Protecting Your Computer with a Firewall

Mac OS X has a built-in firewall (the BSD ipfw firewall) which can be enabled to protect your computer when connected to the network.

Enabling the Firewall

By default, the Mac OS X firewall is disabled. To enable the firewall:

  • Open the Sharing pane of the System Preferences
  • Click the Firewall tab
  • Click the Start button
  • The firewall can be stopped at any time by clicking the Stop button.

The Firewall Rules

The default firewall rules block all incoming TCP network connections, i.e. the connections other computers try to make with services running on your machine. All outgoing and established TCP connections are permitted, e.g. when you browse the web or access your e-mail. These settings provide a sufficient level of security for most users. However, if you wish to run services on your machine, the firewall must be configured to allow these specific connections.

Adding "Standard" Services

Mac OS X will automatically configure the firewall for any services enabled in the Services tab of the Sharing pane.

For security reasons, we do not recommend running any of these services unless it is absolutely necessary. If you need to access your computer and transfer files from another machine on the network, we recommend running SSH (the Remote Login service) as a secure alternative to FTP and network file sharing.

Adding Custom Services

Installing additional services on your machine, e.g. CVS, will require custom rules to be added to the firewall.

  • Select the Firewall tab of the Sharing pane
  • Click the New... button
  • Select the protocol from the menu and click OK
  • If the protocol isn't defined, select Other from the menu and enter the port(s) or port range and a description of the new service
  • Custom services can be disabled by simply unchecking them in the list of allowed services.
  • Custom services can be modified or deleted by highlighting the service in the list and clicking the Edit/Delete button.

Advanced Firewall Configuration

The Mac OS X GUI provides only limited control over the firewall configuration. It is possible to customise the firewall further using third-party tools or the ipfw command line tool. However, changing the default firewall policy is only recommended for advanced users!
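
Before changing anything from the command line, it helps to read back what the firewall currently allows. The script below is an added example, not part of the original page or of Apple's tooling: it is a read-only audit of the text printed by ipfw list, reporting which inbound TCP ports are open and whether all other TCP connections are denied. The sample rules are constructed and only assume the ipfw listing format; the function names are hypothetical.

```shell
#!/bin/sh
# Read-only audit of an ipfw rule listing (the text printed by `ipfw list`).
# SAMPLE_RULES is constructed for illustration, not captured from a real machine.
SAMPLE_RULES='02000 allow ip from any to any via lo*
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 22 in
02080 allow tcp from any to any dst-port 2401,3000-3002 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# Print each inbound TCP port (or port range) opened by an allow rule.
# ipfw uses the first matching rule, so reading stops at a catch-all
# "deny tcp from any to any": allow rules after it are never reached.
open_tcp_ports() {
    awk '$2 == "deny" && $3 == "tcp" && $5 == "any" && $7 == "any" && NF == 7 { exit }
         $2 == "allow" && $3 == "tcp" && $NF == "in" {
             for (i = 4; i < NF; i++)
                 if ($i == "dst-port") {
                     n = split($(i + 1), ports, ",")
                     for (j = 1; j <= n; j++) print ports[j]
                 }
         }'
}

# Succeed only if the listing contains a catch-all "deny tcp from any to any".
blocks_other_tcp() {
    awk '$2 == "deny" && $3 == "tcp" && $5 == "any" && $7 == "any" && NF == 7 { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Summarise a rule listing passed as the first argument.
audit() {
    rules=$1
    echo "Inbound TCP ports allowed:"
    printf '%s\n' "$rules" | open_tcp_ports | sed 's/^/  /'
    if printf '%s\n' "$rules" | blocks_other_tcp; then
        echo "Other TCP connections: denied"
    else
        echo "Other TCP connections: NOT denied (no catch-all deny tcp rule)"
    fi
}

audit "$SAMPLE_RULES"
# On a live system (assumption: ipfw is present and you have admin rights):
#   audit "$(sudo ipfw list)"
```

Any port in the output that does not correspond to a service you deliberately enabled in the Sharing pane is worth reviewing there.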