Block Outgoing Connections on Mac
The Missing macOS Firewall
Key Takeaways
The macOS firewall only blocks incoming connections — outgoing traffic is unrestricted
There's no built-in per-app way to stop an app from connecting to the internet
A per-app outbound firewall gives you the missing control
The macOS Firewall Gap
Open System Settings → Network → Firewall on your Mac and you'll find a toggle for the built-in firewall. Turn it on and you might assume your apps are now controlled. They're not.
The macOS firewall is an incoming-only firewall. It blocks unsolicited connections from reaching your Mac. It does nothing about connections your apps make outward.
Every app on your Mac can freely connect to any server on the internet, and the built-in firewall won't stop it. This is by design — Apple's firewall protects you from the outside, not from your own apps.
Why Outbound Blocking Matters
Without outbound control, your apps can:
- Send usage telemetry and analytics without your consent
- Auto-update at inconvenient times
- Sync data to cloud services you didn't authorize
- Phone home to license servers
- Consume bandwidth with background downloads
Option 1: pf (Packet Filter) — The Hard Way
macOS includes pf, a BSD packet filter that can block outbound traffic. It's powerful but operates at the network layer — it filters by IP address and port, not by application.
pf rules are complex to write, require manual setup to persist across reboots, and can't distinguish between applications. You'd need to know every IP address an app connects to, and those change frequently.
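An added sketch of what the pf route involves in practice (not from the original page or any product it mentions): it turns a snapshot in the column layout of `lsof -i -n -P` into pf block rules for one app, and lists other apps that the same rules would also cut off. The sample lines, the app names ExampleAp and OtherApp, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout of `lsof -i -n -P` (not a real capture).
SAMPLE='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ExampleAp 412 alice 23u IPv4 0x01   0t0      TCP  192.168.1.20:51544->203.0.113.10:443 (ESTABLISHED)
ExampleAp 412 alice 24u IPv4 0x02   0t0      TCP  192.168.1.20:51545->203.0.113.10:443 (ESTABLISHED)
ExampleAp 412 alice 25u IPv6 0x03   0t0      TCP  [2001:db8::20]:51546->[2001:db8::10]:443 (ESTABLISHED)
ExampleAp 412 alice 26u IPv4 0x04   0t0      TCP  *:7000 (LISTEN)
OtherApp  977 alice 11u IPv4 0x05   0t0      TCP  192.168.1.20:51600->203.0.113.10:443 (ESTABLISHED)
OtherApp  977 alice 12u IPv4 0x06   0t0      TCP  192.168.1.20:51601->198.51.100.7:80 (ESTABLISHED)'

# remote_endpoints APP: print "proto addr port" for each distinct remote
# endpoint APP has open in the lsof snapshot read from stdin.
remote_endpoints() {
    awk -v app="$1" '
        $1 == app && $9 ~ /->/ {
            split($9, ends, "->"); remote = ends[2]
            port = remote; sub(/.*:/, "", port)        # text after the last colon
            addr = remote; sub(/:[^:]*$/, "", addr)    # drop the trailing ":port"
            gsub(/\[/, "", addr); gsub(/\]/, "", addr) # unwrap IPv6 brackets
            key = tolower($8) " " addr " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# pf_rules_for_app APP: turn those endpoints into pf block rules.
pf_rules_for_app() {
    remote_endpoints "$1" | while read -r proto addr port; do
        echo "block drop out quick proto $proto from any to $addr port $port"
    done
}

# collateral_apps APP: other commands in the same snapshot that talk to an
# address the rules for APP would block (pf cannot tell the two apart).
collateral_apps() {
    app="$1"; snapshot="$(cat)"
    printf '%s\n' "$snapshot" | remote_endpoints "$app" | while read -r proto addr port; do
        printf '%s\n' "$snapshot" | awk -v app="$app" -v a="$addr" \
            '$1 != app && (index($9, ">" a ":") || index($9, ">[" a "]:")) { print $1 }'
    done | sort -u
}

printf '%s\n' "$SAMPLE" | pf_rules_for_app ExampleAp
printf '%s\n' "$SAMPLE" | collateral_apps ExampleAp
```

The generated rules cover only the addresses seen in that one snapshot, which is the maintenance problem described above. `pfctl -nf <file>` parses a rule file without loading it.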
Option 2: Hosts File — Domain-Level Blocking
Editing /etc/hosts lets you block specific domains system-wide. This works for known telemetry domains but has limitations.
- Blocks affect all apps, not just the one you're targeting
- Apps connecting by IP address bypass the hosts file
- Domains change — you need to maintain the list
- Requires root access to edit
Option 3: Per-App Outbound Firewall (Recommended)
A per-app outbound firewall blocks all outgoing connections for specific applications. No domain lists to maintain, no IP addresses to track.
1. Install SplitTunnel on your Mac
2. Find the app you want to block
3. Set it to "Block" — all outbound connections are stopped
Unlike domain-based or IP-based blocking, per-app blocking catches everything the app tries to send — regardless of which servers it connects to.
What About Apple's App Firewall Settings?
Under Firewall Options, macOS lets you set per-app rules — but these only apply to incoming connections. Setting an app to "Block incoming connections" has no effect on outbound traffic. The naming is confusing, but the behavior is documented by Apple.
When to Block vs. When to Allow
- Block — apps that don't need internet for their core function (offline editors, design tools)
- Block — apps sending telemetry you haven't consented to
- Allow — apps that need internet to function (browsers, email, chat)
- Allow — apps you trust with network access