Personally, I'll choose Linux over any other desktop or laptop environment, but that doesn't stop me from making some recommendations when it comes to protecting your Mac.
First things first, Mac comes with a built-in firewall. However, Mac's firewall is switched off - by default!
Go to System Preferences -> Security & Privacy -> Firewall and turn it ON.
Then open Firewall Options.
Check 'Block all incoming connections'.
Yes, it is that easy to set up the firewall of macOS. That said, it is by no means the perfect solution and, of course, it wouldn't block macOS-specific apps etc.
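The same two settings can be checked and applied from Terminal with the socketfilterfw tool that ships with macOS. This is an added example, not part of the original post; the SOCKETFILTERFW override variable and the "(State = N)" output format it parses are assumptions.

```shell
#!/bin/sh
# Added example: audit and apply the firewall settings from the steps above.
# SOCKETFILTERFW is a hypothetical override variable, used only for testing.
FW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Print off | on | blockall | unknown for the current firewall state.
# Assumption: --getglobalstate reports "(State = N)" with 0 = off, 1 = on,
# 2 = block all incoming. Any other output is reported as unknown.
fw_state() {
    out=$("$FW" --getglobalstate 2>/dev/null) || { echo unknown; return 0; }
    case "$out" in
        *"State = 0"*) echo off ;;
        *"State = 1"*) echo on ;;
        *"State = 2"*) echo blockall ;;
        *) echo unknown ;;
    esac
}

# Turn the firewall on and block all incoming connections (needs root).
fw_harden() {
    "$FW" --setglobalstate on >/dev/null || return 1
    "$FW" --setblockall on >/dev/null || return 1
}

# Succeed only when the Mac matches the configuration from the steps above.
fw_compliant() {
    [ "$(fw_state)" = "blockall" ]
}

# Usage: sh firewall.sh audit   (exit status 0 means compliant)
#        sudo sh firewall.sh apply
case "${1:-}" in
    audit) echo "firewall: $(fw_state)"; fw_compliant ;;
    apply) fw_harden && echo "firewall: $(fw_state)" ;;
esac
```

An "unknown" result means the tool was missing or printed something the script does not recognise, so check the setting in the GUI in that case.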
The biggest name when it comes to firewalls on macOS is Little Snitch. This convenient and 'easy to use' firewall will give notice of any internet connections to or from any of your apps or browser. You can manually block those connections, or allow them. This can be set to once or forever, and to a specific domain or any connection. Every time you allow or deny a connection, Little Snitch will create a rule. This rule can be modified and reviewed later.
You can even run Little Snitch in Silent mode to avoid notifications. Yet, I would say if you do use Little Snitch, let it 'snitch' on every app. Even if it might interrupt you quite often at the beginning, it is worth the hassle and will protect you long term.
Little Snitch is not open-source, but has a few audits and a great reputation built up over a number of years. You can get a 30-day free demo and a single licence will set you back $45.
In conclusion, Little Snitch can do a lot and gives you multiple options. However, it can be a little overwhelming at first, and might not be everyone's cup of tea because of the price tag.
This one is simple, powerful, and hassle-free. In fact, it is absolutely beginner-friendly and protects your privacy. You won't have any pop-ups; you set everything in the settings and forget about it. It is dead simple: allow or deny an app to go online. The app gives you a 24-hour trial version and costs $9 once afterwards.
In summary, it works fine but doesn't have many features. Yet, it is very beginner-friendly.
This one is open-source! Lulu works pretty much like Little Snitch. Once you enable Lulu, you get pop-up notifications, and can block or allow connections. This can be done permanently or temporarily. Just as with Little Snitch, you can apply rules based on process or at domain level.
You can also delete rules or add domains or ports to the rules.
At NetIQuette you can see what your Mac does in real time.
Lulu does pretty much most of what Little Snitch does. However, Lulu is built to block outgoing connections. You can, of course, pair it with your built-in macOS firewall and have the macOS firewall on strict mode for incoming connections.
The best part (maybe), is that Lulu is not only open-source, but also free.
It also has a host file, so you can select a blocklist and block domains at root level.
In conclusion, Little Snitch has a bit more to offer than Lulu, but is not open-source. I recommend everyone who gets a Mac to try Lulu and if it works for you, it's the perfect solution.
The Privacy Advocate