
Does Your Mac Really Need a Firewall? What You Need to Know

Rahul Saigal Updated 25-02-2020

Do you need a firewall on your Mac? Well, yes and no.


Chances are that your computer sits behind the NAT and firewall built into your router, which already drops unsolicited inbound connections from the internet, and leaving macOS's own firewall off makes it easier to set up connections with other Apple devices on your home network. But if you use a laptop and frequently join untrusted networks (hotel, café or conference Wi-Fi), every other device on that network can reach your Mac directly, and you should enable the firewall.

macOS also includes an assortment of sharing services (file, screen and printer sharing, Remote Login and others) for reaching your content from elsewhere. Every service you leave enabled, and every third-party app that listens on a port, is a network entry point that anyone on the same network can probe. We'll show you how to configure the firewall and when you need it.

Setting Up Your Mac’s Firewall

The importance of a firewall as part of a security strategy cannot be overstated. We have already discussed in detail why you should use a firewall (see 5 Reasons Why You Should Use a Firewall).

In macOS’s case, there are two components of the software firewall.

Application Layer Firewall (ALF)

This component decides, per application, whether a program may accept incoming connections. The decision is keyed to the app (identified by its code signature), not to the ports it uses. The built-in macOS firewall is exactly this and, by design, it's simple and intuitive: for each app you specify whether to allow or block incoming connections. Note that it filters inbound traffic only; it has no say over what an app sends out.

To turn on the firewall on your Mac, open System Preferences > Security & Privacy > Firewall. Click the lock icon in the lower-left of the window, enter your administrator password, and click Unlock.

If the window doesn't already say Firewall: On, click the Turn On Firewall button. The indicator turns green, and your Mac will only allow incoming traffic for connections it initiated itself, for signed software, and for the services you have enabled. (Signed software is allowed automatically by default; you can change that under Firewall Options.) You can later turn the firewall off again with the same button.
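The same settings can be scripted, which is handy when you manage several Macs or want to re-apply a known-good configuration after an upgrade. The following is an added example, not code from the article: it drives the ALF through socketfilterfw, the command-line tool behind the Firewall pane. The application path is hypothetical, and on anything other than macOS (or with DRY_RUN=1) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: configure the macOS Application Layer Firewall from the shell.
# Run as root on macOS. Elsewhere, or with DRY_RUN=1, commands are printed only.
set -eu

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# run CMD...: execute on macOS, otherwise echo the command that would run.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ "$(uname -s)" != Darwin ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# alf_harden: the settings a laptop that roams onto untrusted networks wants.
alf_harden() {
    run "$SFW" --setglobalstate on       # Firewall: On
    run "$SFW" --setstealthmode on       # do not answer pings/probes to closed ports
    run "$SFW" --setallowsigned off      # stop auto-allowing built-in signed software
    run "$SFW" --setallowsignedapp off   # ...and downloaded signed apps; prompt instead
    run "$SFW" --setloggingmode on       # record allow/deny decisions in the system log
}

# alf_block_app PATH: add an app to the list and set it to "Block incoming connections".
alf_block_app() {
    run "$SFW" --add "$1"
    run "$SFW" --blockapp "$1"
}

# alf_status: global state plus the per-app list, as the Firewall Options pane shows it.
alf_status() {
    run "$SFW" --getglobalstate
    run "$SFW" --getstealthmode
    run "$SFW" --getallowsigned
    run "$SFW" --getblockall
    run "$SFW" --listapps
}

alf_harden
alf_block_app "/Applications/Some Untrusted.app"   # hypothetical path
alf_status
```

Turning off the two "automatically allow signed" options is the change most people miss: with them on, any app carrying a valid Developer ID signature is allowed to listen without ever asking you.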


Packet Filter (PF) Firewall

This component lives in the operating system kernel. PF is a port of OpenBSD's packet filter. Its job is to filter network packets by matching the properties of individual packets (and of the connections built from them) against the criteria defined in a ruleset.

With PF, you can control traffic based on virtually any packet or connection attribute: source and destination address, interface, protocol, port, and connection state. For each match you can let the packet pass, block it, and optionally log it so other tools (tcpdump on the pflog interface, for instance) can act on it.

PF arrived on the Mac with Mac OS X 10.7 Lion, where it replaced the older ipfw. It is present but not enabled by default. While the ALF is easy and intuitive, setting up PF requires a working knowledge of its syntax, rule logic, and your network configuration. You edit the configuration files by hand, and loading and monitoring the packet filter is done entirely from the command line with pfctl.
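What a PF setup looks like in practice, as an added example rather than anything from the article: a small default-deny ruleset loaded into its own anchor, with the pfctl commands to syntax-check it before loading, enable PF, and watch what gets dropped. The anchor name (com.example.fw) and the trusted subnet are assumptions; the ruleset is written to a file on any system but only loaded on macOS, and loading requires root.

```shell
#!/bin/sh
# Added example: minimal PF ruleset for a Mac plus the pfctl workflow around it.
# Anchor name and trusted LAN are assumptions; adjust before use.
set -eu

ANCHOR=com.example.fw
TRUSTED_NET=192.168.1.0/24   # assumed home LAN that may reach Remote Login (SSH)

# pf_ruleset: print the rules. Default-deny inbound, stateful pass outbound,
# and log every blocked packet so it shows up on pflog0.
pf_ruleset() {
    cat <<EOF
set block-policy drop
set skip on lo0
# drop (silently) and log anything inbound that no later rule allows
block in log all
# let the Mac itself talk out; state entries let the replies back in
pass out quick all keep state
# Remote Login (SSH) only from the trusted LAN
pass in quick proto tcp from $TRUSTED_NET to any port 22 flags S/SA keep state
# answer pings so network troubleshooting still works
pass in quick inet proto icmp all icmp-type echoreq keep state
# IPv6 neighbour discovery breaks without ICMPv6
pass in quick inet6 proto ipv6-icmp all
EOF
}

# pf_check FILE: parse only (-n), never touching the live ruleset.
pf_check() { pfctl -nf "$1"; }

# pf_load FILE: load the rules into our anchor and enable PF. To survive a reboot
# the anchor also has to be declared in /etc/pf.conf (an "anchor" line plus a
# "load anchor ... from" line, the way Apple's own com.apple anchor is).
pf_load() {
    pfctl -a "$ANCHOR" -f "$1"
    pfctl -e || true   # non-zero if PF was already enabled
}

# pf_show: rules in our anchor, the state table, and the counters.
pf_show() {
    pfctl -a "$ANCHOR" -sr
    pfctl -ss
    pfctl -si
}

# pf_watch_blocked: live view of what "block log" dropped; pflog0 may need creating.
pf_watch_blocked() {
    ifconfig pflog0 create 2>/dev/null || true
    tcpdump -n -e -ttt -i pflog0
}

RULES=${TMPDIR:-/tmp}/$ANCHOR.conf
pf_ruleset > "$RULES"
if [ "$(uname -s)" = Darwin ]; then
    pf_check "$RULES" && pf_load "$RULES" && pf_show
else
    echo "Not macOS: ruleset written to $RULES but not loaded"
fi
```

Always run the pf_check step first: a typo in a ruleset that is loaded with -f replaces the working rules with nothing, and on a remote machine that can lock you out.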

Configure Apple Firewall Settings

macOS includes many built-in services to share files, printers, access resources remotely, and more. To enable a service, navigate to System Preferences > Sharing and tick the box next to each service you want to use.

Since the firewall works on a per-application basis, you'll see these services listed by name rather than by port number. For example, the pane shows File Sharing instead of port 548 (AFP) or port 445 (SMB).


To customize the firewall, head back to the Firewall panel and click the Firewall Options button. This reveals the detailed configuration. Use the Plus and Minus buttons to add or remove apps as needed. Below the list are further options: Block all incoming connections (everything except the basic services macOS needs), Automatically allow built-in software to receive incoming connections, Automatically allow downloaded signed software to receive incoming connections, and Enable stealth mode, which makes your Mac ignore pings and probes to closed ports.

Any services you’ve checked in the Sharing panel as above will automatically appear in the list of allowed connections. But if you disable any of the services, they’ll no longer appear in the firewall options pane.


When a third-party app starts listening for incoming connections, you'll see a message asking "Do you want the application "[App]" to accept incoming network connections?" Click Allow or Deny to modify the firewall settings; apps you allow appear on the list. Keep in mind that with "Automatically allow downloaded signed software" checked (the default), signed apps are allowed without any prompt; you only get asked about unsigned software, or about everything once you untick that option.


Should the Outbound Firewall Be On or Off?

The built-in firewall only lets you monitor and block incoming connections; it does nothing about what leaves your Mac. Outgoing connections are worth watching too, and that takes a third-party tool. How can an average user make use of outgoing traffic data? A few examples:

  1. Most apps you use on your Mac have a visible interface and continuously exchange data with servers elsewhere. But many processes running in the background also send and receive data. Take a look at the processes in Activity Monitor > Network: how can you be sure that all those connections are genuine?
  2. Apps are active all the time: your email app downloads new messages, apps periodically check for updates, and Dropbox syncs newly changed files. These activities are fine, but if you download a malicious app that secretly logs your keystrokes and sends that data to an attacker, that's a problem, and an outbound filter is where you would catch it.
  3. Paid apps routinely "phone home" to check license data, but some developers also collect personal information without your consent. Such apps may scan or broadcast on your local network, copy your Mac's configuration details, and monitor how you use the app.

From these examples, it's clear that a two-way firewall protects both inbound and outbound traffic. An outbound filter can reveal the activity of malware that is already installed and running, but in day-to-day use it does as much for your privacy as for your security: you get to see which servers your apps talk to and say no.
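As an added example (not from the article), here is a command-line version of the Activity Monitor check above. On macOS it runs lsof to list listening sockets and established connections per process and then asks codesign who signed each connecting binary; on any other system it works from a constructed lsof-style sample so the parsing can be tried anywhere. The process names, PIDs and addresses in the sample are made up, and the signing step assumes the macOS behaviour of ps -o comm (full path) and codesign.

```shell
#!/bin/sh
# Added example: who is this Mac talking to, and who signed the code doing it?
# Uses lsof/ps/codesign on macOS; falls back to constructed sample data elsewhere.
set -eu

# Constructed sample of lsof -nP -iTCP output (documentation address ranges only).
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Dropbox     812   alice   23u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:52113->203.0.113.5:443 (ESTABLISHED)
Dropbox     812   alice   31u  IPv4 0x1a2c      0t0  TCP 192.168.1.20:52120->203.0.113.5:443 (ESTABLISHED)
helper-ag   4411  alice   7u   IPv4 0x1a2d      0t0  TCP 192.168.1.20:49201->198.51.100.9:8443 (ESTABLISHED)
sshd        311   root    4u   IPv4 0x1a2e      0t0  TCP *:22 (LISTEN)
Mail        990   alice   12u  IPv4 0x1a2f      0t0  TCP 192.168.1.20:52130->192.0.2.10:993 (ESTABLISHED)'

# socket_table: raw TCP socket list. +c 0 keeps full command names
# (lsof prints a space inside a name as \x20, so the columns stay aligned).
socket_table() {
    if [ "$(uname -s)" = Darwin ]; then
        lsof -nP -iTCP +c 0
    else
        printf '%s\n' "$SAMPLE_LSOF"
    fi
}

# listening_ports: sockets waiting for inbound connections. These are what the
# ALF rules and the Sharing pane are really about.
listening_ports() {
    socket_table | awk '/\(LISTEN\)/ { print $1, $2, $9 }' | sort -u
}

# connections_by_process: one line per (command, pid, remote endpoint) with the
# number of established sockets to it. Background helpers with no window show up
# here exactly like the apps you can see.
connections_by_process() {
    socket_table | awk '
        /\(ESTABLISHED\)/ {
            split($9, ep, "->")          # NAME is local->remote
            key = $1 " " $2 " " ep[2]
            n[key]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# signing_status PID: on macOS, print identifier and signing chain of the binary
# behind a PID, so an unsigned or oddly signed helper stands out.
signing_status() {
    path=$(ps -o comm= -p "$1" || true)
    [ -n "$path" ] || { echo "pid $1 has exited"; return 0; }
    codesign -dvvv "$path" 2>&1 | grep -E '^(Identifier|Authority)=' \
        || echo "$path: not signed"
}

echo "== listening sockets (inbound attack surface)"
listening_ports
echo "== established connections per process (outbound)"
connections_by_process
if [ "$(uname -s)" = Darwin ]; then
    for pid in $(connections_by_process | awk '{ print $2 }' | sort -u); do
        echo "-- pid $pid"
        signing_status "$pid"
    done
fi
```

The interesting lines are the ones like helper-ag in the sample: a name you don't recognise, talking to an address you can't account for. That is the process to look up, and the one an outbound firewall would have asked you about.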

Third-Party Firewall Apps for Mac

Many third-party firewall apps provide control over both incoming and outgoing connections. We discuss a few popular ones below.

LuLu


LuLu is a free, open source firewall that aims to block outgoing traffic unless it’s explicitly approved by the user. Once installed, it will alert you about new or unauthorized attempts to create an outgoing network connection. Click the Allow or Block button to handle the connection.

The alert window shows the process icon and the app's code-signing status. A built-in VirusTotal integration lets you check whether the binary is already known to be malicious. Alongside that you can see the process hierarchy (which helps you identify the parent process that is really responsible), process details, and more.

Download: LuLu (Free)

Radio Silence


Radio Silence is the simplest firewall app for your Mac. After installation, the app runs in the background without a menu bar icon or other visual indicators. Navigate to the Firewall tab and click the Block Application button. Once you add an app to the block list, it can no longer connect to the internet.

Since you’re manually adding these apps, you won’t see any annoying popups. The Network Monitor tab provides you with real-time data for a particular process or an app. You can find hidden helpers, in-memory processes, daemons, XPC services, port numbers, and host IP addresses. While the app comes at a small fee, you can try it before you buy.

Download: Radio Silence ($9, free trial available)

Little Snitch


Little Snitch is a host-based application firewall for Mac. The app provides detailed reports on processes, outgoing and incoming connections, ports, and protocols. It also shows the complete traffic history down to a one-minute interval time range.

By default, the Silent Mode feature allows all network access not explicitly forbidden by a rule. Since you're not denying anything yet, you have time to learn the ins and outs of the app. Behind the scenes, it records every connection, and from that history you can start creating rules.

The Network Monitor shows a global map of the active connections from your system to the IP-derived or probable locations around the world in real-time. The left panel displays a list of apps sending and receiving data, while the right panel gives you a detailed summary.

The Automatic Profile Switching feature allows you to create filtering profiles based on the network. You can create separate profiles for home, work, the coffee shop, and more. There are many more features, though the software doesn’t come cheap. For enthusiasts, however, Little Snitch is a hard firewall to beat.

Download: Little Snitch ($45, free trial available)

Murus


Murus is a graphical frontend for the PF firewall. It packs an intuitive interface and lets you configure the app using the built-in presets. It also gives you a ruleset editor to create and manage rules. You can create complex rules with advanced options like port knocking, accounting, and more.

Murus Lite is a basic firewall with only inbound filtering and logging capabilities. For $10 you get outbound filtering, custom rules, port knocking, customization-related features, and a lot more.

Download: Murus (Free, premium versions available)

A Layered Defense Offers the Best Protection

A firewall is not a magical solution to problems such as malware and spam, and how much it matters depends on how you use your Mac. For a typical user, the built-in firewall together with an outbound filter such as Little Snitch is more than enough. If you work for a business that runs on Macs, adding a separate layer of firewall protection (at the network perimeter, or PF on the hosts) makes sense.

An ALF and PF can run side by side without any major issues, because they filter at different layers of the network stack: PF inspects packets in the kernel before they reach a socket, while the ALF decides per application whether a socket may accept connections at all. The same is true for the third-party apps above: every third-party ALF works alongside the PF firewall.

Remember that firewall protection is only one part of a security strategy. Know how to avoid infecting your Mac with malware (see 5 Easy Ways to Infect Your Mac With Malware), and check out other macOS security tips to increase your protection.


  1. Rachel
    January 4, 2016 at 2:03 am

    I don't intentionally install any program I don't trust to use the internet. Creative Cloud, for example, needs the internet, but I am hoping that Private Eye will let me know if I have any, and if I do use them, I will be able to add them to the OSX Firewall. Is that how it works? If not, I will take a class in network security. I'm a budding web designer/developer/student; I should probably know the basics anyway.

    • Justin Pot
      January 4, 2016 at 2:36 pm

      You can block Adobe from accessing the web using Creative Cloud, the built-in firewall doesn't give you the same control though.

  2. Rachel
    January 4, 2016 at 1:58 am

    Thanks for the advice. I just got a strange pop-up on Facebook. It said I had malware and offered to scan it for me. Why would Facebook do that? I assumed it was not Facebook and quickly did some research on Mac-specific security programs. I have since installed Sophos, Malwarebytes, Private Eye and turned on my Firewall. I don't normally take my MacBook out of the house, but if that ever becomes the case I will be investing in Little Snitch due to Mike's review. I too am economically vulnerable; I've not had non-contract work since a March layoff. If, God forbid, I have to cancel my internet and move into Starbucks across the street, I will likely need it. Sophos already caught a few things. Likely from 2013 when my MacBookPro did leave the house.

  3. Mike
    November 29, 2015 at 9:08 pm

    Little Snitch! First bought it and used it in a demo mode. Didn't see where it prevented any problems for me, though it was interesting to watch different processes at work on my MacBook Pro and how they used the network.

    Then, last year, during a rough patch where I primarily had to use unsecured WiFi at a local public library (and without money for a VPN service), I scraped up some pennies and bought Little Snitch. OMG. I saw that my MacBook Pro (with firewall enabled) had become infested with several malware processes that were constantly causing traffic across my network to nefarious servers. Instant resolution by using Little Snitch to block all these processes. So easy and so obvious when there's something suspicious going on. You have to love Little Snitch in "strict" mode, where it flashes you an alert for ANY traffic in OR out of your computer. And backup of all my settings with customizations is a cinch. So even if I boot off a different system drive, I can pull in my database of Little Snitch rules so I've got the same settings regardless.

    Little Snitch also caught some odd behavior by Evernote, where it was constantly communicating (thousands of calls per second) with what was allegedly the Chinese Evernote website, though the reasons for this were evaded by Evernote in their forums. At any rate, the odd process was flagged by Little Snitch and I was able to shut the process down completely. (Side note: whatever was going on, Evernote finally fixed it, but it took months for them to respond to the numerous complaints on their user forums.)

    I see so many calls by browsers to suspicious servers (and I'm talking about when I'm on SFW, mainstream sites) and unneeded calls to "content display networks" by apps that shouldn't even need such communication (since I've paid for the apps) that I kiss the feet of the Little Snitch developers on a daily basis.

    And they sure as heck keep their software up to date with the latest OS X developments.

    Ringing endorsement here—worth well more than the $35 price tag!

    • Jim
      May 19, 2016 at 10:45 pm

      Couldn't agree more -- Little Snitch is awesome!

      Plus, with some fine tuning, you can use it to block some popular ad servers completely. :-)

  4. Anonymous
    August 20, 2015 at 11:37 am

    Private Eye seems pretty cool. Do they have a Windows version too?

    • Justin Pot
      August 20, 2015 at 3:25 pm

      So far as I know, no. Sorry. :\

  5. Anonymous
    August 19, 2015 at 8:12 pm

    And you don't need to wear a seat belt or motorcycle helmet or stop at stop signs...until you do.

    I am so tired of these twits with their "we don't get viruses/virii on the Mac because...Apple." It's BS. With popularity comes attention. With attention comes interest. With interest comes hacks, virii(?), malware and all sorts of nasties. Anyone who thinks this doesn't apply to Apple gear needs to get their head out of their...sandbox.

    It's not just the Mac OS that can and has been exploited but all the other applications (and not just the pirated ones either; that's just naive) that can be installed, linked to via the browser, etc.

    And don't forget that many people don't use their Macs "behind a secure router" (which is even less likely given the recent stats on open/exposed commercial/home routers) they use them at Coffee Shops, malls etc.

    So, in fact, any effort to apply security is better than not doing so.
    “The absence of evidence is not the evidence of absence.”
    – Carl Sagan, Cosmos

    • Justin Pot
      August 20, 2015 at 3:29 pm

      Macs aren't configured to have all ports open by default: they only open the ports for authorized software. Turning on the firewall turns off this default and puts the control in the user's hands, meaning it will only help if the user knows what they're doing. If not, putting the power into the user's hands is worse than doing nothing.

  6. Anonymous
    August 18, 2015 at 12:16 pm

    I didn't mean to get into a Win/OSX battle. The real battle is between users and the Internet. A firewall can help.

    I don't know if OSX uses Linux's uncomplicated firewall (ufw) but Ubuntu has a good FAQ for people wanting to make their firewall even more useful.

    • Justin Pot
      August 20, 2015 at 3:30 pm

      OS X uses Packet Filter by default, configured so that only authorized software can use the web.

  7. Anonymous
    August 18, 2015 at 2:24 am

    This sounds an awful lot like the "Do you need to run an anti-virus on your Mac?" article of a few years ago. Those who ignored the advice and ran AV software anyway might have dodged a bullet or two. A default firewall, assuming Apple's is about equivalent to Microsoft's, helps add a bit (not a lot) more protection. It can't hurt and it might help. If nothing else, the logs might reveal unwanted behavior.

    • Justin Pot
      August 18, 2015 at 5:10 am

      If you've avoided pirating Mac software, in all likelihood you've been fine these last few years – with or without an antivirus. Seriously, Mac viruses get a lot of press but affect very few people at the end of the day.