Open leipert opened 7 years ago
Currently the rules are per process. It would be much more helpful if they were per process + destination (different rule for different port).
Yeah, something like Default Block *:* + Allow IP:Port per process/application would be nice. This would allow you, for example, to limit your e-mail program to your mail-servers to block all "efail" attacks and tracking-attempts etc.
Yeah, per port and/or per destination network rules would make a lot of sense.
Another vote for this. This feature is huge.
Voting for this as well, since it's kind of a deal breaker. Mostly for the same reason as @leipert: blocking access to Analytics or Crashlytics should not prevent the process from talking to other APIs.
I came here just for this reason. LuLu is good so far, but adding this feature would really make it awesome.
This would be awesome!
This would be an awesome addition! Hope someone who is more networking savvy than myself would have the time to do a PR.
+1
+1
Waiting for this feature too!
It would be super cool to control which applications have access to specific addresses.
👍 🌳
Please add this!
+1, this feature is a must for any firewall :)
Can't wait!
+1, it's the only feature that keeps me from using LuLu as my main firewall!
> +1, it's the only feature that keeps me from using LuLu as my main firewall!
What are you using as main firewall? I was very happy with LuLu but now I have a use case that needs this feature, I need to use another firewall! :( :( :( :(
+1
+1
+1
+1
I'm wondering what's the status on this. Do you plan on implementing this in near future?
In the meantime I decided to try another firewall... :( I really hope that this feature will come in the future to switch back.
This is a really important request and I now have a use case: It's a VNC client that I want to green-light for LAN connections but not on the Internet, where it could cross unwanted boundaries and 'phone home' where it has no business doing so.
I'm sad LuLu has not added this, despite 3 years of strong community request for it.
Do not get it, why after 3 years it is still not implemented, this is a basic need. Going to find another firewall then...
Aloha, I just pushed LuLu 2.0.0 (beta!) Amongst other things, supports multiple rules per process (finally!)
(notarized) Download: https://bitbucket.org/objective-see/deploy/downloads/LuLu_2.0.0_BETA.zip
Would love any beta-testers/feedback! Bugs? → https://github.com/objective-see/LuLu/issues
p.s. To view (log) output while testing, run the following from the Terminal:
log stream --level debug --predicate="subsystem='com.objective-see.lulu'"
This is just awesome: thank you!!! 🥳
> Aloha, I just pushed LuLu 2.0.0 (beta!)
sounds and looks good!
However, I would prefer radio-buttons instead of the drop-down-menu. Is faster and easier to use. And it has the place on the window. Even if you would offer a complete list of all possibilities, meaning something like this:
Are there any more useful options? I think this corresponds to the most important wishes of all... ok, a slider for the CIDR or a drop-down-menu... 😇
the more granular rule-set like this is on my wish list... thanks a lot for rethinking
+1 for allowing more options for rules. Ex: I would like to whitelist all of [Zoom's IP addresses](https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom) to the specific process. The current options are very granular - either allow every IP Zoom connects to, or whitelist /80, /443 - neither of which are ideal.
+1 for Network Options. On the popup, the options can/should be limited - too many options in the image above. If users/admins need to refine the rules, they should be able to do that in the rules window of the app. The dialog should be limited to 2-3 options at most, because it is intrusive.
There should be an option to deploy rules to hosts. I.e. have the extension periodically check for a "new-rules.plist" file deployed by administrators. Alternatively, the new-rules file could be pulled remotely like the block list. I would like to see a preference to allow the existing rules to be overwritten by the deployed or remote ruleset, or merged into the existing rules.
It would be nice to allow for the new rules to be signed in some way - with the public key saved in the preference file so that only trusted rules would be loaded automatically.
I turned on Passive mode in LuLu firewall settings and it works fine for me.
> Aloha, I just pushed LuLu 2.0.0 (beta!) Amongst other things, supports multiple rules per process (finally!)
> p.s. To view (log) output while testing, run the following from the Terminal:
> log stream --level debug --predicate="subsystem='com.objective-see.lulu'"
Would you please elaborate on rule prioritisation, now that there are Process and Endpoint level rules?
For example, if I've blocked 10 endpoints for an application, and then I Allow the Process, do the prior Blocks get applied before the Allow (Process) rule is applied? If not, then all the other rules are made ineffective if a Process rule is added, so I am assuming there is rule prioritisation taking place, but would like to know for certain.
Thank you.
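The precedence question above, as an added example that is not part of the thread and is not LuLu's code: a small evaluator for per-process + destination rules with a default block. The thread does not say how LuLu orders process and endpoint rules, so the most-specific-wins ordering, the `Rule` fields, the application paths and the addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    process: str                   # executable path the rule belongs to
    action: str                    # "allow" or "block"
    network: Optional[str] = None  # CIDR; None = any address (process-level rule)
    port: Optional[int] = None     # None = any port

    def matches(self, process, ip, port):
        if self.process != process:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.network is None:
            return True
        # Containment is False when the IPv4/IPv6 versions differ
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)

    def specificity(self):
        # Assumed ordering: longer prefix, then explicit port, then block over allow
        prefix = -1 if self.network is None else ipaddress.ip_network(self.network).prefixlen
        return (prefix, self.port is not None, self.action == "block")

def decide(rules, process, ip, port, default="block"):
    """Most specific matching rule wins; no match falls back to the default."""
    matched = [r for r in rules if r.matches(process, ip, port)]
    return max(matched, key=Rule.specificity).action if matched else default

def decide_process_first(rules, process, ip, port, default="block"):
    """Contrast case: a process-level rule short-circuits every endpoint rule."""
    for r in rules:
        if r.process == process and r.network is None and r.port is None:
            return r.action
    return decide(rules, process, ip, port, default)

# Constructed sample rules (paths and addresses are placeholders)
RULES = [
    Rule("/Applications/VNCClient.app", "allow", "192.168.0.0/16", 5900),
    Rule("/Applications/Example.app", "block", "203.0.113.10/32", 443),
    Rule("/Applications/Example.app", "allow"),  # process-level allow
]

if __name__ == "__main__":
    for proc, ip, port in [("/Applications/VNCClient.app", "192.168.1.20", 5900),
                           ("/Applications/VNCClient.app", "198.51.100.7", 5900),
                           ("/Applications/Example.app", "203.0.113.10", 443)]:
        print(proc, ip, port, decide(RULES, proc, ip, port))
```

With these rules the endpoint block survives the later process-level allow under `decide`, while `decide_process_first` shows the outcome the comment is worried about, where the process rule makes the endpoint rules ineffective.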
I really would like more granular level of control over which IPs a process connects to. I definitely do not want a process to connect to any Tracking system, e.g. Google, while maintaining connections to the APIs of the process.