
Port forwarding

I added a Port Forwarding Rule to my ISP's router. I used portchecktool and it indicates the port is set up correctly but cannot communicate with my iMac, "Connection refused". How do I allow for the connection to communicate with my computer? Is there a specific port I should set up with my ISP?

iMac 27″ 5K, macOS 11.4

Posted on Dec 22, 2022 6:39 PM

Question marked as Top-ranking reply

Posted on Dec 23, 2022 11:33 AM

Message/Post - 01.


(Part-1)

Port-Forwarding functionality will work after you also set/assign/allot a fixed/same IP address to the computer to which you are trying to forward the port.

So, allow your DHCP service inside the router to reserve & allot a fixed/same IP address for your specific computer only, for example: 192.168.1.101, and then specify the network MAC address of the network adapter used by that computer.


(here, the word "MAC" does not mean Apple's Mac).

Change Hardware settings in Network preferences on Mac - Apple Support (CA)


So you will also need to know that computer's network MAC (hardware) address for the Ethernet port, if you use a wired connection with your router.

Or, you will need to know the WiFi network adapter's MAC address if you connect to the router via WiFi.

Your router will detect the MAC address & assign a fixed IP address for it, and the port forwarding functionality will forward the port traffic/packets from the WAN-side IP address, by using NAT/PAT translation mechanisms, etc., into the router's LAN side, into your computer's fixed IP address.



For example:

if you want to run your own web server, then in the router you will need to forward TCP ports 80 & 443 into a local (LAN) computer that has the server apps/services running (such as: Apache httpd, nginx, etc.), to respond to the queries coming from the internet into port 80 or 443.

if you want to run your own NAME SERVER for your own Domain Name (website), then in the router you will need to forward UDP port 53 and TCP port 53 into a local (LAN) computer that has the DNS server apps/services running (such as: BIND, unbound, etc.), to respond to the queries coming from the internet into port 53.

Every server/daemon app/program/service has 1 or 2 specific ports that it needs; their manual / developer docs will show that info. Such a daemon/server app listens for queries coming from the internet on those specific port(s), then responds back via other ports.

Normal communication apps/programs/services will connect with an outside/external server on the internet run by whoever made the communication app/program/service, so that is why your computer does not need to give/allow it incoming connection permission.

But if you are running your own communication server app/service, then you will need to permit/allow it, so that other users can connect to it.




(Part-2)

Change Firewall preferences on Mac - Apple Support (CA)

Go to your Mac computer > go to System Preferences > Security & Privacy > click on the LOCK symbol to allow saving new changes > you should keep Firewall: On > Firewall Options... >

if "Block all incoming connections" is selected, then your Mac computer's macOS firewall will drop/cancel all network/data packets coming into your Mac computer via that forwarded port.

So unselect the "Block all incoming connections" option... once you do this, you will see a list box appear under that line. Here you add/remove the software/app/service(s) that will use incoming network data packets.

Here you have to click on "+" and browse/find and add the app that you will use for the forwarded port which you've set up in the router.

After adding the app/service, select whether you want to allow incoming connections or block incoming connections.

For your case, you must allow incoming connections.

Often you will receive a notice from macOS that this app/service or that app/service is trying to get/take incoming connections; obviously you will have to apply your knowledge & experience of Apple macOS app/service names, app/service functionality, app/service purpose, etc., and then you can take the decision to allow or block the incoming connection.

Set up file sharing on Mac - Apple Support (CA)

Share your printer on Mac - Apple Support (CA)

(after you follow each of those steps, go back to "List of apps/services for incoming connections" & see which new services/apps are permitted, or see what permission was changed).



By the way, for more safety & security, keep Firewall settings like this:

Block connections to your Mac with a firewall - Apple Support (CA)

• Do Not Select the "Automatically allow built-in software to receive incoming connections".

... this selection choice allows you to stop incoming connections into various system apps without your fully aware consent & active step; this selection choice allows you to decide & manually add an app in "List of apps/services for incoming connections" when you need to do that.

• Do Not Select the "Automatically allow downloaded signed software to receive incoming connections".

... this selection choice allows you to stop incoming connections into various downloaded apps, coming from their devs/manufacturers or from hackers who got hold of those remote access mechanisms. This selection choice allows you to decide & manually add an app in "List of apps/services for incoming connections" when you need to do that.


... see next msg/post ...
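An added diagnostic, not from the thread or from Apple, that works through the reply's checklist from the Mac's side: it reads `lsof` listener lines and the application firewall's block-all state and reports which of the usual reasons for "Connection refused" applies (nothing listening, listening on loopback only, or "Block all incoming connections" on). The functions `listener_state`, `blockall_state`, `diagnose` and the sample command output are all constructed for this example.

```shell
# Added example, not from the thread: classify why a port the router forwards
# correctly can still answer "Connection refused" on the Mac. Sample texts are
# constructed to resemble `lsof -nP -iTCP -sTCP:LISTEN` and
# `socketfilterfw --getblockall` output; the live commands are at the bottom.

# listener_state PORT  (reads lsof LISTEN lines on stdin), prints one of:
#   none     - no process listens on PORT (the kernel answers with a reset)
#   loopback - a process listens, but only on 127.0.0.1 / ::1, so packets the
#              router forwards to the LAN address are refused as well
#   all      - a process listens on PORT on a wildcard or non-loopback address
listener_state() {
    awk -v port="$1" '
        $1 == "COMMAND" { next }                 # skip the lsof header line
        {
            name = $9                            # e.g. 127.0.0.1:8080 or *:80
            n = split(name, parts, ":")
            if (parts[n] != port) next           # a different port, ignore
            sub(":" port "$", "", name)          # keep only the address part
            if (name == "127.0.0.1" || name == "[::1]" || name == "localhost") lo = 1; else any = 1
        }
        END { print (any ? "all" : (lo ? "loopback" : "none")) }'
}

# blockall_state  (reads `socketfilterfw --getblockall` output on stdin)
# prints "blocking" when "Block all incoming connections" is on, else "open"
blockall_state() {
    if grep -qi 'enabled'; then echo blocking; else echo open; fi
}

# diagnose PORT LSOF_TEXT BLOCKALL_TEXT - print a one-line verdict
diagnose() {
    port=$1
    state=$(printf '%s\n' "$2" | listener_state "$port")
    fw=$(printf '%s\n' "$3" | blockall_state)
    case "$state" in
        none)     echo "nothing listens on TCP $port: start the server first" ;;
        loopback) echo "TCP $port is bound to loopback only: bind the server to the LAN address or 0.0.0.0" ;;
        *)        if [ "$fw" = blocking ]; then
                      echo "listener ok, but 'Block all incoming connections' is on: turn it off and allow the app"
                  else
                      echo "listener and firewall look fine: re-check that the router forwards to this Mac's reserved LAN address"
                  fi ;;
    esac
}

# Constructed sample output (not captured from a real machine).
SAMPLE_LSOF='COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python3 4242 tim   3u IPv4 0xabc      0t0  TCP 127.0.0.1:8080 (LISTEN)
httpd    512 root  4u IPv6 0xdef      0t0  TCP *:80 (LISTEN)'
SAMPLE_FW_OPEN='Block all DISABLED!'
SAMPLE_FW_BLOCK='Block all ENABLED!'
diagnose 8080 "$SAMPLE_LSOF" "$SAMPLE_FW_OPEN"
# Live check on the Mac (as root, so lsof sees every process):
#   diagnose 8080 "$(lsof -nP -iTCP -sTCP:LISTEN)" \
#       "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall)"
```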

8 replies
Dec 23, 2022 11:33 AM in response to Tim Holovacs
Dec 23, 2022 11:36 AM in response to Tim Holovacs

Message/Post - 02:


... pls see previous message/post ...


• Select the "Enable stealth mode".

Use stealth mode to keep your Mac more secure - Apple Support (CA)



macOS does not have an interface/options to completely configure the built-in pf firewall.

But we, advanced users, need that.

Windows OS has such an option, and firewall settings can be done easily, making the computer & resources & life more secure.

Without anti-malware, without a full firewall, and without secure settings... by default, no smart person should assume/claim things are just automatically safe & secure.



Dec 23, 2022 12:12 PM in response to Tim Holovacs

Message/Post - 03:


... see earlier msg/post ...


Network port numbers that are below port 1024 are often reserved for business / commercial services; many residential internet service providers (ISPs) will not allow incoming traffic into those ports which are below 1024.

Some residential ISPs allow incoming traffic into most ports that are below port 1024, except port 25, which is used for SMTP, to send/receive email from one email server to another email server.

So even if you/we set up Port-Forwarding & other settings correctly in the router, computer, etc...

... it will still NOT WORK, as the current ISP subscription may be blocking it.

So, you will have to call the ISP & take their business category internet service/subscription; that category allows all incoming ports (but still make a request, initially, to open up port 25, if you want to run your own email server).

And to use port 25 for email services, other settings are also needed, so you would need to see more details here: Looking for advice on Mail Provider servi… - Apple Community.

But if you don't need to open up port 25 (SMTP), set up rDNS, etc.... then just obtain a business category subscription to allow all incoming ports, OR just request the ISP to allow certain incoming port traffic, and see if they are willing to do that for you or not in the residential category.

There are some internet or Dynamic-DNS service providers who can accept the incoming port(s) traffic on your behalf in their server/device & then forward it into a different port number that is higher than port 1024, so that it can come into a residential-connection-based IP address. This solution is not secure, as it goes through another controller, but it is convenient for some users who are changing their IP address often.


Dec 23, 2022 5:09 PM in response to Tim Holovacs

Yes, as Barney-15E also pointed out,

businesses that have people's/users' financial data, health-care data, etc., require following extra HIGH security safety & protections, precautions, etc., and multi-layer based.

BUT, there are business categories, sub-categories... variations, etc., etc.

HIPAA does not apply to all healthcare businesses/entities.

If your business practice would need to access patients' private+confidential data, then your business will need to do+take extra security steps that are HIPAA compliant. In such a case do hire professional network security engineer(s) with HIPAA, etc. compliance experience.

Otherwise (when your business practice will not need access into patients' private+confidential health record data, etc.), then your business will not need to create a very secure solution, but more than average security is a must, at least.

Let us assume that your special business/commercial type use-case / practice will need to access patients' private+confidential info, etc. records;

then your business-side computer network devices, modem device, router devices, network switches, firewall devices, servers, DB server(s), sub-router devices, backup devices, etc., etc., need to use very secure configurations, to stop all unauthorized access.

Generally, some put a WiFi router after a modem or some use a modem that also has a built-in router, etc.... such devices cannot be used.


Modem > router (non-wifi) > firewall > server(s): wire-level-encryption > sub-router (with WiFi) for office/business use.
                                                                        > data-backup.
                                                                        > UPS.
                                     > and sub-router (with WiFi) for User general use.
...


Various designs are possible to make a system HIPAA, etc. compliant.

See these pages: HIPAA-Security (Compliancy-Group), HIPAA (WP), to get a sense of what you will be required to do.


In summary:

Your business type must obtain a "Business" category ISP subscription/line.

All data storage drive volumes must be encrypted; this slows down various things, but SECURITY has a higher PRIORITY than slowness.

And your business type will need to have data backup, also in encrypted form.

Often, your business type may end up migrating data from a lower-size volume into a higher-size volume as your data usage requirements grow, as the patient list will grow over time.

Your business type will have to keep some patients' data available, for many years, and in very secure form.

Any & all types of data access, access time/moment, accessing person's/entity's info, must be recorded/logged, for a very, very long time. Such a person's identity must be verified, but how exactly is up to the business, as various ways exist.

And some entities' access has to be re-verified again periodically.

All data access must be done over encrypted pages or encrypted channels or encrypted mediums, etc.

Various settings/configurations must be printed out on paper (not with visible passwords).

Passwords, access-key ID info, etc. can be printed out separately, and MUST BE kept in a Disaster-Recovery location (such as: bank vault, etc.), and even any access or inquiry into the DR location/vault must also be notified over email, letter, etc. to multiple persons.

Various network & computer setups require a business/entity to use two locations' network resources, to be compliant with various network security standards, so you will need to consider such solutions as well. (Use two trustworthy business partners' locations as your business security solution, one that is compliant with various network security STANDARDS & also HIPAA standards.)

Your business type will have to choose software, solutions, etc. that have the highest SECURITY track records, no or the lowest vulnerabilities, etc.; it does not have to be the fastest.

If you load weak software or solutions, then that can be used against you as your negligence toward HIPAA-related responsibilities, etc., etc.



You must check more info on HIPAA for individuals: https://www.hhs.gov/hipaa/for-individuals/index.html

or, you must check more info on HIPAA for professionals: https://www.hhs.gov/hipaa/for-professionals/index.html

