Mac OS X comes with a built-in firewall service that can be used to protect your Mac from online security risks. The firewall sits between OS X and the internet and only allows incoming traffic to come through on specific ports. OS X manages the firewall on a per-application basis, but sometimes you want to open a specific port on your Mac.
You can allow or block incoming traffic to specific apps using the Security settings, but you can open specific ports in terminal. This used to be done using ipfw, but in OS X 10.10 and later you use a new command: pfctl.
How does the firewall work in Mac OS X?
It might help to clear up the concept of ports and firewalls. Ports are the specific connections between your Mac and the network, and a firewall sits between your Mac and the network and decides which port is open and which is closed. Think of your Mac's IP address (used to connect it to the network) as a hotel, ports as room numbers and applications as guests. With the firewall turned off every application has access to every area. OS X firewall only allows access to specific areas.
Using OS X firewall to block and open Ports
The firewall in OS X is turned off by default. This might strike you as odd, because Apple is so keen on security. However, most computers no longer connect directly to the internet via a DSL modem, instead most go through a router provided by their Internet Service Provider (or via a corporate network). In either case a hardware firewall is provided, typically as part of NAT (Network Address Translation).
Another oddity is that OS X firewall doesn't manage ports individually, but on a per-application basis. Follow these settings to access the Firewall Options:
- Open System Preferences (Apple menu > System Preferences).
- Click Security & Privacy.
- Click Firewall.
- Click Firewall Options.
The Security & Privacy window displays a window with a selection of options:
- Block all incoming connections. This blocks everything except basic Internet services, such as DHCP, Bonjour, and IPSec. If you select this checkbox other apps that rely on internet services, such as Dropbox, will stop working.
- Applications. The main window displays a list of Applications with the status Allow Incoming Connections or Block Incoming Connections. Note this doesn't apply to outgoing connections.
- Automatically allow signed software to receive incoming connections. This option is enabled by default. If an application has a valid certificate the firewall allows incoming connections.
- Enable stealth mode. This prevents other people (or computers on a local network) from discovering your Mac. You Mac will no longer respond to ping requests. We think this is a little "tin-foil hat" for most users.
How to open an application's port in OS X firewall
If you have the OS X firewall enabled, you may install a new app that requires you to allow it access through the firewall. It's up to you to decide if you trust the app. Here is how to allow the app to accept incoming connections.
- Open System Preferences > Security & Privacy > Firewall > Firewall Options.
- Click Add.
- Choose an application from the Applications folder and click Add.
- Ensure that the option next to the application is set to Allow incoming connections.
- Click OK.
OS X manually manages the ports requested by the app and opens them correspondingly. Most users using the default OS X firewall should use this method to Allow and Block incoming connections, rather than manually opening ports. However, some advanced users--such as web developers or system admins--have a legitimate need to open a specific port.
How to open a specific port in OS X firewall
It is possible to open a specific port in OS X, although you'll need to jump into Terminal. In OS X 10.10 you use the pfctl command (use man for instructions). Earlier versions of OS X use ipfw, which is now depreciated. Follow these steps to open a specific port (in this example 8080) in OS X.
- Open Terminal (Go > Utilites).
- Enter sudo pfctl -vnf /etc/pf.conf
To open the port at system startup use sudo nano /etc/pf.conf and add the sudo pfctl -vnf /etc/pf.conf to this pf.conf file.
Read definitions of more Apple-related tech terms in our Apple users' tech jargon dictionary.