Enabling and Using the Apple OS X Firewall

Enable Firewall on OS X version 10.6 - Snow Leopard

These procedures outline the steps necessary to turn on the firewall on Mac OS X 10.6 Snow Leopard and above.

BACKGROUND

Snow Leopard is reasonably secure out of the box; however, enabling the Application Gateway Firewall (AGFW) improves that security significantly. The AGFW is new to OS X as of Snow Leopard and adds a layer of protection over and above the more difficult-to-configure IPFW packet filter that is present in previous versions. Because IPFW requires more advanced knowledge to set up correctly, it is not covered here.

It is important to understand that these firewalling mechanisms primarily regulate whether and how other devices or systems can connect TO your Mac over wired and wireless network connections – iSync or iTunes, for example – rather than your system connecting out to something like a web server such as www.apple.com. When a system attempts to connect to your computer, that connection is processed first by the packet filter (IPFW) and then by the Application Gateway Firewall.

For additional information on the firewalls and advanced configuration, refer to the following:

More information about IPFW firewall configuration can be found in the FreeBSD Handbook, Chapter 30, Firewalls.

The first section details the steps needed to enable the firewall. The second section details the steps needed to permit an additional application to accept communications through the firewall.

To enable the Application Gateway Firewall:

  1. Open System Preferences.
  2. Choose Security.

    The security settings page may be locked, as indicated by a closed padlock icon in the lower left corner of that page, and you will not be able to alter any settings. If it is unlocked, the padlock icon will appear open.

    To unlock the settings page, click the padlock icon in the lower left corner of the security settings page and enter the administrative password. Once a valid password has been accepted, the padlock icon will change to the open position.

    NOTE: Leaving the security settings page will re-lock the settings if they were locked previously.

  3. Click Firewall.

    The firewall status will be displayed:
    (greyed-out indicator) Firewall: Off
           OR
    (green indicator) Firewall: On

  4. If the firewall is off, click the start button to enable it.
  5. Click the Advanced button.
  6. On the advanced page, unless you have specific reasons to configure it otherwise, check "Block all incoming connections" at the top of the page.
  7. Click OK.

The Application Gateway Firewall is now enabled.

Allowing access to additional applications through the firewall

The following instructions are based on a system that has not already been configured to allow specific applications through the firewall.

  1. Open System Preferences.
  2. Choose Security.

    The security settings page may be locked, as indicated by a closed padlock icon in the lower left corner of that page, and you will not be able to alter any settings. If it is unlocked, the padlock icon will appear open.

    To unlock the settings page, click the padlock icon in the lower left corner of the security settings page and enter the administrative password. Once a valid password has been accepted, the padlock icon will change to the open position.

    NOTE: Leaving the security settings page will re-lock the settings if they were locked previously.

  3. Click Firewall.

    The firewall status will be displayed:
    (greyed-out indicator) Firewall: Off
           OR
    (green indicator) Firewall: On

  4. If the firewall is off, click the start button to enable it.
  5. Click the Advanced button.
  6. Uncheck Block all incoming connections if it was checked.
  7. NOTE: if the firewall was previously configured to permit specific applications, those applications will be listed in a text box immediately below this check box. Otherwise the text box will be blank or will contain text similar to the following:

    The firewall will block all sharing services, such as file sharing, screen sharing, iChat Bonjour, and iTunes Music sharing. If you want to allow sharing services, deselect the “Block all incoming connections” checkbox.

  8. Check Enable Stealth Mode if it is not checked already.
  9. Uncheck Automatically allow signed software to receive incoming connections if it is checked.
  10. Click the “+” button immediately below the text box to configure applications that will be allowed through the firewall.
  11. Select the application to allow through the firewall.
    A navigator panel will unfold from the firewall settings panel.

    • In the leftmost column, under “PLACES”, click “Applications”.
      A list of installed applications will appear.
    • Find the application to be allowed through the firewall and click it.
    • Verify that this is the application you wish to enable.
    • Click Add.
    • You are returned to the firewall configuration panel.

    The application you enabled will appear in the white text area along with any others that have been specifically enabled.

  12. Repeat Steps 9 & 10 for any additional applications you wish to allow through the firewall.
  13. NOTE: individual applications listed in the text box on this page can also be toggled between allowing and blocking incoming connections, without deleting them, by clicking the selector on the right side of the text box.

  14. Click OK.
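The two procedures above, as a shell audit added here (not from the original article): it reads the same firewall settings through Apple's command-line front end, socketfilterfw, and reports any that differ from the hardened profile (firewall on, stealth mode on, automatic allow for signed software off). Assumed: the --get*/--add flags and the output wording matched below are those of OS X 10.7 and later, so 10.6 itself may need the GUI steps.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the Application Firewall
# settings the two procedures above configure, using Apple's command-line front end
# to the same firewall. Assumption: the socketfilterfw --get* flags and the output
# wording matched below are those of OS X 10.7 (Lion) and later; 10.6 may differ.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Classify one socketfilterfw status line as "on" or "off".
# Returns 1 (prints nothing) when the wording is not recognised.
fw_state() {
    case "$1" in
        *"State = 1"*|*[Ee]nabled*|*ENABLED*)   echo on ;;
        *"State = 0"*|*[Dd]isabled*|*DISABLED*) echo off ;;
        *) return 1 ;;
    esac
}

# Compare the settings against the hardened profile from the article:
# firewall on, stealth mode on, automatic allow for signed software off.
# Arguments: output of --getglobalstate, --getstealthmode, --getallowsigned.
# Prints each deviation; returns 0 only when all three match.
fw_audit() {
    g=$(fw_state "$1") || g=unknown
    s=$(fw_state "$2") || s=unknown
    a=$(fw_state "$3") || a=unknown   # "on" if any signed-software line is ENABLED
    rc=0
    [ "$g" = on ]  || { echo "firewall global state: $g (want on)"; rc=1; }
    [ "$s" = on ]  || { echo "stealth mode: $s (want on)"; rc=1; }
    [ "$a" = off ] || { echo "auto-allow signed software: $a (want off)"; rc=1; }
    return $rc
}

# Live check, only where the tool exists (i.e. on a Mac).
if [ -x "$SFW" ]; then
    if fw_audit "$("$SFW" --getglobalstate)" "$("$SFW" --getstealthmode)" \
                "$("$SFW" --getallowsigned)"; then
        echo "application firewall matches the hardened profile"
    fi
    "$SFW" --listapps      # the per-application allow/block list (steps 10-13)
    # To allow one application from the shell instead of the "+" button:
    #   sudo "$SFW" --add /Applications/EXAMPLE.app   (EXAMPLE is a placeholder)
fi
```

Run it after completing either procedure; a non-zero exit with a printed deviation means a setting was left in the default, less restrictive state.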