Personal firewall software for the Mac OS

This document provides a list of selected personal firewall software products for the Mac OS. These products can protect your computer from many types of network attacks initiated from other computers.

This document also briefly describes two types of hardware-based products - hardware routers and firewall appliances - which can serve as alternative methods for protecting Macintoshes on home networks.

Finally, this document provides links to selected Web-based resources which can help you learn how to configure and use firewall products (both software and hardware) with your Macintosh.


About personal firewall software

By blocking selected types of network connections to your computer, personal firewall software can protect your Macintosh against many types of attacks coming from other computers on the Internet. Most such software is pre-configured to block incoming connections initiated from other computers to all - or nearly all - of the "network ports" on your Macintosh.

(With some third party firewall products for Mac OS X, as well as with the built-in firewall software introduced with Mac OS X 10.5 Leopard, personal firewall software can block others from connecting over the Internet to specific application programs running on your computer that may be "listening" for such connections. Depending on the product, this capability is provided in addition to, or instead of, the ability to block connections to specific network ports on your Macintosh.)

Firewall software can typically also be configured to block certain types of outgoing connections, such as those initiated by viruses, worms, or trojans that have made their way onto your computer. Treat outbound blocking as a safety net rather than a guarantee: malicious software that has already gained administrator privileges on your computer can often change or disable the firewall's rules.

Certain firewall software products offer additional configuration options and features. Some common examples include:

Personal (or "host-based") firewall software runs directly on your Macintosh and is generally intended to protect just your own computer. This is in contrast with firewalls that your organization may be running elsewhere on your network, which can protect multiple computers. These two types of firewalls are often complementary; each may be able to prevent certain types of attacks that the other cannot.

Combining your firewall with other security measures

A firewall is only one piece of the security puzzle, as it can protect your computer against only certain types of attacks.

A firewall should never be your computer's only protection. You should always combine a well-configured firewall with up-to-date anti-virus software and good system administration practices, such as:

In combination, security measures such as these can help keep your computer from being taken over by an intruder via the Internet, and can help protect your data from being destroyed, altered, or exposed.

For excellent, in-depth guides which cover many techniques for securing Macintoshes running Mac OS X from attack, please see Stephen de Vries' white papers at Corsaire's website, or Apple Inc.'s Mac OS X Security Guides.

An alternative for home use: hardware routers or firewall appliances

If you have a Macintosh at home with an always-on, high-speed (DSL, cable modem ...) connection to the Internet, you can also block many types of network attacks in another way: by purchasing a hardware router and placing it between your Macintosh and the DSL or cable modem which connects your computer to the Internet.

The primary purpose of these devices is to allow you to share a high-speed Internet connection among multiple computers on your home network. However, adding a hardware router can be useful even if you have only a single computer at home. That's because nearly all of these devices include Network Address Translation (NAT) functionality: the router has no mapping for connections that other computers initiate from the Internet, so it drops them, which offers protection roughly comparable to that of personal firewall software, at least against direct attacks over the Internet initiated by other computers against your computer. Keep in mind that NAT is not a firewall in the strict sense: any port forwarding you set up (or that an application sets up through UPnP, if the router permits it) opens a path through it, and NAT does nothing about outgoing connections.

The Firewall Guide provides links to reviews of many popular hardware routers. When choosing a hardware router, keep in mind that some routers require that you use a PC running Microsoft Windows, rather than a Macintosh, when changing their settings or updating their on-board software ("firmware"). To identify which routers provide full support for Macintoshes, you can check vendor Web sites, search for online product reviews, or contact vendors' customer support staff.

If you should need even greater control over what network traffic goes into and out of your home Macintosh and other computers on your home network, another type of hardware device called a firewall appliance might be worth investigating. Firewall appliances typically include all of the features of hardware routers, and add a highly configurable firewall. Some of these products also come with such features as virus scanning and Internet content filtering. However, firewall appliances also may be considerably more expensive and potentially more complicated to set up than hardware routers, and are often oriented toward business use, rather than personal use. The Talisker Firewalls website offers a list of some firewall appliances aimed at small offices and home offices (abbreviated on that page as "SOHO").

