LuLu is the free, shared-source firewall for macOS. Its goal is simple: block any unknown outgoing connections until they are approved by the user. While it was designed to generically detect malware by flagging unauthorized network connections, LuLu can also be used to block OS components or 3rd-party applications from transmitting information to remote servers.
* Network Monitoring
By design, LuLu only monitors outgoing network connections. Apple's built-in firewall does a great job of blocking unauthorized incoming connections.
Currently, LuLu only supports rules at the process level, meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, those actions will be allowed.
* Single User
For now, LuLu can only be installed for a single user. Future versions will likely allow it to be installed by multiple users on the same system.
Legitimate attackers/security professionals know that any security tool can be trivially bypassed if specifically targeted - even if the tool employs advanced self-defense mechanisms. Such self-defense mechanisms are often complex to implement and in the end, almost always futile. As such, by design LuLu (currently) implements few self-defense mechanisms. For example, an attacker could enumerate all running processes to find the LuLu component responsible for displaying alerts and terminate it