Mac app firewall · Private beta

Control which Mac apps reach the internet.

Faraday Cage is a privacy-first, per-app outbound firewall for macOS. Pick an app, put it in the Cage, then choose what gets out.

Deny by default / Ask when supported / Allow by rule

Development build. Apple capability approval and signed runtime acceptance are still in progress.

Faraday Cage Mac app firewall dashboard showing blocked Transmission connections grouped by destination
Actual development interface · July 2026 Blocked events remain local to this Mac
One app at a time Cage only the software you want to constrain.
Decisions stay local No cloud dashboard or remote reputation lookup.
No account The app does not need a login to enforce local rules.
No telemetry Faraday does not phone home to explain who phones home.

Download

Download Faraday Cage for Mac

The public Developer ID build is not available yet. Join the early-access list and we will send one release email when the signed build has cleared system-extension, reboot, and real-network acceptance.

Join private beta

How it works

A boundary you can explain.

Faraday starts with an explicit user choice. It does not make every application ask for permission; you choose which app belongs inside a Cage.

01 / Select

Add an installed app

Choose an app or drag its bundle into Faraday. Only explicitly selected applications become caged.

02 / Decide

Set its default policy

Start with Deny, use supported Ask prompts, or allow by default while keeping specific block rules.

03 / Admit

Restart under the guard

The development architecture admits the app by signed process identity and is designed to attribute its descendants.

04 / Refine

Turn evidence into rules

Review destinations and create app, host, endpoint, path, or method rules from the network evidence you actually observed.

Ask semantics Interactive Ask is implemented for supported TCP requests. UDP, DNS, and QUIC cannot safely wait for the same prompt; the current design denies them unless a persistent allow rule matches.

Real product UI

See the decision, not a cartoon shield.

These are real development-build screenshots, not generated App Store mockups. The current guard-plane build is still undergoing signed runtime validation.

01 / Activity Trace a connection back to the selected app.

Destinations, request decisions, and the next matching policy stay together in one local view.

02 / Policy Choose how broad the next rule should be.

Allow or block a method and path, a path, an endpoint, or a host instead of making a vague all-or-nothing choice.

03 / Rules Keep the policy readable.

Filter global and app-specific rules by decision and layer. No account or cloud console is required.

Why Faraday

Privacy software should need less trust.

The most important design choice is not another graph. It is a narrow data boundary: observe the selected app locally, make the policy legible, and do not create new network traffic to enrich it.

A / Targeted control

Cage selected apps, not your entire workflow.

Faraday begins with the apps you explicitly choose. Everything else stays outside that policy unless you add it.

B / Process attribution

Designed around process families, not just a filename.

The guard architecture tracks audit-token identities across exec, fork, and exit so helper-process attribution can be validated without trusting a reused PID.

Signed runtime validation pending
C / Passive observation

No telemetry. No analytics. No cloud enrichment.

Faraday UI, core services, helper, process monitor, and content filter do not initiate DNS, TCP, or UDP to explain the traffic they observe.

D / Failure semantics

Protection status must mean something.

The current guard-plane design requires fresh agreement between its protection components before reporting a Cage as protected.

Boot acceptance pending

Practical Mac firewall guides

Start with the question you searched.

Each guide gives the direct macOS answer first, then shows where a per-app firewall fits. No keyword-stuffed filler and no pretending Faraday is the only option.

Mac app firewall FAQ

Short answers. Deeper guides.

Each answer maps to a specific search question and links to the complete explanation instead of hiding the useful part in an accordion.

Can I block internet access for one Mac app without turning off Wi-Fi?

Yes. A per-app outbound firewall can deny connections for one selected application while Safari, Mail, and the rest of your Mac remain online.

Learn more about blocking one Mac app →
Does the built-in macOS firewall block outgoing connections?

Apple documents its built-in firewall around protecting the Mac from network access and managing incoming connections. That is different from deciding which remote services an app may contact.

Learn more about incoming vs outgoing firewalls →
How can I see which Mac apps are connecting to the internet?

Activity Monitor shows per-process byte totals. A per-app network monitor can add destinations, timestamps, transport, decisions, and retained history for the app you are investigating.

Learn more about app network activity →
What does it mean when an app “phones home”?

It means the app contacts a developer, analytics, advertising, update, licensing, or another remote service—often in the background. The phrase does not prove the connection is malicious.

Learn more about phoning-home connections →
Is Faraday Cage a VPN?

No. Faraday Cage is a local application firewall. It does not provide a remote VPN exit, change your public location, or upload activity to a hosted account.

Learn more about local-only firewall privacy →
Can Faraday ask before a connection is allowed?

The development build implements interactive Ask for supported TCP requests. UDP, DNS, and QUIC cannot wait on the same prompt; they are denied unless a persistent allow rule matches.

Learn more about policy behavior →
Does Faraday Cage upload or analyze my network activity?

No. Its UI, core services, menu helper, process monitor, and content filter do not initiate network connections for telemetry, analytics, enrichment, or update checks.

Learn more about the passive-observation boundary →
How is Faraday Cage different from Little Snitch, LuLu, and Radio Silence?

Faraday focuses on an explicit Cage for selected apps and local process-family attribution. Other products may be a better fit for whole-Mac alerting, open-source use, or a minimal blocklist.

Compare Mac app firewalls →

Put one app inside a network boundary.

Join the private beta list. One email when the signed build is ready—no newsletter, pixels, or marketing telemetry.

Request early access