NetGuard
See every connection your Mac makes — in and out — and decide who gets through. A per-app firewall with a live traffic monitor and encrypted DNS, that also watches for the inbound scans and probes most Mac firewalls ignore.
A firewall that shows its work.
NetGuard intercepts connections at the process level, checks each against your rules, and either allows, denies, or asks — so nothing leaves your Mac unseen.
Per-app firewall
Every outgoing connection is matched to the app that opened it, then allowed, denied, or held for you to decide.
Ask, once
A clean alert names the app, host and port. Answer once and NetGuard remembers the rule — by app, domain, or connection.
Live traffic monitor
Watch connections as they happen, ranked by app, plotted on a world map with GeoIP — see exactly where traffic goes.
Encrypted DNS
A built-in proxy resolves names over DoH, DoT and DoQ, so lookups stay private and can't be sniffed on the wire.
Blocklists built in
Millions of tracker and malware domains, blocked before they resolve — updatable, and enforced at the DNS layer.
Native & private
SwiftUI + NetworkExtension, with an encrypted rules database on-device. No accounts, no telemetry — signed and notarized.
Watch every connection, in and out.
Outgoing and incoming traffic is plotted by GeoIP and animated in real time — see where your Mac is reaching out to, and who's reaching back.
Controls what gets out. Watches what comes in.
Most Mac firewalls only police what leaves. NetGuard does both — a per-app firewall for every outgoing connection, plus active detection of the scans and probes coming the other way.
Decide who gets out
Per-app, per-connection verdicts with a live monitor and a world map.
- ✓ Allow, deny or ask on every new connection
- ✓ Rules by app, domain, port & network
- ✓ Encrypted DNS & blocklists stop trackers at the source
Catch what's probing you
Reconnaissance against your Mac is flagged before it turns into something worse.
- ✓ Spots SYN scans, UDP probes & traceroutes
- ✓ ARP-spoofing, ICMP-redirect & OS-fingerprint modules
- ✓ BPF packet capture with tunable thresholds
Every screen, built for control.
A real macOS app — not a menu-bar toy. Eight screens for monitoring, rules, blocklists, insights and network profiles, each doing one job well.
Your rules, enforced on the device.
- 01Ask before it leaves. New connections pause for a verdict — you allow or deny, and the choice becomes a rule.
- 02Everything is local. Rules and traffic history live in an encrypted database on your Mac. Nothing is sent to us.
- 03Incoming too. Inbound connections run the same rule engine, with a policy you set — follow, deny-all, or always ask.
- 04Never holds traffic hostage. If a license ever can't be verified, filtering steps aside — the network keeps working, it just stops guarding.
Native, signed, universal.
A direct download, not the Mac App Store — a system-wide network filter can't run inside the App Store's sandbox. Every copy is signed and notarized by Apple, so it installs cleanly with no security warnings.
Own it once. Guard forever.
A one-time license for NetGuard 1.0 — every 1.x update included. Handled internationally by Creem, with tax and receipts sorted.