Block all the network traffic except our application

Hey team,

We have a use case where we need to block all the MacOS network traffic except our app's network traffic.

But I don't find any apis from apple with that capability.

I see using NEFilterSettings, we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_ flow:. But this api has a control in endpoint level not the app level.

Could you suggest if we have any other apis for this use case? Thanks

I would be very surprised if you could do this. An app would have the power to block a critical system resource ? So I think there is no "legitimate" API to do so.

You can give higher priority to your app: https://support.apple.com/en-sg/guide/mac-help/mchlp2711/mac

But this has to be done by the user, not the app itself.

        let rules = allowedHosts.map { hostname in
            let rule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: hostname, port: "0"), prefix: 32, protocol: .any)
            return NEFilterRule(networkRule: rule, action: .allow)
        }
        
        let rules1 = ["0.0.0.0", "127.0.0.1"].map { hostname in
            let rule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: hostname, port: "0"), prefix: 32, protocol: .any)
            return NEFilterRule(networkRule: rule, action: .drop)
        }
        
        let filterSettings = NEFilterSettings(rules: rules + rules1, defaultAction: .filterData)
        
        apply(filterSettings) { error in
            if let applyError = error {
                os_log(.default, log: OSLog(subsystem: "com.nesedemo.extension", category: "content-filter"), "Failed to apply filter settings: %{public}@", applyError.localizedDescription)
            }
            completionHandler(error)
        }

For endpoint level, I've tried this rule just to blocks all the connection except the host I allow, it works,. Please share your insights on this.

But I don't find an api to control in network traffic from app level.

I’d use a transparent proxy for this. When you get a flow you can look at its metadata to see if it’s an app you want to allow. If so, return false from the ‘handle new flow’ method and the system will run that flow normally. OTOH, for an app you want to block, return true and then refuse to forward any traffic (you probably want to just close the flow).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey @eskimo thanks for sharing it.

I checked NEAppProxyProviderManager, but it will be used only with NETunnelProviderManager with per app VPN mode. I can configure per app VPN using

  1. appRules - not ideal, I can’t find a matching rules which excludes only our app.
  2. excludedDomains - I'll leave it as empty, since we'll be allowing flow by filtering app metadata from handleNewFlow(_:)
  3. associatedDomains - not sure if I can give wildcard rules like "0.0.0.0", "127.0.0.1" to match all domains. Could you confirm this?

Also it has limitation where it won't applicable for Apple system apps[except safari].

Block all the network traffic except our application
 
 
Q