View Other Checks

Contents

View Other Checks

How to Configure macOS Firewall to Block Unauthorized Connections

The macOS firewall comes disabled by default, but should be enabled whenever possible.

What Is the macOS Application Firewall?

Since 2007, all Macs have come with a built-in application layer firewall that is capable of blocking incoming connections unless they have been explicitly permitted by the end-user.

The firewall can be turned on within the sharing section in System Preferences

To turn on the Firewall simply unlock the pane and click Turn off Firewall

Once enabled, if a previously unknown process attempts to accept incoming connections you will be prompted with an alert that looks like the following:

Why Should the macOS Firewall Be Enabled?

The macOS firewall comes disabled by default. This is because by default, Apple does not ship any high-risk services that listen for connections on the public internet.

That said, over time, most users (especially technical users like developers) do install software or use macOS features that can listen and respond to connections on public networks. We believe it is important to enable the firewall to block outsiders from making incoming connections to your device, which can undermine its security.

How to Programmatically Determine the macOS Firewall State

There are two methods you can use to programmatically determine the macOS Firewall state. The first approach utilizes built-in macOS CLI tools and the terminal, whereas the second approach uses the osquery open-source project.

Using the Terminal

  1. Open the Terminal
  2. Type the command /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate --getblockall --getallowsigned --getstealthmode
  3. The output is self-explanatory, and demonstrated below:
$ /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate --getblockall --getallowsigned --getstealthmode
Firewall is enabled. (State = 1)
Block all DISABLED!
Automatically allow signed built-in software ENABLED
Automatically allow downloaded signed software ENABLED
Stealth mode disabled

Using Osquery

You can also use an open-source tool like osquery to determine the status of the macOS Firewall.

SELECT * FROM alf;
allow_signed_enabled = 1
     firewall_unload = 0
        global_state = 1
     logging_enabled = 1
      logging_option = 0
     stealth_enabled = 0
             version = 1.6

Additionally, osquery is capable of enumerating the apps, processes, and services that have been allowed to pinhole through the firewall.

SELECT path FROM alf_exceptions WHERE path LIKE '/Applications/%';
+-----------------------------------------------------------------------+
| path                                                                  |
+-----------------------------------------------------------------------+
| /Applications/Sketch.app/                                             |
| /Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/ |
| /Applications/Tuple.app/                                              |
+-----------------------------------------------------------------------+

Kolide’s endpoint agent includes osquery’s functionality and automatically stores all information about Remote Login and other macOS settings as part of its built-in Inventory. Using Kolide, you can easily enumerate all the devices with this feature enabled.

How to Programmatically Enable the macOS Firewall

While we generally don’t recommend forcing the firewall to be on for all users (more on that later), there are two approaches should you decide to remotely manage this setting.

With the Command Line

If you can run scripts across your Macs, you can use the aforementioned socketfilterfw utility to programmatically set the firewall state.

Here is an example of a script that includes our recommended configuration.

#!/bin/sh

echo " Enable Firewall"
sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
  --setblockall off \
  --setallowsigned on \
  --setallowsignedapp on \
  --setloggingmode on \
  --setstealthmode on \
  --setglobalstate on

With Mobile Device Management (MDM)

If you use an MDM product like Apple Business Essentials, you can disable the entirety of the Sharing section in SystemPreferences with a .mobileconfig profile (using the payload below).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>BlockAllIncoming</key>
            <true/>
            <key>EnableFirewall</key>
            <true/>
            <key>EnableLogging</key>
            <true/>
            <key>EnableStealthMode</key>
            <true/>
            <key>LoggingOption</key>
            <string>detail</string>
            <key>PayloadDescription</key>
            <string>Configures Firewall settings</string>
            <key>PayloadDisplayName</key>
            <string>Firewall</string>
            <key>PayloadIdentifier</key>
            <string>com.github.erikberglund.ProfileCreator.7666956F-AA94-4810-802A-32F99239FFB4.com.apple.security.firewall.DFA5361A-1AF9-4E14-B9EA-01A673545BEA</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.security.firewall</string>
            <key>PayloadUUID</key>
            <string>DFA5361A-1AF9-4E14-B9EA-01A673545BEA</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Enable Firewall and ensuring logging/stealth mode is also enabled</string>
    <key>PayloadDisplayName</key>
    <string>Enable Firewall</string>
    <key>PayloadIdentifier</key>
    <string>com.github.erikberglund.ProfileCreator.7666956F-AA94-4810-802A-32F99239FFB4</string>
    <key>PayloadOrganization</key>
    <string>Kolide</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>7666956F-AA94-4810-802A-32F99239FFB4</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

End User Impacts of Forcing the Firewall To Be Enabled

While these are both effective ways of enabling the firewall, they can create new and more nuanced problems. For example, developers are often concerned that the firewall may be causing connectivity issues with important services, like those which run inside Virtual Machines or Docker containers.

If you force the firewall to be enabled at all times you may prevent a software engineer from correctly troubleshooting a pressing issue, forcing them to work around the instructions (disabling the MDM) or using their personal devices.

When you use the MDM to lock-out the end user from settings they can get frustrated and begin using their personal device

This is why Kolide recommends an approach where end users are reminded (not forced) to turn on the firewall if they’ve left it off too long.

How Does Kolide Remediate This Problem?

Automatically remediating this issue isn't necessarily the best way to go. Instead, consider following the Honest Security approach by reaching out to end-users who have devices that fail this check, and then giving them precise instructions on how to resolve the issue.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Kolide
Home
Messages
About
9:41
Quin's Macbook • MacBook Pro (16-inch, 2021)
Failing Check: Require macOS Firewall is Enabled
Reason: macOS Firewall is Disabled

Why is this a Problem?

The Application Layer Firewall is the default firewall built into the macOS operating system. It controls and restricts network connections from a Mac based on the rules configured. A properly configured firewall is a critical component of a Mac's security and can protect your Mac from unwanted contact initiated by other computers when you're connected to the internet or a network. Additionally, enabling stealth mode makes it more difficult for your Mac to be hacked or infected with malware.

For more information, please consult the Official Apple Support Documentation: Block connections to your Mac with a firewall Use stealth mode to keep your Mac more secure

Required Action:

To turn on your macOS firewall:

  1. Click the Apple icon in the top left corner of your screen and then select System Preferences from the menu.
  2. In the System Preferences window, click the icon labeled Security & Privacy.
  3. In the Security & Privacy preference pane, click the tab at the top labeled Firewall.
  4. Unlock the preference pane by clicking the gold lock icon in the lower-left corner. When prompted, enter the administrator username and password.
  5. If the Firewall Options button is disabled, first click the button labeled Turn On Firewall or Start to enable the firewall.
  6. With the firewall enabled, click the button labeled Firewall Options.
  7. Select the checkbox labeled Enable stealth mode and then click the button labeled OK to enable stealth mode.
  8. Once finished, you may close the System Preferences window.
I've fixed it. Check again
Contact Admin for help
Want to start delivering this notification automatically to your end-users?
Sign Up With Slack

Share this story:

Related Device Checks:

Ensure Windows' Ransomware Protection is Enabled

ransomware, malware, windows-security-center

Find Unencrypted SSH Keys and Encrypt Them

ssh, developers, unencrypted-credentials, no-mdm-resolution

Ensure Ubuntu’s Unattended Upgrades Are Turned On

os-updates, patching, debian, ubuntu, no-mdm-resolution
View More of Kolide's Checks
Try Kolide Free
Try Kolide Free