This content is no longer maintained. Please visit our new website.

Using Firewalls at UIC

Using Mac OS X Built-In Firewall


It's easy to think that no one could possibly be interested in your Mac, but that's not the case. Having a fast Internet connection that's "always on" when you want to surf the Web is great for you, but it's also great for hackers from around the world who have nothing better to do than sweep through thousands of random IP addresses looking for machines that they can exploit.

Do you connect to the Internet with an always-on connection? If you do, you should use a firewall -- a network protection tool that guards against and reports intrusions on your computer from the outside, or unauthorized communications from the inside -- to protect your computer, and you must keep it running at all times. In fact, you need to consider securing your home computers even if you are only connected some of the time. You're vulnerable whenever you're connected.

To get an idea of what the firewall will do for you, run Symantec's Internet Security Check before and after you install/turn on a firewall. Running this check might be just the thing you need to convince you to run a firewall. This service checks the security of your computer's connection to the Internet by sending it various connection requests. The info on this service says that it requires Internet Explorer 5.0, Netscape 4.5, or Safari 1.0 on a Mac, but I used Firefox 2 on my Mac and it worked just fine.

Mac OS X comes with a built-in firewall and, as of Mac OS 10.2, an easy-to-use, application-based graphical setup program to configure it. You specify, for each application, whether incoming connections are allowed or blocked. (The Mac OS firewall is actually two-way -- incoming and outgoing -- but the GUI only allows you to set up incoming rules.)

To use the built-in Mac OS X firewall:
  1. Apple menu -> System Preferences

  2. Click on Sharing in Internet & Network. If the Preference is locked, click on the lock in the lower left corner then enter an Administrator's account name and password to unlock it.
  3. Click on the Firewall tab. (If Firewall is greyed out click on Internet first.)
  4. If the Firewall is not turned on, click Start to turn it on.
  5. If you want to allow some activities, such as setting the time on your Mac using a Network Time server, scroll down to find Network Time in the Allow: list and click the box in front to turn it on.

  6. When you are finished configuring specific tasks, click the Advanced... button. In the sheet that appears, select the Enable Stealth Mode option. This makes your computer almost invisible on the Internet, so hackers will be less likely to attack.

    I recommend enabling Firewall Logging also, just to prove to yourself that it's doing something for you.
    You might consider selecting the third Advanced option, Block UDP Traffic. However, some applications use UDP protocols -- including Network Time -- so blocking all UDP traffic could interfere with them. Examples are playing online games and VoIP (voice over IP) services such as Skype.

Adding an application that isn't in the Allow list.

These illustrations are from our Mac at home. We recently got a third generation TiVo and installed TiVo Desktop on this Mac. It needed additional ports added to the Mac's firewall. Here is how we did it.

  1. In the Sharing preference, Firewall tab:
  2. Click New....
    • From the Port Name: dropdown list, select Other. (TiVo Desktop isn't on the list.)
    • The instructions for the TiVo said the ports needed were: TCP ports 2190, 5353, and 8101.
    • The Description: is TiVo Desktop because that is the software that is going to use these ports.
    • Click OK. This adds TiVo Desktop to the Allow: list on the Firewall tab.
  3. Click in the Allow: list to turn on the new TiVo Desktop ports.
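
With Firewall Logging enabled, the log can be summarized to see what the firewall blocked and whether a port you added is still being denied. The following is an added example, not part of the original page: it assumes ipfw-style log lines (the page does not show the log format), the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed ipfw-style log formats (not given on the page).
DENY = re.compile(r"ipfw: \d+ Deny (TCP|UDP) ([\d.]+):(\d+) ([\d.]+):(\d+) in")
STEALTH = re.compile(
    r"ipfw: Stealth Mode connection attempt to (TCP|UDP) ([\d.]+):(\d+) from ([\d.]+):(\d+)")

# Ports the page adds for TiVo Desktop (TCP 2190, 5353, 8101).
ALLOWED_TCP = {2190, 5353, 8101}

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  9 10:15:02 mymac ipfw: 12190 Deny TCP 203.0.113.5:4312 192.0.2.10:445 in via en0
Jan  9 10:15:09 mymac ipfw: 12190 Deny TCP 203.0.113.5:4313 192.0.2.10:445 in via en0
Jan  9 10:16:40 mymac ipfw: Stealth Mode connection attempt to TCP 192.0.2.10:139 from 198.51.100.7:3456
Jan  9 10:20:11 mymac ipfw: 12190 Deny TCP 192.0.2.20:50112 192.0.2.10:8101 in via en0
Jan  9 10:21:00 mymac ipfw: 35000 Deny UDP 198.51.100.7:1026 192.0.2.10:1434 in via en0
Jan  9 10:22:00 mymac sshd[311]: unrelated line that the parser must skip
"""

def parse_line(line):
    """Return (proto, src_ip, dst_port) for a blocked packet, else None."""
    m = DENY.search(line)
    if m:
        return m.group(1), m.group(2), int(m.group(5))
    m = STEALTH.search(line)
    if m:
        return m.group(1), m.group(4), int(m.group(3))
    return None

def summarize(log_text, allowed_tcp=ALLOWED_TCP):
    """Tally blocked packets and flag blocks on ports meant to be allowed."""
    by_port, by_source, misblocked = Counter(), Counter(), set()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        proto, src, dport = hit
        by_port[(proto, dport)] += 1
        by_source[src] += 1
        if proto == "TCP" and dport in allowed_tcp:
            misblocked.add(dport)  # port was added but its Allow box is not on
    return {"by_port": by_port, "by_source": by_source,
            "misblocked": sorted(misblocked)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (proto, port), n in report["by_port"].most_common():
        print(f"{n:3d} blocked  {proto}/{port}")
    print("allowed ports still being blocked:", report["misblocked"])
```

A port listed under "allowed ports still being blocked" means the entry was created but is not checked in the Allow: list (step 3 above).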


2009-1-9  CSO