(blog-of ‘Alex’)

A personal blog about software development and other things. All opinions expressed here are my own, unless explicitly stated.

How to: Block network access for application

Selectively blocking network access is no easy task, especially if you want to do it often (e.g. while manually testing something). Turning off Wi-Fi is fast, but what if you want to google something while running an application that shouldn’t communicate with the outside world?

It turns out that it is actually easy in Mac OS X via the sandbox utility.

This utility includes the sandboxd service, which prevents your newly downloaded applications from being started immediately; you’ve probably seen the “This application has been downloaded from the internet…” dialog triggered by that service. It also has the sandbox-exec utility, which allows you to run an app within a sandboxed environment, and one of its capabilities is restricting everything in this environment from accessing the internet.

Here is how you can do it.

First of all, create a sandbox profile for the particular application, let’s say nonet.sb in your home folder:

(version 1)
(allow default)
(deny network*)

Then start the application in the no-network sandbox as follows (this starts Skype without network access):

sandbox-exec -f $HOME/nonet.sb /Applications/Skype.app/Contents/MacOS/Skype

Voila!
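As an added example (not part of the original post), the two steps above can be wrapped in shell functions that run any command under the same profile and confirm that the deny rule is really in effect. The function names `write_nonet_profile`, `nonet` and `nonet_selfcheck`, the temporary profile path and the default test URL are assumptions made for this sketch.

```shell
# Added example: wrapper around the profile from the post, plus a self-check.

# Write the post's profile to the path given as $1.
write_nonet_profile() {
    cat > "$1" <<'EOF'
(version 1)
(allow default)
(deny network*)
EOF
}

# Run "$@" under the profile; the profile is a temp file removed afterwards.
nonet() {
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "nonet: sandbox-exec not found (macOS only)" >&2
        return 127
    fi
    profile=$(mktemp "${TMPDIR:-/tmp}/nonet.XXXXXX") || return 1
    write_nonet_profile "$profile"
    sandbox-exec -f "$profile" "$@"
    rc=$?
    rm -f "$profile"
    return "$rc"
}

# The same request must succeed outside the sandbox and fail inside it.
# The default URL is an assumed test target.
nonet_selfcheck() {
    url=${1:-https://example.com/}
    if ! curl -s -o /dev/null --max-time 5 "$url"; then
        echo "nonet_selfcheck: no connectivity outside the sandbox" >&2
        return 2
    fi
    if nonet curl -s -o /dev/null --max-time 5 "$url"; then
        echo "FAIL: request succeeded inside the sandbox" >&2
        return 1
    fi
    echo "OK: network access denied inside the sandbox"
}
```

The sandbox-exec man page on current macOS releases marks the command as deprecated, so rerun `nonet_selfcheck` after an OS upgrade before relying on the wrapper.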

P.S.: If you quit the sandboxed application and then start it again without applying the sandbox profile, the application will not be denied access to the internet.

P.P.S.: You can read more on the sandbox utility here and here. Or just type man sandbox-exec in your Mac Terminal!