch!

        Thank you very much!

  2. Lionuser says:

    I have Lion, and it seems to work fine. At least so far

  3. JeePee says:

    I tested it on two machines with Lion, works great! Thanks a lot!!

  4. The][nquisitoR says:

    Every time I restart my computer (not including the restart after installation) I get the following error message:
    “Connection to the TCPBlock Kernel Extension failed! Please reinstall the TCPBlock.pkg to make shure you get not only this Preference Pane but also the required components.”

    And every time I reinstall from the .pkg and every time this error returns =/ It’s a shame because it’s GREAT.

    I’m running OS X 10.7.1 on a MacBook Pro 15″, dual-booted (via bootcamp) with Windows 7. Any idea what’s going on?

    • Jo Delantis says:

      You get this error because the TCPBlock Preference Pane can not communicate with its kernel extension, most likely because the kernel extension is not loaded.
      You can check with the command line client if the communication with the kernel extension works by opening a Terminal and type: /usr/local/bin/tcpblock -s
      By typing “kextstat” in a Terminal you get the list of all loaded kernel extensions. Look if the extension com.delantis.kext.tcpblocknke is in the list.
      You can open the file /var/log/kernel.log and search for tcpblocknke related error messages.

      • The][nquisitoR says:

        The kernel wasn’t there. So I’m wondering why it wouldn’t be there if it works when I first install it. Any ideas? As I said, it works the first time after installation, but when I restart the computer again, it stops working.

      • Jo Delantis says:

        If after the first reboot TCPBlock works and after the second it does not, then maybe something on your system is changing the required TCPBlock start files.

        You can start the kernel extension manually with the command:
        osx:~> sudo /usr/local/bin/tcpblocknke

      • skzskz says:

        Hi!

        I’ve got the same problem. I can manage to get it back on working via terminal with
        sudo /usr/local/bin/tcpblocknke
        but then after I restart the machine it stops again.
        Any idea how to fix this?
        Many thanks!

      • Mike Umland says:

        I tried to install V3.0 on OS X 10.5 but I get the following error message:
        “Connection to the TCPBlock Kernel Extension failed! Please reinstall the TCPBlock.pkg to make shure you get not only this Preference Pane but also the required components.”

        When I try to start the extension manually with
        sudo /usr/local/bin/tcpblocknke

        an error message occurs.

        Is V3.0 still running on OS X 10.5?

      • Jo Delantis says:

        It’s compiled to work on 10.5 but I don’t have a Leopard system to test it.
        Could anyone confirm that it works on 10.5?
        What error message do you get at the manual start attempt?

      • Mike Umland says:

        The error message is as follows:

        kld(): Undefined symbols:
        _lck_mtx_unlock_darwin10
        kextload: kld_load_from_memory() failed for module /System/Library/Extensions/tcpblocknke.kext/Contents/MacOS/tcpblocknke
        kextload: a link/load error occured for kernel extension

      • Jo Delantis says:

        I will try to solve this bug in the next version.

      • Jo Delantis says:

        Sorry, I can not solve this bug. Just compiling the source code with backwards compatibility is not enough for kernel extensions to solve it. I would have to setup a Leopard system and compile the code with the Leopard development tools in order to create a separate Leopard version. As I do not have the resources for this I unfortunately have to drop Mac OS 10.5 support.

  5. Julian says:

    Thankyouthankyouthankyou. I restarted the kernel extension manually and it did the trick. Not sure if it will keep it working, but in future I’ll just run that command (which is easier than re-installing it each time >_>)

    This problem hasn’t lessened my love for this software, though, because it’s so simple to use, yet it’s 100% effective for what I need it for ^_^

  6. Simon says:

    I am using tcpblock (white list) with Snow Leopard 10.6.8 so should I disable the Mac OS X firewall or do they work well together ?

    • Jo Delantis says:

      You should not disable the Mac OS X firewall. They work together. What is really important from a security point of view is to monitor and block incoming connections. This is done very reliably by the Mac OS X firewall.
      If you are interested in what programs are phoning home in the background you need an outbound firewall like TCPBlock. With TCPBlock you can deny outgoing connections of selected apps.

      • mike says:

        Can I use this with LS and something like NoobProof (eg. another ipfw application) simultaneously Jo? Or do I need to disable one or both of these to get the best out of TCP Block (yes I tend to err on the side of “more is better” when it comes to net security:) Thanks, M

      • Jo Delantis says:

        You can use it together with these programs. TCPBlock does not prevent you from using other security tools. Use their features as you need to satisfy your security requirements.

  7. JEAN CLAUDE MOULIN says:

    Hello,
    How are updates performed?
    Thank you for your application

  8. AlexS says:

    Hi Jo,
    I've downloaded TCPBlock and it's perfect for me!
    One thing however is not working: I click on ‘Enable Growl Notifications’ and an error message comes up: ‘The operation could not be completed. Permission Denied’.
    I then click OK, then deselect ‘Enable Growl Notifications’. A different error message pops up: ‘launchctl failed to unload /Users/alex/Library/LaunchAgents/com.delantis.tcpblock.plist with status 1’
    I checked in the Library and the folder mentioned above, and there is no file ‘com.delantis.tcpblock.plist’
    I have deinstalled and reinstalled twice, with no difference. Any ideas or advice on what’s happening and what to do would be great, thanks!

    • Jo Delantis says:

      When you click ‘Enable Growl Notifications’ then the file /Library/PreferencePanes/TCPBlock.prefPane/Contents/Resources/com.delantis.tcpblock.plist is copied into your home directory to /Users/alex/Library/LaunchAgents/com.delantis.tcpblock.plist. This copy fails on your computer either because the source file can not be read or the destination file can not be written.

      • AlexS says:

        Okay, thanks for the quick reply! I went to the first folder and copied the file to the second file, so it works now! Thanks a lot!

  9. Ben says:

    TCPBlock (2.9) doesn’t play nice with nginx (1.0.7); starting nginx while TCPBlock is running invariably leads to a kernel panic. I’ve dug into the system logs, but I couldn’t tell what the culprit is, exactly.

    I updated both TCPBlock and nginx on the same day, so I’m not entirely certain which one’s to blame, but I think TCPBlock is more likely.

  10. Neon says:

    Hi,
    I'm using TCPBlock (2.9) on Lion. It won't growl. I installed Growl and enabled the Growl notification, but TCPBlock is not listed in the Growl Preferences -> Applications. What can I do?

    • Jo Delantis says:

      Generate some network activity, by starting your browser and surfing the web. When TCPBlock sees the network activity it will register with Growl and will get listed in the Growl preference pane.

      • Neon says:

        Nope, I have tried blocking apps, I have tried allowing apps, using either block or whitelisting them. I can see the activity in the “Connecting Apps” window and nothing happens. Growl keeps quiet. Other apps can growl. Any ideas?

      • Jo Delantis says:

        Which Growl version do you use? Do you see in the Console.app some TCPBlock or Growl related messages?

    • No Notifications On Growl 1.2.2 On Lion? says:

      I have the same problem on Lion with Growl 1.2.2. TCPBlock 2.10 won’t appear in Growl’s preferences.

      • Stan Lee says:

        I had the same problem and it was caused by an incorrect permission on the folder containing the tcpblock executable. I ran “sudo chmod 0755 /usr/local/bin” in the shell and after that growl notifications started working (Growl 1.2.2 / TCPBlock 2.10 on Lion). Hope that helps.

  11. Neon says:

    Hi,

    I use Growl 1.3, freshly downloaded from the App Store. The system.log is full of the following. I marked one line that may be of interest:

    Oct 8 06:57:02 USERS-MAC com.apple.launchd.peruser.501[239] (com.delantis.tcpblock): Throttling respawn: Will start in 10 seconds
    Oct 8 06:58:42 USERS-MAC com.apple.launchd.peruser.501[239] (com.delantis.tcpblock[6601]): posix_spawn(“/usr/local/bin/tcpblock”, …): No such file or directory
    Oct 8 06:58:42 USERS-MAC com.apple.launchd.peruser.501[239] (com.delantis.tcpblock[6601]): Exited with code: 1

    But blocking seems to be working just fine. Just no growl.

    • Jo Delantis says:

      /usr/local/bin/tcpblock is a part of TCPBlock and required for sending the Growl notifications. Please check whether the file is on your Mac. If not, reinstall the TCPBlock_v2.9.pkg. If so, check whether you can access the file and whether the file is a Unix executable file.

  12. Neon says:

    no, no new errors just no growling

    • Jo Delantis says:

      I have heard rumors that some apps have trouble to send notifications with Growl 1.3. As I don’t use Lion I can not test it. The notifications should work if you downgrade to Growl 1.2.2 which is running on Lion. I would be grateful if you can test whether you get notifications with the downgraded Growl version.

  13. Heather K says:

    Jo,
    I just wanted to say thank you for this brilliant app. Its just perfect. So simple and intuitive to use. Keep up the great work !!! Thank you

  14. ***warning***

    Seems to mess really bad with vmware fusion (newest version on lion). I had hard freezes when starting vmware only until I uninstalled TCPBlock 2.9 completely.

  15. Kevin Watt says:

    I'm on the old Growl, but am not seeing any growls. Some apps don't seem to show up in “Connecting Apps” either, like Spotify.

    The system log shows:
    Nov 2 17:27:18 everybean GrowlHelperApp[1209]: TCPBlock registered
    Nov 2 17:27:18 everybean GrowlHelperApp[1209]: —
    Nov 2 17:27:18 everybean GrowlHelperApp[1209]: TCPBlock: Allow outcon (helpd -> 184.85.108.244:443) – Priority 0
    Nov 2 17:27:20 everybean GrowlHelperApp[1209]: TCPBlock registered
    Nov 2 17:27:20 everybean GrowlHelperApp[1209]: —
    Nov 2 17:27:20 everybean GrowlHelperApp[1209]: TCPBlock: Allow outcon (helpd -> 184.85.108.244:443) – Priority 0

    • Jo Delantis says:

      This is because as default the “Allow outcon” messages are not displayed with Growl. If you want to see this type of notification you have to open the Growl Preference Pane and configure there the notification display options for the TCPBlock application.
      I will check why spotify does not show up.

  16. Hugo says:

    growl 1.3.1 on Lion 10.7.2 does not show any notifications and does not list TCPBlock in its app list so it is not possible to configure it.

  17. andrea says:

    How do you uninstall this app ?
    Thanks
    a.

    • Jo Delantis says:

      Use the uninstaller UninstallTCPBlock.app included in the TCPBlock dmg.

      • Sascha says:

        I can't uninstall this. All the rules remain: the configuration app is gone, but all my programs do not have access to anything, only my Chrome browser. I reinstalled the app and all my configuration was still there. I disabled the app with the enable checkbox, used the uninstaller again, restarted, and still only my Chrome has access to the network. I can't even ping anything using bash. This really sucks more than a pain in the ass. Could you please tell me how to completely remove this app? I'm running Mac OS X 10.9.4 and my whole system is messed up right now :/ Thanks in advance for any help.

  18. Nico says:

    Hi Jo,

    Sorry I’m new to this. Been running LS for a few years but am very happy to find your software Many thanks for your effort!

    I’m just trying to learn how to use things at the moment. I’m not sure what I am looking at in the connecting apps window. I can see many kernel-tasks being blocked but have no idea what they are, also helps pops up a lot. Can you explain what these things are please?

    Also I opted to use a white list and allow software bit by bit. With safari, although I allowed it TCPBlock blocked download of any page until I inserted a blocked web process into the application list. This was not the case with firefox. I’m just a little aware that I might miss the point of the connecting apps window.

    Once again many thanks

    Nico

  19. Nico says:

    just a correction, in the connecting apps I am seeing “helpd” notifications (not “helps”)

  20. Christoph says:

    Using the growl 1.2.2 Fork called 1.2.2f I do not get growl notifications. Monitor has log entries saying:

    (com.delantis.tcpblock[954]) posix_spawn(“/usr/local/bin/tcpblock”, …): No such file or directory

    • neon says:

      Hi,

      I get a similar error. If I try to enable Growl notifications I get a pop-up message “The operation couldn't be completed. No such file or directory”

      I use Snow Leopard on a MacBook 1,1

      Greetings

      • Christoph says:

        You can fix that by fixing permissions on /usr/local; sudo chmod go+rx /usr/local in my case.

  21. Gary says:

    I have been using TCPBlock and it was working quite nicely until I did a clean install and started to use 2.10. Now the blocked apps list is no longer there after I restart. PPC G4 OSX 10.5.8. I have uninstalled and reinstalled and the same continues. No offense, but it’s a real pain in the ass to redo all of the apps each time after a restart. Is there anything I can try? As I said it was holding the apps list before.

  22. Menno says:

    Hi, would it be possible to allow traffic to localhost (127.0.0.1 and ::1), even if the application is blocked? That way, e.g. I could allow my browser to access a local website for test/development, but block outgoing traffic.

    Another use would be to disallow outgoing traffic, but allow a proxy process to control the (dis)allowed traffic.

    For your information. I use TCPblock when I’m on GPRS to reduce traffic, but would like to work with local applications like tomcat for development. Start/stop is controlled by ControlPlane and a script.

    Thanks,

    Menno

  23. hans says:

    Hi Jo,

    First of all, many thanks for making such an excellent program available for free! :)

    I had some questions about the advanced configuration by changing /etc/tcpblock.conf – where can I find the advanced options that are available?

    and, one of the advanced possibilities I’m after…: is it possible to allow a program access to a specific remote address (range) only?

    Thanks in advance.

  24. rené says:

    will tcpblock work with mountain-lion?

    • Jo Delantis says:

      TCPBlock uses the Network Kernel Extension programming API which is pretty stable between the various OS X releases therefore the chance for it to run with Mountain Lion is high… and if it does not I will try to fix it. Unfortunately I have no possibility to test it with Mountain Lion right now.

    • Rob says:

      The current version (2.10) is fully functional in Mountain Lion 12A154q.

  25. Andrew Ziobro says:

    Is there a way to block only outgoing communication and not local (127.0.0.1) communication for an app?

    For example, I would like to run dansguardian and squid on the local host and allow communication to them over 127.0.0.1 from any web application running, but I want to block any application from trying to talk to the external interface except for squid.

    When I block the webprocess for safari it blocks ALL communication. I want to allow it to speak to dansguardian.

    Thank you,

  26. Glenn says:

    Thank you for making a free alternative out there.
    One question though;

    Is it possible to make it block SOME connections for an application only? F.ex. if it is a software using the internet connection to work properly, but I don’t want it to update itself?

  27. hermit says:

    Hi,

    I love TCPBlock, especially the growl notifications. There’s a small problem though, as soon as I use a script that checks for changes, like livejs ( http://livejs.com ) using a local development server tcpblock starts using lots of resources (jumps between 8 and 15% on my MBA 2011). It happens especially when running Internet Explorer in a virtual machine.
    When running Tcpblock in the terminal I see IE generates about 1 connection per second.

    It shouldn’t take that much resources to inspect some packages. There’s something else going on, probably. If you need more info I’m happy to help.

  28. Reiner Staude says:

    “Note that, due to the limited knowledge of filenames in the Mac OS X kernel only the first 16 characters of the command name are used for name comparisons. Any characters above this limit are truncated”

    Does the term “filename” in this case include the directory path, i.e. if I allow for example the app “iTunes”, would another app named “iTunes” automatically be allowed as well? Additionally, are techniques like hashing used to make sure that the right app is trying to connect?

  29. JC says:

    This made it all work:

    Stan Lee says:
    January 30, 2012 at 22:04
    I had the same problem and it was caused by an incorrect permission on the folder containing the tcpblock executable. I ran “sudo chmod 0755 /usr/local/bin” in the shell and after that growl notifications started working (Growl 1.2.2 / TCPBlock 2.10 on Lion). Hope that helps.

  30. Can you improve the growl messages so that it opens the tcpblock-prefpane when the user clicks on a “tcp connection blocked” message? This would be very nice, so that we don’t have to go over the menu to the prefpane…

    thanks, really good work! thank you really much! i hope you continue with development!

  31. Tom McIntosh says:

    Is there a way to have tcpblock pause an offending process when a block occurs so I can determine the source of the program that is causing the outside access. Right now there is a routine ksfetch that seems to have been inserted by Google Chrome that is getting its access blocked every hour. After the accesses are blocked, the routine terminates on its own so I can find what started the routine. Tried tcpblock -m but that just logs the access and ksfetch is long gone by then.

  32. zethraeus says:

    I’m running Lion with Growl 1.3.3 (the mac app store version) and TCPBlock does not appear to successfully register as an application with it.
    Do you / does anyone know if that is a problem others have experienced?

    Best regards.

    • Tom McIntosh says:

      Running Lion 10.7.4, Growl 1.3.3 and TCPBlock 2.10 KEXT 2.2.6 and they work together as expected. TCPBlock is in the list of Growl Applications in the Growl Pref panel and checked as enabled. Logging is set in the Notifications tab.

      • Thanks. Since you have it working, I gave it a go again. It works, but I know no technical info, so here’s the rambled report back on the brute forcing.

        (The mac app store version is now 1.4, but I still had the issue.)
        I ended up installing the old non-appstore one (1.2.2) *which I’d previously never installed,* then uninstalling them both with http://growl.info/growlinstallcorrupt, then re-installing the appstore version.
        (I also installed hardware growler (the appstore version) at the very beginning.)

        For some reason, it now works. I think it is strongly unlikely that it was a misconfiguration on my end. So if anyone else has an issue, perhaps just try toggling your installs.

  33. Koen Beerens says:

    Thank you all for solving the Growl problem. I installed Growl 1.2.2 and did the sudo trick. TCPBlock registered with Growl. Then I uninstalled Growl 1.2.2 and launched Growl 1.4. TCPBlock works now with Growl 1.4 notifications. I am running Mountain Lion dp4 and I can confirm that TCPBlock runs fine on it.

  34. sakoula says:

    Hi I am on 10.8 Mountain Lion (fresh install) with growl 1.4 (from app store)
    and TcpBlock 2.10

    When I try to check on growl enabled I get the message:
    8/23/12 5:26:19.687 PM com.apple.launchd.peruser.501[125]: (com.delantis.tcpblock[555]) Job failed to exec(3). Setting up event to tell us when to try again: 2: No such file or directory
    8/23/12 5:26:19.687 PM com.apple.launchd.peruser.501[125]: (com.delantis.tcpblock[555]) Job failed to exec(3) for weird reason: 2

    Any idea? Thanks!

  35. JeffreyHK says:

    Hi, similar problem… I’m using version 2.10 KEXT 2.2.6, Mountain Lion 10.8.1 and Growl 1.4. When I select “Enable Growl notifications” nothing happens and the program doesn’t appear in my Growl applications list. Anyone have any ideas? Thanks.

  36. How do you uninstall TCPBlock? It’s a nice piece of software, but I need to take it off my machine for a little while.

  37. Emil says:

    I have been using TCPBlock with Leopard (10.5) for a long time now. However, something recently has changed. All of my apps are being blocked and when I go to the Connecting Apps tab to unblock them, they are greyed out and cannot be inserted into the Application List. Has anyone seen this occur before?

    I am using the latest version of TCPblock v.2.1.0 KEXT 2.2.6

    Thanks.

    • Jo Delantis says:

      The apps are greyed out because they are already in your Application List. If you have White List enabled then make sure that Block all outgoing is disabled in order that your apps are not being blocked anymore.

  38. Hi I am on 10.8 Mountain Lion (fresh install) with growl 2.0 (from app store)
    and TcpBlock 2.10 kext 2.2.6

    When I try to check on growl enabled I get the message:
    8/23/12 5:26:19.687 PM com.apple.launchd.peruser.501[125]: (com.delantis.tcpblock[555]) Job failed to exec(3). Setting up event to tell us when to try again: 2: No such file or directory
    8/23/12 5:26:19.687 PM com.apple.launchd.peruser.501[125]: (com.delantis.tcpblock[555]) Job failed to exec(3) for weird reason: 2

    I tried also with the command line tcpblock -n and get the following
    ~ root# tcpblock -n
    2012-08-25 06:56:56.341 tcpblock[337:707] could not find local GrowlApplicationBridgePathway, falling back to NSDNC

    I assume I get this message because tcpblock cannot register with growl.

    What exactly does tcpblock try to run in order to register with Growl? Perhaps I can create a wrapper script in order to correctly connect to the new growl API. It seems that it does this
    using a system command?
    Thanks!

    • Jo Delantis says:

      The first error happens because on the fresh install in Lion and later the directory /Users/your_username/Library/LaunchAgents does not exist. You have to create it manually in order that TCPBlock can write its LaunchAgent.
      Registering and communication with Growl is done using Objective C methods, so a wrapper would not work.

  39. Thanks!
    So I put together a fast hack to connect it with notification center in 10.8 (do not want to have a terminal on continuously to monitor this):

    1) install terminal-notifier (http://osxdaily.com/2012/08/03/send-an-alert-to-notification-center-from-the-command-line-in-os-x/)

    2) write script @ /Users/XXX/bin/tcpblock_notify.sh
    #!/bin/bash
    tail -1 -f /var/log/system.log | while read line
    do
    [[ "$line" == *tcpblock*block*connection* ]] && ( terminal-notifier -title tcpblock -message "$(echo $line | cut -d\ -f7- | cut -d: -f1)" 1>/dev/null)
    done

    3) use launchd to start @ /Users/XXX/Library/LaunchAgents/com.delantis.tcpblock_notify.plist
    start it doing: launchctl load com.delantis.tcpblock_notify.plist

    Label
    com.delantis.tcpblock_notify
    ProgramArguments

    /Users/XXX/bin/tcpblock_notify.sh

    KeepAlive

    • Jo Delantis says:

      That’s a cool hack. Thanks!

    • mike galicki says:

      You have a typo in the first cut command. The delimiter for space needs two white spaces after the \, or it’s maybe even easier to use ' '. So, i.e.:

      #!/bin/bash
      tail -1 -f /var/log/system.log | while read line
      do
      [[ "$line" == *tcpblock*block*connection* ]] && ( terminal-notifier -title tcpblock -message "$(echo $line | cut -d ' ' -f7- | cut -d: -f1)" 1>/dev/null)
      done

      Also, the “ ” quotes didn’t paste properly into the terminal. I was just getting the first field “Block” and nothing else until I overwrote all the ” characters in the terminal.

      Also, here is my plist file if someone wants to take it:

      KeepAlive

      OnDemand

      RunAtLoad

      Label
      com.YOURNAME.tcpblock_notify
      ProgramArguments

      /Users/YOURNAME/bin/tcpblock_notify.sh

      remember to chmod +x both files.

      Thanks to the OP.

    • Andre says:

      To add to this – those who use the whitelist: I created an AppleScript bundle that you can launch when you’re notified of a blocked connection. You enter the application’s name (exactly as shown in the Growl notification/TCPBlock log) in the popup, enter your password, and it’s added to your whitelist! Even supports Growl notifications! Pretty straightforward.

      How to do it: Open the AppleScript app (everyone has it), paste the code below, save as “Application” format, change the icon if you like :D

      It’s not pretty but works – no issues so far:

      ############### Add2TCPBlock ########################
      # Adds a new rule to TCPBlock's whitelist, allowing an outgoing connection.
      # Executes shell command "tcpblock -a " to add to whitelist
      # and then "tcpblock -c" to update ruleset
      # Support for Growl notifications
      ################################################

      # add inputted application name to tcpblock config
      ##############################
      set appName to ""
      try
      set diagIn to (display dialog "Enter app name to allow connections: " with title "TCPBlock – Allow?" default answer "" buttons {"Always Allow", "Nevermind"} default button 1 with icon stop)
      set appName to the text returned of diagIn
      set buttName to the button returned of diagIn

      if (appName is equal to "" or buttName is equal to "Nevermind") then
      display dialog "ABORTED: no changes made" with title "TCPBlock – Failure" buttons {"okay"} with icon caution
      return -- ***exit script***
      else -- where it's at: two turn tables and a microphone
      do shell script "/usr/local/bin/tcpblock -a '" & appName & "'" with administrator privileges -- requires admin password; to skip password entry
      do shell script "/usr/local/bin/tcpblock -c" -- each time (unsecure!) add: password "yourpassword" above before "with administrator privileges"
      end if
      end try

      # display notification through Growl
      # catch if not installed or open and use Apple dialog
      ###############################
      tell application "System Events"
      set isRunning to (count of (every process whose bundle identifier is "com.Growl.GrowlHelperApp")) > 0
      end tell

      if isRunning then
      tell application id "com.Growl.GrowlHelperApp"
      -- Make a list of all the notification types
      -- that this script will ever send:
      set the allNotificationsList to ¬
      {"Application set to allow outgoing connections"}

      -- Make a list of the notifications
      -- that will be enabled by default.
      -- Those not enabled by default can be enabled later
      -- in the 'Applications' tab of the Growl preferences.
      set the enabledNotificationsList to ¬
      {"Application set to allow outgoing connections"}

      -- Register our script with growl.
      -- You can optionally (as here) set a default icon
      -- for this script's notifications.
      register as application ¬
      "Add2TCPBlock" all notifications allNotificationsList ¬
      default notifications enabledNotificationsList ¬
      icon of application "Finder"

      -- Send a Notification...
      notify with name ¬
      "Application set to allow outgoing connections" title ¬
      "TCPBlock – " & appName description ¬
      "Application set to allow outgoing connections" application name "Add2TCPBlock"
      end tell
      else
      # growl not installed/running – use Apple dialog
      display dialog "Application " & appName & " set to allow outgoing connections." with title "TCPBlock success" buttons {"OKAY"} with icon caution
      end if

  40. If I knew this existed I wouldn’t have bought little snitch… I can’t see that this is as feature filled but it seems pretty good anyways. It’s been a year since a new version…

  41. bastsik8 says:

    Thanks for this great software! I wonder why only few people seem to know about this. Will there be a new version with notification center support on Mountain Lion sometime?

  42. mrcube2u says:

    TCPBlock is fantastic. Simple and effective. I too am having the issue with Growl 2.0 on Mountain Lion. Installing the older non app store version has not solved the problem in my case. I also wonder where the log file is kept on mountain lion? Mine isn’t located at var/log/system.log or /var/log/kernel.log. Keep up the good work. My donation is on its way.

  43. Raunak Agarwal says:

    Great application Sir. I am new to mac and love your firewall. However, it locks automatically each time I close the preference pane. It’s annoying to enter the password each time. Is there any way to prevent that? I am using OSX 10.8 Snow Leopard.

  44. Andre says:

    Do you have intentions of developing this into a paid app? If not, have you considered opening the source? I have many ideas I’d like to try and implement (processing Growl feedback/banner clicks?) as do others. The added development could really help the app take off and do so much more! Please consider it!

  45. Scott says:

    What do you think of the following error? I will leave the craziness for another time but suffice to say tcpblock worked flawlessly, I thought it my savior against the “evildoers” who attempt to infiltrate our systems. It was such a good watchdog I forgot all about the many firewalls implemented previously. Forgot how Norton stopped blocking and Little Snitch’s rules bouncing back and forth giving permission to those who would do us harm. Forgot about the many months banging my head against the wall until the inevitable happened. The preference pane was the first to go, then this error below. Could be permissions, could be replaced files, could be missing files, who knows, but it signals the end of another firewall. Thanks for putting in the time to code it though. Big gold medal for that…

    localhost:~ ck$ tcpblock -c
    2013-03-30 03:32:10.587 tcpblock[1680:707] ioctl CTLIOCGINFO: No such file or directory
    connection to the tcpblock kernel extension failed

    I have a screen capture of the error in the preferences if you’d like to see it. The verbiage in the dialog goes like this:

    Connection to the TCPBlock Kernel Extension failed!
    Please reinstall the TCPBlock.pkg to make shure you
    get not only this Preference Pane but also the
    required components.

    Despite removing and re-installing, including re-install with a freshly downloaded tcpblock it never repairs that preference payne, what a pain.

    Thanks

    S

    • Jo Delantis says:

      Sounds like the TCPBlock kernel extension is not loaded… You can try to load it with “sudo /usr/local/bin/tcpblocknke”.
      At system boot time the kernel extension is automatically started by launchd using the file /Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist. Does this file exist and look ok?

      • Dan says:

        Hi Jo,
        as others stated before: superb app!
        But I’m always running into the same error as Scott. Strangely enough, the error often occurs every third or fourth boot. Then I have to apply this sudo command, which works.
        But have you got a solution that avoids this manual input every time? Because I’m not notified that TCPBlock is out of order.
        What’s the solution concerning your second statement? I’ve only got the file “com.delantis.TCPBlock.plist” in the folder mentioned. Obviously, com.delantis.tcbblocknke_load_kext.plist is not existent on the device. Where and how do I get this? And why wasn’t that installed on my device (10.8.3)?
        Thanks for your support!

      • Jo Delantis says:

        com.delantis.tcbblocknke_load_kext.plist is part of the TCPBlock installer package. Reinstall TCPBlock and if the file is still not existent then you may get some error hints in the Installer log.

        Or create the file /Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist with the following content:

        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
        <key>KeepAlive</key>
        <false/>
        <key>Label</key>
        <string>com.delantis.tcpblocknke_load_kext</string>
        <key>ProgramArguments</key>
        <array>
        <string>/usr/local/bin/tcpblocknke</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
        <key>StandardOutPath</key>
        <string>/dev/null</string>
        <key>UserName</key>
        <string>root</string>
        </dict>
        </plist>

        Make sure the file has the same owner, group and permissions as the other files lying around in the LaunchDaemons directory.

        com.delantis.TCPBlock.plist is for managing TCPBlock’s Privileged Helper Tool:
        If you open the TCPBlock PrefPane in order to change its configuration you must authenticate yourself as your Mac’s superuser, root. Only root has the rights to change the config file of TCPBlock. Instead of running the entire PrefPane as root, which means giving tons of lines of code privileged access to your system and is a security nightmare, only a small, separate helper tool is started and only the helper tool gets superuser privs. The helper tool contains only a few lines of code for writing TCPBlock’s config file.

      • Dan says:

        Hi Jo,
        after some days of testing: Your solution works…but only for a couple of days. And then, I don’t know why, the plist file I created disappears, i.e. it’s deleted from this folder. No TCPBlock plist file exists there any more. Have you got a further solution?

  46. Chris says:

    @Dan

    The file must be created as plain text and before you move it to /Library/LaunchDaemons/ you have to change the owner and the group otherwise launchd will not accept it.

    Something like …

    cd $HOME
    pico com.delantis.tcbblocknke_load_kext.plist

    or you use Xcode to create the file … insert the content from above

    Save with ctrl + o, RETURN and quit pico with ctrl + x.

    sudo chown root:wheel com.delantis.tcbblocknke_load_kext.plist
    sudo cp ./com.delantis.tcbblocknke_load_kext.plist /Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist

    After a reboot you can check whether the .plist file is loaded or not using

    sudo launchctl list
    ps -u root

    @ Jo

    Is this project still under development (I use 10.8.3)? Will you put it in the App Store or use code signing?
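As an added example (not the project's code and not the commands in the reply above), a small POSIX sh health check for the points just listed: the LaunchDaemon plist must exist, be owned by root:wheel with mode 0644 like its neighbours, and its Label must show up in the `sudo launchctl list` output afterwards. The path and label are the ones quoted in this thread; the `launchctl list` text it inspects in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of TCPBlock or of any script posted in this thread.
# Checks why a LaunchDaemon job can fail silently at boot: the plist file
# missing (deleted by a cleaner tool, see above), wrong owner/group, or a
# mode launchd rejects. Then confirms the Label is present in a
# "sudo launchctl list" listing.

# Check one launchd plist file. Returns 0 if it looks sane, 1 if it is
# missing, 2 if it is not owned by root:wheel, 3 if it is not -rw-r--r--.
launchd_plist_check() {  # $1 = path to the .plist
    [ -f "$1" ] || return 1
    # ls -ld prints: mode links owner group ...; word-split it into $2..$5
    set -- "$1" $(ls -ld "$1")
    [ "$4" = root ] && [ "$5" = wheel ] || return 2
    case "$2" in
        -rw-r--r--*) return 0 ;;   # trailing @ or + (xattrs/ACLs) is fine
        *) return 3 ;;
    esac
}

# Print a one-line verdict for a plist path; exit status as above.
launchd_plist_report() {  # $1 = path to the .plist
    if launchd_plist_check "$1"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "ok: $1 (root:wheel, -rw-r--r--)" ;;
        1) echo "MISSING: $1 (reinstall TCPBlock or recreate it; check for cleaner tools)" ;;
        2) echo "BAD OWNER: $1 (expected root:wheel, see sudo chown root:wheel above)" ;;
        3) echo "BAD MODE: $1 (expected -rw-r--r-- like the other LaunchDaemons)" ;;
    esac
    return $rc
}

# Print the Label value of a plist written like the one above, i.e. with the
# <string> on the line after <key>Label</key>.
launchd_plist_label() {  # $1 = path to the .plist
    sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Given the text printed by "sudo launchctl list" (columns: PID Status Label),
# return 0 if the label is loaded, 1 otherwise.
launchd_label_loaded() {  # $1 = label, $2 = launchctl list output
    printf '%s\n' "$2" | awk -v want="$1" '$3 == want { found = 1 } END { exit !found }'
}

# Stand-alone run: report on the TCPBlock daemon plist and on a constructed
# launchctl listing (on a real Mac, feed it "$(sudo launchctl list)").
launchd_demo() {
    plist=/Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist
    launchd_plist_report "$plist" || true
    listing='PID Status Label
- 0 com.apple.example
123 0 com.delantis.tcpblocknke_load_kext'   # constructed sample output
    if launchd_label_loaded com.delantis.tcpblocknke_load_kext "$listing"; then
        echo "label loaded"
    else
        echo "label NOT loaded: start it with sudo /usr/local/bin/tcpblocknke, then fix the plist"
    fi
}

launchd_demo
```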

  47. James says:

    I’m seeing this as well on Mountain Lion:

    Jun 26 06:36:04 Mac com.apple.launchd.peruser.501[146] (com.delantis.tcpblock[357]): Job failed to exec(3). Setting up event to tell us when to try again: 2: No such file or directory

    Jun 26 06:36:04 Mac com.apple.launchd.peruser.501[146] (com.delantis.tcpblock[357]): Job failed to exec(3) for weird reason: 2

    Jun 26 06:37:46 Mac System Preferences[329]: open on /Users/me/Library/LaunchAgents/com.delantis.tcpblock.plist: File exists

    The first two I see out of the box when enabling Growl, the last is after I change permissions on /Users/me/Library/LaunchAgents/com.delantis.tcpblock.plist to everyone read/write access. Growl still doesn’t see TCPBlock. Also, is this going to get developed further? More than happy to donate…but if this won’t be working on Mavericks then I’d rather not waste the money (no offense). Thank you.

    • James says:

      This is a reply from Growl support:

      After doing a little research it looks like TCPBlock has not been updated in quite some time. TCPBlock uses a very old version of the Growl Framework and likely needs to use our old free version of Growl 1.2.2. Reports are it doesn’t work with Growl 1.3 or newer. You will need to contact the developer and see if they can upgrade to the latest version.

      What say you Jo….any chance we could get a Growl update? Other than that the app works great.

  48. James says:

    So I’ve tested and tested some more and with Growl 1.2.2 this works all the way to Mountain Lion (make sure to enable logging of blocked connections). My suggestions Jo is to scrap Growl and go with the native Notification API, allow per connection blocking per application (I want it to go to here for updates, but I don’t want it to go there for ads), then make it a shareware app and undercut LS by charging $20 and I think you’ll see a fair amount of people want this app.

    • Andre says:

      I really wish this would happen. Or throw it on github for us novices to tinker with :D
      Kernel extensions are beyond my abilities atm or else I’d be moving in this direction.

  49. Will TCPblock still work with Mavericks?

  50. ShelaghD-B says:

    In any event wondering if anyone here can help me with this one problem I have using it?

    I have 2 Macbook Pros
    1 is running 10.84 and the other I haven’t yet moved up to that but at present is on 10.75

    10.84 is using TCP Block and mac firewall is enabled
    10.75 is using Lil Snitch and mac firewall is enabled

    I tend to use AIRDROP a lot between the 2 but since installing TCP Block, I can no longer do it and I am not sure how to open it up again so I may!

    When trying to send a file from the 10.75 using Lil Snitch to the 10.84 using TCPBlock, I can send a file and the other Mac will receive it

    When trying it the other way, from 10.84 using TCPBlock to 10.75 it won’t let it through and says, “The Transfer Failed. Try Again”

    ANY ideas what I need to type into TCPBlock so that I will be able to transfer files through Air Drop both ways?

    THANKS IN ADVANCE

  51. Marc says:

    Perhaps they should go away from growl and use the mac notification center instead. Is there anything planned?

  52. trrfx says:

    I combined Mike Galicki’s & Sakoula’s terminal-notifier shell script with Andre’s Add to Whitelist Applescript. Works like a charm. With the -execute option of terminal-notifier and an osascript command you can pass a variable with the name of the blocked application to the Applescript which will open when you click on the message in notification center.

    But there’s one feature I’d like to add: As stated, I run TCPblock in whitelist-mode. But I’d like to have a blacklist the terminal-notifier script checks to see if it’s an app that should be blocked permanently (so notifications don’t pop up every time).

    Any suggestions?

    • trrfx says:

      i’ve created a little hack (based on sakoula’s and mike galicki’s contribution) that somehow emulates little snitch’s behavior. when application is blocked notification center will inform you which app tries to connect. by clicking on the notification a pop up window will appear giving you following options: cancel (just quits), whitelist (will add app to tcpblock’s whitelist), blacklist (will write name of app to a simple plain text log file. this file will be checked again next time the same app tries to connect and if it is on the blacklist already no message will appear in notification center. put simply: it stops bugging you). here’s the (maybe not elegant but working) how-to:

      1) install tcpblock and set it to whitelist mode

      2) install terminal-notifier (details: https://github.com/alloy/terminal-notifier) by starting terminal and
      sudo gem install terminal-notifier

      3) download my files(*) and extract the zip file to ~/bin/ (~ = home folder)

      http://www.filedropper.com/tcpblockaddon

      4) edit com.tcpblock.radar.plist with plain text editor and change YOURUSERNAMEHERE to – well – your user name. then put the file in ~/Library/LaunchAgents

      5) open the terminal and make the .sh files executable with the commands
      sudo chmod +x ~/bin/tcpblock_radar.sh
      sudo chmod +x ~/bin/tcpblock_handler.sh

      6) load the plist file with terminal command
      launchctl load ~/Library/LaunchAgents/com.tcpblock.radar.plist

      i hope it works for you!

      (*) the zip package contains TCPBlock.app and TCPBlock.icns. these are just “carriers” of the fancy icon. terminal-notifier will only work in Mavericks when -sender option is given, therefore the .app file. the .icns is used by the applescript dialog.

      if you’d rather like to have the raw code and play with it go here:
      tcpblock_radar.sh | http://pastebin.com/Fby66TmP
      tcpblock_handler.sh | http://pastebin.com/Ua1dNGzm
      com.tcpblock.radar.plist | http://pastebin.com/qkAnLawG
      tcpblock_dialog.scpt | http://pastebin.com/h9xJKSsu

      • Andre says:

        Ignore my post – Looks like you already did all of it, even the blacklist! Nice work! Trying it all out atm

      • Andre says:

        For some reason tcpblock_radar.sh isn’t returning the right string. $VAR is being set to “onnection of ” and for larger names, the app name is cut off.

        Also when added to the blacklist/whitelist, the entire $VAR string above is added rather than just the app name. Must be something with the formatting you’ve got there. If I understood string manipulation in bash better, I’d help out! Everything works great otherwise.

      • trrfx says:

        Hi Andre!
        yes, i think it will depend on what exactly the log entry looks like. i thought it’d be the same for everyone. but it shouldn’t be too difficult to adapt the script.

        here’s the juice:
        VAR="$(echo $line | cut -c 64- | sed -E 's/ to[ 0-9.:a-z=]*//g')" sh ~/bin/./tcpblock_handler.sh

        “cut -c 64-” just deletes a certain amount of characters (in this case 64) from the start of the string. so adjust to the point you reach the start of the app name in the output.

        the rest is then passed on to “sed -E 's/ to[ 0-9.:a-z=]*//g'”. this deletes everything from ” to” (that is the “[space]to” after the app name). so unless there’s an app that contains this certain string (not bullet proof, but probability not very high i guess) it should be fine.

        BTW: the icon of TCPBlock.app seems to have gotten stripped off by zipping or whatever. but one can manage to paste it from the icns file in the info screen of the app file (cmd-i). just to make it look a bit better.

        cheers!

    • Andre says:

      What does your bash script look like? I’ve got the notification working, but the click does nothing. This is one of my many attempts to get it to work:

      [[ "$line" == *tcpblock*block*connection* ]] && ( terminal-notifier -title tcpblock -message "$(echo $line | cut -d\ -f7- | cut -d: -f1)" -execute osascript myscript "$line" 1>/dev/null)

      This is the part I need. I know nothing about bash and have been going off of what is written in the script so far. This is a great idea though!

      As for the blacklist idea to keep down on notifications… The best I can think of would be a separate file that the bash script checks for programs that have been blacklisted. If the app name is present, it doesn’t send the notification. Then whenever called, the Applescript can be modified to ask if the user wants to blacklist the program or accept access. Which would in turn modify our list that is checked each time. If that all makes sense.

      Of course I cannot figure out bash well enough to do this. I may look into providing an Applescript solution if I don’t hear from you guys. Really wish this were open sourced!
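The app-name extraction that the notify script in comment 39 (`cut -d' ' -f7-`) and trrfx's `cut -c 64-` / `sed` one-liner do by position breaks as soon as the syslog prefix changes width, which is the "onnection of" symptom Andre reports. The POSIX sh functions below are an added example, not the project's code or any script from this thread: they anchor on the fixed words of the kernel message instead, keep app names with spaces (even ones containing "to") whole, and add the exact-match blacklist lookup trrfx describes. The log lines and blacklist they run against are constructed (documentation addresses, not real traffic).

```shell
#!/bin/sh
# Added example, not part of TCPBlock or of the scripts posted in this thread.
# Parses the kernel log lines tcpblock writes, of the form
#   ... kernel[0]: tcpblock: block connection of <app> to <ip>:<port> uid=<n> pid=<n> proto=<n>
# by matching the fixed text around the fields rather than a character offset.

# Print the application name from one tcpblock log line.
# Returns 1 (and prints nothing) if the line is not a tcpblock block message.
# The greedy (.+) stops at the LAST " to <addr>:<port> uid=", so an app
# called "Things to Do" is returned whole.
tcpblock_app_name() {  # $1 = log line
    printf '%s\n' "$1" |
        sed -n -E 's/.*tcpblock: block connection of (.+) to [0-9A-Fa-f.:]+:[0-9]+ uid=[0-9]+ pid=[0-9]+ proto=[0-9]+.*/\1/p' |
        grep .
}

# Print "<ip>:<port>" from one tcpblock log line; same return convention.
tcpblock_dest() {  # $1 = log line
    printf '%s\n' "$1" |
        sed -n -E 's/.*tcpblock: block connection of .+ to ([0-9A-Fa-f.:]+:[0-9]+) uid=[0-9]+.*/\1/p' |
        grep .
}

# Blacklist file: one application name per line. Matched as a whole line and
# as a fixed string (grep -x -F), so "Mail" does not also match "MailSync"
# and a name containing regex characters is taken literally.
tcpblock_is_blacklisted() {  # $1 = app name, $2 = blacklist file
    [ -f "$2" ] && grep -q -x -F -- "$1" "$2"
}

# Classify one log line. Prints "ignore" (not a tcpblock block message),
# "blacklisted <app>" (silently dropped) or "notify <app> <ip:port>".
tcpblock_classify() {  # $1 = log line, $2 = blacklist file
    app=$(tcpblock_app_name "$1") || { echo ignore; return 0; }
    if tcpblock_is_blacklisted "$app" "$2"; then
        echo "blacklisted $app"
    else
        echo "notify $app $(tcpblock_dest "$1")"
    fi
}

# Constructed sample log lines (RFC 5737 documentation addresses).
tcpblock_sample_log() {
    cat <<'EOF'
Nov 13 21:04:11 mac kernel[0]: tcpblock: block connection of com.apple.iCloud to 192.0.2.20:443 uid=501 pid=579 proto=6
Nov 13 21:04:19 mac kernel[0]: tcpblock: block connection of Mail to 192.0.2.10:80 uid=501 pid=11175 proto=6
Nov 13 21:04:20 mac kernel[0]: tcpblock: block connection of Things to Do to 198.51.100.7:443 uid=501 pid=700 proto=6
Nov 13 21:04:21 mac com.apple.launchd.peruser.501[125]: (com.delantis.tcpblock[555]) Job failed to exec(3)
EOF
}

# Stand-alone run: classify the sample lines against a blacklist holding "Mail".
# In the real agent, replace tcpblock_sample_log with: tail -1 -f /var/log/system.log
tcpblock_demo() {
    bl=$(mktemp) || return 1
    printf 'Mail\n' > "$bl"
    tcpblock_sample_log | while IFS= read -r line; do
        tcpblock_classify "$line" "$bl"
    done
    rm -f "$bl"
}

tcpblock_demo
```

Feeding `tail -1 -f /var/log/system.log` through the same loop and calling terminal-notifier on the "notify" lines gives the behaviour of the thread's scripts without the fixed character offset.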

  53. sakoula says:

    hi!

    I am thinking of upgrading to Mavericks this weekend.
    Does tcpblock work for 10.9?

    A proposal: How about releasing the code as open source?

    Thanks for the great piece of software!

  54. Hi,

    For those who have problems with tcpblock not working after a restart of the machine: I noticed that Clean My Mac (and probably other similar software) was trying to delete “com.delantis.tcbblocknke_load_kext.plist”, treating it as a broken login item. Beware of this, because once it is deleted for the first time there’s no way to have it working properly again, even if you’re going to reinstall tcpblock.

  55. stephan says:

    Hi,

    thanks for that powerful and useful app! It would be very nice if there will be an update with notification center support!

    Greetings from Germany

  56. sakoula says:

    Hi,
    Due to the incompatibility of tcpblock with growl in 10.8 and 10.9, I end up using
    a hack to integrate it with notification center instead.

    I put together a github page based on the code in this thread. The only addition to my previous attempt is the behaviour that whenever you click on the notification message the script adds the blocked application automatically in the whitelist.

    The code is very basic and does not have the features of trrfx’s.

    If anyone is interested:

    https://github.com/sakoula/tcpblock-notify

    At some point tcpblock will get the native notification center support but until then :(

    thx!

    • Hi! I don’t get any notification so everything stay blocked. Any help? Thanks!

      • sakoula says:

        which OSX version? You can always check Console.app for the tcpblock messages

      • Mavericks and I believe I did install everything as you said in the read me. So I don’t really understand what’s going on. Shouldn’t there be an exception for the terminal-notifier somewhere in the notification system preferences?

    • Ok, I’ve blocked Mail.app and this is the output from the Console right after I’ve checked for emails:

      13/11/2013 21:04:11.000 kernel[0]: tcpblock: block connection of com.apple.iCloud to 17.172.208.83:443 uid=501 pid=579 proto=6

      13/11/2013 21:04:19.000 kernel[0]: tcpblock: block connection of Mail to 68.232.35.121:80 uid=501 pid=11175 proto=6

      13/11/2013 21:04:20.000 kernel[0]: tcpblock: block connection of Mail to 23.21.190.1t72:8c0 puibldock=5: 0bl1 pocid=k 11co17nn5 ecprtotioon =6

      Is that normal?

  57. Roscoe says:

    Is there a reason that my applications list has “(ignored)” next to the name and they’re all oranged out?

    • Jo Delantis says:

      If you check the “Block all outgoing” option then all outgoing connections are blocked regardless of the content of your application list. Your app list is ignored and therefore oranged out.

      • Roscoe says:

        Much thanks, Jo. I realized that shortly after I posted when fiddling around.

        I thought the option was to block all outgoing connections from apps on the list (or not if whitelisted), silly me.

  58. Vincent says:

    Hey, is there any way to not just block IP-Connections, but connections made via specific ports? For example: I use the TCPBlock White List Option, so all programs/connections are blocked besides the ones whitelisted. But now I want Mail.app to make connections to every server/* (because esp. Gmail Server change a lot) but I don’t want Mail.app to make any connections via Port:80 or Port:443, because I don’t want it to load Photos or external ad stuff.
    It would be very handy to have an option like this, to block specific ports. I can work the other way around, too: whitelist specific ports like 143 and 587 and then block all others.
    Is it possible to do that with TCPBlock?
    Besides, great software. I really like it and hope it will be developed continuously.

    • vincent says:

      Jo, it’s great that you added the Port-Feature! This makes TCPBlock so much more powerful! Thanks a lot for this && keep up the good work! Regards, vincent

  59. Frank says:

    Dear Jo Delantis:

    Thank you for your effort to keep this nice and useful application updated. I really appreciate your work and sharing. Hope you keep developing this software successfully for Mac users.

    Installed TCP Block v3.0b5 Beta Version. My iMac is running under OSX Mavericks 10.9.

    Sometimes when I restart my computer (not including the restart after installation)
    I get the following error message:

    “Connection to the TCPBlock Kernel Extension failed! Please reinstall the TCPBlock.pkg to make sure you get not only this Preference Panel but also the required components.”

    I started the kernel extension manually with the command in terminal: sudo /usr/local/bin/tcpblocknke. Of course after that things become normal.

    Questions:
    How can this situation be solved? Any ideas? Some relation with Avast antivirus installed on the iMac?

    Your comments and detailed instructions are very welcome.

    • Jo Delantis says:

      It may be the same problem as here: see t_kore’s message.
      Check if the file /Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist exists. This file starts the TCPBlock Kernel Extension at system boot time. If it is not there then check if you have some software installed which may delete it. This file is included in the TCPBlock install package; I would expect it is recreated when you reinstall TCPBlock.

  60. Frank says:

    Dear Jo Delantis:

    Thank you for your prompt reply and guidance.

    In fact, I checked the file in the suggested location, /Library/LaunchDaemons/com.delantis.tcbblocknke_load_kext.plist, and it did not appear there.

    After the reinstall of TCPBlock the file came back; besides, I made some tests with the software installed on my iMac.

    Confirmed that CleanMyMac tried to delete “com.delantis.tcbblocknke_load_kext.plist” nominating it as a broken login item.

    Took all measures to prevent the deletion of the same file. Hope this will work smoothly.

    Have a nice day.

  61. saltine says:

    Hello Mr. Delantis,

    I’m trying your new firewall app but v3.0 final version doesn’t work on my iMac with Mavericks.
    v2.10 was working correctly.

    I have uninstalled the v2.10 (that was working very well) with the supplied tool and installed the new v3.0 without errors. I enabled the whitelist flag and started to configure it, like I did on the old version.

    But the connecting apps panel is filled only with a few apps automatically blocked (mdnsresponder and npd). Any other application manually launched that connects to the internet (e.g. firefox, safari, mediainfo, etc.) is not listed on the panel. Manually adding an application to the whitelist doesn’t change anything.

    Daemon is loaded and enabled (verified with launchctl).
    Notifications appear correctly for the few services blocked.
    Show “all connections log” is selected.

    Reinstalling v2.10, the system returned to working perfectly.
    Something must be wrong with this new version.

    Thanks in advance for any support you can give.
    Regards.

    • Jo Delantis says:

      Do not block the mDNSResponder. An app which connects out asks it for translating the target hostname into an IP address. If the mDNSResponder is blocked then the address resolution does not work and your app’s outgoing connection fails before it even can send any data out, therefore it does not appear in the connecting apps panel.

      • Saltine says:

        Thanks for the quick response.

        With your suggestion I managed to have TcpBlock fully working.
        The mDNSResponder matter is not a simple thing for non-expert users. I hope that this comment will help other users too. Adding it to the instructions would be a nice thing.

        I will use this program and I appreciate your efforts to improve it and to have made it fully compatible with Mavericks.

        Next step should be the possibility to block IN and OUT traffic (IMO).

        Well done. I just donated. Thank you again.
        Greetings from Italy.

      • Jo Delantis says:

        Thanks for your donation. The default behaviour of TCPBlock is to block an app’s incoming and outgoing connections when you block the app or to whitelist both incoming and outgoing when you whitelist it.

  62. Saltine says:

    Mr. Delantis,
    I replied here because there is no reply button on your last comment.

    Regarding the IN/OUT traffic block, I mean to selectively choose which direction block, inbound or outbound traffic, implementing an additional flag for example.

    Just for information, please look the following screenshot:

    http://www.imagebam.com/image/08d6f5302674617

    Note that I have FTPD whitelisted and I’m able to connect to my iMac from another computer using an ftp client. But I don’t know why there are always two entries for the same port, one blocked and one not.

  63. I installed it, now the lock to add programs won’t unlock… help please.

    • Jo Delantis says:

      Do you get the authentication dialog window if you click the lock icon?

      • Paul D. says:

        Jo is correct, you should get the normal “authentication” box popup. Make sure you’re clicking the tiny lock icon at the bottom left first, and then entering the admin user/pass (if you are not already using an admin account – which I do not recommend as a casual user).

      • Paul D. says:

        Ahaha, of course Jo is correct, s/he/they is the developer! My mistake.

  64. Paul D. says:

    Hello, has anyone tried running tests on TCPBlock to see if it actually blocks outgoing connections? My impression was that if an app was on the blacklist, it was blocked (incoming/outgoing). However, after installing a program, blocking it, and blocking all of its associated programs (update software etc.), it is still able to connect (I know this because I receive notifications to update the software!).

    My next test, which is a bit tedious, will be to block all outgoing and then provide a whitelist of the apps I want to connect. Has anyone done this?

  65. depressed says:

    4.0 version was buggy. Now I tried 4.2 and looks like it shows some active applications but does not show all of them. So I would say that 4.2 is buggy, too.

    • Jo Delantis says:

      It may depend where you look for connections. In the Connecting Apps tab the entries are coalesced: If a connection is already in the list then it is not displayed a second time at a subsequent connection attempt in order to not flood the list with redundant entries. Use the cmd line network monitor to see all the connections TCPBlock sees, together with a time stamp: /usr/local/bin/tcpblock -mt

  66. depressed says:

    There are still some strange things happening.
    For example TOR. It is allowed together with firefox and no other rules are set for it, but it still somehow blocks it and at the same time allows it.
    Type Local Address Remote Address uid pid application blocked
    11609 TCP IN 0.0.0.0:0 127.0.0.1:52733 501 1173 tor.real no
    11789 TCP IN 127.0.0.1:9150 127.0.0.1:52733 501 1173 tor.real yes
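
    The kind of check a reader could run over `tcpblock -mt` output to make sense of the coalesced Connecting Apps list described in the reply to comment 65 and of the allowed/blocked pairs quoted in comment 66 (added example, not TCPBlock’s own code; the nine-column line layout, the meaning of the leading number as a sequence counter, and the coalescing key are assumptions, and the firefox lines in the sample are constructed):

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the column layout quoted in comment 66 (taken to be
# `tcpblock -m` output; the leading number is assumed to be a sequence counter
# that the quoted header does not name). The two tor.real lines are the ones
# quoted there; the two firefox lines are constructed.
SAMPLE = """\
Type Local Address Remote Address uid pid application blocked
11609 TCP IN 0.0.0.0:0 127.0.0.1:52733 501 1173 tor.real no
11789 TCP IN 127.0.0.1:9150 127.0.0.1:52733 501 1173 tor.real yes
11790 TCP OUT 192.168.1.5:50100 93.184.216.34:443 501 1201 firefox no
11791 TCP OUT 192.168.1.5:50101 93.184.216.34:443 501 1201 firefox no
"""


@dataclass(frozen=True)
class Record:
    seq: int
    proto: str
    direction: str
    local: str
    remote: str
    uid: int
    pid: int
    app: str
    blocked: bool


def parse_monitor(text: str) -> List[Record]:
    """Parse monitor lines. The header and any line that does not fit the
    nine-column layout are skipped; application names containing spaces would
    not survive this split-on-whitespace approach and are not handled."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[0].isdigit():
            continue
        records.append(Record(int(f[0]), f[1], f[2], f[3], f[4],
                              int(f[5]), int(f[6]), f[7], f[8] == "yes"))
    return records


def per_app_counts(records: List[Record]) -> Dict[str, Tuple[int, int]]:
    """(allowed, blocked) counts per application name."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r.app][1 if r.blocked else 0] += 1
    return {app: (c[0], c[1]) for app, c in counts.items()}


def mixed_verdicts(records: List[Record]) -> List[Tuple[str, str]]:
    """Endpoints (app, remote) that received both an allow and a block, the
    pattern several commenters in this thread report."""
    seen: Dict[Tuple[str, str], Set[bool]] = defaultdict(set)
    for r in records:
        seen[(r.app, r.remote)].add(r.blocked)
    return sorted(k for k, v in seen.items() if len(v) == 2)


def coalesce(records: List[Record]) -> List[Record]:
    """Approximate the Connecting Apps tab as described in the reply to
    comment 65: keep only the first record per (proto, direction, app,
    remote, blocked). The key TCPBlock really uses is not stated; this one
    is an assumption."""
    first: Dict[tuple, Record] = {}
    for r in records:
        first.setdefault((r.proto, r.direction, r.app, r.remote, r.blocked), r)
    return list(first.values())


if __name__ == "__main__":
    recs = parse_monitor(SAMPLE)
    print(per_app_counts(recs))
    print(mixed_verdicts(recs))
    print(len(recs), "monitor lines,", len(coalesce(recs)), "after coalescing")
```

    Feeding real `tcpblock -mt` output through `parse_monitor` instead of `SAMPLE` gives the same three views; the time-stamp column that `-t` adds would have to be accounted for in the column count.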

  67. depressed says:

    Another thing.
    When you leave the tcpblock application open for the night and in the morning try to use some app, it does not work correctly.

    For example, FileZilla is in the allowed list but the subapp fzsftp is added without hash check (empty string) and because of that it does not work. Even if “hash check” is checked and even when you manually click on rehash. It works only when you re-activate tcpblock.

    My guess is that the password for using tcpblock has timed out, but the thing is that no warning is given for it.

    • depressed says:

      I would suggest to rename 4.2 version as beta, since it is not well tested and behaves strange. ;) Waiting for a bugfix. Switched back to v3.0.

  68. Jason says:

    Just leaving a comment to say, keep up the great work, it’s a great app, and works very well with 10.9.2 :)

  69. Jiri says:

    I wonder. Can TCPBlock generally allow connections AND allow a specific Application only a specific connection and block any other of its connections?

    For example: (the application APP can connect to the localhost [127.0.0.1] on any port AND is blocked on anything else) AND (all other applications are not limited at all).

  70. OttoB says:

    Minor HASH AND FILTERING BUG?

    Generally great SW. I recommend.

    I think it is unable to hash com.xxx… as I think these are not exactly applications. I use avast free antivirus. Turning on hash check will block com.avast.proxy. Re hashing will not help.

    I have allowed com.avast.proxy on the white list, yet attempts from com.avast.proxy to connect get blocked in such a fashion that the first one is allowed and the second denied. If I remove the check box of Enabled (disabling TCPBlock) this behavior disappears.

    TCP out 54.225.237.4:80 com.avast.proxy no
    TCP in 127.0.0.1:50588 com.avast.proxy no
    TCP in 127.0.0.1:50588 com.avast.proxy yes
    TCP in 127.0.0.1:50590 com.avast.proxy no
    TCP in 127.0.0.1:50591 com.avast.proxy no
    TCP in 127.0.0.1:50590 com.avast.proxy yes
    TCP in 127.0.0.1:50591 com.avast.proxy yes

    /etc/tcpblock.conf
    tbEnabled:1
    tbBlockAllOut:0
    tbWhiteList:1
    tbLogLevel:1
    tbBlockIncon:1
    tbCheckHash:0
    tbAddApp:firefox/*/*/35ca359364445dc068729c94d59b89cf907edde3/Applications/Firefox.app/Contents/MacOS/firefox
    tbAddApp:configd/*/67/0299d0813e6ec68e96a1ebf934ef3dc52ea40994/usr/libexec/configd
    tbAddApp:mDNSResponder/*/53/72ddfba34752e04f94879addd350decc350d5329/usr/sbin/mDNSResponder
    tbAddApp:"com.avast.proxy/*/*//Library/Application Support/Avast/components/proxy/com.avast.proxy"
    tbAddApp:*/127.0.0.1/*//

    OSX inbuilt firewall on.

    • OttoB says:

      OK, the problem with the blocking of com.avast.proxy to 127.0.0.1 seems to have been resolved by whitelisting kernel_task. My settings now:
      kernel_task/*/*//
      mDNSResponder/*/53/72ddfba34752e04f94879addd350decc350d5329/usr/sbin/mDNSResponder
      configd/*/67/0299d0813e6ec68e96a1ebf934ef3dc52ea40994/usr/libexec/configd
      firefox/*/*/35ca359364445dc068729c94d59b89cf907edde3/Applications/Firefox.app/Contents/MacOS/firefox
      com.avast.proxy/*/*//Library/Application Support/Avast/components/proxy/com.avast.proxy

  71. kyan says:

    Hello,

    Thank you for the great app.

    I’m trying TCPBlock on OS 10.10 preview (Yosemite), but I have this error:

    > sudo /usr/local/bin/tcpblocknke
    Password:
    /System/Library/Extensions/tcpblocknke.kext failed to load – (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).
    2014-06-08 15:57:57.742 tcpblock[827:15127] ioctl CTLIOCGINFO: No such file or directory
    connection to the tcpblock kernel extension failed

    When I try kextutil to have more logs, I get this:

    > sudo kextutil /System/Library/Extensions/tcpblocknke.kext
    Diagnostics for /System/Library/Extensions/tcpblocknke.kext:
    Code Signing Failure: not code signed
    ERROR: invalid signature for com.delantis.kext.tcpblocknke, will not load

    • Jo Delantis says:

      Hmmm… Obtaining an Apple code signing certificate requires a paid Apple developer membership, which I do not have because of the costs. Right now I can not solve this error. Maybe there is an OS setting to allow unsigned kexts.

  72. kyan says:

    I found this work around…

    In Developer Preview 1 unsigned or improperly signed kexts will not be loaded. To use unsigned kexts during development, this strict check can be disabled by adding a “kext-dev-mode=1” boot arg.

    https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.10/index.html

  73. Torsten says:

    Hm. At least the latest version seems to be pretty broken. I had the helper app being started twice. Logging slider is getting ignored. In fact – it seems that even via command line there is no dice in configuring it.

  74. Torsten says:

    Feature requests would be: profiles (or at least turning individual apps/rules on off). Plus port lists as opposed to just ranges.

  75. boocramp says:

    I can’t get tcpblock 4.2 to work after I used CleanMyMac: it does not block any application I put in the application list. If I block everything it works, but not by choosing an application! Any help is appreciated!!!

  76. tcurdt says:

    Since 4.2 is still broken can anyone confirm 2.10 to be working on 10.9?

  77. Will TCPBlock be compatible with OSX Yosemite?

  78. Dani says:

    OSX 10.9.3

    I am trying to find /var/log/system.log !

    Any idea where else it could be?
    Logging is turned on!

    It would be great to have a button to open the log in TextEdit.

    Also with notifications turned on the popup should have a button to allow or block the connection.

    Keep it up, THANKS…

  79. Dudikus says:

    To make it work on Yosemite you need to enter the command below into the console and reboot:

    sudo nvram boot-args="kext-dev-mode=1"

  80. Ebvin says:

    I have been using TCPBlock for a few months now and I like it. However, some aspects make it unnecessarily complicated to use. I want to suggest some improvements:

    – Logging block-events to kernel.log has several drawbacks:
    1. it makes checking the list of blocked programs complicated, especially for normal users who don’t have read permission for kernel.log. (You don’t want to have the TCPBlock preference pane open all the time).
    2. it clutters kernel.log.
    3. it is not easy to clean up, in case you want to delete the list of blocked programs.
    I would suggest that TCPB logs to its own log file, “tcpblock.log” or similar, which should be readable for all users.

    – The Connecting Apps window and tcpblock -m don’t show the app’s path. How can you tell which binary has just been blocked if you have multiple versions of a program installed (e.g. one from OS X, one from MacPorts)?

    – If a program is in the Application List on a volume which is not mounted and one clicks on Rehash, the hash code is removed from the entry (without warning). When the volume is mounted again, and Rehash is clicked again, the hash field is NOT updated but stays empty.

    – entries in the Application List should be editable after their creation.

    – it should be possible to define a list of allowed ports and IP addresses for one program.

    – as others have noted: some programs are blocked even if they are on the whitelist. The only way to let such a program communicate is to disable TCPBlock temporarily, which is bad, because it is against the idea of an application firewall. In my case /usr/bin/rsync remains blocked. Rehashing rsync doesn’t help. The hash value of rsync in /etc/tcpblock.conf is identical to shasum /usr/bin/rsync. I also have /opt/local/bin/rsync from MacPorts installed, which could be the reason (both rsyncs remain blocked, even though I have a TCPBlock whitelist entry for both of them!). The effect is that I cannot update MacPorts without disabling TCPBlock.

    – the Application List window needs a better UI. Just showing the raw text of /etc/tcpblock.conf is quite Mac-unlike and hard to read. The whitelist is not even sortable, well…

    – Please, make TCPBlock open source! More people could look for bugs and security holes and help developing it further. Also this prevents the project from dying if one day TCPBlock is incompatible with future OS versions and the original author stops developing it.
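
    A small offline audit of the tbAddApp entry format, as an added example that is not TCPBlock’s own code. The `name/ip/port/hash/path` layout is inferred from the /etc/tcpblock.conf lines quoted in comment 70, and the hash is treated as SHA-1 because comment 80 says the stored value matches `shasum`; both are assumptions. It flags the two conditions raised in this thread, an entry whose hash field is empty (comment 67) and an entry whose file is absent or no longer matches its recorded hash (comment 80), against a constructed config that points at a temporary file:

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed entry layout, inferred from the tbAddApp lines quoted in comments 70
# and 80 (not taken from TCPBlock documentation):
#   tbAddApp:<name>/<ip or *>/<port or *>/<sha1 or empty>/<absolute path or empty>
# The path field begins with "/", which is why an empty hash appears as "//".
# Comment 80 reports the stored hash equals `shasum <file>`, i.e. SHA-1.


@dataclass
class AppEntry:
    name: str
    ip: str
    port: str
    digest: str
    path: str


def parse_conf(text: str) -> Tuple[Dict[str, str], List[AppEntry]]:
    """Split tcpblock.conf-style text into key:value settings and app entries."""
    settings: Dict[str, str] = {}
    apps: List[AppEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key != "tbAddApp":
            settings[key] = value
            continue
        # Comment 70 shows an entry wrapped in quotes because its path has a space.
        value = value.strip('"\u201c\u201d')
        parts = value.split("/", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed tbAddApp entry: {raw!r}")
        name, ip, port, digest, rest = parts
        apps.append(AppEntry(name, ip, port, digest, "/" + rest if rest else ""))
    return settings, apps


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, the value `shasum` prints by default."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(settings: Dict[str, str], apps: List[AppEntry]) -> List[Tuple[str, str]]:
    """Classify each entry as ok, mismatch, unhashed, missing or wildcard."""
    check_hash = settings.get("tbCheckHash") == "1"
    report = []
    for app in apps:
        if not app.path:
            report.append((app.name, "wildcard"))
        elif not os.path.isfile(app.path):
            # Comment 80: rehashing an entry on an unmounted volume empties its hash.
            report.append((app.name, "missing"))
        elif not app.digest:
            # Comment 67: an entry with an empty hash stops working once hash check is on.
            report.append((app.name, "unhashed" if check_hash else "unhashed-ignored"))
        elif sha1_of_file(app.path) == app.digest:
            report.append((app.name, "ok"))
        else:
            report.append((app.name, "mismatch"))
    return report


def demo() -> List[Tuple[str, str]]:
    """Run the audit against a constructed config that points at a temporary file."""
    with tempfile.TemporaryDirectory() as d:
        binpath = os.path.join(d, "fakeapp")
        with open(binpath, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample binary\n")
        good = sha1_of_file(binpath)
        conf = (
            "tbEnabled:1\n"
            "tbWhiteList:1\n"
            "tbCheckHash:1\n"
            f"tbAddApp:fakeapp/*/*/{good}{binpath}\n"    # correct hash
            f"tbAddApp:stale/*/*/{'0' * 40}{binpath}\n"  # hash no longer matches
            f"tbAddApp:fzsftp/*/*/{binpath}\n"           # empty hash field ("//")
            f"tbAddApp:gone/*/*/{d}/not-there\n"         # path does not exist
            "tbAddApp:*/127.0.0.1/*//\n"                 # wildcard entry, no path
        )
        settings, apps = parse_conf(conf)
        return audit(settings, apps)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name:12} {status}")
```

    Pointing `parse_conf` at the contents of a real /etc/tcpblock.conf gives the same report for the installed entries; a "mismatch" there means the binary on disk differs from what was hashed, which is exactly the case hash checking is meant to catch, while "unhashed" marks the entries that will not pass once tbCheckHash is 1.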

  81. Otto says:

    Thanks for developing this, it works great for me.

    One little issue, I’ve unchecked ‘Block incoming connections’ in TCPBlock system preferences, but I still get notifications about them in notification center. And I still see entries under ‘Connecting Apps’ that say TCP in – Blocked: yes.

    Is this the expected behavior?

  82. Ralph says:

    TCPBlock Timing – a major issue with its core functionality?
    Under Mavericks 10.9 (MBP with fast SSD), enabling Hash checking and adding an app to the white list will sometimes let the app communicate, sometimes not.
    I have read in the documentation that
    a) tcpblockd handles the hash checking and
    b) the process works asynchronously,
    so I’d suggest that the kernel tries to run the app before tcpblockd has had a chance to verify the app binary’s checksum, sometimes resulting in a block where in fact the app should have been allowed. Please have a look into this. Thank you.
