macOS Firewall Enablement Tech Note

Goal

Enable and verify the macOS built-in firewall from Terminal for a host that will expose services publicly.

1) Enable firewall basics

Run from Terminal on the Mac:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

This turns on the application firewall (State = 1).

2) Apply recommended defaults for public service hosts

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
  • --setblockall off leaves inbound connections governed by per-application firewall rules rather than dropping all inbound traffic globally.
  • --setstealthmode on stops the host from responding to unsolicited probes (for example, ICMP pings and connection attempts to closed ports).

3) Confirm current state

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

Expected:

  • Firewall is enabled. (State = 1)
  • Firewall has block all state set to disabled.
  • Firewall stealth mode is on
  • Firewall allows signed applications to receive connections (or equivalent)

4) Optional: log and app-level visibility

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

Use --listapps to inspect which applications (by executable path) are currently allowed or blocked by the firewall.
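The state checks in step 3 are easy to eyeball once, but for a host that exposes services it is worth scripting them so drift is caught. The following is an added example, not part of the original note: it takes the raw output of the four --get* queries, compares each against the "Expected" lines above, and counts mismatches. It assumes those expected strings match the output of the installed macOS version (the --getallowsigned wording in particular may differ; adjust the pattern if so) and only performs a live query when socketfilterfw is present.

```shell
#!/bin/sh
# Added example (not from the original tech note): verify the four
# socketfilterfw settings from steps 1-2 against the intended public-host policy.
# Assumption: the expected substrings below mirror the note's "Expected" list;
# adjust them if the local macOS version prints different wording.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# fw_check <expected-substring> <actual-output>
# Returns 0 when the expected text appears in the output (case-insensitive), 1 otherwise.
fw_check() {
  printf '%s\n' "$2" | grep -qi -- "$1"
}

# fw_verify_all <globalstate-out> <blockall-out> <stealth-out> <allowsigned-out>
# Takes the raw output of the four --get* queries and returns the number of
# settings that deviate from the intended policy (0 means fully compliant).
fw_verify_all() {
  fails=0
  fw_check 'Firewall is enabled' "$1" \
    || { echo 'FAIL: application firewall is not enabled'; fails=$((fails + 1)); }
  fw_check 'block all state set to disabled' "$2" \
    || { echo 'FAIL: block-all is on; per-app rules are bypassed'; fails=$((fails + 1)); }
  fw_check 'stealth mode is on' "$3" \
    || { echo 'FAIL: stealth mode is off'; fails=$((fails + 1)); }
  fw_check 'allows signed' "$4" \
    || { echo 'FAIL: signed applications are not allowed to receive connections'; fails=$((fails + 1)); }
  return "$fails"
}

# Live run only where socketfilterfw exists (macOS). Uses sudo, as in the note.
if [ -x "$SFW" ]; then
  if fw_verify_all "$(sudo "$SFW" --getglobalstate)" \
                   "$(sudo "$SFW" --getblockall)" \
                   "$(sudo "$SFW" --getstealthmode)" \
                   "$(sudo "$SFW" --getallowsigned)"; then
    echo 'OK: firewall matches the intended public-host policy'
  fi
fi
```

The function returns the mismatch count as its exit status, so it can gate a deploy step or feed a periodic compliance check directly.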

5) Verify from remote side after opening external ports

nmap -Pn <public-ip> -p 22,80,443,8080,9001

For this project, you typically want only:

  • 22 reachable for admin SSH
  • 80/443 reachable for Caddy
  • 8080/9001 not publicly reachable

6) Important boundary note

The macOS firewall is host-level only. If this Mac sits behind provider networking (a VPS firewall or security group), that layer still needs its own port policy set to the same intent; a rule allowed there but blocked here, or the reverse, will not give the result you expect.
