Open-source application firewall for macOS. Built in the same style as Little Snitch. Free. MIT-licensed. Zero telemetry.
Why this exists
- Little Snitch: Gold standard UI. World map, rules, alerts. $59 per Mac, every Mac.
- LuLu: Excellent per-process kernel filtering. Spartan UI. No map, no graph, no blocklists.
- macOS Firewall: Blocks inbound only. Outbound traffic walks right out the front door.
- PureSnitch: Little Snitch UI muscle memory. LuLu's price. Native SwiftUI, not a port. Signed and notarized by Apple. Source on GitHub, MIT, zero telemetry. Built because no one else had built it.
Features
Live map of every active connection. Sort by process, by domain, by country. Click any process to see its last five minutes of traffic.
All Rules, Active, Deny, Temporary, Unapproved categories. Glob hostnames, CIDR, port. Priority-ordered. Search every field.
Default-deny pops a clean popup. Allow / Deny. Remember. Scope: process / domain / IP / port. Duration: 5 min / 1 hr / forever.
Built-in DoH to Cloudflare, Quad9, Google, or any endpoint. Local DNS proxy on 127.0.0.1:53 — every getaddrinfo passes through.
1Hosts, OISD, StevenBlack, HaGeZi. Subscribe, refresh on schedule, audit matches. Bring your own list URLs too.
A puresnitch anchor in pfctl carries IP / CIDR / port rules. Kernel-level, regardless of which process initiated the connection.
Default, Home, Public Wi-Fi, Lockdown. Different rule sets per network. Switches automatically when the SSID changes.
Live up/down throughput. 5-minute traffic graph. Recent activity. Denied-count badge. One-click mode picker.
No analytics SDK. No crash reporter. No license check. Outbound is your DoH resolver + optional IP-to-country lookup (toggle-able).
How it works
PureSnitch is a SwiftUI app talking over XPC to a small privileged daemon. The daemon does the actual work.
A local DNS proxy on 127.0.0.1:53 answers every query. Blocklisted domains return NXDOMAIN; the rest forwards over DoH to the resolver you picked.
A puresnitch anchor in /etc/pf.conf carries IP, CIDR and port rules. Kernel-level enforcement, independent of which process started the connection.
nettop streams per-process bandwidth; lsof snapshots active connections every 2s. Both feed the GUI's process list, map and graphs.
```
┌─────────────────────────────────────────────────────────┐
│                     PureSnitch.app                      │
│  ┌───────────────────────────────────────────────────┐  │
│  │                    SwiftUI GUI                    │  │
│  │  · Menubar status item   · Network Monitor window │  │
│  │  · Rules Manager         · Connection Alert popups│  │
│  └────────────────────────┬──────────────────────────┘  │
│                           │ XPC (Mach service)          │
│  ┌────────────────────────▼──────────────────────────┐  │
│  │          PureSnitchHelper (root daemon)           │  │
│  │  · pfctl anchor   · DNS proxy    · DoH upstream   │  │
│  │  · blocklist sync · nettop/lsof  · SQLite store   │  │
│  └───────────────────────────────────────────────────┘  │
└────────────────────────────┬────────────────────────────┘
                             │
        ┌────────────────────▼────────────────────┐
        │            macOS networking             │
        │       pfctl · DNS · bpf · ess · …       │
        └─────────────────────────────────────────┘
```
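The blocklist-to-NXDOMAIN path of the DNS proxy described above, as an added Python example (not code from the PureSnitch project): a hosts-format blocklist is parsed, the question name is pulled out of a wire-format query, blocklisted names get a synthesized NXDOMAIN, and everything else is POSTed to the DoH upstream. The sample blocklist and query are constructed here; treating 0.0.0.0 entries as the blocked names, matching parent domains, and the DoH endpoint URL are assumptions, not PureSnitch's documented behaviour.

```python
import struct
import urllib.request
BLOCKLIST_TEXT = "127.0.0.1 localhost\n0.0.0.0 tracker.example\n0.0.0.0 ads.example  # comment\n"  # constructed sample, hosts format

def parse_hosts_blocklist(text):
    """Return the set of hostnames the list sinks to 0.0.0.0 (comments stripped)."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == "0.0.0.0":
            blocked.update(name.lower() for name in fields[1:])
    return blocked

def is_blocked(qname, blocked):
    """Match the name or any parent domain (sub.tracker.example -> tracker.example)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def build_query(name, ident=0x1234, qtype=1):
    """Wire-format DNS query with RD set and one question (used to construct input)."""
    packet = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", qtype, 1)

def qname_from_query(packet):
    """Return (first question name, offset just past the question section)."""
    labels, pos = [], 12  # skip the 12-byte header
    while (length := packet[pos]) != 0:
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("malformed question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower(), pos + 1 + 4  # terminator + QTYPE + QCLASS

def nxdomain_response(query):
    """RCODE 3 reply echoing the query ID and question; QR=1, RA=1, RD copied from the query."""
    _, qend = qname_from_query(query)
    flags = 0x8000 | ((query[2] & 0x01) << 8) | 0x0080 | 0x0003
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:qend]

def forward_doh(query, endpoint):
    """POST the raw query to a DoH endpoint (RFC 8484, application/dns-message)."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    with urllib.request.urlopen(urllib.request.Request(endpoint, data=query, headers=hdrs), timeout=5) as r:
        return r.read()

def handle_query(query, blocked, endpoint):
    # blocklisted name answers NXDOMAIN locally; anything else goes to the DoH upstream
    qname, _ = qname_from_query(query)
    return nxdomain_response(query) if is_blocked(qname, blocked) else forward_doh(query, endpoint)
```

A real proxy would wrap `handle_query` in a UDP loop bound to 127.0.0.1:53 (which needs root) and cache answers; the blocked branch never touches the network, which is what keeps blocklist hits invisible to the upstream resolver.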
Comparison
| | PureSnitch | Little Snitch | LuLu | macOS Firewall |
|---|---|---|---|---|
| Price | Free | $59 / Mac | Free | Bundled |
| License | MIT, open source | Commercial | GPL, open source | Apple, closed |
| World map / traffic graph | ✓ | ✓ | — | — |
| Rules manager (LS-style) | ✓ | ✓ | basic | — |
| DNS proxy + DoH | ✓ | ✓ | — | — |
| Blocklists out of the box | 1Hosts, OISD, StevenBlack, HaGeZi | ✓ | — | — |
| pf-based IP/CIDR blocking | ✓ | ✓ | n/a | basic |
| Per-process kernel filtering | gated (NE entitlement) | ✓ | ✓ | — |
| Telemetry | none | none | none | n/a |
| Auditable source | yes | no | yes | no |
If per-process kernel filtering is a hard requirement today, use LuLu — it's free, open source and has the Network Extension entitlement. If you want the Little Snitch UI without paying $59, PureSnitch is for you.
Screenshots
Per-process bandwidth, world map, summary pane.
All Rules / Active / Deny / Temporary / Unapproved, Rule Groups, Blocklists.
Install
Homebrew:

```sh
brew tap momenbasel/puresnitch
brew install --cask puresnitch
```
Signed and notarized DMG from the Releases page. Drag into /Applications.
Build from source:

```sh
brew install xcodegen
git clone https://github.com/momenbasel/puresnitch.git
cd puresnitch
xcodegen generate
xcodebuild -project PureSnitch.xcodeproj -scheme PureSnitch \
  -configuration Release -derivedDataPath build build
open build/Build/Products/Release/PureSnitch.app
```
FAQ
An independent open-source alternative with a deliberately similar UI. The blocking engine, DNS proxy and matcher are all written from scratch. No Little Snitch source, assets or proprietary plist formats are used. "Little Snitch" is a trademark of Objective Development Software GmbH; this project is not affiliated.
No. Your DNS queries leave only as far as the DoH upstream you pick (Cloudflare by default — override in Settings). No telemetry, no analytics, no phone-home. IP→country lookups for the world map go to ip-api.com (free tier) and can be disabled.
Per-process blocking requires Apple's com.apple.developer.networking.networkextension entitlement, which is application-gated. The hook points exist in Sources/NetExt/; the entitlement must be granted by Apple. Until then, blocking is DNS-level + packet-level (pfctl), which catches anything that resolves a hostname — essentially everything except hardcoded-IP malware.
The release DMG is arm64 only. To build for Intel, set ARCHS = arm64 x86_64 in project.yml and rebuild.
Yes. Point PureSnitch's DoH upstream at your own DoH endpoint and PureSnitch becomes a per-device enforcement layer on top of your network-wide blocker.
pfctl rules apply at the kernel level so they work alongside VPN tunnels on utun* interfaces. The DNS proxy is a loopback bind, so it stays out of the way of VPN-pushed DNS unless you opt in via the "use PureSnitch as system DNS" toggle.
PureSnitch is free. Read the source. Fork it. Audit it.