Configuring macOS Security With Your Built-in Firewall


Your Mac comes with its very own built-in firewall. But like many built-in security features, new users often ignore these settings. The firewall controls what Internet connections are accepted by your Mac. Some connections, like obviously malicious ones, will always be refused. Some connections, like Apple’s own services, will always be permitted. Connection types between those two extremes are a little murkier, requiring user configuration.

Viewing the Firewall

Let’s pop open System Preferences and check out the firewall. We should also confirm that the system firewall is on. Turning it off is highly dangerous and not recommended. If you don’t have a very specific good reason for disabling your firewall, don’t do it.

1. Open it by clicking on the Apple menu in the upper right of your screen and selecting “System Preferences” from the drop-down.

2. Click on the “Security & Privacy” tab.

3. Select the “Firewall” tab from the top of the window.

4. Here, you’ll be able to see if your firewall is on or off. If the firewall is off, we should turn it back on. First, click the lock icon at the bottom left of the window. When prompted, enter your administrator password. If you don’t know what that is, enter the password you use to log on to your computer when it boots up. Then click “Unlock.”

 

Then click the “Turn Firewall On” button.

Firewall Options

In this window, we can tweak some options and provide exacting permissions for specific applications. Click “Firewall Options…” to open the screen showing these features.

We’ll take a quick tour through everything we can do here.

  • Block all incoming connections: This will block almost every connection request for your computer. However, it doesn’t block outgoing requests or requests required for “basic Internet services.” Other applications might start to break down, however, depending on their configuration. This isn’t generally a setting you can just set and forget.
  • App Settings: Below that option is a list of services that are either cleared to accept incoming connections or prevented from accepting them. On most computers, you’ll only see a couple of applications here. Green dots next to the name mean all incoming connections are permitted. Red dots mean all incoming connections are denied. If you want to change an application’s firewall settings, click on the arrows next to the connection type and choose its opposite. If you see any apps here that look unfamiliar or suspicious, you can block their connectivity here. Otherwise, these settings should be left the same.
  • Automatically allow built-in software to receive incoming connections: this allows your Mac’s built-in apps (Mail, Calendar, Messages, etc.) to accept all incoming connections. There’s no reason not to leave this checked.
  • Automatically allow downloaded signed software to receive incoming connections: allows all incoming connections for apps that have been digitally signed by the developer. This generally is accepted as proof that the application is not malicious, especially since most signed software comes from the Mac App Store.
  • Enable stealth mode: With this box ticked, your computer won’t respond when another computer on the network asks for a roll call through ICMP or Ping. That can make you a little less noticeable on public networks.
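
The same settings can be read from Terminal, which is handy when you want to check several Macs. This is an added example, not part of the original article: it assumes Apple’s socketfilterfw tool at its usual path, matches its output loosely because the wording differs between macOS releases, and uses hypothetical function names (fw_state, audit_firewall).

```shell
#!/bin/sh
# Added example: audit the firewall settings described above.
# SFW is Apple's application-firewall CLI; override it to point at a stub.
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Reduce one socketfilterfw status query to "on", "off" or "unknown".
# "disabled" is tested first because it contains the string "enabled".
fw_state() {
    out=$("$SFW" "$1" 2>/dev/null | tr '[:upper:]' '[:lower:]')
    case "$out" in
        *disabled*|*" off"*)          echo off ;;
        *enabled*|*" on"*|*blocking*) echo on ;;
        *)                            echo unknown ;;
    esac
}

# Print the three settings and return non-zero if the firewall is not on.
audit_firewall() {
    rc=0
    global=$(fw_state --getglobalstate)
    stealth=$(fw_state --getstealthmode)
    blockall=$(fw_state --getblockall)
    echo "firewall:  $global"
    echo "stealth:   $stealth"
    echo "block all: $blockall"
    # The one hard requirement: the firewall itself must be on.
    [ "$global" = on ] || { echo "FAIL: firewall is not on"; rc=1; }
    # Stealth mode is optional hardening for public networks: warn only.
    [ "$stealth" = on ] || echo "WARN: stealth mode is not enabled"
    # Block-all can break other applications, so flag it for review.
    [ "$blockall" = on ] && echo "NOTE: block-all is on; some apps may break"
    return $rc
}

# Run the audit only on macOS, where socketfilterfw exists.
if [ "$(uname)" = Darwin ]; then
    audit_firewall
fi
```

An "unknown" result means the tool was missing or printed wording the loose match does not recognise, and it is treated as a failure for the main firewall state.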

Using Third-Party Firewalls

Your Mac’s firewall is an important tool in your security arsenal, but it’s not very powerful. If you want finer-grained control over network communications, you can use third-party firewall apps like Little Snitch or Radio Silence. These permit app- and service-specific firewall settings that aren’t available through the default Mac firewall. These apps don’t necessarily provide greater security, of course. If you globally permit every connection type, that’s the same as just using the system firewall. But if you’re specific about your settings, these applications can provide more powerful control over your network communications.


Alexander Fox
