
PureSnitch — open-source macOS application firewall


See what your Mac is talking to. Block what you don't trust.
Free, open-source application firewall for macOS. No subscription, no telemetry, no upsell.

macOS 14.0+ · Swift 5.10 · Notarized · MIT License



Install

brew tap momenbasel/puresnitch
brew install --cask puresnitch

Or download the signed, notarized .dmg from Releases and drag PureSnitch into /Applications. No Gatekeeper warnings, no quarantine workaround.

First launch will ask you to approve the privileged helper in System Settings → General → Login Items & Extensions → Allow in Background.

Build from source

brew install xcodegen
git clone https://github.com/momenbasel/puresnitch.git
cd puresnitch
xcodegen generate
xcodebuild -project PureSnitch.xcodeproj -scheme PureSnitch -configuration Release \
  -derivedDataPath build build
open build/Build/Products/Release/PureSnitch.app

Why this exists

Little Snitch is the gold standard for application firewalls on macOS. It costs $59 per machine. LuLu is free and excellent at the per-process kernel level, but the rules manager is spartan and there is no world map, no traffic graph, no built-in blocklist library. The macOS built-in firewall blocks inbound — it does nothing for outbound traffic.

So most Mac users sit between three choices: pay $59, accept a barebones UI, or have no visibility into what their machine talks to at all.

PureSnitch is the fourth choice:

  • Same UI pattern as Little Snitch 6. Menubar status item, world map, rules manager, connection alert popups. If you've used LS you already know how to use this.
  • Free under MIT. Read the code, fork it, audit it. The matcher, the DNS proxy, the pf integration — all open.
  • No telemetry. No analytics SDKs. No crash reporters phoning home. No "anonymous usage" pings. The only outbound traffic from PureSnitch itself is your DNS queries going to the DoH resolver you chose, and (toggle-able) ip-api.com for the world map.
  • Built like a Mac app, not a port. Native SwiftUI for the windows, real NSStatusItem for the menubar, SMAppService for the privileged helper, XPC over a Mach service for the GUI ↔ daemon bridge.
  • Signed + notarized by Apple. No "developer cannot be verified" wall.

What PureSnitch is honest about: per-process kernel filtering is the one feature gated behind Apple's com.apple.developer.networking.networkextension entitlement. The hook points exist in Sources/NetExt/ but are dormant in the codebase. Until Apple grants the entitlement, PureSnitch blocks at the DNS level and at the packet level (pfctl), which in practice catches everything that resolves a hostname, i.e. nearly everything that is not hardcoded-IP malware. LuLu has the entitlement today and is the right choice if per-process kernel filtering is a hard requirement for you right now.

What it does

Network Monitor

A live world map of every active connection your Mac is making, with a per-process bandwidth sidebar and a summary pane that ranks the top processes, domains and countries by traffic volume. Sort, filter and click into any process to see exactly which hosts it talked to in the last five minutes.

Rules Manager

The full rules UI you'd expect from a Little Snitch-style firewall — All Rules, Active, Deny, Temporary, Unapproved categories, Rule Groups, Blocklists in the sidebar. Each rule shows process, allow/deny chip, priority, hit count. Search across every field. Glob hostnames, CIDR ranges, port-specific rules, time-bounded rules with expiry.

Connection Alerts

Default-deny mode pops a clean alert on every new outbound connection: "Allow / Deny", "remember this", scope (this process / this domain / this IP / this port), duration (5 min / 1 hr / forever). Three modes total — Alert, Silent Allow, Silent Deny — switchable from the menubar.

DNS over HTTPS

Built-in DoH client to Cloudflare, Quad9, Google, or any DoH endpoint you point it at. Domain-level blocking runs through a local DNS proxy on 127.0.0.1:53, so every getaddrinfo your apps make passes through PureSnitch before leaving the machine.

Blocklist Library

1Hosts, OISD, StevenBlack, HaGeZi out of the box. Subscribe, refresh on a schedule, audit which entries are matching. Bring your own list URLs too.

Packet-Level Blocking

A puresnitch anchor in pfctl for IP, CIDR and port blocking at the kernel — works regardless of which process initiated the connection.

Profiles

Default, Home, Public Wi-Fi, Lockdown. Different rule sets active on different networks. Switches automatically when the SSID changes.

Menubar Status Item

Live up/down throughput, five-minute traffic graph, recent activity stream, denied-count badge, one-click mode picker.

How it works

                    ┌─────────────────────────────────────┐
                    │            PureSnitch.app           │
                    │  ┌────────────────────────────────┐ │
                    │  │  SwiftUI GUI                   │ │
                    │  │  - Menubar status item         │ │
                    │  │  - Network Monitor window      │ │
                    │  │  - Rules Manager window        │ │
                    │  │  - Connection Alert popups     │ │
                    │  └──────────┬─────────────────────┘ │
                    │             │ XPC (Mach service)    │
                    │  ┌──────────▼─────────────────────┐ │
                    │  │  PureSnitchHelper (root daemon)│ │
                    │  │  - pfctl anchor manager        │ │
                    │  │  - DNS proxy (UDP/TCP :53)     │ │
                    │  │  - DoH upstream (Cloudflare)   │ │
                    │  │  - Blocklist fetch + parse     │ │
                    │  │  - nettop + lsof stream parser │ │
                    │  │  - SQLite rule store           │ │
                    │  └────────────────────────────────┘ │
                    └────────────────┬────────────────────┘
                                     │
                ┌────────────────────┼────────────────────┐
                │            macOS networking            │
                │   pfctl  ·  DNS  ·  bpf  ·  ess  ·  …  │
                └─────────────────────────────────────────┘

Three things move bytes:

  1. DNS interception — A local DNS proxy on 127.0.0.1:53 answers every query. Blocklisted domains return NXDOMAIN; everything else forwards over DoH to the resolver of your choice.
  2. pfctl anchor — A puresnitch anchor in /etc/pf.conf carries block-rules for IPs, CIDR ranges and ports. Kernel-level.
  3. Process and connection observability — nettop -P -L 0 -x -J bytes_in,bytes_out is parsed continuously for per-process bandwidth. lsof -i -n -P -F pcnT snapshots active connections every two seconds. Both feed the GUI's process list, world map and traffic graph.
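The DNS interception step and the blocklist library above, as an added example in Python. This is not PureSnitch's code (the real proxy is Swift inside the helper); it shows the mechanics: parse a hosts-format list (the format StevenBlack publishes), decode a raw DNS query from the wire, and answer NXDOMAIN when the name or any parent domain is listed, handing everything else to a forwarder callback that stands in for the DoH upstream. The blocklist excerpt, domain names and transaction ids are constructed for the example.

```python
"""Added example of the DNS interception step in Python; it is not PureSnitch's code.
It parses a hosts-format blocklist, decodes a raw DNS query, and answers NXDOMAIN
when the name or any parent domain is listed; everything else goes to a forwarder
callback (the DoH upstream in PureSnitch). All sample data below is constructed."""
import struct

# Constructed hosts-format excerpt: "0.0.0.0 <domain>" lines, comments, blanks.
BLOCKLIST_TEXT = """\
# Title: constructed sample list
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 telemetry.example-vendor.test   # trailing comment
"""

RCODE_NXDOMAIN = 3


def parse_hosts_blocklist(text: str) -> set[str]:
    """Collect domains mapped to 0.0.0.0/127.0.0.1, skipping the localhost
    entries every hosts file carries so they are not treated as block rules."""
    blocked = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in ("localhost", "localhost.localdomain", "broadcasthost"):
                blocked.add(name)
    return blocked


def is_blocked(qname: str, blocked: set[str]) -> bool:
    """A listed domain also covers its subdomains: cdn.ads.x matches ads.x."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def parse_query(packet: bytes) -> tuple[int, str, int]:
    """Decode a single-question query; return (id, qname, end offset of the
    question section). Compression pointers are not legal in a question name."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while (length := packet[pos]) != 0:
        pos += 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return txid, ".".join(labels), pos + 1 + 4  # zero label byte + QTYPE + QCLASS


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Encode a recursive (RD=1) query for qname; used to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def build_nxdomain(query: bytes, question_end: int) -> bytes:
    """Echo the question with QR=1, RA=1, RD copied, RCODE=3 and no records."""
    txid, flags = struct.unpack("!HH", query[:4])
    resp_flags = 0x8000 | 0x0080 | (flags & 0x0100) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:question_end]


def rcode(packet: bytes) -> int:
    """Low four bits of the flags word: 0 NOERROR, 3 NXDOMAIN."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def handle_query(packet: bytes, blocked: set[str], forward) -> bytes:
    """The proxy decision: NXDOMAIN for listed names, otherwise forward upstream."""
    _, qname, question_end = parse_query(packet)
    if is_blocked(qname, blocked):
        return build_nxdomain(packet, question_end)
    return forward(packet)


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(BLOCKLIST_TEXT)
    q = build_query(0x1234, "cdn.ads.example-tracker.test")
    print(rcode(handle_query(q, blocked, lambda p: p)))  # 3
```

Two details matter for a real proxy: the question section is copied verbatim up to its computed end, so an EDNS OPT record in the query is not echoed under a header that claims zero additional records, and the subdomain walk means one list entry for a tracker apex covers every host beneath it.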

Anatomy of a rule

Rule(
    processBundleId: "com.example.app"   // optional
    processPath:     "/Applications/Example.app/…"
    remoteHost:      "*.tracker.com"     // glob
    remoteIP:        "1.2.3.0/24"        // CIDR
    remotePort:      443
    direction:       outgoing | incoming | any
    action:          allow | deny | ask
    scope:           process | domain | ip | port | any
    priority:        100
    profile:         "default"
    temporary:       false
    expiresAt:       Date?
)

The matcher walks enabled rules in priority order (DESC) and applies the first match. No match → fall back to the active mode (alert, silentAllow, silentDeny).
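The matcher semantics just described, as an added example in Python; it is not PureSnitch's matcher (which lives in Sources/Shared/ and is Swift). Rules carry the fields from "Anatomy of a rule"; the matcher walks enabled, unexpired rules for the active profile in descending priority and returns the first match, otherwise the decision implied by the active mode. The sample rules, the connection tuple, the mode-to-decision mapping and the fixed clock are constructed for the example.

```python
"""Added example of the matcher semantics, in Python; not PureSnitch's code.
Rule and Connection fields mirror 'Anatomy of a rule'; sample values constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
import ipaddress
from typing import Optional

# Decision when no rule matches, per active mode (mapping assumed for the example).
MODE_FALLBACK = {"alert": "ask", "silentAllow": "allow", "silentDeny": "deny"}
FIXED_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Connection:
    process_bundle_id: Optional[str]
    process_path: str
    remote_host: Optional[str]   # None when the app connected by literal IP
    remote_ip: str
    remote_port: int
    direction: str               # "outgoing" | "incoming"


@dataclass
class Rule:
    action: str                          # allow | deny | ask
    priority: int = 0
    process_bundle_id: Optional[str] = None
    process_path: Optional[str] = None
    remote_host: Optional[str] = None    # glob such as "*.tracker.com"
    remote_ip: Optional[str] = None      # single IP or CIDR
    remote_port: Optional[int] = None
    direction: str = "any"               # outgoing | incoming | any
    profile: str = "default"
    enabled: bool = True
    temporary: bool = False
    expires_at: Optional[datetime] = None
    hit_count: int = 0


def rule_matches(rule: Rule, conn: Connection, now: datetime) -> bool:
    """Every field a rule sets must match; unset fields (None / "any") match all."""
    if not rule.enabled:
        return False
    if rule.temporary and rule.expires_at is not None and rule.expires_at <= now:
        return False                      # expired temporary rule is ignored
    if rule.process_bundle_id is not None and rule.process_bundle_id != conn.process_bundle_id:
        return False
    if rule.process_path is not None and rule.process_path != conn.process_path:
        return False
    if rule.remote_host is not None:
        # A literal-IP connection has no hostname, so hostname rules cannot match it.
        if conn.remote_host is None:
            return False
        if not fnmatchcase(conn.remote_host.lower(), rule.remote_host.lower()):
            return False
    if rule.remote_ip is not None:
        net = ipaddress.ip_network(rule.remote_ip, strict=False)
        if ipaddress.ip_address(conn.remote_ip) not in net:
            return False
    if rule.remote_port is not None and rule.remote_port != conn.remote_port:
        return False
    if rule.direction != "any" and rule.direction != conn.direction:
        return False
    return True


def decide(rules, conn, mode, profile="default", now=None):
    """First match in priority-DESC order wins; sorted() is stable, so rules of
    equal priority keep their stored order. Returns (action, matched rule or None)."""
    now = now or datetime.now(timezone.utc)
    candidates = sorted((r for r in rules if r.profile == profile),
                        key=lambda r: r.priority, reverse=True)
    for rule in candidates:
        if rule_matches(rule, conn, now):
            rule.hit_count += 1
            return rule.action, rule
    return MODE_FALLBACK[mode], None


def sample_rules() -> list:
    """Constructed rule set: a per-app allow on 443, a higher-priority tracker deny,
    and a temporary allow that has already expired at FIXED_NOW."""
    return [
        Rule("allow", 50, process_bundle_id="com.example.app", remote_port=443, direction="outgoing"),
        Rule("deny", 100, remote_host="*.tracker.test"),
        Rule("allow", 200, remote_ip="198.51.100.0/24", temporary=True,
             expires_at=FIXED_NOW - timedelta(minutes=5)),
    ]


if __name__ == "__main__":
    conn = Connection("com.example.app", "/Applications/Example.app/Contents/MacOS/Example",
                      "ads.tracker.test", "198.51.100.9", 443, "outgoing")
    print(decide(sample_rules(), conn, "alert", now=FIXED_NOW)[0])  # deny
```

The sample connection shows the two rules of the walk that matter in practice: the expired temporary allow at priority 200 is skipped even though its CIDR matches, and the priority-100 deny wins over the priority-50 allow that also matches, which is why hit counts on low-priority allows can stay at zero for traffic the user expected them to cover.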

Permissions

PureSnitch needs to install a small privileged helper at first launch in order to:

  • write pfctl rules to /etc/pf.anchors/puresnitch
  • bind 127.0.0.1:53 for the local DNS proxy
  • read per-process connection state via nettop and lsof

The helper is installed via SMAppService.daemon, the modern replacement for SMJobBless. macOS will surface it in System Settings → General → Login Items & Extensions as a service you can enable, disable or remove with a single switch. PureSnitch never asks for your password during normal operation; the helper handles privileged calls on its own through XPC.
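How the helper's pfctl write can stay scoped to the one anchor named above, as an added example in Python; it is not PureSnitch's code. It renders the deny rules that carry an IP, CIDR or port into the anchor file, emits the two lines /etc/pf.conf needs to load that anchor, and gives the pfctl invocation that reloads only the anchor. Anchor name and path are the ones this README gives; the rule dicts are constructed, and hostname-only rules are skipped because pf matches addresses, not names (those are the DNS proxy's job).

```python
"""Added example in Python of rendering deny rules into the single pf anchor the
helper owns; it is not PureSnitch's code. Anchor name and path follow the README;
the rule dicts below are constructed."""
import ipaddress

ANCHOR_NAME = "puresnitch"
ANCHOR_PATH = "/etc/pf.anchors/puresnitch"

# The only two lines the main /etc/pf.conf needs; every PureSnitch rule lives in
# the anchor file, so reloading the anchor never rewrites the rest of the config.
PF_CONF_HOOK = f'anchor "{ANCHOR_NAME}"\nload anchor "{ANCHOR_NAME}" from "{ANCHOR_PATH}"\n'

# Constructed rules using the field names from 'Anatomy of a rule'.
SAMPLE_DENY_RULES = [
    {"action": "deny", "remoteIP": "1.2.3.0/24", "remotePort": 443},
    {"action": "deny", "remoteIP": "203.0.113.7"},
    {"action": "deny", "remotePort": 853},                          # DNS over TLS, any host
    {"action": "deny", "remoteHost": "*.tracker.test"},             # DNS-level only
    {"action": "allow", "remoteIP": "198.51.100.1"},                # allows are not rendered
    {"action": "deny", "remoteIP": "1.2.3.5/24", "remotePort": 443},  # same /24, de-duplicated
]


def pf_block_line(remote_ip=None, remote_port=None) -> str:
    """Render one 'block drop out quick' rule. The address is normalised through
    ipaddress so a malformed value fails here rather than inside pfctl -f.
    Port rules cover both tcp and udp because the rule model has no protocol field."""
    if remote_ip is None and remote_port is None:
        raise ValueError("pf needs an address or a port; hostname rules belong to the DNS proxy")
    parts = ["block", "drop", "out", "quick"]
    if remote_port is not None:
        if not 1 <= int(remote_port) <= 65535:
            raise ValueError(f"port out of range: {remote_port}")
        parts += ["proto", "{", "tcp", "udp", "}"]
    dest = "any"
    if remote_ip is not None:
        net = ipaddress.ip_network(remote_ip, strict=False)
        dest = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
    parts += ["from", "any", "to", dest]
    if remote_port is not None:
        parts += ["port", "=", str(remote_port)]
    return " ".join(parts)


def render_anchor(rules) -> tuple[str, int]:
    """Anchor file body for all expressible deny rules, de-duplicated in order.
    Returns (text, number of deny rules skipped because they had no IP/port)."""
    lines = [f"# managed by {ANCHOR_NAME}; do not edit by hand"]
    seen, skipped = set(), 0
    for rule in rules:
        if rule.get("action") != "deny":
            continue
        if rule.get("remoteIP") is None and rule.get("remotePort") is None:
            skipped += 1
            continue
        line = pf_block_line(rule.get("remoteIP"), rule.get("remotePort"))
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return "\n".join(lines) + "\n", skipped


def reload_command() -> list:
    """pfctl invocation that replaces only this anchor's rule set from its file."""
    return ["pfctl", "-a", ANCHOR_NAME, "-f", ANCHOR_PATH]


if __name__ == "__main__":
    text, skipped = render_anchor(SAMPLE_DENY_RULES)
    print(PF_CONF_HOOK + text + f"# skipped {skipped} hostname-only rule(s)")
```

The skipped count is worth surfacing in a UI: a deny rule with only a remoteHost is enforced by the DNS proxy, not by pf, so an app that resolves the name elsewhere or connects to a cached IP is not covered by the anchor. That is the gap the README's "hardcoded-IP malware" caveat refers to.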

What PureSnitch does not do:

  • It does not collect telemetry, crash reports, or usage analytics.
  • It does not require an account, license check, or any kind of identity.
  • It does not move data anywhere except the DoH resolver you pick and (optionally, toggle-able) ip-api.com for the world map.
  • It does not modify your system DNS settings until you flip the "use PureSnitch as system DNS" switch in Settings.

Screenshots

Network Monitor · Rules Manager

Comparison

PureSnitch Little Snitch LuLu macOS Firewall
License MIT, open source Commercial, $59 GPL, open source Apple, closed
Price Free $59 / Mac Free Bundled
World map / traffic graph
Rules manager (LS-style) basic
DNS proxy + DoH
Domain blocklists out of the box ✅ (1Hosts, OISD, StevenBlack, HaGeZi)
pf-based IP/CIDR blocking n/a basic
Per-process kernel filtering gated (NE entitlement)
Outbound blocking
Inbound blocking
Telemetry none none none n/a
Auditable source yes no yes no

If per-process kernel filtering matters to you today, use LuLu — it's free, open source and has the Network Extension entitlement. If you want the Little Snitch UI without paying $59, that is what PureSnitch is for.

Roadmap

  • v0.1.0 — Signed + notarized release. DNS-level + pfctl-level firewall. Full Little Snitch-style UI.
  • v0.2.0 — System Extension path (NEFilterDataProvider) for per-process kernel filtering. Requires Apple's com.apple.developer.networking.networkextension entitlement.
  • v0.3.0 — Internet Access Policy (.lsiap) file support, on par with Little Snitch's IAP feature. Other firewalls can read the same file.
  • v0.4.0 — iCloud sync of rule sets between Macs.
  • v0.5.0 — Endpoint Security Framework integration for process-event awareness.

FAQ

Is this a Little Snitch clone? It is an independent open-source alternative with a deliberately similar user interface. The blocking engine, the DNS proxy, the matcher — all written from scratch. No Little Snitch source, assets or proprietary plist formats are used. "Little Snitch" is a registered trademark of Objective Development Software GmbH; this project is not affiliated with or endorsed by Objective Development.

Does PureSnitch send my traffic anywhere? No. Your DNS queries leave only as far as the DoH upstream you pick (Cloudflare by default — override in Settings). PureSnitch itself has no telemetry, no analytics, no phone-home. IP→country lookups go to ip-api.com (free tier) and can be disabled.

Why isn't per-process blocking at parity with Little Snitch? Per-process blocking requires Apple's Network Extension entitlement, which is application-gated. The hook points exist in this codebase under Sources/NetExt/. The entitlement must be granted by Apple. Until then, blocking happens at DNS-level and packet-level (pfctl), which catches the overwhelming majority of unwanted traffic in practice — anything that resolves a hostname.

Will this run on Intel Macs? The release DMG is built arm64 only. To build for Intel, change ARCHS to arm64 x86_64 in project.yml and rebuild.

How is it different from LuLu? LuLu is excellent and has had the Network Extension entitlement for years. PureSnitch differs in: a Little Snitch-style UI (world map, traffic graph, mode picker), DoH out-of-the-box, an opinionated blocklist library, and a written-from-scratch rule engine. Try both; use whichever fits.

Does it work alongside Pi-hole / AdGuard Home / NextDNS? Yes. Point PureSnitch's DoH upstream at your own DoH endpoint and PureSnitch becomes a per-device enforcement layer on top of your network-wide blocker.

What about Tailscale, WireGuard, ProtonVPN? PureSnitch's pfctl rules apply at kernel level, so they work alongside VPN tunnels on utun* interfaces. The DNS proxy on 127.0.0.1:53 is intentionally a loopback bind, so it stays out of the way of VPN-pushed DNS unless you opt in via the "use PureSnitch as system DNS" toggle.

Project structure

puresnitch/
├── Sources/
│   ├── GUI/          # SwiftUI app (menubar, windows, alerts)
│   ├── Helper/       # Privileged daemon (pfctl, DNS proxy, nettop)
│   ├── NetExt/       # Network System Extension (dormant; needs Apple entitlement)
│   └── Shared/       # Rule model, SQLite store, XPC protocol, matcher
├── Resources/
│   └── Assets.xcassets/AppIcon.appiconset/
├── Scripts/
│   ├── make_icon.sh        # Generates app icon from Swift CoreGraphics
│   ├── sign_and_notarize.sh
│   └── make_dmg.sh
├── docs/                   # Screenshots, architecture, translations
├── .github/workflows/      # CI
├── project.yml             # XcodeGen project definition
├── README.md
└── LICENSE                 # MIT

Security

  • The privileged helper is installed via SMAppService.daemon, the modern replacement for SMJobBless. Trust boundary is the system Login Items & Extensions list.
  • The XPC interface is typed; the helper validates every request shape and refuses anything outside the declared protocol.
  • pfctl writes are scoped to a single anchor (puresnitch) so the rest of /etc/pf.conf is never touched.
  • The DNS proxy refuses queries from anything that isn't local loopback.
  • All destructive operations (purge rules, reset blocklists) require explicit confirmation by default.

If you find a security issue, please open a private security advisory rather than a public issue.

Contributing

Pull requests welcome. See CONTRIBUTING.md.

Especially welcome:

  • NEFilterDataProvider wiring for the dormant Sources/NetExt/ provider, if you have access to Apple's Network Extension entitlement
  • Internet Access Policy (.lsiap) parser and integration
  • Translations beyond English
  • Additional blocklist providers
  • XCTest coverage for the rule matcher and DNS proxy

Acknowledgments

License

MIT. See LICENSE. Use it, fork it, ship it under your own name if you want — the only thing the license asks is that the notice stays.
