Introduction / Why This Is Needed
The built-in macOS Application Firewall is a key protection component that filters incoming network connections. It prevents unauthorized programs or malicious actors from the internet from establishing an unapproved connection to your computer. In this guide, you will learn how to quickly enable and properly configure the firewall to protect your Mac without disrupting the operation of legitimate network applications.
Requirements / Preparation
Before you begin, ensure that:
- You have administrator privileges (a password will be required to make changes).
- Your macOS is up to date (these instructions are valid for macOS 11 Big Sur and newer).
- You understand which applications should accept incoming connections (e.g., collaboration servers, gaming clients).
Step-by-Step Instructions
Method 1: Configuration via Graphical Interface (System Preferences)
This method is suitable for most users.
Step 1: Open Security Settings
From the Apple menu, select System Preferences → Security & Privacy. At the top of the window, click the Firewall tab.
Step 2: Unlock the Control Panel
Changing firewall settings requires authentication. Click the lock icon in the bottom-left corner of the window. Enter the administrator password. The lock icon will change to an open state.
Step 3: Enable the Firewall
Click the Turn On Firewall button. The status indicator will turn green, and the firewall will start working immediately. macOS will automatically allow incoming connections for Apple-signed applications (e.g., Safari, Mail, Music).
Step 4: Configure Additional Options (Recommended)
For more precise control, click the Firewall Options... button. A new window will open.
- Block all incoming connections: If you enable this mode, the firewall will block all incoming connections, even for legitimate services (e.g., screen sharing or file sharing). Use it only in extreme cases or on public networks.
- Automatically allow signed software to receive incoming connections: This option is enabled by default. It is safe because it trusts applications signed by Apple developers.
- Application list: In the table below, you can manually add or remove applications for which you need to explicitly allow or deny incoming connections. Use the + or - buttons to manage the list. For example, add a game client or development server here if it did not appear automatically.
After configuring, click OK, then close the System Preferences window. All changes are applied instantly.
Method 2: Management via Terminal (for Advanced Users)
Terminal allows you to automate firewall management, for example, via scripts or remote access (SSH).
Step 1: Check Current Status
Open Terminal and run the command:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Enter the administrator password. A response of 1 means the firewall is on; 0 means it is off.
Step 2: Turn the Firewall On or Off
- To enable:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
- To disable:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
Step 3: Add an Application to the Allowed List
To explicitly allow an application to accept incoming connections, specify the path to its executable file. For an application in the /Applications folder:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/MyApp
Then, allow it:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/MyApp.app/Contents/MacOS/MyApp
Note: You can find the path to the executable by right-clicking the application in Finder → 'Show Package Contents' → Contents/MacOS/.
Step 4: View the List of All Configured Applications
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
This command will show all applications for which rules have been set (allowed or blocked).
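The checks from Steps 1 and 4 can be combined into a repeatable audit. The script below is an added example, not part of the original guide: it parses the output of --getglobalstate and --listapps and flags any application allowed to receive incoming connections that is not on an approved list. The APPROVED list, the function names, and the sample output (constructed, in the format socketfilterfw is assumed to print) are assumptions.

```shell
#!/bin/sh
# Added example: audit firewall state and allowed apps from socketfilterfw output.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw
# Assumption: the only app this Mac should allow (placeholder path from the guide).
APPROVED='/Applications/MyApp.app/Contents/MacOS/MyApp'
# Constructed sample output, used when socketfilterfw is absent (format assumed).
SAMPLE_STATE='Firewall is enabled. (State = 1)'
SAMPLE_APPS='ALF: total number of apps = 3

1 :  /Applications/MyApp.app/Contents/MacOS/MyApp
     ( Allow incoming connections )

2 :  /Applications/Old Game.app/Contents/MacOS/Old Game
     ( Block incoming connections )

3 :  /usr/local/bin/devserver
     ( Allow incoming connections )'

# Print the numeric state found in --getglobalstate text, or "unknown".
fw_state() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*State = \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${s:-unknown}"
}

# Print the path of every --listapps entry whose rule is $2 (Allow or Block).
apps_with_rule() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9]+ :/ { sub(/^[0-9]+ :[ \t]*/, ""); sub(/[ \t]+$/, ""); path = $0; next }
        /incoming connections/ { if (path != "" && index($0, want " incoming")) print path; path = "" }'
}

# Return 0 only if the firewall is on and every allowed app is listed in $3
# (one approved path per line); otherwise report the problem and return 1.
audit() {
    case $(fw_state "$1") in
        0|unknown) echo "FAIL: firewall is off or its state is unreadable"; return 1 ;;
    esac
    extra=$(apps_with_rule "$2" Allow | grep -Fxv -e "$3" || true)
    if [ -z "$extra" ]; then echo "OK: firewall on, no unexpected allowed apps"; return 0; fi
    printf '%s\n' "$extra" | sed 's/^/UNEXPECTED ALLOW: /'
    return 1
}

if [ -x "$FW" ]; then
    STATE=$(sudo "$FW" --getglobalstate); APPS=$(sudo "$FW" --listapps)
else
    STATE=$SAMPLE_STATE; APPS=$SAMPLE_APPS
fi
audit "$STATE" "$APPS" "$APPROVED" || echo "Review the firewall configuration."
```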
Verifying the Result
After configuration, confirm that the firewall is active:
- Via the interface: In System Preferences → Security & Privacy → Firewall, the status should be green and display "On".
- Via Terminal: Run
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
A response of 1 confirms the firewall is working.
- Practical test: Try to connect to your Mac from outside (e.g., via SSH or through screen sharing) if such services are enabled. The connection should be denied if a rule for that application has not been added to the allowed list.
Potential Issues
- The 'Turn On Firewall' button is inactive (grayed out). Ensure you have unlocked the settings by clicking the lock icon and entering the administrator password. Also, check if the 'Block all incoming connections' option is enabled in the firewall options—this is sometimes enforced by MDM (device management) policies on work computers.
- An application cannot accept connections even though the firewall is enabled. Check if the application is in the allowed list in 'Firewall Options...' or via Terminal (--listapps). If not, add it manually by specifying the path to its executable file.
- 'Operation not permitted' error in Terminal. Are you running the commands with sudo? Do you have administrator privileges? Also, starting with macOS Catalina, some system processes are protected by SIP (System Integrity Protection), and their rules cannot be modified.
- The firewall is not blocking connections. Ensure you are not in 'Block all incoming connections' mode if you expect network services to work. Check if the firewall has been disabled manually via Terminal or System Preferences.