Do you need a firewall on your Mac? Well, yes and no.
Chances are that your computer is behind the firewall that’s part of your router, so having macOS’s firewall turned off makes it easier to set up connections with other Apple devices. But if you use a laptop and hop onto untrusted networks frequently, you should enable the firewall.
macOS also includes an assortment of shared network services to remotely access your content. If you keep those services enabled or use third-party apps, that could make your Mac vulnerable to a network attack. We’ll show you how to configure your firewall and when you need to use it.
Setting Up Your Mac’s Firewall
In macOS’s case, there are two components of the software firewall.
Application Layer Firewall (ALF)
This component of the firewall will allow or deny access for an app to establish communication over the network. It is not based on the ports used. The built-in macOS firewall offers this, and by design, it’s simple and intuitive. You can specify, for each app, whether to allow or block incoming connections.
To turn on the firewall on your Mac, open System Preferences > Security & Privacy > Firewall. Click the lock icon in the lower-left of the window, enter your administrator password, and click Unlock.
If the window doesn’t already say Firewall: On, click the Turn On Firewall button. The green circle lights up, and your Mac will only allow incoming traffic for established connections, signed software, and enabled services. You can later turn off your Mac’s firewall using the corresponding button.
Packet Filter (PF) Firewall
This component of the firewall is embedded deep in the operating system kernel. PF is the OpenBSD packet filter. Its primary function is to filter network packets by matching the properties of individual packets (and the network connections built from them) against the filtering criteria defined in the ruleset.
With a PF firewall, you can control network traffic based on virtually any packet or connection type. This includes source and destination address, interface, protocols, and ports. Based on these criteria, you can let the packet pass, block it, and trigger events that other parts of the operating system can handle.
A PF firewall came into effect on macOS starting with Mac OS X 10.7 Lion. While ALF is easy and intuitive to use, setting up a PF firewall requires a thorough knowledge of syntax, logic, and network configuration. You must edit the configuration files manually, and the packet filter monitoring is entirely done from the command line.
Configure Apple Firewall Settings
macOS includes many built-in services to share files, printers, access resources remotely, and more. To enable a service, navigate to System Preferences > Sharing and tick the box next to each service you want to use.
Since the firewall works on the per-application basis, you’ll see these services listed by name rather than a port number. For example, you’ll see File Sharing on the pane instead of port 548.
To customize the firewall, head back to the Firewall panel and click the Firewall Options button. This will reveal more firewall configurations. Use the Plus and Minus buttons to add or remove apps as needed. You can also choose to check some additional options below.
Any services you’ve checked in the Sharing panel as above will automatically appear in the list of allowed connections. But if you disable any of the services, they’ll no longer appear in the firewall options pane.
When any third-party app starts listening for incoming connections, you’ll see a message asking “Do you want the application “[App]” to accept incoming network connections?” Click Allow or Deny to modify the firewall settings. Apps you allow access will appear on the list.
Should the Outbound Firewall Be On or Off?
The built-in firewall gives you the ability to monitor and block incoming connections. However, you can monitor outgoing connections as well. How can an average user utilize outgoing traffic data? Let’s illustrate with some examples.
- Most apps that you use on your Mac have a visible interface and continuously exchange data between your machine and servers located elsewhere. But many processes running in the background also send and receive data.
- Take a look at all the processes in the Activity Monitor > Network tab. How can you be sure that all those connections are genuine?
- Apps partake in activities all the time: your email app downloads new messages, apps periodically check for updates, and Dropbox syncs newly changed files. These activities are fine, but if you download a malicious app that secretly logs your keystroke and sends sensitive data to a malicious actor, that’s a problem.
- Premium apps routinely “phone home” to check your license data, but some developers may collect sensitive personal information without your consent. These apps may also sniff or broadcast over your network, copy the configuration details of your Mac, and monitor how you use a particular app.
From these examples, it’s clear that a two-way firewall offers protection from both inbound and outgoing traffic. They can help identify the activity of malware (if it’s installed and running), but they’re less concerned about security than privacy.
Third-Party Firewall Apps for Mac
Many third-party firewall apps provide control over both incoming and outgoing connections. We discuss a few popular ones below.
LuLu is a free, open source firewall that aims to block outgoing traffic unless it’s explicitly approved by the user. Once installed, it will alert you about new or unauthorized attempts to create an outgoing network connection. Click the Allow or Block button to handle the connection.
The alert window displays a process icon and code-signing status of an app. The built-in VirusTotal integration can help you check if an app is malicious or not. Along with it, you can see the hierarchy of the process (this helps you to understand the main culprit process), process details, and more.
Download: LuLu (Free)
Radio Silence is the simplest firewall app for your Mac. After installation, the app automatically runs in the background without any menu bar icon or other visual indicators. Navigate to the Firewall tab and click the Block Application button. Once you add an app to the blacklist, it’ll no longer connect over the internet.
Since you’re manually adding these apps, you won’t see any annoying popups. The Network Monitor tab provides you with real-time data for a particular process or an app. You can find hidden helpers, in-memory processes, daemons, XPC services, port numbers, and host IP addresses. While the app comes at a small fee, you can try it before you buy.
Download: Radio Silence ($9, free trial available)
Little Snitch is a host-based application firewall for Mac. The app provides detailed reports on processes, outgoing and incoming connections, ports, and protocols. It also shows the complete traffic history down to a one-minute interval time range.
By default, the Silent Mode feature allows all network access not explicitly forbidden by a rule. Since you’re not deny anything, you’ll have time to learn the ins and outs of the app. Behind the scenes, the app records every connection. From there on, you can start creating rules.
The Network Monitor shows a global map of the active connections from your system to the IP-derived or probable locations around the world in real-time. The left panel displays a list of apps sending and receiving data, while the right panel gives you a detailed summary.
The Automatic Profile Switching feature allows you to create filtering profiles based on the network. You can create separate profiles for home, work, the coffee shop, and more. There are many more features, though the software doesn’t come cheap. For enthusiasts, however, Little Snitch is a hard firewall to beat.
Download: Little Snitch ($45, free trial available)
Murus is a graphical frontend for the PF firewall. It packs an intuitive interface and lets you configure the app using the built-in presets. It also gives you a ruleset editor to create and manage rules. You can create complex rules with advanced options like port knocking, accounting, and more.
Murus Lite is a basic firewall with only inbound filtering and logging capabilities. For $10, you’ll get outgoing filtering capabilities, custom rules, port knocking, customization related features, and a lot more.
Download: Murus (Free, premium versions available)
A Layered Defense Offers the Best Protection
A firewall is not a magical solution to problems such as malware and spam. But its importance may vary in different use cases. For an standard user, the built-in firewall, along with Little Snitch, is more than enough. If you work for a business that uses all Macs, then having a different layer of firewall protection makes sense.
A combination of an ALF and PF firewall can work well without any major issues. However, their approach to network filtering is different and covers distinct layers of the network stack. The same is true for third-party firewall apps. Every third-party ALF can work with the PF firewall.