Firewall rules priority

Rules Order

Vallum rules are displayed in Vallum main window. They are evaluated from left to right, from top to bottom. When an outbound TCP/UDP connection is initiated Vallum looks for a matching rule in this order:

1) Global Rules

Vallum checks if the connection matches a rule defined in Global Rules. All processes and apps connections are always checked against Global Rules. These rules are evaluated from top to bottom. If a connection matches one or more Global Rules, the connection will be passed or blocked according to the first matched rule.

2) Managed Apps Rules

in case of no matches in Global Rules, Vallum will look for matching paths in Managed Apps. If the process that triggers the connection matches an existing managed app path (absolute path for binaries, app name for bundles) then Vallum looks into matched app’s ruleset from top to bottom to find a matching rule for this connection. In case of single or multiple matches the connection is passed or blocked according to the first matched rule. In case process path is matched but no matching rule is found in app ruleset then a notification alert is triggered.

3) Managed Folders Rules

in case the connection does not match any Global Rule and the triggering process path does not match any Managed App then Vallum will check for matching paths in Managed Folders rules. If the process path falls within a managed directory then the corresponding rule is applied. If a connections matches more than a Managed Folders rule then connection will be passed or blocked according to the first matched rule.

4) In case of no match at all a connection will:

Matching a firewall rule

Both apps and folders are defined by a path. When a process initiates a connection Vallum looks for matches into its rule set (in a specific order). If the process path matches an existing object's path, then the existing object rule is applied. In case of multiple match the connection will be passed or blocked according to the first matched rule. However Vallum has different matching policies according the the type of process that initiates a connection.

Vallum handles two different types of processes on macOS:

Bundles are usually apps with a GUI while Binaries are usually shell commands, system tools or auxiliary utilities. A binary is basically a simple single executable file, while Application Bundles, despite appearing like a single file in macOS Finder, are directories with a predefined structure and a name ending in '.app' or '.xpc'. These directories includes executable files, resources and other files. For example Safari is an application bundle, its name is '', it is a folder containing many subfolders.

Vallum uses different approaches for binaries and bundles:

This has some implications you should be aware of. For example if you block a binary and then move it, its connections will not match the block rule. If you do the same with an application bundle, Vallum will find the match wherever you move the app, because bundles are matched only by their name (for example '') and not full path.