• Mac Security: Firewall Protection


    #346773

    In this segment of Mac Security, I’ll be covering firewall protection for Macs.

    First of all, for your home Internet, your router should automatically have network-level firewall protection on the router (pretty much every home router should automatically have it and have it enabled). If you’re not sure, ask your router manufacturer or ISP to ensure this is enabled correctly for your network.

    Mac Built-In Firewall

    Macs have their own built-in firewall which offers solid inbound network firewall protection (but not outbound). It is enabled under the Firewall section of Security and Privacy in System Preferences. A flip of the switch enables it.

    The firewall does have the ability to handle application-level connections. I recommend checking “automatically allow signed software to receive incoming connections” under Options, as it automatically allows the majority of the apps on your Mac through the firewall. You should seldom see any prompts to allow or deny apps through the firewall (I haven’t seen one in years), although in the past, I did see prompts from certain apps like Microsoft Office. If you need to manually add an app to the firewall, clicking the plus button under Options allows you to easily allow or deny apps in the firewall.

    Any sharing services you enabled under the Sharing section of System Preferences are automatically added to the firewall as allowed.

    I also recommend enabling Stealth Mode under Options, as Apple has always recommended enabling that.

    Little Snitch

    The built-in firewall on macOS does not allow for outbound connections. For those wishing for control over outbound connections, I recommend Little Snitch. It reminds me of when I used ZoneAlarm on Windows years ago. It’s a small cost, but it does allow for granular control over outbound connections from apps and even what specific domains specific apps can use. You can also choose to receive alerts immediately, or silently allow/deny them and then manually review the rules later with silent mode. The network monitor is also a neat feature that allows you to see how much data apps are using, as well as where the servers the apps are connecting to are located. The research assistant in the app can also look up additional information on the app prompting the connection message in case the app’s name isn’t familiar.

    Intego NetBarrier

    For those who use Intego VirusBarrier, Intego NetBarrier is also included. Intego NetBarrier works similarly to Little Snitch (it offers support for outbound firewall alerting at the app level, as well as granular control such as allowing certain apps to certain domains). Little Snitch has added more features, plus Little Snitch doesn’t require a subscription, so if you’re using another antivirus solution for Mac, Little Snitch is a great addition to the built-in macOS firewall and your network router’s firewall for solid firewall protection. If you’re using Intego VirusBarrier for your Mac antivirus solution, it makes sense to use Intego NetBarrier instead, since it’s included with Intego VirusBarrier.

    Those are the main firewall solutions for the Mac. If anyone has any questions, let me know!

    Nathan Parker

    • #346774

      Nathan Parker: “The built-in firewall on macOS does not allow for outbound connections”

      Is this related to “telemetry”, data mining and such?

      Would this be a problem when trying to connect with client software to a server transmitting data in real time? As I used to do in order to process GPS data broadcast over the Internet by an international scientific organization, when developing software for real-time positioning — and might have to do again in the not-too-distant future. Or using sftp to send and receive files, or doing remote logins with ssh. I had no problem when doing any of that with Windows 7 Pro and without a need to fiddle with the System settings.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #346784

      Nathan Parker: “The built-in firewall on macOS does not allow for outbound connections” Is this related to “telemetry”, data mining and such? Would this be a problem when trying to connect with client software to a server transmitting data in real time? As I used to do in order to process GPS data broadcast over the Internet by an international scientific organization, when developing software for real-time positioning — and might have to do again in the not-too-distant future. Or using sftp to send and receive files, or doing remote logins with ssh. I had no problem when doing any of that with Windows 7 Pro and without a need to fiddle with the System settings.

      In terms of working with SFTP, etc., enabling the built-in macOS firewall doesn’t have any issues with this. I work with an SFTP server, and with the firewall enabled, I’ve had no issues.

      In terms of uploading, if you have Little Snitch enabled, you have to tell Little Snitch once to allow uploading to the SFTP server, but once you allow it, it just works.

      Did that answer everything or is there more I need to answer?

      Nathan Parker

    • #347212

      Your client software sends a request to the external data source to say “send me your data on this port”. The firewall registers the external source and allows it to connect to the client software per the initial request. If the external source attempted to send the data to a port not specified by the client software, the firewall would block it.

      cheers, Paul

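The behaviour Paul describes above, and the inbound-only versus outbound split from the opening post, can be shown with a small model. The following is an added illustration, not code from the thread or from any Apple or Little Snitch product: a stateful inbound filter (the role the built-in firewall and a home router play) that passes replies to connections this host opened and drops unsolicited inbound traffic unless it targets a service deliberately allowed (a Sharing service, or an app added under Options), with stealth mode changing a visible reject into a silent drop; and a per-application outbound rule set with a silent-mode default, as the post describes Little Snitch. All addresses, ports, application names and the packet trace are constructed sample data.

```python
"""Added illustration of the two firewall layers discussed in the thread.
Not code from the post or from any Apple/Little Snitch product; all
addresses, ports and app names below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out": host -> network, "in": network -> host


class StatefulInboundFilter:
    """Inbound-only filter: the built-in macOS firewall / home router role."""

    def __init__(self, allowed_services=(), stealth=False):
        # (proto, port) pairs this host deliberately listens on (Sharing services)
        self.allowed_services = set(allowed_services)
        self.stealth = stealth
        # flows opened from this host: (proto, local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def handle(self, pkt):
        if pkt.direction == "out":
            # an inbound-only firewall never blocks what the host sends; it only
            # remembers the flow so the reply can be matched later
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.flows:
            return "allow"            # answer to a connection this host started
        if (pkt.proto, pkt.dst_port) in self.allowed_services:
            return "allow"            # e.g. Screen Sharing enabled under Sharing
        # unsolicited: stealth mode drops silently; otherwise the host answers
        # (TCP RST / ICMP unreachable), which tells a scanner the host exists
        return "drop" if self.stealth else "reject"


class OutboundAppFilter:
    """Per-application outbound rules, Little Snitch style (illustration only).
    Rules map an app name to allowed (host, port) pairs; "*" matches anything.
    In silent mode an unmatched connection gets the default verdict and is
    queued for later review instead of raising a prompt."""

    def __init__(self, rules, silent_default="deny"):
        self.rules = {app: set(pairs) for app, pairs in rules.items()}
        self.silent_default = silent_default
        self.pending_review = []

    def handle(self, app, host, port):
        allowed = self.rules.get(app, set())
        if {(host, port), ("*", port), (host, "*")} & allowed:
            return "allow"
        self.pending_review.append((app, host, port))
        return self.silent_default


def sftp_trace(host="192.168.1.20", server="203.0.113.10", scanner="198.51.100.7"):
    """Constructed trace: an sftp session opened from this host, then unsolicited probes."""
    return [
        Packet("tcp", host, 51234, server, 22, "out"),    # client opens the session
        Packet("tcp", server, 22, host, 51234, "in"),     # server's reply: must pass
        Packet("tcp", server, 22, host, 9999, "in"),      # server hits a port the client never asked for
        Packet("tcp", scanner, 40000, host, 22, "in"),    # scanner probes ssh; Remote Login is off here
        Packet("tcp", scanner, 40001, host, 5900, "in"),  # scanner probes Screen Sharing, which is enabled
    ]


def run_inbound(stealth):
    fw = StatefulInboundFilter(allowed_services={("tcp", 5900)}, stealth=stealth)
    return [fw.handle(p) for p in sftp_trace()]


def run_outbound():
    fw = OutboundAppFilter(
        rules={"sftp": {("203.0.113.10", 22)}, "Safari": {("*", 443), ("*", 80)}},
        silent_default="deny",
    )
    verdicts = [
        fw.handle("sftp", "203.0.113.10", 22),             # allowed once, then just works
        fw.handle("Safari", "example.com", 443),           # any host on 443
        fw.handle("UpdaterHelper", "stats.example", 443),  # unknown app: denied and queued for review
    ]
    return verdicts, fw.pending_review


if __name__ == "__main__":
    print(run_inbound(stealth=False))
    print(run_inbound(stealth=True))
    print(run_outbound())
```

The inbound trace gives the same verdicts with and without stealth mode for the sftp reply (allowed, because it matches the flow the client opened) and for the Screen Sharing probe (allowed, because that service was enabled); the difference is only in how the unsolicited packets are answered. The outbound filter is where sftp needs a one-time decision, which is why the thread says Little Snitch must be told once and then "just works".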
    • #347362

      Thanks. I am not clear about this: Let’s say, in my Mac, I use sftp with put, or mput to send a file, or files to a remote sftp site, and get or mget to get a file, or files from that site. Do I need some additional third party software (e.g. Little Snitch) to enable me to upload files with put or mput? I am asking, because I have not used sftp yet with the Mac, but I’ll need to do it soon. I must say that if the answer was “yes”, that would be a little odd.



    • #347388
      Do I need some additional third party software (e.g. Little Snitch) to enable me to upload files with put or mput? I am asking, because I have not used sftp yet with the Mac, but I’ll need to do it soon. I must say that if the answer was “yes”, that would be a little odd.

      In terms of the firewall, the firewall is purely for security reasons. The built-in macOS firewall will protect you concerning inbound connections, and a third-party addition such as Little Snitch will protect you concerning outbound connections (think of it as similar to ZoneAlarm).

      I believe what you’re referring to instead is an SFTP client, or a piece of software that allows you to connect to a SFTP server to upload or download files.

      In that case, the answer is indeed “yes”. You will need third-party software to handle this, but Little Snitch isn’t it.

      The Mac’s built-in Finder (the equivalent of Windows Explorer) has limited FTP access built in (I’m not sure if it even handles SFTP since I’ve never tried it), but you can only read and download content from an FTP server using the Mac’s built-in Finder. Apple has not yet added the ability to upload content to an FTP or SFTP server using the Mac’s built-in Finder (I was told a few releases ago it was “coming soon”, but it’s yet to happen). The only remote connections I can upload content to through the Finder are AFP (Apple Filing Protocol) and SMB.

      For a good SFTP and FTP client, I recommend Transmit. I personally use it, and it offers the most Mac-friendly interface, plus the best performance I’ve seen yet. It also does cloud drives such as Amazon S3, etc., so it’s extremely versatile. I use it for all my web transfer work.

      https://www.panic.com/transmit/

      CyberDuck also works well, and I’ve used it in the past, but I’ve found Transmit to be worth the extra cost.

      Nathan Parker

    • #347425

      Nathan Parker,

      Thanks. It looks like the macOS now has its own sftp application that can be used from the command line either directly or in scripts (that is fine by me, it’s how I always have used sftp):

      macOS and Linux: sftp is a command-line utility bundled with OpenSSH, a suite of command-line SSH tools integrated with macOS (accessible from the Terminal) and most Linux operating systems.

      More about this, here: https://kb.iu.edu/d/ahjh


    • #347430

      You do not need additional software to use local software to upload files. The standard firewall does not block outgoing connections.

      cheers, Paul

    • #347670

      It looks like the macOS now has its own sftp application that can be used from the command line either directly or in scripts

      I forget about all the built-in command line stuff included with macOS (due to its UNIX underpinnings), and it’s true there’s a ton of great stuff you can use in macOS at the command line level in Terminal.

      In that case, correct, you can use sftp from the command line in Terminal to accomplish your sftp work without needing to install third party software. That’ll do the trick, and you’re all set.

      For those that need to access SFTP through a GUI, Transmit is ideal and CyberDuck also works well. The stuff I do with SFTP is more through a GUI, so I use Transmit to access the server, plus I use a couple of backup and sync apps to backup and sync files to the server (Goodsync and Arq if you’re curious).

      For command line access though to sftp, Terminal is perfect.

      Nathan Parker

    • #349240

      I had a chance to drag out my old 2006 PowerBook G4, and I was able to add my old copy of Little Snitch 2 onto it, and it successfully worked. I may write an article later about using vintage Macs in 2019.

      Nathan Parker
