Fire up your Mac's firewall
Worried about your networked Mac? Protect yourself with OS X's built-in firewall. Here's how.
A few weeks back, after the Working Mac column about scanning your Mac for viruses, I received an email message from Yolanda:
Hope you can help your readers with something that I haven’t found. I’ve just purchased my first Mac after being on Windows for about 15 years, so I’m looking around for reputable recommendations of free and good anti-virus/firewall programs.
The article Yolanda linked to recommended ClamXav for scanning your Mac for viruses, but Yolanda was correct: no mention was made of firewall applications.
Most people, whether they use a Mac or a PC, are aware that commercial virus-scanning applications such as Norton Security provide not only virus and malware protection but also firewall protection.
What’s a firewall? In the simplest terms, it’s hardware on your network or a piece of software on your computer that limits the way other computers can send data to or receive data from your Mac. (For a more detailed explanation of firewalls, have a look at Jeff Tyson’s How Firewalls Work.)
While you can certainly spend money on firewall applications for your Mac—the aforementioned Norton Security application will set you back a minimum of $45 per year—your Mac, no surprise, already includes an excellent, built-in, free Application Level Firewall that, with minimal configuration, will do everything you need. So, why spend anything at all, when you can have great for free?
You’ll find your Mac’s firewall in the Security and Privacy preference in the System Preferences app.
- Open System Preferences
- Click Security and Privacy, or type Firewall in the System Preferences search field and select “Turn Firewall on or off”
Before you can make changes to the Security and Privacy preference you need to authenticate as an administrator:
- Click the lock at the bottom left of the Security and Privacy preference
- Enter your password
To start using the firewall, once you’ve entered your password, all you need to do is click the button that says Turn On Firewall.
That’s it! But there’s more to the built-in firewall than meets the eye, so let’s take a look at what’s going on behind the scenes.
- Click the button that says Firewall Options
Depending on what applications you have running and which sharing services you have turned on, what you’ll see when you look at Firewall Options may be a little different than what you see in the following screenshot:
If you don’t see anything, that means you don’t currently have any applications running that are sending or receiving network traffic.
If you do see something in the list, it means that the Application Level Firewall trusts that application and is allowing it to send and receive network traffic. How and why the firewall trusts an application is more than we can go into in detail here, but it’s because of something called Code Signing Certificates, which Apple only issues to trusted applications. Any application with one of these trusted certificates can request and be granted access to allow traffic to pass through the Application Level Firewall.
Let’s see how this works automatically:
- Make sure that the only box that’s checked is the one that says, “Automatically allow signed software to receive incoming connections”
- Take note of the applications listed in the list of allowed applications
- Click OK
- Open the Sharing preference in System Preferences
- Put a check in the box that says File Sharing or, if that’s already selected, put a check in one of the other sharing boxes
- Re-open the Security and Privacy preference
- Click the Firewall Options button
- Look at the list of allowed applications
If you selected File Sharing in the Sharing preference you should now see File Sharing (AFP, SMB) in the list of allowed applications.
The beauty of Apple’s built-in Application Level Firewall is that you don’t need to do anything other than turn it on. Your Mac will take care of determining whether or not an application should be allowed to send and receive network traffic.
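The settings described above can also be read back from Terminal, which is handy when you want to confirm them on more than one Mac. The script below is an added example, not part of the original article; it assumes the `socketfilterfw` tool at `/usr/libexec/ApplicationFirewall/` with its `--getglobalstate`, `--getallowsigned` and `--listapps` options, and because the wording of their output differs between OS releases it keys only on the `State = N` number and the words ENABLED/DISABLED.

```shell
#!/bin/sh
# Added example: read back, from Terminal, the two settings the article sets
# in the GUI. Read-only; nothing here changes the firewall configuration.
ALF=/usr/libexec/ApplicationFirewall/socketfilterfw   # assumed tool location

# Pull the number out of a line such as "Firewall is enabled. (State = 1)".
alf_state() {
    printf '%s\n' "$1" | sed -n 's/.*(State = \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Assumed meaning of the states: 0 = off, 1 = on with per-application rules,
# 2 = on and blocking all incoming connections.
firewall_verdict() {
    case "$(alf_state "$1")" in
        0)   echo off ;;
        1|2) echo on ;;
        *)   echo unknown ;;
    esac
}

# Some releases print one line each for built-in and downloaded software,
# so the text may contain both ENABLED and DISABLED; report that as "mixed".
allow_signed_verdict() {
    case "$1" in
        *ENABLED*DISABLED*|*DISABLED*ENABLED*) echo mixed ;;
        *ENABLED*)  echo enabled ;;
        *DISABLED*) echo disabled ;;
        *)          echo unknown ;;
    esac
}

audit_firewall() {
    if [ ! -x "$ALF" ]; then
        echo "socketfilterfw not found; run this on the Mac being checked" >&2
        return 2
    fi
    fw=$(firewall_verdict "$("$ALF" --getglobalstate)")
    signed=$(allow_signed_verdict "$("$ALF" --getallowsigned)")
    echo "firewall: $fw"
    echo "auto-allow signed software: $signed"
    echo "allowed applications:"
    "$ALF" --listapps
    [ "$fw" = on ]    # non-zero exit status when the firewall is not on
}

# Run the audit only where the tool exists; elsewhere the functions just load.
if [ -x "$ALF" ]; then audit_firewall || echo "firewall is not on" >&2; fi
```

Running it before and after ticking File Sharing in the Sharing preference gives you two listings to compare, the same check the walkthrough does by eye.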