Notice! This document is currently in Archived status.
The content of this document may be incorrect or outdated.

Print this article Edit this article

Using the Mac OS X Firewall

Purdue Engineering Computer Network


This FAQ has instructions and graphics relevant for OS X versions 10.0 10.1.x 10.2.x 10.3.x and 10.4.x ONLY.

Mac OS X includes the ability to enable a firewall on your computer. A firewall is a software (or hardware) intermediary that screens incoming and outgoing network traffic. The main purpose of this is to stop hackers from gaining entry into your computer through various connection methods. By limiting the amount and type of traffic that is allowed to pass on your computer, you can eliminate many of these methods.

Mac OS X's firewall works by allowing certain ports to open. This is different from some firewall products, which by default allow all ports and restrict certain ports. OS X's implementation allows you to close the largest number of potentials entries with the least amount of setup.

When you set up your firewall, you need to decide which ports you will need to keep open. OS X includes a number of default ports for things such as viewing web sites (port 80), SSH (port 22), and many others. To increase security, ports that have a corresponding service in the Services tab of the Sharing control panel cannot be allowed until that service is enabled. For example, Apple File Protocol (AFP), used for file sharing between Macs, uses ports 548 and 427. OS X will not allow those ports until Personal File Sharing is enabled. These "built-in" services cannot have their settings changed, and also cannot be deleted. You might also have specific applications, such as iChat, that use ports not included with the default OS X install. We can add our own ports, and even specify a range or series of ports.

Enabling the Firewall

The first step is to locate the Firewall controls. You will find it in the Sharing control panel of System Preferences.

Fig. 1

 

 

 

 

 


 

After you are in the Sharing control panel, Firewall is the 2nd tab.

 

Fig. 2

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

By default, the firewall is off. Now that you know what specialized ports you may need open (if any), make sure those applications or services are not running, as turning on the firewall will disrupt their connection.

Turn the firewall on by clicking the Start button in the middle of the Firewall window. The firewall should start almost immediately.

Fig. 3

 

 

 

 


 

To the right of the Start/Stop button you will see a list of pre-configured services and their respective ports. The ones that are checked (enabled) have corresponding enabled services, as stated above. You cannot edit or delete these configurations.

Fig. 4

 

 

 

 

 

 

 

 

 

 

 

 


 

The next step is to add any ports that are not in the default list. These could include remote access, secure ports, chat/messaging applications, and many others. For this example, we will add support for SFTP, port 115.

A complete list of common ports used is available here. Always check this site for an updated list of frequently used ports.
 

Since SFTP is not a default service, we will have to add it. To do so, click the New... button.

Fig. 5

 

 

 

 

 


Now you will be presented with a list of pre-specified port names. Selecting one will enter the name as the port name and add the appropriate port number.

Fig. 6

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

Since SFTP is not listed as a pre-configured port, we will enter it ourselves. In the Port Name pop-up box, select Other. You will be presented with blank text boxes. Enter 115 as the port number and SFTP as the description.

Fig. 7

 

 

 

 

 

 

 

 

 

 

 


 

Click OK and the entry will be added to the list of ports allowed.

Fig. 8 

 

 

 

 

 

 

 

 

You should continue to add and tweak your own settings until your computer is as secure as possible, while not disrupting your work. Also be sure to turn off any built-in services that you don't use frequently, such as FTP or Remote Access. Turning them on only when needed will greatly decrease the risk of intrusion.

 

 

 

Last Modified: Aug 1, 2023 4:07 pm GMT-4
Created: Nov 6, 2007 2:23 pm US/Eastern by admin
JumpURL: