ova
Back to blog
·9 min read·productdevbook

How to Block an App From Using the Internet on Mac

Practical ways to block an app from using the internet on macOS, without breaking the rest of the system.

  • macOS
  • Security
  • Privacy
  • Tutorial

An app you bought in 2022 still phones home on every launch. A game wants to download a 3 GB update while you're on a hotspot. A scanning utility insists on checking for updates over and over. You want to block app from internet mac access entirely — without uninstalling it, and without breaking the rest of your system.

The good news: macOS gives you several ways to block app from internet mac users actually need. The bad news: each one has a different trade-off, and the wrong choice will either fail silently or break things you didn't mean to break. Here's the practical playbook.

The four ways to block app from internet mac users should know

In rough order of how most people should pick:

  1. Little Snitch — purpose-built outbound firewall. Per-app rules, prompts on first connection, GUI for editing.
  2. LuLu — free, open-source outbound firewall by Objective-See. Less polished than Little Snitch, similar core idea.
  3. macOS Application Firewall + a network filter — the built-in firewall only handles inbound. For outbound block, you need a third-party network extension or a pf rule.
  4. /etc/hosts blocking — blunt, partial, but useful for known telemetry endpoints.

For a single app you want fully offline, options 1 or 2 are the right answer. The others are situational.

Option 1: Little Snitch (the standard)

Little Snitch installs a Network Extension that intercepts outbound connections. When an app you haven't seen before tries to phone home, Little Snitch shows a prompt: allow once, allow forever, deny once, deny forever — with optional scopes (this hostname only, any port, etc.).

To block one app entirely:

  1. Open Little Snitch → Network Monitor → Rules.
  2. Search for the app name.
  3. Either delete its existing rules and rely on a default-deny prompt next time, or add an explicit "Deny — any process from /Applications/YourApp.app — any connection".
  4. Quit and relaunch the target app.

Little Snitch is paid software with a free demo (3 hours per session). For a tool you'll rely on at the kernel level, paying once is the right move.

Rule scopes that matter

  • Process path — Little Snitch keys on the on-disk path, so updating an app via Sparkle can re-prompt. Reapprove or set the rule to "any version".
  • Helper processes — apps like Slack, Discord, and Chrome have helper binaries that need their own rules. If you allow the parent and forget the helper, traffic can sneak through. A monitor like ova folds helpers under the parent so you can see when this happens.

Option 2: LuLu (free)

LuLu does what Little Snitch does, with a smaller feature set. Same Network Extension model, same prompt-and-rule flow. It won't show traffic graphs or do hostname-based filtering as cleanly, but for a "block this one app" use case it's perfectly adequate.

Download from objective-see.org, drag to Applications, grant the Network Extension permission, and add a deny rule for the binary you want to silence.

Option 3: macOS built-in firewall (limited)

The macOS Application Firewall lives at System Settings → Network → Firewall. It blocks incoming connections. It does not block outgoing. So for the question "stop my app from talking to the internet", the built-in firewall is not the answer.

If you also want to block inbound — for instance, an app runs a local server you don't want exposed — toggle the firewall on, click Options, and add the app to the deny list.

Option 4: /etc/hosts blocks (partial)

For specific telemetry endpoints, you can blackhole the hostname:

sudo nano /etc/hosts

Add:

0.0.0.0 telemetry.example.com
0.0.0.0 analytics.example.com

Save with Ctrl-O, exit with Ctrl-X. Then flush DNS:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

This works only for apps that actually consult system DNS. Apps that hardcode IPs or use their own DNS bypass /etc/hosts entirely. Browsers using DoH bypass it. So treat /etc/hosts as a sniper rifle for known endpoints, not a general-purpose block.

The verification step everyone skips

Setting up the block is half the job. The other half is confirming it works. This is where a separate monitoring tool earns its keep.

