How to force all traffic for a single app through VPN / Proxy + Open Source? aka App Firewall

Tags: firewall, network, proxy, sandbox, vpn

I'm looking for an app that is fully open source OR built in to macOS, as I am trying to use this for security / privacy (to ensure that particular apps cannot make arbitrary connections).

  • I have looked into things like the built-in app sandboxing via sandbox-exec, which seems promising, but documentation is super hard to find and I haven't seen an example that forces networking through a proxy / port.

  • Also socketfilterfw, which seems to only control inbound connections.

  • pfctl seemed promising, but is too low-level; I can't see how to isolate an entire app reliably.

  • I just found TSocks, which looks great, but doesn't seem to be maintained. It was rejected from Homebrew 9 years ago for this reason.

VMs are too heavy for my use case.

I believe some refer to this as an "App Firewall", but the built-in macOS AppFirewall doesn't support this use.

I saw this question "Is it possible to have per-app network/vpn/proxy settings" but the answers are 7 years old and include closed-source software like ProxyCap.

Best Answer

I have looked into things like the built in app sandboxing via sandbox-exec which seems promising

sandbox-exec (deprecated, according to its man page) is a utility of a restriction framework with allow/deny semantics, meaning it won't help you make an app bind to a specific IP address only (which could later be used together with pf).

There's a similar post where it is claimed to have been solved with Network Kernel Extensions, but the source hasn't been shared.

I just found TSocks which looks great

tsocks (even if it were available) relies on the LD_PRELOAD mechanism, which isn't really bullet-proof because it is based on pre-loading a shared library that then tampers with libc calls. Of course, together with a sandbox it could be more or less secured against leaks, but in general it's too much tinkering. Network Kernel Extensions look more promising to me.
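The allow/deny semantics the answer describes can still be used in the "fail closed" direction: a sandbox-exec profile that denies all networking and then re-allows only an outbound connection to a local proxy port. The app still has to be pointed at the proxy itself (the sandbox redirects nothing), but any attempt to bypass the proxy is refused instead of leaking. The following is an added example written for this page, not code from the question or the answer; the helper names (write_profile, run_via_proxy, leak_check), the proxy address 127.0.0.1:1080 and the use of curl as the guinea-pig app are this example's own assumptions, and the profile syntax is Apple's deprecated SBPL, so it may stop working in a future macOS release.

```shell
#!/bin/sh
# Added example (not from the original post): deny-by-default network sandbox
# around one app, with a single hole to a local proxy port.
# Assumption: an open-source SOCKS5 proxy (ssh -D, tor, ...) is already
# listening on 127.0.0.1:$PROXY_PORT. Helper names below are this example's own.

PROXY_HOST="localhost"
PROXY_PORT="${PROXY_PORT:-1080}"

# Emit an SBPL profile to stdout: allow everything, deny all networking, then
# re-allow only outbound TCP to the proxy. In SBPL a later rule overrides an
# earlier one, so the allow line must come after the deny.
write_profile() {
  port="$1"
  cat <<EOF
(version 1)
(allow default)
(deny network*)
(allow network-outbound (remote tcp "localhost:${port}"))
EOF
}

# Run a command inside the profile with the proxy exported for curl-style tools.
# socks5h:// makes the proxy resolve names, because the sandbox also cuts the
# app off from the local resolver (a leak we want closed, not worked around).
run_via_proxy() {
  profile=$(mktemp -t appfw)
  write_profile "$PROXY_PORT" > "$profile"
  ALL_PROXY="socks5h://${PROXY_HOST}:${PROXY_PORT}" \
    sandbox-exec -f "$profile" "$@"
  rc=$?
  rm -f "$profile"
  return "$rc"
}

# Check: tell curl to bypass the proxy; the sandbox must refuse the connection.
# Returns 0 when the direct attempt was blocked (no leak), 1 when it got out.
leak_check() {
  if run_via_proxy curl -sS --noproxy '*' --max-time 5 https://example.com \
       >/dev/null 2>&1; then
    echo "LEAK: direct connection succeeded inside the sandbox"
    return 1
  fi
  echo "ok: direct connection denied, only the proxy port is reachable"
  return 0
}

# Only meaningful on macOS, where sandbox-exec exists.
if command -v sandbox-exec >/dev/null 2>&1; then
  leak_check
fi
```

Two caveats a practitioner should keep in mind: the profile closes the app's own sockets, not those of helper processes it talks to over XPC or Mach ports (a browser's networking process, for instance, runs outside this sandbox unless it is launched inside it too), and with the proxy stopped the app simply gets connection errors rather than falling back to a direct route, which is the behaviour you want for an app firewall.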