How to Enable Stealth Mode in Mac OS X Firewall for Added Security
Mac users who want a bit more network security can turn on an optional feature of the Mac OS X firewall called Stealth Mode. With Stealth Mode enabled, the Mac will not respond to ICMP echo (ping) requests, the most common form of network discovery, and will not answer connection attempts made to closed TCP and UDP ports. To those probes the Mac appears as if it doesn’t exist at all.
Because Stealth Mode can interfere with some network functions and with troubleshooting to and from the Mac, it is really only appropriate for advanced users, or for those who routinely use their Macs on untrusted public or private networks and want to harden the machine in that environment. If your Mac simply sits on a closed home network behind a router and firewall, surrounded by friendly computers and users, turning on Stealth Mode may be more problematic than helpful, and it is not recommended for trusted LAN situations. Conversely, if you don’t trust the network you’re on at all, you may want to disconnect and find a safer one, or go all out and block every possible incoming network connection to the Mac instead.
How to Enable Stealth Mode Firewall in Mac OS X
Stealth Mode is an optional feature of the Mac firewall available in virtually every modern version of Mac OS X:
- Go to the Apple menu and choose System Preferences
- Go to the “Security & Privacy” preference panel and select the “Firewall” tab
- Click on the unlock button and authenticate with an administrator password, click on “Turn On Firewall” if it hasn’t been turned on yet, then click on the “Firewall Options” button
- Check the box for “Enable Stealth Mode” then click OK
- Close out of System Preferences as usual
The Mac is now in stealth mode, meaning it will not respond to certain types of common network communication and discovery attempts.
If you want to test the efficacy of Stealth Mode, you can use ping at the command line or use Network Utility to attempt to discover the Mac from another Mac. If you ping a Mac with Stealth Mode enabled, there will be no response, just as if you were sending ICMP requests to a nonexistent machine, like so (assuming the Stealth Mode Mac is 192.168.0.201):
MacBook-Pro% ping 192.168.0.201
PING 192.168.0.201 (192.168.0.201): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
^C
--- 192.168.0.201 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
MacBook-Pro%
While this defeats the most common discovery methods, a savvy individual can still find the Mac if they really want to. Stealth Mode only silences the replies to ICMP echo and to probes of closed ports; it does nothing about a service that is actually listening, which still completes a TCP handshake and shows up as open to an ordinary port scan. On the same Ethernet or Wi-Fi segment the Mac still answers ARP requests for its address, a targeted packet capture will show its traffic, and the router’s own client tables list it as connected. This is why it’s called Stealth Mode and not Definitively Invisible Mode: it stays under the radar of casual discovery attempts, but a dedicated technical search can still uncover it, particularly if that someone is on the same network.
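The ping test above only shows the ICMP half of the story. The following script is an added example, not code from the original article: it probes TCP ports and classifies each answer, so you can see the difference between a closed port on a normal host (a RST comes back, reported as “closed”), a closed port on a Stealth Mode Mac (nothing comes back, reported as “filtered”, exactly like an unused address), and a port with a listening service (which still completes the handshake and is reported as “open” whether or not Stealth Mode is on). The loopback listener and the unused port are constructed fixtures so the script runs offline; the remote address 192.168.0.201 and the port list in the closing comment are taken from the article’s example and are assumptions about your network.

```python
"""Probe TCP ports and classify the answer, to show what Stealth Mode hides and what it does not.

Stealth Mode changes only the Mac's answer to probes of CLOSED ports (and to ICMP echo):
instead of a TCP RST it sends nothing, so the probe times out just as it would for an
unused address. A port with a listening service still completes the handshake, so any
service you run stays discoverable with an ordinary connect scan.
"""
import errno
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect(rc: int) -> str:
    """Map the code returned by socket.connect_ex() to a port state (POSIX errno values).

    0             -> open:     SYN/ACK came back; a service is listening. Stealth Mode does NOT hide this.
    ECONNREFUSED  -> closed:   a RST came back; the host answered, so Stealth Mode is off or not in effect.
    anything else -> filtered: nothing came back before the timeout (connect_ex returns EAGAIN/EWOULDBLOCK),
                               which is what a Stealth Mode Mac, or any dropping firewall, looks like.
    """
    if rc == 0:
        return OPEN
    if rc == errno.ECONNREFUSED:
        return CLOSED
    return FILTERED


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect() probe. Returns 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))  # returns an errno instead of raising
    return classify_connect(rc)


def scan(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe several ports; the pattern of results tells you whether Stealth Mode is on.

    Closed ports reported 'closed'   -> host answers normally (no Stealth Mode).
    Closed ports reported 'filtered' -> Stealth Mode (or another packet filter) is dropping them.
    Any port reported 'open'         -> a listening service, visible regardless of Stealth Mode.
    """
    return {p: probe_tcp(host, p, timeout) for p in ports}


def start_local_listener():
    """Constructed fixture: a loopback listener on an ephemeral port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the kernel completes handshakes even though we never call accept()
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Constructed fixture: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Loopback demo: one open port and one closed port on this machine.
    srv, open_port = start_local_listener()
    try:
        print(scan("127.0.0.1", [open_port, unused_local_port()], timeout=1.0))
    finally:
        srv.close()
    # Against the article's Stealth Mode Mac (192.168.0.201 is the article's example address;
    # the port list is an assumption), run e.g. scan("192.168.0.201", [22, 80, 5900, 12345]):
    # closed ports come back 'filtered' instead of 'closed', while any port with a service
    # listening still shows 'open'.
```

Run it from a second machine on the same network to compare a Mac before and after enabling Stealth Mode: the closed ports flip from “closed” to “filtered”, while any port you have a service on (Screen Sharing, SSH, a web server) stays “open”. That is the practical limit of the feature: it hides the absence of services, not their presence.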
If you are interested in using Stealth Mode for security and privacy reasons, you may want to consider blocking all incoming network connections to the Mac as well, which is in the same firewall preference panel of Mac OS X. Combining the two is pretty effective.
Of course, if you enable stealth mode and discover you’re suddenly experiencing network issues with the given Mac, turning off the feature is just a matter of returning to the firewall settings and unchecking the box again.
If you have any thoughts or opinions on stealth mode and the application firewall in Mac OS, share with us in the comments below.
My IPv6 connectivity is native, with no hardware or software firewall. Both systems (Mac and Win7 PC) are behind the same router. It must be due to OS X.
How can I allow, in this context, ICMP echo replies for IPv6? By default they are disabled under OS X. To check, use ipv6-test.com (ICMP unreachable).
Stealth mode is disabled by default on OS X. ICMPv6 is nevertheless not reachable; try it yourself! –> ipv6-test.com
It’s working for me; that site reports my temporary address as being pingable. There must be something interfering with packets from there to you.
What could be interfering?
On my Windows machine, it works perfectly.
In OS X it does not.
Good question. Do you have any network obstacles between your Mac and the Internet? A hardware firewall, say?
What about your IPv6 connectivity–how are you obtaining it? A tunnel? Natively?
Should probably just use pf if you want real control. Murus is a decent GUI if anyone’s interested.
It’s really not. It’s a mixed bag that really fails to help the user understand the mechanics of PF. It’s nice looking in ways, uninformative in others, and counterintuitive in yet others. It’s a really good attempt to simplify an otherwise complex process.
True, I suppose I should have explained that better. It’s not good in the sense that Apple’s GUIs used to be good, it’s good in the sense that it’s far easier for me to accomplish what I wanted than using the command line, even if it doesn’t actually simplify understanding.
Is using the command “sudo sysctl -a | grep net.inet” good standard practice? Or has Apple already turned off ICMP redirect in later Yosemite or El Cap versions?
If it’s still enabled out of the box on both OS X and iOS, is ICMP redirect used for some Apple specific eco system service?
Does Stealth Mode disable ICMP redirect, or is “sudo sysctl -a | grep net.inet” a sub-set of Stealth Mode?
Thanks
The command you’ve listed only prints parameters in the net.inet tree. It’s safe–you can try it yourself, although for extra safety leave off the “sudo”.
ICMP redirects are no longer accepted. That’s been fixed. And I doubt that “stealth mode” would have filtered them, anyhow.
Thanks Sebby. It looks like the option to disable ICMP redirect is “net.inet6.icmp6.rediraccept: 1”. Do you know exactly what the verb is?
Has redirect been disabled in iOS? Was there any reason Apple left ICMP redirect enabled for so long? I’ll check but was this fixed in a security update or an OS update? I’m showing “ENABLED” and I’m running the latest Security Update but not the latest OS. Anyway, I’ll disable it manually. It’s amazing how many people probably have no idea.
I have ZERO concerns about the few apps I use. I made sure of that! I used Little Snitch for about a year and paid close attention. After buying a new drive and doing an OS X clean install and fresh install of all apps I now have a slim and locked down “trusted” OS.
Although I’m not too worried because I’m normally behind a secure home router, I’m still very curious what other ways someone can discover my Mac, and what they can do with whatever is left open, and what the serious power user way of handling it is. Anytime I can use a command or script instead of a 3rd party front end, the better, even if said app is just a GUI version for the very same commands.
I found the link below, which got me started in the right direction and led me to many other resources. Net-Monitor looks good and Yosemite Phone Home looks good. WaterRook looks like a pretty good option if one needs a GUI. And there are quite a few
https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/
Thanks for your time.
I wouldn’t worry too much about network security, unless you have a bunch of services running, never update software, have weak passwords, and are joined to a hostile network (like visiting Defcon!) you have little to worry about for the most part. Particularly if you’re behind a router and hardware firewall.
If you’re at Defcon, you’re probably just better off turning off all your radios. Bluetooth, Wifi, the universal wireless dongle for your mouse… just turn them off.
The app firewall in OS X is pretty useless. It doesn’t block discovery, so turning it on–and especially “Stealth” mode which just violates standard behaviour for no good reason–will just break stuff. If you like breaking stuff, that’s cool, but if you’d rather have complete control over network traffic, use pf yourself directly instead. Apple will “do no harm” to its own subsystems in the application firewall.
Or better yet, just don’t firewall. Don’t you trust OS X and your applications? If not, then you’ve got bigger problems than a firewall configuration. Simply don’t run services you don’t want, and you’ll be fine! This isn’t Windows, you know.
Is there a terminal command or shell script that could be run that would print and save in a text document every type of icmp, attacks on the modem/router and/or Mac, pings and any other connection attempts made 24/7 complete with IP address or any other information that could be captured?
Little Snitch is good for installed apps that are phoning home (Chrome users take note and be prepared to be surprised!), but beyond that I’d like to see everything that goes on especially when all of my user processes are shut down and my Mac is awake overnight doing nothing other than what the system does.
I should mention that I read Console Logs on occasion mainly to get familiar with what goes on in the underworld of the root processes. So perhaps someone could mention specific things of interest to look for there too. For instance, I once had a System folder on a volume that was removed but the User folder was kept. Shut down on that Mac was slow. The reason was because the OS was looking for a Kext Cache folder to write to and after taking about 20 seconds it gave up and shut down.
A response would be welcome. Otherwise would any of this make for a worthy osxdaily article?
Thank you.
Have you looked at deploying Snort?
You can also enable firewall Stealth Mode from the command line:
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Switch to ‘off’ at the end if you wish to turn it off from the command line as well.
As I understand it, the firewall in modern OS X is no longer based on IPFW, and it has been replaced by PF and a separate application firewall.