macOS

Configuring the macOS Firewall: A Comprehensive Guide

This guide explains in detail how to activate, configure, and verify the built-in Application Firewall in macOS. You'll learn to manage application rules and gain basic skills with the `pf` utility for advanced traffic filtering.

Updated on February 16, 2026
10-15 min
Easy
FixPedia Team
Applies to: macOS Sonoma 14.x, macOS Ventura 13.x, macOS Monterey 12.x

Introduction / Why This Is Needed

The built-in Application Firewall in macOS is your first line of defense against unauthorized incoming network connections. It prevents unknown programs or internet-based attackers from establishing a connection to your Mac without your explicit permission. Configuring the firewall is one of the key fundamental security measures that doesn't require third-party software and operates at the system level. After completing this guide, you will be able to control which applications can accept incoming connections and gain an understanding of how network protection works in macOS.

Prerequisites / Preparation

Before you begin, ensure that:

  • You have an administrator account.
  • The latest version of macOS is installed (this guide is relevant for macOS Sonoma, Ventura, and Monterey).
  • You are familiar with basic Terminal usage for the CLI-related steps.

Step 1: Enabling and Basic Configuration via System Settings

The simplest way to manage the firewall is through the graphical interface.

  1. Open System Settings.
  2. Navigate to Network → Firewall. In older versions, the path may be Security & Privacy → Firewall tab.
  3. Enable the firewall by clicking the Turn On Firewall button or toggling the switch. The system may prompt for an administrator password.
  4. Click Options... or Advanced to open detailed settings.
  5. Here you can:
    • Automatically allow signed software to receive incoming connections: Leave this enabled for security.
    • Enable Stealth Mode: Recommended. This prevents your Mac from responding to diagnostic requests (ICMP ping), making it less visible on the network.
    • Add applications: Click + and select an application from the list or via Finder. For each added application, you can set a rule:
      • Allow incoming connections
      • Block incoming connections
    • Remove an application from the list: select it and click -.

💡 Tip: Only add applications to the list that genuinely require network access (web servers, games, file sharers). All others will be blocked by default.


Step 2: Managing Rules via Terminal (socketfilterfw)

For automation or remote management, use the built-in socketfilterfw utility. It fully duplicates the functionality of the graphical interface. The binary lives in /usr/libexec/ApplicationFirewall/, which is not on the default PATH, so call it by its full path.

# Check current firewall (Application Firewall) status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

# Enable the firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

# Disable the firewall (not recommended)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

# Add an application to the allowed list (path to .app)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/YourApp.app

# Allow incoming connections for a specific application
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/YourApp.app

# Block an application
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /Applications/YourApp.app

# Remove an application from the rules list
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove /Applications/YourApp.app

# Show a list of all applications with their status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

⚠️ Important: All socketfilterfw commands require superuser privileges (sudo). Specify the full path to the application file (.app).


Step 3: Checking Status and Statistics

After configuration, verify that the firewall is active.

  1. Via System Settings: The "On" status should be active.
  2. Via Terminal (Application Firewall status):
    # Show whether the firewall is on, then every listed application with its allow/block rule
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
    
  3. Status check (for pf):
    # Print a snapshot of pf status, loaded rules, and the state table
    sudo pfctl -s all
    
    Look for lines Status: Enabled and State: OPEN.

Step 4: Advanced Configuration with pf (Packet Filter)

The built-in Application Firewall operates at the application level. For filtering by ports, IP addresses, or protocols, a more powerful mechanism is used — pf (Packet Filter). This is a true stateful firewall.

  1. Activating pf:
    # Enable pf (usually enabled by default)
    sudo pfctl -e
    
    # Check status
    sudo pfctl -s info
    
  2. Creating and editing rules: The main configuration file is /etc/pf.conf. Do not edit it directly unless you are confident in the syntax. Instead, create a separate file for your custom rules, e.g., /etc/pf.anchors/com.myname.rules, and reference it in the main config.
    Example rule to allow incoming connections on port 8080 (e.g., for a local web server):
    # Open Terminal and create/edit the rules file
    sudo nano /etc/pf.anchors/com.myname.rules
    

    Add the line:
    pass in proto tcp from any to any port 8080
    

    Save (Ctrl+O, Enter) and exit (Ctrl+X).
  3. Referencing the rules in the main config:
    sudo nano /etc/pf.conf
    

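    Find the anchor section and add (or uncomment) these two lines after the existing anchor lines:
    anchor "com.myname.rules"
    load anchor "com.myname.rules" from "/etc/pf.anchors/com.myname.rules"
    

    The anchor line marks where your rules are evaluated, and the load anchor line reads your rules file into that anchor. Ensure both are present; the template usually already contains a load anchor line for Apple's own rules, which shows the format.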
  4. Reloading rules without a system reboot:
    # Check rule syntax before loading (MANDATORY!)
    sudo pfctl -nf /etc/pf.conf
    
    # If syntax is correct, load the new rules
    sudo pfctl -f /etc/pf.conf
    
    # Enable/reload pf (if disabled)
    sudo pfctl -e
    
  5. Resetting rules to default (caution!):
    sudo pfctl -F all -f /etc/pf.conf
    

⚠️ Critically important: Always check the syntax (-n flag) before loading rules. An error in the config can disable all network traffic on your Mac, requiring a boot into Safe Mode to fix it.
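
The validate-before-load rule above, extended into an added example (not part of the original guide): edit a staged copy, check it with pfctl -n, keep a backup, and restore it if loading fails. The function name, the .bak suffix, and the overridable PFCTL and SUDO variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: install a pf.conf change only after it passes the syntax check.
# PFCTL and SUDO can be overridden (assumption, lets you dry-run with a stub).
PFCTL="${PFCTL:-/sbin/pfctl}"
SUDO="${SUDO-sudo}"

# safe_pf_install STAGED [LIVE]
#   0  staged rules installed as LIVE and loaded
#   1  staged file failed the syntax check, LIVE untouched
#   2  copy or load failed, LIVE restored from LIVE.bak where possible
safe_pf_install() {
    staged=$1
    live=${2:-/etc/pf.conf}
    backup="$live.bak"

    # -n parses the file without loading anything into the kernel.
    if ! $SUDO "$PFCTL" -nf "$staged"; then
        echo "syntax check failed, $live left unchanged" >&2
        return 1
    fi

    # Keep the last known-good config so a bad load can be undone.
    $SUDO cp -p "$live" "$backup" || return 2
    $SUDO cp "$staged" "$live" || return 2

    if ! $SUDO "$PFCTL" -f "$live"; then
        $SUDO cp -p "$backup" "$live"
        $SUDO "$PFCTL" -f "$live"
        echo "load failed, restored $backup" >&2
        return 2
    fi
    return 0
}

# Usage (as an administrator):
#   cp /etc/pf.conf /tmp/pf.conf.new     # edit the copy, not the live file
#   safe_pf_install /tmp/pf.conf.new
```

Because the live /etc/pf.conf is replaced only after the staged copy parses cleanly, a reboot never picks up a file that failed the check.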


Verifying the Result

  1. For Application Firewall: Try running a server application (e.g., Python HTTP server: python3 -m http.server 8000). From another device on the same network, try connecting to http://<your_mac_ip>:8000. If the firewall blocks it, you'll see a connection error. Add the application to the allowed list — the connection should then succeed.
  2. For pf: After loading the rule, check for its presence:
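    # Rules loaded into an anchor are listed with -a <anchor name>, not in the main ruleset
    sudo pfctl -a com.myname.rules -s rules | grep 8080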
    
    You should see your rule pass in proto tcp from any to any port 8080. Try connecting to the open port from another device.

Potential Issues

  • "Operation not permitted" error when running pfctl or socketfilterfw commands: You are not using sudo or your account lacks administrator privileges.
  • Cannot add an application to the firewall list via GUI or CLI: Ensure the application path is correct and the file exists. For App Store apps, the path is typically /Applications/AppName.app. For apps run for the first time, the system may first prompt for network access permission in a separate pop-up window.
  • pf rules not applied after configuration, but syntax is correct: Check that /etc/pf.conf contains the load anchor line for your rules file and that the rules file itself (/etc/pf.anchors/com.myname.rules) exists and is readable.
  • Lost network connection after an error in pf.conf: This is a classic problem. You need to boot into Safe Mode, disable pf (rules do not load in Safe Mode), fix the configuration file, and reboot.
  • Firewall blocks a legitimate connection even though the application is in the allowed list: The application may use helper processes or child applications that were not added to the list. Add the main executable and all related utilities to the list. Also check the application's own settings (some have built-in proxies or use non-standard ports).
  • pf rules not working for IPv6: By default, rules in pf.conf apply to IPv4. For IPv6 support, explicitly specify the family in the rule or configure separate rules:
    pass in inet proto tcp from any to any port 8080
    pass in inet6 proto tcp from any to any port 8080
    
    Or use pass in proto tcp from any to any port 8080 without specifying a family, which in modern pf versions may work for both, but it's better to be explicit.
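
For the "pf rules not applied" item above, an added example (not part of the original guide) that checks a pf.conf for the anchor wiring of a custom rules file. It assumes the two-directive form, anchor "name" plus load anchor "name" from "file"; the function name check_anchor is hypothetical.

```shell
#!/bin/sh
# Added example: find out why rules in a custom anchor are not applied.
# check_anchor CONF NAME prints each finding and returns the number of problems.
check_anchor() {
    conf=$1
    name=$2
    problems=0

    # Ignore comment lines so a commented-out directive does not count as present.
    active=$(grep -v '^[[:space:]]*#' "$conf")

    # Anchor point: where the sub-ruleset is evaluated inside the main ruleset.
    # (Dots in NAME are treated as regex wildcards, which is loose but harmless here.)
    if ! printf '%s\n' "$active" |
        grep -Eq "^[[:space:]]*anchor[[:space:]]+\"$name\""; then
        echo "missing: anchor \"$name\""
        problems=$((problems + 1))
    fi

    # Load line: which file fills that anchor.
    file=$(printf '%s\n' "$active" |
        sed -n "s/^[[:space:]]*load anchor \"$name\" from \"\(.*\)\".*/\1/p" |
        head -n 1)
    if [ -z "$file" ]; then
        echo "missing: load anchor \"$name\" from \"...\""
        problems=$((problems + 1))
    elif [ ! -r "$file" ]; then
        echo "rules file not readable: $file"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage: check_anchor /etc/pf.conf com.myname.rules && echo "anchor wiring OK"
```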

F.A.Q.

How does the macOS firewall differ from antivirus software?
Is it necessary to disable the firewall for games or certain applications?
Can the firewall be configured via the command line?
Is the macOS firewall enabled by default?