The pattern:

  1. Set the block in Little Snitch / LuLu / hosts file.
  2. Open ova in your menu bar. It samples per-app traffic at about 1 Hz.
  3. Launch the target app and use it. Click around. Trigger the action that used to phone home — check for updates, log in, sync.
  4. Watch the per-app row. If it stays at 0 KB/s up and down, the block holds. If you see anything outbound, you have a leak.

Two reasons leaks happen:

  • Helper process not covered. The parent app is denied, but Slack Helper or Updater.app has its own rule that's still allow.
  • Connection cached before the block. The app opened a long-lived connection before the rule existed. Quit the app fully (right-click → Quit, or Cmd-Q) and relaunch.
Live verification
After setting a Little Snitch deny rule, use ova to confirm zero traffic. Helper processes are folded under the parent so you don't miss a leak from a separate PID.

Special cases

Block an app while keeping LAN access

Some apps need to talk to your AirPlay speaker or local printer but shouldn't reach the internet. In Little Snitch, set "deny any" then add an allow exception for LAN and Multicast/Broadcast. The macOS Local Network permission also gates this — check System Settings → Privacy & Security → Local Network and revoke it if the app doesn't need LAN at all.

Block an app on Wi-Fi but allow on ethernet

Little Snitch supports profiles. Create one for "Coffee Shop" and one for "Home", attach different rules, switch via the menu bar.

Block updates only, allow everything else

Most apps separate update traffic from feature traffic. Find the updater binary (often inside YourApp.app/Contents/Library/LoginItems/ or /Library/LaunchDaemons/), and add a deny rule for that specific path. Run the app, watch ova — features should still work, updates should fail with a network error in the log.

Verify your firewall blocks actually hold

ova shows live per-app traffic so you can confirm a Little Snitch rule did its job — local, signed, ~3 MB.

Download for macOS

A worked example: silence a chatty utility

Say you bought a screenshot utility three years ago. Lifetime license, used to be quiet, now phones home on every launch and you don't trust the new ownership.

  1. Install Little Snitch. Trial is fine for the first hour to see how the rules feel.
  2. Launch the screenshot utility. Little Snitch prompts: "Snipster wants to connect to api.snipster.app". Click Deny → Forever → any port.
  3. Use the app for a week. If features work, the deny held. If a feature breaks, look at what it tried to call — it'll be in Little Snitch's log — and decide whether to allow the specific endpoint.
  4. Run ova alongside. Confirm the per-app rate stays at 0 KB/s during normal use.

This pattern works for any app that doesn't actually need the internet to do its job locally.

What blocks won't fix

A few things to be honest about:

  • Push notifications via APNs. macOS routes Apple Push through apsd, not the app. Blocking the app doesn't block its notifications. Disable notifications in System Settings instead.
  • System extensions and daemons. Some apps install background daemons under /Library/LaunchDaemons/. Killing the app doesn't kill the daemon. Use the app's official uninstaller, or list daemons via launchctl list | grep -i appname.
  • Apps that hardcode IPs. Rare, but exists. Block by IP rather than hostname in Little Snitch.
  • Sandboxed App Store apps using XPC services. Sometimes the user-visible app is silent and an XPC helper does the talking. Same fix as helper processes — find it in Little Snitch's process tree, add a rule.

Why "monitor + firewall" is the durable setup

You can run just a firewall. You can run just a monitor. Most experienced Mac users run both:

  • The firewall (Little Snitch / LuLu) sets policy and blocks at the kernel.
  • The monitor (ova or similar) shows reality — what's still talking, how much, when.

The two answer different questions. "Did my rule work?" is a monitor question. "What new app is trying to phone home?" is a firewall-prompt question. Together they give you a full picture.

Wrapping up

To block app from internet mac access end to end: use Little Snitch or LuLu for the block, the macOS Application Firewall only if you also need inbound, and /etc/hosts for known endpoints when DNS-based blocking is enough. Then verify with a monitor, because a rule you didn't confirm is a rule you don't actually have.

Most apps work fine offline once you cut the network. The ones that don't, you'll find out fast — and you'll have learned something useful about which features were actually local in the first place.