How to Block All Incoming Network Connections in Mac OS X
The Mac OS X Firewall provides an optional ability to block all incoming network connections, offering a significant security boost to Macs that sit on untrusted or hostile networks.
Because this is the strictest level of inbound filtering the built-in Mac firewall offers, it is meant for situations where the default assumption is that no incoming connection attempt should be trusted. That makes it too strict to be practical for most users in most environments, but it is worth knowing how to enable the feature should the need arise.
Blocking All Inbound Network Connections in Mac OS X
This feature is available in every version of Mac OS X since the application firewall was introduced in 10.5 Leopard (in macOS Ventura and later the same options live under System Settings > Network > Firewall):
- Open System Preferences from the Apple menu and choose the “Security & Privacy” panel
- Select the “Firewall” tab and then click the lock icon in the corner to login and allow changes
- Choose “Turn On Firewall” if it hasn’t been enabled yet, then choose “Firewall Options”
- Select the topmost “Block all incoming connections” option
As the preference panel notes, when enabled this blocks all incoming connections except those required for basic Internet services, such as DHCP, Bonjour, and IPSec. In practice that means every sharing service: file sharing, screen sharing, remote login and any other SSH or SFTP access, iChat Bonjour, AirDrop file transfers, iTunes music sharing, and anything else inbound that is not needed to keep the Mac on the network. Dropping ICMP echo requests and probes to closed ports is the job of the separate “Enable stealth mode” option in the same dialog.
Blocks Inbound Connections, Not Broadcasts
It’s important to note that this setting will not stop the Mac from advertising its presence on the network: Bonjour is one of the services the firewall explicitly exempts, so if File Sharing, AirDrop, Samba for Windows sharing and the like are enabled, they will still announce themselves. It also does nothing to restrict outgoing connections; it only affects inbound connection attempts to nonessential services.
For a specific example; if a user left File Sharing turned ON but blocked all incoming connections with the firewall, the Mac would still show up on network scans, but nobody would be able to connect to it.
If you also want to stop the Mac from advertising its presence on the network, go to the “Sharing” preference panel and turn off the services that are revealing it.
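The same switch can be audited and set from a terminal, which is handy for scripting a laptop build or checking a fleet. The script below is an added example and not part of the original article; it assumes `socketfilterfw` lives at `/usr/libexec/ApplicationFirewall/socketfilterfw`, that `--getglobalstate` prints a line of the form `Firewall is enabled. (State = 1)`, and that the same value is mirrored as `globalstate` in `/Library/Preferences/com.apple.alf` with 0 = off, 1 = on, 2 = block all (older macOS releases; newer ones may not keep that plist current, so `socketfilterfw` is preferred). The write operations need `sudo`.

```shell
#!/bin/sh
# Added example: audit and enforce "Block all incoming connections" for the
# macOS application firewall from the command line, then show what the Mac
# still advertises over Bonjour (block-all exempts Bonjour, so enabled
# sharing services keep announcing themselves).
# Assumed paths and output format are noted in the lead-in above.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
ALF_PLIST=/Library/Preferences/com.apple.alf

# Map the integer globalstate to the label shown in the preference pane.
alf_state_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on (allow by app list)" ;;
        2) echo "on (block all incoming connections)" ;;
        *) echo "unknown" ;;
    esac
}

# Pull the numeric state out of a socketfilterfw status line, e.g.
# "Firewall is enabled. (State = 2)" -> 2.  Prints nothing if absent.
alf_state_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*State = \([0-9]*\).*/\1/p'
}

# Current global state on this machine (macOS only).
alf_current_state() {
    if [ -x "$SFW" ]; then
        alf_state_from_line "$("$SFW" --getglobalstate)"
    else
        defaults read "$ALF_PLIST" globalstate 2>/dev/null
    fi
}

alf_audit() {
    state=$(alf_current_state)
    echo "firewall globalstate: ${state:-?} ($(alf_state_name "${state:-x}"))"
    if [ -x "$SFW" ]; then
        "$SFW" --getblockall
        "$SFW" --getstealthmode
    fi
    # Block-all stops inbound sessions, not advertisements: browse the
    # service types this host (and its neighbours) publish for 3 seconds.
    if command -v dns-sd >/dev/null 2>&1; then
        echo "service types still visible via Bonjour:"
        dns-sd -B _services._dns-sd._udp local. &
        sleep 3
        kill $! 2>/dev/null
    fi
}

alf_enforce_block_all() {
    if [ ! -x "$SFW" ]; then
        echo "socketfilterfw not found; is this macOS?" >&2
        return 1
    fi
    sudo "$SFW" --setglobalstate on   # firewall must be on first
    sudo "$SFW" --setblockall on      # globalstate becomes 2
}

# Usage: sh alf-blockall.sh audit | enforce   (no argument does nothing)
case "${1:-}" in
    audit)   alf_audit ;;
    enforce) alf_enforce_block_all && alf_audit ;;
esac
```

Run `sh alf-blockall.sh audit` before and after flipping the switch in the GUI to see the state move from 1 to 2; if sharing services are still on, the Bonjour browse will keep listing `_afpovertcp`, `_smb` and similar types even though nothing can connect to them.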
As you can see in the dialog box, it says “except for ….”. So this does not work as your title suggests (it does not block *ALL*).
Read the article to understand how this works to block all incoming network connections while maintaining internet use.
Much of the internet is back and forth communication of data sending and receiving to work as expected. If you go to a webpage, your browser requests data from that webpage, then data is incoming to the computer to view the webpage. If you blocked that incoming data you couldn’t view the webpage, you’d be sending a request and get nothing back.
Therefore some core functionalities of networking and internet services are required for any internet usage. If you block all networking functionality and internet connectivity, you can’t get online.
Of course sometimes that is actually desirable for high security environments, and if you want to block 100% of network and internet connections coming into a Mac (and going out), then disconnect from Ethernet, turn off Bluetooth, disable Wi-Fi, and do not connect any hardware to the computer that has any internet connection (or better yet, connect nothing at all that can even store data or get online). Then you can’t send or receive any network data; you are basically air-gapped.
A good way is to:
1. not block all connections.
2. enable stealth mode.
3. not allow signed (or built-in starting with Sierra) software to automatically accept incoming connections. This is an insecure luxury and assumes all registered developers are honest people. While most probably are, why take the risk?
Then specifically allow or disallow connections on request as they come in. You have to do this only once for each application.
Unless you have compelling reasons to allow them, you may also want to block netbiosd (incoming requests from MS Windows), httpd (incoming requests for your web server which you are probably not running), and gamed (incoming requests from the Apple Game Center).
I am not a security expert, but have been using the Mac since 1984 and read some about security issues.
Thanks for your article.
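The allowlist-style setup the previous comment describes (firewall on, block-all off, stealth mode on, no automatic exception for signed software, specific daemons blocked) can also be applied and audited from a terminal. This script is an added example and not the commenter's or Apple's code; it assumes the `socketfilterfw` flags `--setstealthmode`, `--setallowsigned`, `--setallowsignedapp`, `--add`, `--blockapp` and `--listapps` as printed by `socketfilterfw -h`, that `--listapps` prints each entry as a numbered path line followed by a `( Allow incoming connections )` or `( Block incoming connections )` line, and that `netbiosd` and `httpd` live under `/usr/sbin`. The commenter's `gamed` is left out because its binary path is not given on the page; add any path you want blocked to the `BLOCKED` list.

```shell
#!/bin/sh
# Added example: per-application firewall policy with stealth mode, no
# automatic allow for signed software, and a few daemons blocked outright,
# plus an audit that lists which applications are currently allowed in.
# Flag names and --listapps format are assumptions (see the lead-in).

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
BLOCKED="/usr/sbin/netbiosd /usr/sbin/httpd"

# Parse --listapps text on stdin and print one allowed path per line.
# Each entry looks like:   1 :  /Applications/Foo.app
#                               ( Allow incoming connections )
alf_allowed_apps() {
    awk '
        /^[0-9]+ :/ {
            sub(/^[0-9]+ :[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            path = $0
            next
        }
        /Allow incoming connections/ && path != "" { print path; path = "" }
        /Block incoming connections/               { path = "" }
    '
}

alf_apply_allowlist_policy() {
    if [ ! -x "$SFW" ]; then
        echo "socketfilterfw not found; is this macOS?" >&2
        return 1
    fi
    sudo "$SFW" --setglobalstate on
    sudo "$SFW" --setblockall off        # decide per application instead
    sudo "$SFW" --setstealthmode on      # no replies to ping or closed-port probes
    sudo "$SFW" --setallowsigned off     # signed downloads are not auto-allowed
    sudo "$SFW" --setallowsignedapp off  # nor is built-in signed software
    for d in $BLOCKED; do
        [ -x "$d" ] || continue          # skip daemons not present on this release
        sudo "$SFW" --add "$d" >/dev/null
        sudo "$SFW" --blockapp "$d"
    done
}

# Print the applications that may currently accept incoming connections.
alf_audit_allowed() {
    [ -x "$SFW" ] || return 1
    "$SFW" --listapps | alf_allowed_apps
}

# Constructed sample of --listapps output, used to exercise the parser
# on a machine without socketfilterfw (not captured from a real Mac).
SAMPLE_LISTAPPS='ALF: total number of apps = 3

1 :  /Applications/Example.app
     ( Allow incoming connections )
2 :  /usr/sbin/netbiosd
     ( Block incoming connections )
3 :  /usr/sbin/httpd
     ( Allow incoming connections )'

# Usage: sh alf-allowlist.sh apply | audit | demo   (no argument does nothing)
case "${1:-}" in
    apply) alf_apply_allowlist_policy && alf_audit_allowed ;;
    audit) alf_audit_allowed ;;
    demo)  printf '%s\n' "$SAMPLE_LISTAPPS" | alf_allowed_apps ;;
esac
```

With `--setallowsigned off`, every application that starts listening triggers the "Do you want the application to accept incoming network connections?" prompt once; `sh alf-allowlist.sh audit` afterwards shows exactly which ones were allowed, which is the list worth reviewing from time to time.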