How to Configure Your Mac’s Firewall Correctly | Tips & Tricks
Mac comes with a built-in software firewall, but it's frequently ignored by users. Your firewall must be on and should only be disabled for short stretches at a time. If you've never touched it, it should still be on. But it's a good idea to check. And if it is on, you have many options for adjusting its performance. You can also replace your Mac's software firewall with a third-party firewall, seen at the bottom of the post.
Viewing the Firewall
The firewall is found in System Preferences. We'll navigate there, then look through the available firewall settings.
1. Open by clicking on the Apple menu in the upper-right of your screen and selecting “System Preferences” from the drop-down.
3. Select the “Firewall” tab from the top of the window.
4. Here you'll be able to see if your firewall is on or off. If the firewall is off, we should turn it back on.
- First, click the lock icon at the bottom-left of the window.
- When prompted, enter your administrator password. If you don't know what that is, enter the password you use to log on to your computer when it boots up, then click “Unlock.”
- Click the “Turn Firewall On” button.
Now that we're sure the firewall is on, let's look at the firewall settings. To see the available settings for the firewall and make adjustments to the firewall's settings, click “Firewall options …” If that button is not clickable or grayed out, unlock the preference pane as mentioned in the last step.
In this window we can tweak some options and provide exact permissions for specific applications. Click “Firewall Options …” to open the screen showing these features.
We'll take a quick tour through everything we can do here.
Block all incoming connections
This will block almost every connection request for your computer. However, it doesn't block outgoing requests or requests required for “basic Internet services.” Other applications might start to break down, however, depending on their configuration. This isn't generally a setting you can just set and forget.
Below is a list of services that are cleared to accept incoming connections or prevented from accepting incoming connections. On most computers you'll only see a couple of applications here. Green dots next to the name mean all incoming connections are permitted. Red dots mean all incoming connections are denied.
If you want to change an application's firewall settings, click on the arrows next to the connection type and choose its opposite. It's not a very precise control, and it doesn't affect outgoing connections at all.
You can add new applications to this list by clicking the “+” button at the bottom of the list. Applications can be removed from the list with their “–” button. This doesn't delete the application – it only removes the firewall rule from the list.
Automatically allow built-in software to receive incoming connections
This sets all of your Mac's built-in apps (things like Mail, Calendar, Messages, etc.) to allow all incoming connections. Unless you're having trouble with your Apple services, this should always be checked.
Automatically allow downloaded signed software to receive incoming connections
Just like with the above, this permits all incoming connections. However, instead of doing so for Apple's own apps, it does the same for applications you've downloaded from the Internet. If you're cautious about what you download, it's fine to keep this turned on. If not, toggle it off. Then, you should be asked to enable incoming connections each time you install an application requesting them.
Enable stealth mode
This secret-agent sounding mode isn't as exciting as it appears. When stealth mode is enabled, your computer won't respond when another computer on the network tries to find it.
Essentially, if one computer on the network shouts out, “Who's here?” your Mac is configured to answer “Me!” by default and give out some basic details. If you turn on stealth mode, your Mac will no longer respond to those requests. Make sure stealth mode is on unless you know you need to keep it off. It might hide your Mac from troublemakers, but only the laziest kind.
What about Third Party Firewalls?
If the built-in Apple firewall isn't sufficient, you can also install third-party firewall tools. Typically expensive, these tools are designed to give security-conscious users more control over their computer's communication within a graphical user interface, as well as maximum peace of mind. Third-party firewalls typically also provide control over outgoing connections: a major improvement over Apple's one-way restrictions. Here are a couple of our favorite.:
1. Little Snitch
Little Snitch is robust and canny, blocking every single incoming and outgoing Internet connection until you explicitly permit them. If you do need precise and exacting control over your computer's Internet traffic, Little Snitch is hard to beat, even at $45. The all-seeing Network Monitor also observes the origin of every single packet leaving your computer for detailed traffic auditing. It's an ideal combination of powerful and user-friendly, with only slightly obscure function visibility.
2. Radio Silence
Radio Silence is a cheaper version of the venerable Little Snitch and lets you manually disable applications from accessing the Internet at all. If you don't include an app on the list, it's not affected. That makes Radio Silence easier to use than Little Snitch, which requires permissions for literally every connection after its installation. That can be confusing and overwhelming when all you want is to block one or two programs.
WaterRoof is another rigorous firewall. WaterRoof is an IP firewall (IPFW) GUI that controls features like NAT setup, port redirection, and dynamic tracking rules. It goes far beyond that, allowing for a nearly insane level of customization for knowledgeable users. New users will be stumped.
Most Mac users will be adequately protected by the built-in firewall. If you want or need extra protection, Little Snitch is an excellent starting point. If you only need to shut out one or two apps, Radio Silence will get that done most efficiently.