10 Replies Latest reply: Aug 19, 2012 10:30 AM by defilm
AndyTNZ Level 1 (0 points)

I've just bought an iMac with OSX Lion and noticed that by default the firewall is off.


I'm new to OSX (but not iPhones, iPads & iPods) and with a PC background I'm very nervous at not having a software firewall and anti-virus and anti-malware programmes running. I'm becoming "relaxed" on the latter two, but the OSX firewall still bothers me!


I've read a lot of threads on various support forums and there's mixed views, for and against, but can I ask here whether......


  1. I'm taking a real (as opposed to theoretical) risk if I leave the firewall off?
  2. there's a downside to having the firewall on - other than configuration?
  3. configuration of the firewall is problematical?


The iMac is hard wired to a netgear router via ethernet and I use the internet a lot.

iMac 27" : iPad : iPhone 4 : iPods
  • Tony T1 Level 6 (8,865 points)

    Turn it on

  • Barry Hemphill Level 8 (37,065 points)

    Hello Andy:


    Activate the built-in OS X firewall.  For some reason, the default is off.  There is no downside to activating the firewall.  As an aside, your router probably has a firewall as well - but that is no problem.


    anti-virus and anti-malware programmes running

    There are NO viruses that affect a Mac running OS X - NONE.  A/V software, at a minimum, wastes resources and frequently causes serious problems.



  • AndyTNZ Level 1 (0 points)

    Thanks guys ... on it is ..... and no AV or malware progs!


    Have you found configuring the OSX firewall to be straightforward or a problem?

  • Linc Davis Level 10 (177,855 points)

    There is no reason to activate the built-in firewall if you're behind an NAT router, which you are. It's disabled by default for good reason. All it can do is cause problems. It is not some sort of magical malware filter, as many people seem to imagine.


    The only practical use for the firewall is on a portable computer that is sometimes connected to a trusted network, where it provides services such as file sharing, and sometimes to an untrusted network such as a public Wi-Fi hotspot, where those services should not be accessible. When on an untrusted network you can activate the firewall instead of turning off the services individually. When back on the trusted network, you inactivate the firewall. Otherwise, leave it alone.

  • Linc Davis Level 10 (177,855 points)

    Have you found configuring the OSX firewall to be straightforward or a problem?


    Not a problem at all. Just turn it off.

  • Barry Hemphill Level 8 (37,065 points)

    Hello Andy:


    I do not argue with people - particularly ones who pontificate while giving bad advice.


    There is NO reason not to turn the built-in OS X firewall on.  It does not "cause problems" as asserted.


    Configuring it is quite simple - a couple of clicks.  In my own case, it is set to block all incoming connections...... the default, I believe, in OS X 10.7.



  • AndyTNZ Level 1 (0 points)

    Thanks Barry.


    Following your earlier posting I switched the firewall on and so far no problems. But I'll see how it goes ... and if there's problems I can always switch it off again.



  • Linc Davis Level 10 (177,855 points)

    If you're going to use the firewall, make sure you understand what it does and doesn't do. Then you can make an informed decision about whether and how to use it, rather than relying on others' opinions.


    The application firewall blocks incoming network connections, regardless of origin, on a per-application basis. Typically, it would be configured to allow only applications digitally signed by Apple to accept connections. It does not block outgoing connections by any application.


    So for example, suppose you enable file sharing, and allow access by guests to certain folders. You want people on your local network to be able to access those files without having to enter a password. When configured as stated above, the firewall will allow that. Your router will prevent outsiders from accessing the files, whether the application firewall is on or not. But if your computer is portable and you connect it to an untrusted network such as a public hotspot, the firewall will still allow access to anyone, which is presumably not what you want.


    Now suppose you inadvertently install a trojan that steals your data and uploads it to a remote server. The firewall will not block that outgoing connection, no matter how it's configured. It does nothing to protect you from that threat.


    Another scenario: Your web browser (e.g., Safari) is replaced by a trojan, unbeknownst to you. The trojan sends all your web traffic to a bogus server. The firewall does nothing to protect you from this threat.


    A final scenario: You're running a public web server. Your router forwards connections on port 80 to your Mac, and the connections are accepted by the built-in web server, which is signed by Apple. The application firewall, still configured as above, allows this to happen. Now you download a different trojan, one that tries to hijack port 80 and direct it to a different process on your Mac. The good news here is that the firewall does protect you; it blocks incoming connections to the trojan and alerts you. The bad news is that you've been rooted. The attacker who can do all this can just as easily disable the firewall, in which case it doesn't protect you after all.


    So try to come up with a use case in which you think the firewall would benefit you. If you can, then by all means use it. If you can't, then you're just taking the advice of self-appointed experts who might just as easily be giving you wrong advice.

  • sdevan Level 2 (465 points)

    Little Snitch allows you to allow outgoing traffic on a per-application basis if you want to. Its basic setting is to block all outgoing traffic unless you explicitly allow it.

  • defilm Level 1 (0 points)

    Be sure you are aware that at any time Apple can apply an update and screw up the firewall. This is not normally a problem for me as I am behind a SPI firewall, but in a hotel on Wi-Fi, I had a problem. Ran www.gmc.com Shields Up and found port 22 (SSHd), port 80 (HTTP) and 443 (HTTPS) wide open!


    I had to make sure there was no SSHd, nor apache, or other code running against 80/443. Note even in "Block all", it still left those ports open. Apple has never been good with security. As for viruses, the larger market share is indeed attracting more viruses. It is projected that many of the "upper middle, and wealthier class" use Macs. That makes it a nice target. The days of no virus software may be over soon. True hackers can easily write code for Linux, which is what your Mac is running if it is running Mac OS X...


    I always have the firewall on if I have no firewall in front of me. If I am in the office, I have it on, but select to allow some incoming connections (such as IM software calls internal to the company).

    Good luck.
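Both defilm's report of ports 22, 80 and 443 showing "open" and Linc Davis's point that the application firewall only governs incoming connections come down to one checkable question: does anything on this machine actually accept a TCP connection on a given port? The script below is an added example, not code from any post in this thread. It does what an external scanner such as ShieldsUp does, attempting a full TCP handshake to each port, and it separates three outcomes: open (a listener accepted the connection, so nothing in the path blocked it), closed (the host answered with a reset, so it is reachable but nothing is listening) and filtered (no answer before the timeout, which is what a firewall that silently drops the probe, such as the macOS firewall's stealth mode, produces). Run it from another machine on the same Wi-Fi to see the Mac the way a hotel neighbour does; run it on the Mac against 127.0.0.1 to learn whether a process is listening at all. Note that a web-based scanner reached through hotel Wi-Fi probes the hotel's public address, so what it reports may be the hotel's gateway rather than your Mac. The port list, the function names and the loopback self-test listener are my own choices for illustration.

```python
import socket
from contextlib import closing

# Constructed target list for illustration: the three ports defilm saw reported
# open (sshd, http, https). Any list of ports works.
DEFAULT_PORTS = (22, 80, 443)


def probe_port(host, port, timeout=1.0):
    """Attempt a full TCP handshake to host:port, as an external scanner would.

    Returns one of:
      "open"     - handshake completed: a process is listening and nothing in
                   the path (router or host firewall) dropped the SYN
      "closed"   - the host answered with RST: reachable, but no listener
      "filtered" - no answer before the timeout: something dropped the probe
                   (this is what a firewall in stealth mode looks like)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # e.g. host unreachable or network down: indistinguishable from a
            # dropped probe from the scanner's point of view
            return "filtered"


def scan(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Map each port to its probe result."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Only the ports that accept connections: the ones to go and account for."""
    results = scan(host, ports, timeout)
    return sorted(p for p, state in results.items() if state == "open")


def start_throwaway_listener(host="127.0.0.1"):
    """Bind and listen on an OS-chosen loopback port, standing in for sshd/httpd.

    The kernel completes handshakes into the backlog without accept(), so no
    thread is needed. Returns (socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a loopback port that is (almost certainly) not listening right now."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Self-contained check against loopback: one listening port, one not.

    Returns the two probe results; expected ("open", "closed").
    """
    srv, listening = start_throwaway_listener()
    try:
        open_state = probe_port("127.0.0.1", listening)
    finally:
        srv.close()
    closed_state = probe_port("127.0.0.1", free_port())
    return open_state, closed_state


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan(target).items():
        print(f"{target}:{port} {state}")
    print("loopback self-test (expect open, closed):", demo())
```

A port that shows "open" from a neighbour on the same network is exactly the case Linc Davis describes for a portable Mac on a hotspot: a listening, allowed application, with no router in between to hide it. A port that is "open" from loopback but "filtered" from the neighbour is what a working host firewall looks like from outside.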