Each rule is defined by its parameters and position.
A rule defines the verdict of matching network flows.
Flows are matched against rules by the flow handler. In order to be matched, all rule parameters must match the corresponding flow parameters.
Rule parameters list
Rules 'agent' parameter defines which processes are matched by a rule and how.
- All Processes: match all processes seen by the filter, no exceptions.
- Absolute Path: can be a file or directory path. All processes within this path or its subpaths will be matched by the rule.
- App Fingerprint: this is the default way to match a signed app. Fingerprint is derived from app signature, it includes app's bundle identifier and designated requirement. Fingerprint is supposed to be unique and consistent across app updates. Matching by fingerprint is possible only with signed apps. All preinstalled apps, AppStore apps and legit notarized apps from identified developers are always signed.
When matching 'by fingerprint' a rule will match all connections by the corresponding app even if you move it to a different location on your filesystem or if you rename it.
- Apps Group: match all apps belonging to a specific Apps Group. Each apps group contains one or more signed apps.
- Apple Signed Apps: match all macOS preinstalled apps. To verify if an app is signed by Apple you can check its identity in Vallum Configurator rules view. This list includes Safari, Mail and all other system apps and tools.
- Third Party Signed Apps: match all signed apps excluding apps signed by Apple. This option will match all third party apps distributed with AppStore or Developer ID signed apps distributed via web or via other means, including your own self-signed apps.
- Developer Team Identifier: match all apps signed using the same Developer Team Identifier (Team ID)
- Unsigned Apps: match unsigned apps.
Please note that you should not run unsigned apps on your Mac. If you trust an unsigned code, then sign it with your own certificate. Never let unsigned binaries run on you Mac and, in case you do so, never let them connect to the network.
Vallum default configuration blocks unsigned apps.
- Process ID: every time you dismiss a notification alert selecting the "Until App Quits" option Vallum creates a new rule that will expire when the corresponding PID quits. These kind of rules use both Fingerprint and PID to match the process. A different process using the same PID will not be matched, so to avoid PID reuse issues.
action taken by the flow handler
- Pass: flow is allowed
- Block: flow is dropped
- Ask: if Vallum.app is running flow is paused and a notification alert is displayed. When alert is dismissed flow is resumed and matched against the new ruleset.
If Vallum.app is not running flow is passed or blocked according to rule's background- action parameter.
('Ask' rules only)
action taken by the flow handler when a flow matches an 'Ask' rule but Vallum.app is not running (notification popup alerts cannot be displayed).
- Pass: flow is allowed
- Block: flow is dropped
rules with the 'quick' option set are matched instantly. All forthcoming rules are ignored.
Please note that 'Ask' rules cannot be set as 'quick'.
rules with the 'log' option set will generate a log for every matched flow.
optionally specify network protocol. When empty matches all protocols. If rule specify a port then TCP/UDP is assumed.
optional address family. Can be set as IPv4, IPv6 or both
Inbound only. Can be an IPv4/IPv6 IP address or CIDR address, a group name or "any"
- any: matches all targets
- IPv4 or IPv6 IP address or CIDR (192.168.10.2, 10.0.0.0/8)
- hostname (outbound only)
- domain wildcard (outbound only)
- a group
Inbound only. TCP/UDP ports or range. Define ranges using colon, like 90:99
TCP/UDP ports or range. Define ranges using colon, like 90:99
rule can match connections of a specific user or all users. While the filter uses the numeric Posix ID, Vallum displays usernames.
each rule can be set to expire at a specific time/event
for each rule you can specify one or more conditions. A rule can be matched only if its conditions are met.
- Network connection type
can be set as 'Wifi', 'WiredEthernet' or 'Cellular'. Please note that the last one is not yet available on Macs. 'WiredEthernet' includes ethernet cable connections and bluetooth PAN. Rule can be matched only if current net connection type matches rule's net connection type.
- Connected to SSID
set a list of wifi SSIDs. Add as many SSIDs as you want. Rule can be matched if current SSID is included in the list
- Not connected to SSID
set a list of wifi SSIDs. Add as many SSIDs as you want. Rule can be matched if current SSID is not included in the list
- Interface is active
set a list of network interfaces. Add as many interfaces as you want. Rule can be matched only if all listed interfaces are active.
- Interface is not active
set a list of network interfaces. Add as many interfaces as you want. Rule can be matched only if all listed interfaces are not active.
Select Network -> Status to display current system parameters used to match rules conditions. This view is automatically updated every time network path is changed.