NetMuteWhat LuLu is, and installing it
LuLu is a free, open-source firewall developed by Patrick Wardle and the Objective-See foundation — the same team behind a respected suite of free Mac security tools. The full source is published on GitHub under the GPLv3 license, which means anyone can read exactly what it does. For a security tool, that auditability is a genuine selling point: you are not trusting a black box. Installation is simple. Download the disk image from objective-see.org, drag LuLu to Applications, and grant it the system (network) extension permission macOS prompts for. A reboot finishes the setup. There is no account, no license key, and no payment step — LuLu is free, with donations welcome. The current release as of 2026 (the 4.x line) requires a recent macOS and runs natively on Apple Silicon. Once installed, LuLu sits quietly in the menu bar and starts watching outbound connections.
How LuLu works — the alert model
LuLu is an alert-based outbound firewall. When an app tries to make an outgoing connection that LuLu has no rule for, it pauses the connection and shows an alert: which process is connecting, to which remote address, and whether you want to allow or block it. LuLu remembers your choice as a rule, so it only asks once per app (or per app+endpoint, depending on how you scope the rule). This is the same fundamental model as Little Snitch, with a lighter touch. In the first day you will answer a burst of prompts as your everyday apps each make their first connection. After that it settles down quickly, because most Macs run a fairly stable set of apps. LuLu lets you set the rule scope when you respond — allow an app for all connections, or restrict it to a specific endpoint. It can also be configured to allow Apple-signed binaries automatically, which cuts a lot of the macOS-internal noise if you would rather only police third-party apps.
Where LuLu shines
It is genuinely free. Not a trial, not a freemium tier — the whole tool, no paywall. For anyone who just wants to stop unknown apps phoning home without spending money, that is hard to beat. It is open source and auditable. The code is on GitHub. Security-conscious users can verify there is no telemetry and no hidden behaviour. Because it is open source, you can verify that LuLu itself does not phone home — fitting for a privacy tool. It is lightweight. LuLu does one job — alert on and block outbound connections — and does not try to be a full network-analytics suite. Resource use is minimal and it stays out of your way once rules are built. It comes from a trusted source. Objective-See's tools are widely used and well regarded in the Mac security community, which matters for something running at the network layer.
The trade-offs of a free firewall
No rich traffic dashboard. LuLu is not built to be a network monitor. You do not get the live per-app bandwidth charts, historical graphs, or connection maps that Little Snitch's Network Monitor offers. LuLu tells you about connections at the moment of decision, not as an ongoing visual analytics view. No categorised tracker intelligence. This is the big one for privacy. LuLu shows you that an app is contacting, say, `app-measurement.com` — but it does not tell you that this is a Google analytics endpoint. You have to recognise tracker domains yourself, or look them up. NetMute takes the opposite approach: it ships with a categorised Tracker Shield database (1,100+ known advertising, analytics, social and data-broker domains) so trackers are flagged and blockable in one tap rather than identified by hand. Alert fatigue and a technical bar. Because everything is decided through prompts, the experience assumes you are comfortable judging whether a given process and endpoint are legitimate. Less technical users can find the stream of allow/block decisions daunting. Fewer power-user rule options. LuLu's rules are simpler than Little Snitch's. That is a feature for some and a limit for others — there is no deep per-port, per-network, time-of-day rule editor.
LuLu and the alternatives
LuLu is the free, open-source, alert-based choice. If price and auditability are your priorities and you are comfortable making allow/block decisions, it is excellent value — which is to say, free. Little Snitch is the paid power-user option: the same alert model plus a deep rule editor, a full Network Monitor, integrated blocklists, and DNS encryption. You pay for depth and polish. NetMute automates the part LuLu leaves to you: instead of identifying tracker domains by hand, NetMute's Tracker Shield recognises 1,100+ of them automatically and scores each app's privacy based on what it actually contacts. It is a one-time purchase on the Mac App Store, not open source, but it removes the manual tracker-spotting work. Radio Silence drops prompts entirely — you add an app to a blocklist and it is silenced, no decisions required. The honest summary: in our view, LuLu is the strongest free Mac firewall available today. If you want trackers identified for you rather than recognising them yourself, a tracker-aware tool is the upgrade path.
