
Dig through your Mac’s settings and you’ll find a firewall, turned off by default. Isn’t that insecure? Why would Apple be so irresponsible?

Don’t panic: this doesn’t mean your machine isn’t secure. The firewall in question lets you block incoming traffic to particular programs, meaning it’s only useful if there are programs on your computer that you’d like to restrict in terms of incoming information.

If that’s not the case, and if you use the Internet primarily behind a secure router, you probably don’t need to enable a firewall at all.

What Do The Experts Say?

A lot of general tech advice is really only true in particular situations – and “you need to have a firewall turned on or you’re not safe” is a good example of that. This isn’t to say that firewalls aren’t helpful – they can be, in some circumstances. But simply installing and turning one on isn’t going to be helpful in all cases, particularly if you don’t know how to configure it.

If none of this means anything to you, at all, you’re probably best just leaving the firewall turned off.


It’s possible I’m out of my depth here – I’m a software usability guy, not a security expert. Thomas Reed, on the other hand, knows what he’s talking about. He’s the long-term blogger behind The Safe Mac, a site that’s been documenting Mac security trends for nearly a decade. He argues that you don’t need a firewall on your Mac:

“For the most part, the average user does not need a firewall. A firewall is not a magical solution to problems like malware and spam, and is not much use at protecting a system that is left unsecured.”

My one-time colleague Chris Hoffman, writing for HowToGeek, came to a similar conclusion:

“In summary, a firewall isn’t really necessary on a typical Mac desktop, just as it isn’t really necessary on a typical Ubuntu Linux desktop. It could potentially lead to more hassle with setting up certain network services. But, if you feel more comfortable with it on, you’re free to enable it!”

This seems to be the consensus out there on the web: firewalls are great for power users, who understand what a firewall is for and know how to properly configure it to achieve what they want. For everyone else, enabling a firewall is unnecessary at best and infuriating at worst.

Still, if you want to turn a firewall on and configure it, you’ve got options. Let’s go over them.

Turning On Apple’s Firewall

Not all Mac users know this, but there’s been a built-in Mac firewall since Snow Leopard. You’ll find it in the System Preferences, under Security.


As we said, this is off by default. Turning the firewall on is easy:

[Screenshot: turning on the firewall]

If this option is greyed out, you’ll need to click the lock at bottom-left and enter your password before you can do this. Once you do you’ll be able to access additional options:

[Screenshot: firewall settings]

You can block particular applications from inbound requests. Note that you cannot stop applications from making outbound requests using this firewall, which is why many opt for more advanced options.
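
An inbound firewall only affects programs that accept connections from other machines, so it helps to see which ones those are before deciding. The shell function below is an added example, not part of the original article: it filters the output of `lsof -nP -iTCP -sTCP:LISTEN` down to programs listening on a non-loopback address. The sample lines, user name and process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the programs an inbound firewall rule would actually affect.
# Input is the output of:  lsof -nP -iTCP -sTCP:LISTEN
# (-n and -P keep addresses and ports numeric; -sTCP:LISTEN keeps listening sockets only)

# Reads lsof output on stdin and prints one "command port" line per program that
# listens on a non-loopback address, i.e. one that other machines can reach.
exposed_listeners() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }   # skip the header row
        $NF != "(LISTEN)"          { next }   # ignore sockets that are not listening
        {
            name = $(NF - 1)                  # e.g. *:7000, 127.0.0.1:5432, [::1]:5432
            n = split(name, parts, ":")
            port = parts[n]                   # the port follows the last colon
            addr = substr(name, 1, length(name) - length(port) - 1)
            # Loopback-only listeners cannot be reached from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $1, port
        }
    ' | sort -u
}

# Constructed sample output (not captured from a real machine).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd  412 user    8u  IPv4 0xa1      0t0  TCP *:49152 (LISTEN)
rapportd  412 user    9u  IPv6 0xa2      0t0  TCP *:49152 (LISTEN)
postgres  733 user    7u  IPv6 0xb1      0t0  TCP [::1]:5432 (LISTEN)
postgres  733 user    8u  IPv4 0xb2      0t0  TCP 127.0.0.1:5432 (LISTEN)
python3   901 user    4u  IPv4 0xc1      0t0  TCP 192.168.1.20:8000 (LISTEN)
Dropbox   640 user   88u  IPv4 0xd1      0t0  TCP *:17500 (LISTEN)'

# With --live, inspect this machine; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ] && command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners
else
    printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
fi
```

In the sample, `postgres` is bound to loopback only and drops out of the list; the three remaining programs are the ones a per-application inbound rule would apply to.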

Other Mac Firewall Options

In addition to the firewall included with OS X, there is a selection of third-party tools that provide control over incoming and outgoing connections, as well as which software can send and receive information over the Internet.

Murus ($10) — A Better GUI for The Built-In Firewall

Apple’s built-in firewall is Packet Filter, a powerful firewall commonly known as “pf” and well-known to Unix users. The default GUI, outlined above, doesn’t give you access to many of pf’s features, which is where Murus comes in. For $10 this app gives you control over inbound and outbound requests, and a lot more.


There’s a free version to download if you want to get a feel for what’s offered, though you’ll need to pay up if you want control over outbound requests.

Little Snitch ($35) — Top-Class Firewall for OS X

Another popular Mac firewall is Little Snitch, which notifies you when any program is accessing the Internet and lets you decide whether it should have access or not. For $35 it’s not exactly cheap,

This is a popular product that packs in the attention to detail, so look into it if you’re seriously contemplating setting up a firewall or you specifically want easy, GUI control over individual applications.

Private Eye — A Free Network Monitor

If you like the idea of seeing which programs are using your Internet, but don’t necessarily think you need the full firewall experience, I highly recommend checking out Private Eye.


With this app you can monitor, in real time, which of your applications are accessing the Internet and what specific URLs they’re accessing. This has all sorts of uses, from figuring out whether your Mac has malware to working out which programs are using bandwidth constantly.

The Take-Away: Learn to Use Your Firewall

If you know how a firewall works, and are willing to take the time to configure it properly, go for it! Turning on the firewall won’t hurt anything, especially as most port ranges need to be opened manually if you are accessing the Internet via a secured router.

If you’re not sure, there’s no particular reason to turn it on. A firewall can add an additional layer of security, sure, but that doesn’t mean your system is any more vulnerable without one turned on.

Do you use a firewall with Mac OS X? Which one and why?

Image Credits: Fire ring Via Shutterstock

  1. Rachel
    January 4, 2016 at 2:03 am

    I don't intentionally install any program I don't trust to use the internet. Creative Cloud for example needs the internet but I am hoping that Private Eye will let me know if I have and if I do use them, I will be able to add them to the OSX Firewall. Is that how it works? If not I will take a class in network security. I'm a budding web designer/developer/student I should probably know the basics, anyway.

    • Justin Pot
      January 4, 2016 at 2:36 pm

      You can block Adobe from accessing the web using Creative Cloud, the built-in firewall doesn't give you the same control though.

  2. Rachel
    January 4, 2016 at 1:58 am

    Thanks for the advice. I just got a strange pop up on Facebook. It said I had malware and offered to scan it for me. Why would Facebook do that? I assumed it was not Facebook and quickly did some research on Mac specific security programs. I have since installed Sophos, Malwarebytes, Private Eye and turned on my Firewall. I don't normally take my MacBook out of the house but if that ever becomes the case I will be investing in Little Snitch due to Mike's review. I too am economically vulnerable, I've not had non contract work since a March lay off. If God forbid I have to cancel my internet and move into Starbucks across the street, I will likely need it. Sophos already caught a few things. Likely from 2013 when my MacBookPro did leave the house.

  3. Mike
    November 29, 2015 at 9:08 pm

    Little Snitch! First bought it and used it in a demo mode. Didn't see where it prevented any problems for me, though it was interesting to watch different processes at work on my MacBook Pro and how they used the network.

    Then, last year, during a rough patch where I primarily had to use unsecured WiFi at a local public library (and without money for a VPN service), I scraped up some pennies and bought Little Snitch. OMG. I saw that my MacBook Pro (with firewall enabled) had become infested with several malware processes that were constantly causing traffic across my network to nefarious servers. Instant resolution by using Little Snitch to block all these processes. So easy and so obvious when there's something suspicious going on. You have to love Little Snitch in "strict" mode where it flashes you an alert for ANY traffic in OR out of your computer. And backup of all my settings with customizations is a cinch. So even if I boot off a different system drive, I can pull in my database of Little Snitch rules so I've got the same settings regardless.

    Little Snitch also caught some odd behavior by Evernote, where it was constantly communicating (thousands of calls per second) with what was allegedly the Chinese Evernote website, though the reasons for this were evaded by Evernote in their forums. At any rate, the odd process was flagged by Little Snitch and I was able to shut the process down completely. (Side note: whatever was going on, Evernote finally fixed it, but it took months for them to respond to the numerous complaints on their user forums.)

    I see so many calls by browsers to suspicious servers (and I'm talking about when I'm on SFW, mainstream sites) and unneeded calls to "content display networks" by apps that shouldn't even need such communication (since I've paid for the apps) that I kiss the feet of the Little Snitch developers on a daily basis.

    And they sure as heck keep their software up to date with the latest OS X developments.

    Ringing endorsement here—worth well more than the $35 price tag!

    • Jim
      May 19, 2016 at 10:45 pm

      Couldn't agree more -- Little Snitch is awesome!

      Plus, with some fine tuning, you can use it to block some popular ad servers completely. :-)

  4. dinikasaxenas
    August 20, 2015 at 11:37 am

    Private Eye seems pretty cool. Do they have a Windows version too?

    • Justin Pot
      August 20, 2015 at 3:25 pm

      So far as I know, no. Sorry. :\

  5. John Phillips
    August 19, 2015 at 8:12 pm

    And you don't need to wear a seat belt or motorcycle helmet or stop at stop signs...until you do.

    I am so tired of these twits with their "we don't get viruses/virii on the Mac because...Apple." It's BS. With popularity comes attention. With attention comes interest. With interest comes hacks, virii(?), malware and all sorts of nasties. Anyone who thinks this doesn't apple to Apple gear needs to get their head out of their...sandbox.

    It's not just the Mac OS that can and has been exploited but all the other applications (not just the pirated ones either, that's just naive) that can be installed, linked to via the browser etc.

    And don't forget that many people don't use their Macs "behind a secure router" (which is even less likely given the recent stats on open/exposed commercial/home routers) they use them at Coffee Shops, malls etc.

    So, in fact, any effort to apply security is better than not doing so.
    “The absence of evidence is not the evidence of absence.”
    - Carl Sagan, Cosmos

    • Justin Pot
      August 20, 2015 at 3:29 pm

      Macs aren't configured to have all ports open by default: they only open the ports for authorized software. Turning on the firewall turns off this default and puts the control in the user's hand, meaning it will only help if the user knows what they're doing. If not, putting the power into the user's hand is worse than doing nothing.

  6. hildyblog
    August 18, 2015 at 12:16 pm

    I didn't mean to get into a Win/OSX battle. The real battle is between users and the Internet. A firewall can help.

    I don't know if OSX uses Linux's uncomplicated firewall (ufw) but Ubuntu has a good FAQ for people wanting to make their firewall even more useful.

    • Justin Pot
      August 20, 2015 at 3:30 pm

      OS X uses Packet Filter by default, configured so that only authorized software can use the web.

  7. hildyblog
    August 18, 2015 at 2:24 am

    This sounds an awful lot like the "Do you need to run an anti-virus on your Mac?" article of a few years ago. Those who ignored the advice and ran AV software anyway might have dodged a bullet or two. A default firewall, assuming Apple's is about equivalent to Microsoft's, helps add a bit (not a lot) more protection. It can't hurt and it might help. If nothing else, the logs might reveal unwanted behavior.

    • Justin Pot
      August 18, 2015 at 5:10 am

      If you've avoided pirating Mac software, in all likelihood you've been fine these last few years – with or without an antivirus. Seriously, Mac viruses get a lot of press but affect very few people at the end of the day.
