Help with Firewall Settings macOS 15.5

Hi everyone!


I just realised the firewall on my Mac was disabled, which, apparently, is the default setting. I find that quite strange. Anyway, I thought it best to enable it, and when I did, there were several items in the list allowing incoming connections. Does anyone know what they are and if they're supposed to be allowing incoming connections?


Thanks.


Posted on Jul 24, 2025 1:44 PM


Jul 24, 2025 4:33 PM in response to amd1

I occasionally connect to public WiFi, but when I do, I always enable a VPN.


I would ask what you are expecting that VPN to accomplish also.


I understand your concerns, but device security is a broad concept that simply cannot be relegated to a setting or even some third-party software product including those VPNs that have been enjoying recent success during the inevitable demise of the smarmy "anti-virus" industry.


Effective defenses against malware and other threats - Apple Community describes the principles that have served me well for years, whether using Macs in my office or while traveling, even in public "open" Wi-Fi networks.


Assuming you are using the portable Mac away from your studio, in a coffee shop perhaps, for email, messages, browsing, etc., then concerns such as connecting to other devices on your network, printing, or whatever music production hardware you typically use are not likely to be involved. They will not be affected by merely turning on that main "Block all..." switch because (I assume) you're not using those other network devices in a coffee shop.


But I don't even bother in those circumstances, because basic Internet connections are already encrypted, "firewall" or not. Safari already includes robust anti-tracking prevention and other privacy-enhancing features. So does Apple's iMessage service. We could go on. That's what Apple does. They think about these things.


Don't concern yourself with the other settings. As it states, "... except those required for basic internet services", connections (ports) will remain open as usual. It is not likely that you will encounter the inconveniences closing the other ports will impose, if that's all you are doing in those environments.


As for VPNs, read: Don't use VPN services. If you don't want to read the whole thing the bottom line is that they do not and cannot convey the benefits their marketing campaigns have led people to believe. Arguably, they diminish security instead of enhancing it. Don't believe the hype.

Jul 24, 2025 2:59 PM in response to amd1

If you don't know what the macOS firewall is for, then leave it off — its default setting.


Hint: there is no fire and there is no wall. Now tell me its purpose.


If yours is a desktop Mac that does not routinely connect to potentially hostile networks, and if you don't routinely let strangers you don't trust on that network, and if that network is under your sole control, then it serves no practical purpose. Leave it off. On the other hand if you have a portable Mac that routinely connects to open / "guest" networks, or those over which you have no control, and potentially bad actors with a lot of time on their hands also use that network, then there may be circumstances in which its use is justified.

Jul 31, 2025 11:30 AM in response to amd1

amd1 wrote:

Thanks again John Galt and MrHoffman for your replies. I'm glad I asked my original firewall question, as I've learned a lot of other important stuff too.

Going back to my original question for a moment; you've all recommended leaving the firewall off except for users who know what they're doing. I'm wondering if there's any harm in having it on? Can it cause problems of any sort for the average user?


Because the default settings work fine for most people, because most networks already have firewalls, and because low-level network changes can be difficult to diagnose and troubleshoot and resolve.


Having supported some folks that had proclivities involving poking at unknown buttons, and around adding security and adding security apps, they become immensely difficult to support, when — when, not if — things broke.


I’d suggest learning more about IP networking and routing, about ICMP traffic and related networking, about subnets, about VPNs, about the unwisdom of hidden SSIDs, using and detecting and ignoring port scans, and other related topics. About having backups, and the ability to revert to an earlier and stable configuration. Build a foundation.


As you add to your foundation, maybe add some canaries and detection capabilities, maybe a security review, maybe an equipment inventory including system or firmware revisions, unexpected device detection, detection for indications of data egress, and adding deeper or offsite backups as appropriate.


Also recognize that adversaries can choose what is the easiest path for them, not necessarily the path we might prefer. That might include exploiting a down-revision or unsupported network printer and “re-deploying” it as a hostile network probe, for instance. Which has ~nothing to do with the Mac firewall.


But this is your Mac. This is your firewall. Have at.


You'll learn a whole lot, but you’ll learn a whole lot.


Or you’ll learn a whole lot, ask for help, and get a polite suggestion to wipe and reinstall, and stop poking.

Jul 24, 2025 5:17 PM in response to amd1

amd1 wrote:

Thank you both for your replies. The Mac is mainly used for music production at home. When I use it for internet, I normally use my iPhone’s hotspot. I occasionally connect to public WiFi, but when I do, I always enable a VPN.

Should I still leave it off in those cases?


For some of the various VPNs around, that’s very considerate of you, sharing all that personally-identified metadata with the VPN provider, and quite possibly also sharing your own Internet connection with other users, and also providing an easy path for remote entities to directly access the exposed services of your macOS system via the VPN. All that for negligible added security, and added connection overhead.

Jul 27, 2025 9:01 AM in response to amd1

For a work environment, a VPN is being used for its actual purpose. And that's to encrypt all data between yourself and other work related devices. It's a tunnel controlled by your employer with no one else in between.


When you're using a VPN in general, you're actually making yourself less secure. All of your data is fed through the servers of the VPN's provider. They can do whatever they want with that data. Which is typically to sell it. On top of that, all data between the VPN's server to the site you're visiting and back is in the clear, as if you weren't using a VPN at all. It has to be, or the site you're viewing would just get a load of encrypted data it can't do anything with.


Many of these junk VPN vendors also make your internet use slower. They set up the servers to make money off of their users. They don't care if their hardware or their own connection speeds can't keep up with the traffic going through them.

Jul 27, 2025 11:53 AM in response to amd1

amd1 wrote:

Thanks for your reply @MrHoffman.

I'm used to using VPNs at work because they're mandatory on the company devices, which are Windows and Android.


Which would be typical for connecting into a private network, along with added authentication for the connection.


There are additional steps commonly happening to better secure internal networks against malware and miscreants arriving via VPN connections, too. VPNs are not a panacea. VPNs also work both ways, with already-encrypted connections from the VPN client to the VPN server, and encrypted connections can pass from the VPN server to the VPN client.


Are you suggesting that VPNs are not necessary in my situation with my Mac, or in any situations with any devices?


You’re already running end-to-end VPNs on your connections, which means adding the commercial “coffee shop” VPNs adds extra overhead and variously with negligible added security.


The design of the “coffee shop” VPNs does make collecting your personally-identified metadata vastly easier, however.


If you want privacy, iCloud+ Private Relay with ODoH provides better privacy. “Coffee shop” VPNs are perfect for collecting that metadata, and personally-identified and collated.


Security apps that are heavily hyped are too often problematic. In practical terms, various of the advertised add-on security apps are getting harder to distinguish from malware with an installer and an end-user licensing agreement.


Outside of geo-shifting for web server testing or for content delivery network testing or other such, I’d avoid “coffee shop” VPNs. And if I needed that for testing, I’d look to run my own servers. Why? Some of the VPNs can share your ISP connection with other VPN users, and because some of the VPN vendors sure look sketchy. Sketchy? Some of the “no logging” VPN server providers were caught a while back, when the “non-existent” logs were found on the open Internet.


If it’s a security app and it’s getting hyped, again, best assume it’s exceedingly privacy-intrusive and quite possibly malware-adjacent, if not actually malware, until proven otherwise.

Jul 27, 2025 1:43 PM in response to MrHoffman

You’re already running end-to-end VPNs on your connections, which means adding the commercial “coffee shop” VPNs adds extra overhead and variously with negligible added security.

I don't understand when you say I'm already running VPNs and then adding the commercial one? I just have one VPN on my Mac. The other VPN I was referring to was the one the company have installed on our company devices.


Regarding iCloud Private Relay, I've read in several places that it doesn't provide high levels of privacy - that it's only useful for basic privacy.

Jul 27, 2025 1:45 PM in response to amd1

If you're not using a VPN for its real purpose of a direct tunnel for a business/school server or similar, it's junk. The sole purpose for free, and even paid VPNs outside of the above usage is to collect your data and sell it.


Public VPNs are anything but private.


It's the same reason Google pushes the snot out of Chrome. It exists, far more than for any other reason, to collect your personal and internet usage as sellable market data. When you install Chrome, it also installs two startup agents. One does nothing but check for updates. The other gathers data on you and uploads it to Google. All without your knowledge or permission. And since it loads at startup, this agent is active the entire time your Mac is on, whether Chrome itself is running or not.

Jul 27, 2025 2:31 PM in response to amd1

amd1 wrote:

You’re already running end-to-end VPNs on your connections, which means adding the commercial “coffee shop” VPNs adds extra overhead and variously with negligible added security.

I don't understand when you say I'm already running VPNs and then adding the commercial one?


The “coffee shop” VPN services are adding a second and problematic encrypted connection around an existing and end-to-end encrypted connection.


That is, an encrypted connection from your local client to your connection destination gets wrapped into a second encrypted connection that terminates at an intermediate server at the “coffee shop” VPN provider.


Other “coffee shop” VPN users may well also have their connections end at your own ISP connection, too.


I just have one VPN on my Mac. The other VPN I was referring to was the one the company have installed on our company devices.


I am here differentiating “coffee shop” VPNs from the private VPNs commonly used to access private networks.


My replies here are about “coffee shop” VPNs unless otherwise referenced; about the “privacy” or “security” services that are getting hyped and hyped for good reason. Good reason for those hyping the “coffee shop” VPN services, that is.


Regarding iCloud Private Relay, I've read in several places that it doesn't provide high levels of privacy - that it's only useful for basic privacy.


Private Relay keeps those with access into the network connection — the coffee shop, the ISP, the server at the connection destination — from knowing the details of both ends of the already-encrypted connection.


With Private Relay, nobody else knows about both ends of the already-encrypted connection.


Does Private Relay and ODoH provide the same results as Tor or I2P privacy? No. If you think you need Tor or I2P, then you probably don’t want to be running a “coffee shop” VPN, either. And you will also want to review your entire approach to security and privacy as, for instance, Tor and I2P traffic can itself be detected.


The “coffee shop” VPNs badly solve a problem that hasn’t existed for a decade or more (insecure and cleartext connections), but badly solve it in a way perfect for personally-identified metadata collection.


As for “basic privacy”: if you’re somehow of interest to a national security entity or to any entity with pervasive internet network access, you’re going to want to learn more. And anyone with concerns about “basic privacy” while also running a “coffee shop” VPN will definitely want to learn more.


But this is your gear, use whatever apps and services you want.

Jul 28, 2025 2:29 AM in response to MrHoffman

Kurt Lang and MrHoffman thanks again for your replies.


I think what's confusing me is that if connections are already encrypted, then why are VPNs necessary at all - at home or at the office? The answer is probably in some of the links you shared earlier, which I will definitely read as soon as I get a chance. I'd love to learn more about how all of this works, so at the very least, I can make some informed choices in the future.


BTW, just looked up 'ODoH', as I'd not come across that term before - fascinating. I have a lot to learn! ☺️

Jul 28, 2025 4:28 AM in response to amd1

amd1 wrote:

Kurt Lang and MrHoffman thanks again for your replies.

I think what's confusing me is that if connections are already encrypted, then why are VPNs necessary at all - at home or at the office?

Don’t conflate the two products as one and the same. The “home” VPN is just a scam to collect all of your web habits into one nice package so they can sell it. An office VPN allows specific users to enter the company network remotely. The VPN is not there to keep people out; they have other devices for that. The VPN is used to allow certain people into the network. As others have noted, you already have that other device to keep people out of your network: your NAT router.

“What if I am on a public network,” you may ask. If you do not have any sharing services enabled then there is no way into your Mac. If you need sharing services enabled, using the firewall to turn them all off while you’re on a public network may be easier than going through and disabling each one individually.


You can tell those VPNs are just a scam by how they advertise using fear, uncertainty, and doubt to convince you that you need their services. A firewall is a network management tool, not a security feature. The only reason people conflate a firewall with some sort of Internet security is Microsoft used it to blame its users for its leaky, insecure operating system. “Oh I’m sorry you were hacked, but I see you didn’t have your firewall on, so that’s your fault.”
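The firewall list from the original question, the "Block all incoming connections" switch, and the point above about sharing services can all be checked from a terminal rather than guessed at. The script below is an added example, not code from any poster in this thread. The `socketfilterfw` options (`--getglobalstate`, `--getblockall`, `--listapps`) and the `lsof -nP -iTCP -sTCP:LISTEN` invocation are real macOS commands; the sample `lsof` output, the process names and ports in it, and the helper function names are constructed for illustration and are not taken from the thread.

```shell
#!/bin/sh
# Added example: inspect the macOS application firewall and compare it with
# what is actually listening for incoming connections on this Mac.
# socketfilterfw is the command-line side of System Settings > Network > Firewall.
# If a query is refused, re-run with sudo (assumption: some builds require it).

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Report the firewall state, the "Block all incoming connections" switch, and the
# per-app allow/block list (the "several items" from the question).
firewall_status() {
    if [ -x "$FW" ]; then
        "$FW" --getglobalstate
        "$FW" --getblockall
        "$FW" --listapps
    else
        echo "socketfilterfw not found (not macOS?)" >&2
        return 1
    fi
}

# Reduce lsof listening-socket output (header + one line per socket) to
# "process port scope", where scope is "network" for sockets bound to any
# address (reachable from the coffee-shop Wi-Fi) and "loopback" for sockets
# bound to 127.0.0.1 / [::1] (only reachable from this Mac itself).
summarize_listeners() {
    awk 'NR > 1 && index($9, ":") > 0 {
        n = split($9, a, ":")                       # NAME column is addr:port
        port = a[n]
        addr = substr($9, 1, length($9) - length(port) - 1)
        scope = (addr == "*" || addr == "0.0.0.0" || addr == "[::]") ? "network" : "loopback"
        print $1, port, scope
    }' | sort -u
}

# Only the network-scoped sockets matter for the "no way into your Mac" claim:
# these are the sharing services a hostile network could reach.
network_exposed() {
    summarize_listeners | awk '$3 == "network" { print $1 ":" $2 }'
}

# Live view on a Mac (or any system with lsof); silently skipped elsewhere.
live_listeners() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not available" >&2; return 1; }
    lsof -nP -iTCP -sTCP:LISTEN | summarize_listeners
}

# Constructed sample in lsof's format (not captured from a real machine):
# a Continuity daemon and an AirPlay receiver bound to every interface, and a
# print daemon bound to loopback only.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    512 amd1    5u  IPv4 0x1a      0t0  TCP *:49152 (LISTEN)
cupsd       310 root    7u  IPv6 0x1b      0t0  TCP [::1]:631 (LISTEN)
cupsd       310 root    8u  IPv4 0x1c      0t0  TCP 127.0.0.1:631 (LISTEN)
ControlCe  1201 amd1   12u  IPv4 0x1d      0t0  TCP *:7000 (LISTEN)'

echo "== Listening sockets in the constructed sample (process port scope) =="
printf '%s\n' "$SAMPLE_LSOF" | summarize_listeners
echo "== Reachable from the network in the sample =="
printf '%s\n' "$SAMPLE_LSOF" | network_exposed
echo "== Live firewall state (macOS only) =="
firewall_status || true
echo "== Live listening sockets =="
live_listeners || true
```

Read the two live sections together: a process that is listed as listening on a network-scoped address and is also allowed in `--listapps` output is reachable on any network the Mac joins, while enabling "Block all incoming connections" (`--getblockall`) closes those in one step, as the post above describes, without touching loopback-only services such as the print daemon in the sample.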
