Firewall rules priority
Vallum rules are displayed in the Vallum main window. They are evaluated from left to right and from top to bottom. When an outbound TCP/UDP connection is initiated, Vallum looks for a matching rule in this order:
1) Global Rules
Vallum checks whether the connection matches a rule defined in Global Rules. Connections from all processes and apps are always checked against Global Rules. These rules are evaluated from top to bottom. If a connection matches one or more Global Rules, it is passed or blocked according to the first matched rule.
2) Managed Apps Rules
If there is no match in Global Rules, Vallum looks for matching paths in Managed Apps. If the process that triggers the connection matches an existing managed app path (absolute path for binaries, app name for bundles), Vallum looks through the matched app's ruleset from top to bottom for a rule matching this connection. In case of single or multiple matches the connection is passed or blocked according to the first matched rule. If the process path is matched but no matching rule is found in the app's ruleset, a notification alert is triggered.
3) Managed Folders Rules
If the connection does not match any Global Rule and the triggering process path does not match any Managed App, Vallum checks for matching paths in Managed Folders rules. If the process path falls within a managed directory, the corresponding rule is applied. If a connection matches more than one Managed Folders rule, the connection is passed or blocked according to the first matched rule.
4) In case of no match at all a connection will:
- Pass if notification alerts are disabled.
In this case Vallum behaves like an exclusive firewall. If the ruleset is empty, all connections are passed. If a connection does not match any existing rule, it is passed and a pass rule is automatically generated in the Managed Apps view. That rule allows all outbound connections for the app or process that triggered the connection.
- Trigger a popup alert if Vallum notification alerts are enabled.
In this case Vallum behaves like an inclusive firewall. If the ruleset is empty, every connection triggers a notification alert. The connection is held until the user chooses to pass or block it; Vallum then stores the answer in the app's ruleset. A connection that matches one or more existing rules no longer triggers a popup alert, but is passed or blocked according to the first matched rule.
Matching a firewall rule
Both apps and folders are defined by a path. When a process initiates a connection, Vallum looks for matches in its rule set (in the order described above). If the process path matches an existing object's path, that object's rule is applied. In case of multiple matches the connection is passed or blocked according to the first matched rule. However, Vallum has different matching policies depending on the type of process that initiates a connection.
Vallum handles two different types of processes on macOS:
- Application Bundles
- Binary Executables
Vallum uses different approaches for binaries and bundles:
- Binaries are matched against their absolute path
- Bundles are matched only by name
This has some implications you should be aware of. For example, if you block a binary and then move it, its connections will no longer match the block rule. If you do the same with an application bundle, Vallum will still find the match wherever you move the app, because bundles are matched only by their name (for example 'Safari.app') and not by their full path.