macOS Built-in Firewall Configuration | MacOS Defense

🛡️ macOS Built-in Firewall

Application-Level Inbound Protection

Enable macOS's built-in application firewall to block unauthorized incoming connections. It is an essential security baseline that complements LuLu and Murus for defense in depth.

⏱️ 5 minutes 🟢 Easy 🆓 Built-in & Free

⚠️ Why Enable the Built-in Firewall?

macOS's built-in firewall blocks unauthorized apps from accepting incoming connections. While LuLu controls outbound traffic and Murus provides network-level filtering, the built-in firewall is your first line of defense against inbound attacks.

Many users don't realize this firewall exists or that it's often disabled by default. Enabling it takes 30 seconds and significantly reduces your attack surface.

What the Built-in Firewall Does

The macOS built-in firewall is an application-level firewall that controls which apps can accept incoming network connections. It's different from LuLu and Murus:

  • 🛡️ Blocks incoming connections to apps on your Mac
  • 🚫 Prevents apps from acting as servers without permission
  • 🔒 Blocks all sharing services by default (file sharing, screen sharing, media sharing)
  • 👻 Stealth mode available - makes your Mac invisible to network scans
  • Allows essential services - DHCP and IPSec still work

💡 Built-in Firewall vs LuLu vs Murus

Built-in Firewall: Blocks incoming connections at the application level

LuLu: Blocks outbound connections at the application level

Murus: Filters all traffic at the network level (IP/port/protocol)

Recommendation: Use all three for comprehensive defense-in-depth protection.

When to Use This

The built-in firewall should be enabled at all times, especially when:

  • Using public Wi-Fi (coffee shops, airports, hotels)
  • 🏢 On untrusted networks (conferences, coworking spaces)
  • 🏠 Even at home - defense-in-depth principle
  • 🎯 Under targeted surveillance - reduces attack surface
  • 🔐 Any time you want baseline security - it's free and built-in

Step 1: Open System Settings

Click the Apple menu in the top-left corner

Select System Settings

macOS System Settings

Step 2: Search for Firewall

In the System Settings search bar, type "firewall"

Click on "Turn firewall on or off" in the search results

Search for firewall in System Settings (annotated)

✅ Quick Navigation

You can also navigate manually: System Settings → Network → Firewall

But searching is faster and works across all macOS versions.

Step 3: Enable the Firewall

Toggle the firewall switch to ON (blue)

You should see the toggle turn blue and the status change to "The firewall is turned on..."

Firewall enabled with toggle ON (annotated)

⚠️ Understanding the Warning Message

You'll see a yellow warning: "The firewall blocks all sharing services, such as file sharing, screen sharing, and media sharing."

This is GOOD for security. Sharing services are common attack vectors. Only enable them on trusted networks when you specifically need them.

Step 4: Configure Advanced Options

Click the "Options..." button

This opens the advanced firewall configuration dialog

Firewall settings with Options button highlighted (annotated)

Step 5: Enable "Block All Incoming Connections"

In the Options dialog, check the box for "Block all incoming connections"

This is the most secure setting - it blocks ALL incoming connections except essential services (DHCP, IPSec)

Firewall Options dialog with Block all incoming connections (annotated)

🔐 Maximum Security Configuration

"Block all incoming connections" is the most secure option. When enabled:

  • All apps are blocked from accepting incoming connections
  • File sharing, screen sharing, and media sharing are disabled
  • Essential services (DHCP for IP assignment, IPSec for VPN) still work
  • You can still browse the web, send email, and use most apps normally

Only disable this if you specifically need to share files or screen on a trusted network.

Step 6: Enable Stealth Mode

In the same Options dialog, scroll down and check "Enable stealth mode"

Click OK to save all changes

Firewall Options with Stealth Mode enabled (annotated)

👻 What is Stealth Mode?

Stealth mode makes your Mac invisible to network scans. When enabled:

  • Your Mac doesn't respond to ICMP ping requests
  • Probes to closed ports get no reply, so port scans have a hard time detecting your Mac on the network
  • Attackers can't easily discover your Mac exists
  • Essential for public Wi-Fi and untrusted networks

Note: apps and services you have explicitly allowed still answer incoming connections, so stealth mode complements "Block all incoming connections" rather than replacing it.

Recommendation: Always enable stealth mode for maximum security.

Understanding App Permissions

When an app tries to accept incoming connections for the first time, macOS will show you a permission dialog:

App permission prompt for incoming connections

⚠️ Review App Permissions Carefully

When you see this dialog, ask yourself:

  • Do I recognize this app? If not, click "Deny"
  • Does this app need to accept connections? Most apps don't
  • Am I on a trusted network? If not, default to "Deny"
  • Did I just launch this app? If it's asking unexpectedly, click "Deny"

Default to "Deny" unless you're certain the app needs incoming connections.

Verification

To verify your firewall is configured correctly:

  1. Firewall toggle should be ON (blue)
  2. Status should read: "The firewall is turned on and set up to block all incoming connections..."
  3. In Options: "Block all incoming connections" should be checked
  4. In Options: "Enable stealth mode" should be checked
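As an added example (not part of this guide), the same three checks can be run from the Terminal with Apple's socketfilterfw tool. The exact output strings it prints are assumed from current macOS versions, so the script matches them loosely and reports "unknown" rather than guessing:

```shell
#!/bin/sh
# Added example (not from the guide): check the three firewall settings from
# the terminal with Apple's socketfilterfw tool (reads need no sudo).
# Assumption: the sample output strings in the comments are what current macOS
# prints; they are matched loosely and anything else is reported as "unknown".
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
# classify_global LINE -> on|off|unknown
# Sample line (constructed): "Firewall is enabled. (State = 1)"
classify_global() {
  case "$1" in
    *enabled*)  echo on ;;
    *disabled*) echo off ;;
    *)          echo unknown ;;
  esac
}

# classify_blockall LINE -> on|off|unknown
# Sample lines (constructed): "Block all DISABLED!" and
# "Firewall is set to block all non-essential incoming connections"
classify_blockall() {
  case "$1" in
    *non-essential*) echo on ;;
    *DISABLED*)      echo off ;;
    *)               echo unknown ;;
  esac
}

# classify_stealth LINE -> on|off|unknown
# Sample line (constructed): "Stealth mode enabled"
classify_stealth() {
  case "$1" in
    *"mode enabled"*)  echo on ;;
    *"mode disabled"*) echo off ;;
    *)                 echo unknown ;;
  esac
}

# verify_firewall: query the live settings and return 0 only when all
# three match this guide's recommendation (on / block all / stealth).
verify_firewall() {
  [ -x "$SFW" ] || { echo "socketfilterfw not found (not macOS?)"; return 2; }
  g=$(classify_global "$("$SFW" --getglobalstate)")
  b=$(classify_blockall "$("$SFW" --getblockall)")
  s=$(classify_stealth "$("$SFW" --getstealthmode)")
  echo "firewall=$g  block-all=$b  stealth=$s"
  [ "$g" = on ] && [ "$b" = on ] && [ "$s" = on ]
}
# Only runs the live check on a Mac; elsewhere the functions just load.
if [ -x "$SFW" ]; then verify_firewall; fi
```

Save it as a script and run it after finishing the steps above; a non-zero exit status means at least one of the three settings does not match this guide.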

✅ Firewall Configured Successfully

Your Mac is now protected against unauthorized incoming connections. The firewall will:

  • Block all apps from accepting connections (except essential services)
  • Make your Mac invisible to network scans (stealth mode)
  • Prompt you before allowing any app to accept connections
  • Protect you on public Wi-Fi and untrusted networks

Troubleshooting

I can't share my screen or files

This is expected when "Block all incoming connections" is enabled. To temporarily allow sharing:

  1. Go to Firewall Options
  2. Uncheck "Block all incoming connections"
  3. Enable the specific sharing service you need in System Settings → General → Sharing
  4. Re-enable "Block all incoming connections" when done

An app I trust is being blocked

If you need to allow a specific app to accept incoming connections:

  1. Go to Firewall Options
  2. Uncheck "Block all incoming connections"
  3. Click the "+" button and add the app to the allowed list
  4. The app will now be able to accept connections

Note: Only do this for apps you trust and that genuinely need to accept incoming connections.

I need to disable the firewall temporarily

While not recommended, you can disable the firewall by toggling it OFF. Remember to re-enable it when done.

How do I test if stealth mode is working?

From another device on the same network, try to ping your Mac:

  1. Find your Mac's IP address: System Settings → Network → [Your Connection] → Details
  2. From another device, run: ping [your-mac-ip]
  3. If stealth mode is working, you'll see "Request timeout" or no response

💡 Defense in Depth Strategy

The built-in firewall is one layer of a comprehensive security strategy. For maximum protection, combine it with:

  • LuLu Firewall - Controls outbound connections (what apps can send)
  • Murus Firewall - Network-level packet filtering (IP/port/protocol control)
  • Wi-Fi Protocol Restrictions - Disable IPv4/IPv6 on Wi-Fi for Ethernet-only security
  • VPN - Encrypted tunnel for all internet traffic

Each layer protects against different attack vectors. Together, they create a robust security posture.

What Gets Blocked?

With "Block all incoming connections" enabled, the firewall blocks:

  • 🚫 File Sharing - AFP, SMB, NFS protocols
  • 🚫 Screen Sharing - VNC, Remote Desktop
  • 🚫 Media Sharing - iTunes/Music sharing, AirPlay
  • 🚫 Printer Sharing - Network printer access
  • 🚫 Remote Login - SSH access
  • 🚫 All other apps - Unless explicitly allowed

What still works:

  • Web browsing - Safari, Chrome, Firefox, etc.
  • Email - Mail, Outlook, etc.
  • Messaging - Messages, Slack, Discord, etc.
  • Video calls - Zoom, FaceTime, etc. (outbound connections)
  • DHCP - IP address assignment
  • IPSec - VPN connections