Firewalls, routing etc

In which years of study are needed to do basic things, and even then still probably wrongly

You need to route network traffic cleverly, e.g. for a VPN, a file-sync client or ssh, or for various kinds of server security.

Oh sweetie. If you are getting advice from me, you are royally fucked. I’m so sorry. I’m not the kind of person who knows about network stacks. Otherwise how would I have had time to do the other things for which you would read the blog?

Anyway, let’s discover this together.

TODO: difference between application and network firewalls.



IceFloor 2 is group based, like the old ServerAdmin firewall tool. Control filtering, bandwidth, logs, connections and custom PF configurations.

(No longer current for recent macOS)


macOS features one of the best network firewalls: PF (Packet Filter). It comes in an “under the hood” fashion, installed and disabled by default.

Murus’ purpose is to unleash its potential. With its easy and intuitive icons-based and drag&drop-based interface, visual layers of abstraction and a friendly view of the PF firewall it’s a lean and mean tool to protect your Mac and network.

Designed with ease of use in mind, yet full of advanced options and monitoring tools, Murus is perfect for everybody; from the average user to the experienced UNIX guru/system administrator and even for educational purposes.

Configure and start the PF firewall in one click using built-in presets, use Murus graphical ruleset editor design tool or write fully customized rulesets using the advanced rule editor.

Murus Pro includes Vallum, an application-layer firewall. This allows you to take full control of your Mac at both application and network level.


Application firewall, with emphasis on outgoing connections and a very nice UI/monitoring.

As soon as you’re connected to the Internet, applications can potentially send whatever they want to wherever they want. Most often they do this to your benefit. But sometimes, like in case of tracking software, trojans or other malware, they don’t.

But you don’t notice anything, because all of this happens invisibly under the hood.


So what’s the linux networking routing doo-dangle called? iptables. This is how you interact with the netfilter subsystem. How does it work? Fucked if I know; every time I touch it I break things because there are thousands of moving parts in a modern computer’s networking system.

There are a million firewalls for linux, but the one that n00bs like me seem to get recommended is ufw, the Uncomplicated Firewall, which is installed on Ubuntu by default.

opensnitch is an open-source port of Little Snitch. It has dicey reviews but looks much better than nothin’.

gufw is a friendly GUI for the network firewall ufw, which in turn provides a simpler front end to iptables. Gufw, AFAICT, doesn’t add much value in terms of visualizing your firewall, which would be the big win.

Do you need one? Yeah. Do you have one by default? No.
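A ufw baseline for the cases the post opened with (ssh, a VPN, a file-sync client), added here as an example and not taken from the post; the LAN range and the WireGuard and Syncthing ports are assumptions. It prints the rules first so you can read them before anything touches iptables.

```shell
#!/bin/sh
# Added example: a reviewable ufw baseline for an Ubuntu box running ssh,
# a WireGuard VPN and Syncthing. LAN range and ports are assumed values.
set -eu

LAN="192.168.1.0/24"   # assumed home LAN
WG_PORT=51820          # WireGuard's default UDP port (assumption)
SYNC_PORT=22000        # Syncthing's default sync port (assumption)

# Emit the ruleset as ufw commands, one per line, so it can be read
# (and tested) before it is applied. Everything inbound is denied unless
# listed; ssh is rate-limited rather than simply allowed.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit in 22/tcp comment 'ssh, rate-limited against brute force'
ufw allow in ${WG_PORT}/udp comment 'WireGuard'
ufw allow in from ${LAN} to any port ${SYNC_PORT} proto tcp comment 'Syncthing, LAN only'
ufw logging on
EOF
}

# Count the plan lines that open or rate-limit an inbound path: the
# number you want to stay small and be able to justify.
ufw_inbound_rule_count() {
    ufw_plan | grep -c -E '^ufw (allow|limit) in '
}

# Apply the plan. Refuses to run without ufw or root, so a dry run is harmless.
ufw_apply() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ufw_plan | while IFS= read -r cmd; do
        eval "$cmd"
    done
    ufw --force enable
    # Check what you actually got: ufw's own view, then the iptables
    # chain it generated from your rules.
    ufw status verbose
    iptables -S | grep '^-A ufw-user-input' || true
}

if [ "${1:-}" = "apply" ]; then
    ufw_apply
else
    ufw_plan
fi
```

Run it with no arguments to see the plan; run it as root with `apply` to install it and print the resulting ufw status and iptables chain.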

AppArmor, the preferred ACL system of ubuntu, is in effect an application firewall, in that it controls access to resources for processes, including network resources.