Mac OS X v10.5, 10.6: About the Application Firewall

Mac OS X v10.5 and 10.6 include a technology called the Application Firewall. One of the basic purposes of a firewall is to control connections made to your computer from other computers on the network.

Note: This article applies to the version of the Application Firewall included with Mac OS X v10.5.1 and later.

The firewall in Mac OS X v10.5.1 and later is an Application Firewall, which allows you to control connections on a per-application basis, rather than a per-port basis. This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable applications from taking control of network ports that have been opened for legitimate applications.

Configuring the Application Firewall in Mac OS X v10.6 and later

Follow these steps:

  1. Choose System Preferences from the Apple menu.
  2. Click Security.
  3. Click the Firewall tab.
  4. Unlock the pane by clicking the lock in the lower-left corner and entering the administrator username and password.
  5. Click Start to enable the firewall.
  6. Click Advanced to customize the firewall configuration.

Application Firewall's three advanced settings

1. Block all incoming connections:

Mac OS X v10.6 will block all connections except a limited list of services essential to the operation of your computer.

The system services that are still allowed to receive incoming connections are:

  • configd, which implements DHCP and other network configuration services
  • mDNSResponder, which implements Bonjour
  • racoon, which implements IPSec

This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, disable this option.

2. Automatically allow signed software to receive incoming connections:

Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.

3. Enable stealth mode:

With stealth mode enabled, the computer will not respond to requests that probe the computer to see if it is there. The computer will still answer requests coming in for authorized applications, but other unexpected requests, such as ICMP (ping), will not get a response.

Digitally signed applications

All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.6 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application, you should first add it to the list and then explicitly deny it.

If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.6 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.6 will sign the application, automatically add it to the Application Firewall list and deny the connection.

Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.

Configuring the Application Firewall in Mac OS X v10.5

This article applies to the version of the Application Firewall included with Mac OS X v10.5.1 and later. Follow these steps:

  1. Choose System Preferences from the Apple menu.
  2. Click Security.
  3. Click the Firewall tab.
  4. Choose what mode you would like the firewall to use.

Application Firewall's three modes of operation

1. Allow all incoming connections:

This is the most open mode. Mac OS X will not block any incoming connections to your computer. This is the default mode for Mac OS X v10.5. If you upgraded from Mac OS X v10.4.x, your Application Firewall will default to this mode.

2. Allow only essential services:

This is the most conservative mode. Mac OS X will block all connections except a limited list of services essential to the operation of your computer.

The system services that are still allowed to receive incoming connections are:

  • configd, which implements DHCP and other network configuration services
  • mDNSResponder, which implements Bonjour
  • racoon, which implements IPSec

This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, choose a different mode.

3. Set access for specific services and applications:

This mode offers you the most flexibility. You can choose whether to allow or deny incoming connections for any application on your system.

You can click the "+" button to add an application to this list. You can select an application and click the "-" button to remove it. Control-clicking on the application name gives you the option to reveal the application's location in Finder.

Once you've added an application to the list, you can choose whether to allow or deny incoming connections for that application. You can even add command line applications to this list.

When you add an application to this list, Mac OS X digitally signs the application (if it has not been signed already). If the application is later modified, you will be prompted to allow or deny incoming network connections to it. Most applications do not modify themselves, and this is a safety feature that notifies you of the change.

Digitally signed applications

All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.5 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application you should first add it to the list and then explicitly deny it.

If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.5 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.5 will sign the application, automatically add it to the Application Firewall list and deny the connection.

Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.
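The three advanced settings described for Mac OS X v10.6 and the three modes of operation described for v10.5 are both held in the com.apple.alf preference domain, so the same check serves both sections. The following is an added example, not code from the Apple article or from Apple's own tools: it reads that plist with Python's standard plistlib and reports what each setting exposes, using the article's own descriptions of the modes. The key names globalstate, allowsignedenabled and stealthenabled, and the integer encoding of the modes (0, 1, 2), are assumptions drawn from that preference domain rather than from the article; confirm them on the target system with `defaults read /Library/Preferences/com.apple.alf`. The sample plist embedded in the script is constructed.

```python
"""Posture check for the Mac OS X Application Firewall (ALF) settings.

Added example, not from the Apple article. Key names and integer encodings
below are assumptions about the com.apple.alf preference domain; verify them
with `defaults read /Library/Preferences/com.apple.alf` on the machine.
"""
import os
import plistlib
from typing import Dict, List

ALF_PLIST = "/Library/Preferences/com.apple.alf.plist"  # assumed location

# Assumed encoding of the article's three modes in the `globalstate` key.
GLOBAL_STATE = {
    0: "Allow all incoming connections (firewall off)",
    1: "Set access for specific services and applications",
    2: "Allow only essential services / Block all incoming connections",
}


def assess_alf(prefs: Dict[str, int]) -> List[str]:
    """Return human-readable findings for an ALF preference dictionary."""
    findings = []
    state = int(prefs.get("globalstate", 0))
    findings.append(f"mode: {GLOBAL_STATE.get(state, f'unknown ({state})')}")

    if state == 0:
        findings.append("RISK: firewall is off; every listening service is reachable")
    elif state == 2:
        # Per the article, only these system services may still accept connections.
        findings.append("NOTE: only configd (DHCP), mDNSResponder (Bonjour) and racoon "
                        "(IPSec) may accept connections; File/Screen Sharing will not work")

    if state == 1 and int(prefs.get("allowsignedenabled", 0)) == 1:
        # Signed applications (every Apple application included) bypass the prompt;
        # the article says to add such an app to the list and deny it explicitly.
        findings.append("NOTE: signed software is allowed automatically; add and "
                        "explicitly deny any signed app that must not listen")

    if state != 0 and int(prefs.get("stealthenabled", 0)) != 1:
        findings.append("RISK: stealth mode off; host answers ICMP echo (ping) probes")
    return findings


def load_alf(path: str = ALF_PLIST) -> Dict[str, int]:
    """Load the live plist (binary or XML); on macOS the file is root-readable."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


# Constructed sample standing in for a real com.apple.alf.plist: firewall on for
# specific services, signed software auto-allowed, stealth mode off.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>globalstate</key><integer>1</integer>
    <key>allowsignedenabled</key><integer>1</integer>
    <key>stealthenabled</key><integer>0</integer>
</dict>
</plist>
"""


def assess_sample() -> List[str]:
    """Run the assessment against the constructed sample plist."""
    return assess_alf(plistlib.loads(SAMPLE_PLIST))


if __name__ == "__main__":
    prefs = load_alf() if os.path.exists(ALF_PLIST) else plistlib.loads(SAMPLE_PLIST)
    for line in assess_alf(prefs):
        print(line)
```

Run as root on the Mac being audited to read the live file; on any other system it falls back to the constructed sample. The findings mirror the article's text: the block-all mode disables the Sharing services, automatic allowance of signed software means every Apple-signed application may listen without a prompt, and stealth mode is what stops ICMP replies.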

Additional Information

Advanced note: The Firewall applies to the Internet protocols most commonly used by applications, which are TCP and UDP. It does not affect AppleTalk. The Firewall may be set to block incoming ICMP "pings" by enabling Stealth Mode in the Advanced settings. Earlier ipfw technology is still accessible from the command line (in Terminal) and the Application Firewall does not overrule rules set with ipfw. If ipfw blocks an incoming packet, the Application Firewall will not process it.

Last Modified: May 19, 2010
Article: HT1810