Should the Mac Firewall be turned 'on'?

In your case, with a home network setup and additional security measures, enabling the Mac firewall offers some benefits but also has a potential drawback:

Benefits of turning on Mac Firewall:

• Layered Security: Even with your router firewall and Bitdefender, adding another layer of protection with the Mac firewall can be beneficial. It can help catch anything that might slip through the other filters.

Drawback of turning on Mac Firewall:

• Potential Software Conflicts: In rare cases, enabling the Mac firewall might cause conflicts with some applications, especially if they rely on specific ports or network access. This is more likely if you use software that interacts with other devices on your network or the internet in non-standard ways.

Recommendation:

Given your setup, most people wouldn't consider the Mac firewall essential. However, the potential benefits outweigh the minor risk of conflicts. Here's how to decide:

• If you're comfortable with troubleshooting software conflicts: Enable the Mac firewall for that extra layer of security.
• If you prioritize avoiding any software issues: You can likely keep it off since you already have good protection with the router firewall and Bitdefender.

Tips:

• If you do enable the Mac firewall, monitor for any software issues.
• You can configure the Mac firewall to allow specific applications if needed (refer to Apple's guide on firewall settings for details on how to do this Change Firewall settings on Mac - Apple Support).

Lyphe-416 wrote:

Hi,

I've seen differing answers on this and wanted to ask the community.

I have a Mac that is only used at home. It connects via wifi to my router, that has a medium security firewall turned on. And I have Bitdefender for Mac.

Not sure if your router employs an application-level (socket filter) or network-level (packet filter) to offer any advice to, whether or not, it will provide your local network with any benefits.

macOS offers two software firewalls (both a socket filter & a packet filter type). Neither are enabled by default.

Apple's socket filter firewall would be enabled via System Settings > Network > Firewall. This is what most folks would use. The goal of this type of firewall is to prevent "unwanted intrusions" at the application layer of the OSI model. A third-party equivalent would be something like Little Snitch.

Ref: Block connections to your Mac with a firewall - Apple Support

Apple's packet filter firewall would be enabled via commands in the Terminal app. This type of firewall works at the much lower network layer of the OSI model. It mainly helps prevent "unwanted intrusions" of network protocols.

Enabling either or both of these will really depend on your networking security requirements. Using any type of firewall (hardware or software) is a trade-off between security and performance ... you can't have both.

Lastly, your Mac does NOT require any third-party Anti-Virus apps. macOS itself, is very secure, and all that is required is to keep it updated. Third-party AV products tend to cause more issues than resolve them and we see numerous posts here from folks asking for help with getting rid of them.

Ref: macOS - Security - Apple

If you are an Activist or political figure who might have a high enough profile to be the target of Nation-state level hacking, there is no such thing as "too much" protection. In that case, you may need lock-down mode. Most people are never targeted by attacks of this nature.

About Lockdown Mode - Apple Support

.

Tesseract has answered a far LARGER question than most Mac users are facing.

if your Home network includes a Server that is providing services to the Internet, answering queries from other Users on the Internet at large or allowing SSH connections for other Internet users, that answer is spot-on.

If you are NOT providing such services, I suggest these slightly more practical guidelines instead:

if you are behind a Router you control, and enable a Wi-Fi password, your over-the-air messages to your Router are encrypted.

Network Address Translation:

Your Router 'acts as your agent' on the Internet at large, and your local IP address is never sent off your own local network. Your Router ALSO has a built in state-wise firewall, and typical Medium settings will cause it to discard any unsolicited incoming requests. Only answers to your DIRECT queries are allowed in. The combination means your Mac is Un-reachable for unsolicited communication from the Internet at large.

As long as you are using your own Router, there is no need to activate the Mac firewall. On public Wi-Fi, at the Airport or coffee shop, then maybe the Mac firewall would be a good idea.

--------

A VPN you install yourself does NOT add security. Instead, it sends all your network traffic to a third party site for data harvesting. Your encrypted web site connections USUALLY remain private, but which sites you chose and when do not. One VPN provider recently had to pay a large fine for data harvesting without users' consent.

[Institutional VPN allows you to be “present” on an Institutions Network. Its use is a different matter, and will be managed and supported by your Institution if required (without data harvesting) .]

third-party virus scanners:

MacOS shares a lot of the lock-down mechanisms developed for the iPhone. Applications are all sand-boxed with a list of the resources they require, and they cannot ask for anything outside their sandbox without crashing. Signed Applications are checked that they are from legitimate Developers, and Notarized Applications are delivered with the assurance that they have NOT been modified since their release by the Developer.

Recent versions of MacOS completely changed how you should think about malware.

From MacOS 10.15 Catalina onward, the system is on a Separate, crypto-locked System Volume, which is not writeable using ordinary means. Any unauthorized differences that appear to the crypto-locked volume are quickly detected and you are alerted.

So you could store just about every malware known to mankind on your Mac, and your Mac would not get infected spontaneously. Scanning for virus-like patterns might make you feel a little better now, but it is outdated nonsense.

Nothing can become Executable Unless/Until you supply your Admin password to "make it so".

Turn on the Mac firewall and get rid of BitDefender. The router security is up to you. Others provided far more extensive answers, but the simple answer is to use the Mac Firewall and get rid of any third party software that claims to offer you protection, as they will only cause you more problems by conflicting with the built in security already provided.

Excellent explanation, Tesserax!