macOS Sequoia firewall preventing local LAN connections

I recently upgraded my desktop and laptop to macOS 15.2 Sequoia. I develop several websites and run local web servers on different ports on each machine. I used to be able to connect from one machine to the web service on the other across the local LAN, but since the upgrade to Sequoia, I cannot connect to some services. It looks to me like there's some firewall change that's blocking access from other devices on the LAN. I looked at and adjusted the ApplicationFirewall/socketfilterfw settings, and they show my application allowing incoming connections. How can I enable access between my devices on the local LAN?


Here are more specifics.

I run a web service inside a Docker container that binds to port 80 and another as part of a Python script that binds to port 8888. Both those applications show up in the socketfilterfw output:


% sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
Password:
Total number of apps = 25 
1 : /Applications/UniFi.app/Contents/PlugIns/jre1.8.0_131.jre/Contents/Home/jre/bin/java 
             (Allow incoming connections)
...
15 : org.python.python 
             (Allow incoming connections)
...
23 : com.docker.docker 
             (Allow incoming connections)
...
27 : /usr/local/bin/python3 
             (Allow incoming connections)
28 : /usr/local/Cellar/python@3.13/3.13.0_1/Frameworks/Python.framework/Versions/3.13/bin/python3.13 
             (Allow incoming connections)


Note that there are 3 entries for Python where they were granted network access using different names/paths. When I use the curl command line tool to test the web services, I can get the web page using "localhost" and 127.0.0.1 for the host. When the URL passed to curl has the IP address for my desktop, curl cannot connect to the server (which I used to be able to do). By contrast, when I use the IP address and try to connect to the webserver running in the Docker container on port 80, the connection works. Here are some tests that I ran:


% curl localhost:8888 | tail -3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12129  100 12129    0     0  5154k      0 --:--:-- --:--:-- --:--:-- 5922k
  <script>display_choice('Home')</script>
</body>
</html>
% curl 127.0.0.1:8888 | tail -3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12129  100 12129    0     0  5994k      0 --:--:-- --:--:-- --:--:-- 11.5M
  <script>display_choice('Home')</script>
</body>
</html>
% curl ${myIP}:8888 | tail -3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Failed to connect to 192.168.0.107 port 8888 after 2 ms: Couldn't connect to server
% curl ${myIP}:80 | tail -3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    52  100    52    0     0   4336      0 --:--:-- --:--:-- --:--:--  4727
The provided host name is not valid for this server.%


The last line of that transcript where it says "The provided host name is not valid for this server" is the actual webserver response (the server running in Docker on port 80 expects the HTTP-Host to contain a host name and not a numeric IP address like 192.168.0.107). I can also connect to the web service running in the Docker container from other hosts like the laptop running on my LAN.


I want the web server running in Python on port 8888 to process requests from other hosts on my LAN. What needs to be changed to allow that?

iMac 24″, macOS 15.2

Posted on Jan 20, 2025 11:06 PM

4 replies

Feb 2, 2025 3:12 PM in response to JMCanning

In Sequoia (macOS 15), under Privacy and Security > Local Network, “Allow applications to find and communicate with devices on the local network” now requires permission to communicate with devices on the local network. I don't think this feature is working very well; sometimes it works and sometimes it doesn't.


When an application that is essentially a network access application is launched, it will now say, “com.*****.***.*** would like to find devices on your local networks. This will allow the app to discover, connect to, and collect data from devices on your…” However, in some cases, the pop-up does not open and the application stops working for no apparent reason.


Please check Privacy and Security > Local Network. If an application (one that communicates with devices on the network) gives you a message that it is not connected to Wi-Fi or cannot find the device, then the device may not be communicating with the device. I'm sorry if this is an off-the-beaten-path comment.




Jan 21, 2025 3:50 PM in response to JMCanning

Are these Macs exposed to the actual public Internet (highly unlikely)? Or are you on a trusted LAN behind a gateway/router/NAT network firewall? If the latter, it's hardly worth even enabling the Application Firewall.


The Application Firewall is not a great firewall, compared to other more capable firewall solutions. There is a BSD Packet Filter firewall built into the Darwin Mach kernel that is normally turned off. There is no GUI for it. There is the 3rd party Murus app that provides a decent GUI to generate the configuration files. You can deploy the config without the Murus app. You only need Murus to create the firewall rules. It is far more capable than the Application socket filter firewall. But there isn't much documentation other than BSD UNIX, and the Apple implementation is not entirely the same. 3rd party firewalls like Little Snitch are pretty good as well.


However, there is a new network layer in town, known as a zero-trust mesh virtual private network. I propose that you take a look at Tailscale.com. It is free for 3 users and up to 300 devices. I am certain it will solve all your needs succinctly and far more securely than any firewall solution. You install Tailscale on each device / server / container and then you can establish very secure encrypted network connections on the LAN or WAN. Meaning you could run a cloud hosted server and access it securely over the tailnet while not making it publicly accessible. Or run a web app on your computer but access it remotely with your smartphone or another computer on the LAN, without worrying about it being insecure. You can definitely direct traffic to network ports temporarily or permanently. It has a large number of features and it's the easiest solution I've seen. You can be up and running in minutes and after only 30 min have a good handle on how to accomplish what you are trying to accomplish. Their documentation is excellent. It works on just about every OS platform. Even if you can't install Tailscale on a device you can still use Tailscale to funnel traffic to an IP & network port. It supports tagging and ACL security permissions for tailnet users. There isn't much that isn't supported with Tailscale. Their Reddit r/tailscale community is very helpful, with even employees contributing to the community. When you exceed the free limits the cost is not bad at all. It's ideal for small to medium businesses that cannot afford the enterprise class equivalents.


The only downside to Tailscale is if your employer is running an enterprise version of the same technology. The big one being known as Zscaler. In that case, they will effectively block Tailscale and other 3rd party similar mesh network layers for obvious reasons.






Feb 22, 2025 12:11 PM in response to JMCanning

Thanks, James and tack789 for your responses.

It is definitely the ApplicationFirewall/socketfilterfw that is blocking the traffic. I confirmed this by turning it off using the command:


sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off


Of course, turning it completely off is not ideal because firewalls are, in general, useful in preventing unauthorized activity. I note that signed applications downloaded from the internet can be trusted automatically. You can see that by running:


sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
Automatically allow built-in signed software ENABLED.
Automatically allow downloaded signed software ENABLED.


But for code I'm developing and for tools like apache httpd that one might compile using homebrew or other tools, you have to declare them to the firewall and (maybe) unblock them with commands like:


sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/opt/apache2/bin/httpd
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/opt/apache2/bin/httpd


In the System Settings > Privacy & Security > Local Network GUI, I would expect to see the command line changes reflected in the state of the GUI, but they were not. I had to use the command line tool's --getglobalstate and --listapps options to see the current settings. That is not as "transparent" as most macOS utilities are.

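The original question shows three separate Python entries in the `--listapps` output and a server that answers on localhost but not on the LAN address; the reply above then registers and unblocks the binary by path. The Application Firewall keys its entries on the executable that actually runs, so a symlinked `/usr/local/bin/python3` that resolves to a Cellar path can be a different entry from the one you granted. The following script is an added example, not code from the thread or from Apple: it resolves the real executable, checks which address the listener is bound to (a server bound only to 127.0.0.1 is unreachable from the LAN no matter what the firewall says), parses `--listapps` output for that exact path, and applies the `--add` / `--unblockapp` steps from the reply only when needed. The function names and the sample `--listapps` text are constructed for this example; the `socketfilterfw` options used (`--getglobalstate`, `--listapps`, `--add`, `--unblockapp`, `--getappblocked`) are the tool's own.

```sh
#!/bin/sh
# Added diagnostic helper for the macOS Application Firewall (socketfilterfw).
# Assumptions: the CLI lives at the path used in the thread; the executable name
# and port are passed on the command line; SAMPLE_LISTAPPS below is constructed.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# fw_status_for APP  reads `socketfilterfw --listapps` output on stdin.
# Exit code: 0 = listed and allowed, 1 = listed but blocked, 2 = not listed.
fw_status_for() {
    awk -v app="$1" '
        # An entry starts with "<n> : <name or path>"; its state is on the next line.
        $1 ~ /^[0-9]+$/ && $2 == ":" {
            name = $0; sub(/^[0-9]+ : /, "", name); sub(/[ \t]+$/, "", name)
            current = (name == app); next
        }
        current && /Allow incoming connections/ { found = 1; exit }
        current && /Block incoming connections/ { found = 2; exit }
        END { if (found == 1) exit 0; if (found == 2) exit 1; exit 2 }
    '
}

# real_exe NAME  prints the fully resolved executable path. This is the path the
# firewall matches on, which may differ from the symlink you launched.
real_exe() {
    exe=$(command -v "$1" 2>/dev/null) || exe="$1"
    if command -v realpath >/dev/null 2>&1; then realpath "$exe"; else readlink -f "$exe"; fi
}

# listener_addr PORT  prints the bind address of the TCP listener on PORT
# ("*" means all interfaces; "127.0.0.1" means loopback only, i.e. not LAN-reachable).
listener_addr() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { sub(/:[0-9]+$/, "", $9); print $9 }'
}

# fw_allow PATH  applies the steps from the reply to the resolved path and shows the result.
fw_allow() {
    sudo "$FW" --add "$1"
    sudo "$FW" --unblockapp "$1"
    sudo "$FW" --getappblocked "$1"
}

# diagnose EXE PORT  runs the checks in order; the firewall CLI is only invoked if present.
diagnose() {
    exe=$(real_exe "$1")
    echo "resolved executable: $exe"
    addr=$(listener_addr "$2")
    echo "port $2 listener address: ${addr:-none found}"
    [ -x "$FW" ] || { echo "socketfilterfw not present on this host"; return 0; }
    sudo "$FW" --getglobalstate
    if sudo "$FW" --listapps | fw_status_for "$exe"; then
        echo "$exe is listed and allowed"
    else
        echo "$exe is missing or blocked; registering and unblocking it"
        fw_allow "$exe"
    fi
}

# Constructed sample in the shape of the --listapps output quoted in the question.
SAMPLE_LISTAPPS='Total number of apps = 3
1 : org.python.python 
             (Allow incoming connections)
2 : /usr/local/bin/python3 
             (Allow incoming connections)
3 : /usr/local/opt/apache2/bin/httpd 
             (Block incoming connections)'

# Usage: sh fwcheck.sh python3 8888
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it with the interpreter name and port your server uses; the printed "resolved executable" line is the path to compare against the `--listapps` entries, and a listener address of 127.0.0.1 means the fix is in the server's bind address rather than the firewall.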

Feb 22, 2025 12:25 PM in response to JMCanning

Or just forgo the awful Application Firewall and use the BSD Packet Filter firewall instead. It's built into the Darwin macOS kernel. It is a true firewall, unlike the Application Firewall. Same thing as pfSense / OPNsense firewalls. You can use the 3rd party Murus app to create configurations for the PF firewall. We only licensed Murus for a few engineers because you don't need to deploy Murus to the fleet, just the firewall configuration files.


Enterprises use the PF firewall and CrowdStrike has integration to configure its rules. The built-in Application Firewall is not very good and not nearly as secure. IMHO, if you are looking for a traditional fully functional firewall then you should be looking at PF and not the Application Firewall.
