# LuLu Firewall CLI

CLI for managing LuLu macOS firewall rules. LuLu is a free, open-source macOS firewall that blocks unknown outgoing connections.

Requires: macOS 13+, LuLu installed, `sudo` for write operations.
## When to Use This Skill

- A network request fails and you suspect it's being blocked by the firewall
- You need to allow a new domain or service through the firewall
- You want to audit what's currently allowed or blocked
- You need to clean up stale or unnecessary rules
- You're setting up a new machine and need to configure firewall rules
## How LuLu Works

LuLu runs as a macOS system extension. When configured in passive mode with new connections defaulting to block, any unrecognized outbound connection is silently blocked and logged as a passive rule.

- Rules live in `/Library/Objective-See/LuLu/rules.plist` (NSKeyedArchiver binary format, owned by root)
- The CLI reads/writes this file directly using the same serialization format as LuLu
- The system extension only reads rules at startup, so `reload` (kill + auto-restart) is needed after changes
- New blocks from passive mode appear immediately in `recent` without needing a reload
## Core Workflow

Most usage follows this pattern:

1. Diagnose -- check what's being blocked
2. Fix -- add allow rules for legitimate domains
3. Apply -- reload the extension

```bash
# 1. Check recent blocks
lulu-cli recent 10

# 2. Allow the blocked domain (global rule: key=* path=*).
#    Quote '*' so the shell does not glob-expand it against the current directory.
sudo lulu-cli add --key '*' --path '*' --action allow --addr api.example.com --port 443

# 3. Apply
sudo lulu-cli reload
```
## Commands

### `list [filter]`

List all firewall rules. Optionally filter by keyword (matches key or binary path).

```bash
lulu-cli list          # all rules
lulu-cli list curl     # rules for curl
lulu-cli list node     # rules for node
lulu-cli list '*'      # only global/wildcard rules (quoted to avoid shell globbing)
```

No sudo required.

### `recent [N]`

Show the N most recent block rules, sorted by creation date (newest first). Default: 20.

```bash
lulu-cli recent        # last 20 blocks
lulu-cli recent 5      # last 5 blocks
```

No sudo required. This is the first command to run when diagnosing connection failures.
### `add`

Add a new firewall rule. Requires sudo.

Flags:

- `--key KEY` -- signing identity (e.g. `com.apple.curl`) or `*` for global
- `--path PATH` -- binary path or `*` for global
- `--action allow|block` -- rule action
- `--addr ADDR` -- domain, IP, or regex pattern (default: `*`)
- `--port PORT` -- port number or `*` for any (default: `*`)
- `--regex` -- treat `--addr` as a regex pattern

```bash
# Allow a domain globally (all apps)
sudo lulu-cli add --key '*' --path '*' --action allow --addr example.com --port 443

# Allow a domain and all its subdomains (regex).
# Quote the pattern: unquoted, the shell would treat ( ) ? and $ as its own syntax.
sudo lulu-cli add --key '*' --path '*' --action allow \
  --addr '^(.+\.)?example\.com$' --port '*' --regex

# Allow only a specific app
sudo lulu-cli add --key /usr/bin/curl --path /usr/bin/curl \
  --action allow --addr example.com --port 443

# Block a domain
sudo lulu-cli add --key '*' --path '*' --action block --addr malicious.com --port '*'
```
### `delete`

Delete rule(s) by key. Requires sudo.

Flags:

- `--key KEY` -- required
- `--uuid UUID` -- specific rule UUID. If omitted, deletes ALL rules for the key.

```bash
# Delete a specific rule by UUID
sudo lulu-cli delete --key com.apple.curl --uuid A1B2C3D4-...

# Delete all rules for a key
sudo lulu-cli delete --key com.apple.curl
```
### `delete-match`

Delete rules matching specific criteria. Requires sudo.

Flags:

- `--key KEY` -- required
- `--action allow|block` -- optional filter
- `--addr ADDR` -- optional filter
- `--port PORT` -- optional filter

```bash
# Delete all block rules for curl on port 53
sudo lulu-cli delete-match --key com.apple.curl --action block --port 53
```
### `enable` / `disable`

Toggle a rule's enabled state. Requires sudo.

Flags:

- `--key KEY` -- required
- `--uuid UUID` -- required

```bash
sudo lulu-cli enable --key '*' --uuid A1B2C3D4-...
sudo lulu-cli disable --key '*' --uuid A1B2C3D4-...
```
### `reload`

Restart the LuLu system extension to apply rule changes. Requires sudo.

```bash
sudo lulu-cli reload
```

Kills the extension process. macOS auto-restarts registered system extensions within ~8 seconds. There is a brief gap in filtering during the restart.

Always run `reload` after `add`, `delete`, `enable`, or `disable`.
### `help`

Show usage information.

```bash
lulu-cli help
```
## Key Concepts

- key: Signing identity (e.g. `com.apple.curl`) or binary path for unsigned apps. Use `*` for global rules that apply to all apps.
- action: `allow` or `block`
- addr: Domain name, IP address, regex pattern, or `*` (any)
- port: Port number or `*` (any)
- type: `default` (system), `apple`, `user` (manually created), `passive` (auto-created from blocked connections)
- Global rules: key=`*` and path=`*` apply to all applications
## Rule Policy: Allow-All vs Domain Allowlist

Not all processes should get unrestricted internet access. When using LuLu as a security boundary for AI agents:

Allow-all (addr=`*` port=`*`) -- Only for processes the agent cannot invoke:

- Apple system daemons (apsd, mDNSResponder, trustd, ocspd, etc.)
- User-only apps (Raycast, Zed, LuLu, Bitwarden CLI)
- Network infrastructure (Tailscale, ssh)

Domain allowlist only -- Any process an agent could use to reach the internet:

- `node` (Claude Code, OpenClaw runtime)
- `python` / `uv` (agent scripts)
- `curl` (command-line HTTP)
- `git` / `gh` (could push to arbitrary remotes)
- Browser helpers (agent browser automation)

When in doubt, leave a process restricted to the domain allowlist. It's easy to add an allow-all later; harder to notice data leaking through an over-permissive rule.
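As an added example (not part of this skill or the LuLu project), a Python model of the key/path/action/addr/port rule fields described above that audits a rule set for allow-all rules attached to agent-reachable binaries and predicts whether a given process could reach a host/port under the allowlist. The evaluation order, the binary-name heuristic and the sample rules are all assumptions made for illustration, not LuLu's actual logic or a real `rules.plist`.

```python
import re
from dataclasses import dataclass
from os.path import basename

@dataclass(frozen=True)
class Rule:  # one lulu-cli rule, modelled on the key/path/action/addr/port flags
    key: str              # signing identity, binary path, or "*" for global
    path: str             # binary path or "*" for global
    action: str           # "allow" or "block"
    addr: str = "*"       # domain, IP, regex pattern, or "*" (any)
    port: str = "*"       # port number or "*" (any)
    regex: bool = False   # True when the rule was added with --regex

# Binaries the policy section says an agent can drive. Assumption: the binary is
# named by the key's last dotted component or the path's basename.
AGENT_REACHABLE = re.compile(r"node|python\d*(\.\d+)?|uv|curl|git|gh")

def binary_names(rule: Rule) -> set:
    return {rule.key.split(".")[-1], basename(rule.key), basename(rule.path)}

def over_permissive(rules):
    """Allow-all rules attached to an agent-reachable binary: review these."""
    return [r for r in rules
            if r.action == "allow" and r.addr == "*" and r.port == "*"
            and any(AGENT_REACHABLE.fullmatch(n) for n in binary_names(r))]

def addr_matches(rule: Rule, host: str) -> bool:
    if rule.addr == "*":
        return True
    if rule.regex:  # pattern carries its own anchors, e.g. ^(.+\.)?example\.com$
        return re.search(rule.addr, host, re.IGNORECASE) is not None
    return rule.addr.lower() == host.lower()

def would_allow(rules, key, path, host, port) -> bool:
    """Simplified decision (an assumption, not LuLu's real evaluation): a rule applies
    if global or naming this key/path with matching addr/port; any applicable block
    wins; no applicable rule means block, the passive-mode default described above."""
    applicable = [r for r in rules
                  if (r.key, r.path) in (("*", "*"), (key, path))
                  and r.port in ("*", str(port)) and addr_matches(r, host)]
    if any(r.action == "block" for r in applicable):
        return False
    return any(r.action == "allow" for r in applicable)

# Constructed sample rule set (not read from a real rules.plist).
SAMPLE_RULES = [
    Rule("com.apple.mDNSResponder", "/usr/sbin/mDNSResponder", "allow"),
    Rule("/opt/homebrew/bin/node", "/opt/homebrew/bin/node", "allow"),  # over-permissive
    Rule("com.apple.curl", "/usr/bin/curl", "allow", "api.example.com", "443"),
    Rule("*", "*", "allow", r"^(.+\.)?example\.com$", "443", regex=True),
    Rule("*", "*", "block", "malicious.com"),
]
```

Run `over_permissive(SAMPLE_RULES)` to see the node allow-all flagged while the mDNSResponder allow-all (a process the agent cannot invoke) passes, and `would_allow(...)` to check a specific process/host/port against the allowlist before reaching for `sudo lulu-cli add`.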
## Troubleshooting

If a connection is failing:

1. Run `lulu-cli recent` to see if it was blocked
2. If yes, add an allow rule for the domain + port (usually 443 for HTTPS)
3. Run `sudo lulu-cli reload` to apply
4. Retry the connection

If the domain doesn't appear in `recent`, the problem is not the firewall.