Whether you are using a hardware router or a firewall appliance to connect your home network to the Internet, it is important that you change the default administration password - the password provided by the manufacturer, which is in effect when you first take the device out of the box - to a strong password of your own choosing. "Proof of concept" code already exists showing that a web page carrying a malicious script can log in to your home router or firewall (a cross-site request forgery against the device's web administration interface) if that device is still using the manufacturer's default password. Having done so, a miscreant can redirect your web browsing to fake websites in order to steal your passwords and identification numbers. For the same reason, disable administration of the device from the Internet (WAN) side if it offers that option, so that the administration interface is reachable only from your home network.

Finally, you may wish to run personal firewall software on each of your home computers, even in conjunction with a hardware router or firewall appliance. That way, if an intruder breaks into one of the computers on your home network and thus establishes a presence behind your hardware router or firewall appliance, the other computers on your home network will still be protected by their personal firewall software.

Hardware routers and firewall appliances are suggested here only for home use, and should never be used on the UC Berkeley campus network.

Personal firewall software products for Mac OS X

(Listed alphabetically, except for Apple's products which are listed first. All prices below are as of late May 2002, in USD, except as noted otherwise.)

Name & vendor Notes
Application Firewall
Apple Inc.
ipfw
Apple Inc.
Flying Buttress (formerly BrickHouse)
Brian Hill
  • Shareware ($25). Can be fully evaluated for a limited period of time at no cost.
  • Application for configuring Apple's integral Mac OS X firewall. Offers a broad set of configuration and logging options, going well beyond Apple's interface.
  • Version 1.3 requires Mac OS X 10.3 ("Panther") or later. Earlier versions work with Mac OS X 10.1 and 10.2 ("Jaguar").
DoorStop X Firewall
OpenDoor Networks
  • Commercial ($49 retail price).
  • Firewall application which features an easy to use configuration interface, while allowing you to restrict access to services based on IP address ranges and adding enhanced logging, features which are not (yet) present in Apple's interface to its integral Mac OS X firewall.
  • Requires Mac OS X 10.3 ("Panther") or Mac OS X 10.4 ("Tiger").
Firewalk X
Pliris (Mike Vannorsdel)
  • Shareware ($34.99, as of late October 2003). Downloadable version for evaluation can be used for up to two hours after each system reboot.
  • Starting with version 2.x, now includes its own firewall.
  • Version 1.x of FireWalk X was an application for configuring Apple's integral ipfw firewall. Version 1.4.2 is still available for downloading from the vendor's website.
  • The current version 2 release requires Mac OS X 10.2 ("Jaguar") or Mac OS X 10.3 ("Panther"). An earlier release of version 2 works with Mac OS X 10.1.
Impasse
Glucose Development Corporation
  • Note: this product no longer appears to be supported, although it is still available for downloading from major Macintosh download sites.
  • Shareware ($10). Can be fully evaluated for a limited period of time at no cost.
  • System preference panel for configuring Apple's integral ipfw firewall.
  • Works with Mac OS X 10.1 and 10.2 ("Jaguar").
IPNetSentryX
Sustainable Softworks
  • Commercial ($40 retail price).
  • A faceless background application which "watches for suspicious behavior, and when triggered, invokes a ... filter which completely bans the potential intruder from your Macintosh." Comes with a set of pre-configured triggers, to which users can add custom triggers.
InterGate
Vicomsoft
  • Commercial ($99 for a five-user license, as of late October 2003).
  • Software Internet gateway (router) product which includes a network firewall.
Little Snitch
Objective Development
  • Shareware ($24.95). Demo version can be used for up to three hours at a time.
  • An "application supervisor" which monitors outgoing network connections. When an application tries to access the network, displays a dialog permitting the user to allow or deny the connection and asks whether to set up a permanent or temporary access rule for future connections of that type. Rules can also be edited via a System Preferences panel.
  • Requires Mac OS X 10.2 ("Jaguar"), 10.3 ("Panther"), or 10.4 ("Tiger").
NetBarrier X4
Intego
  • Commercial ($69.95 retail price). Also sold in various bundles with other Intego products as Intego Security Barrier.
  • Includes additional features: "Antivandal" (e.g. detecting incorrect access passwords and protecting against denial of service attacks), "Internet Filter" (scanning outbound packets for personal data such as credit card numbers and passwords), and "Internet Privacy" (controlling cookies and ad banners, protecting against hostile Java applets and browser plug-ins).
  • Works with Mac OS X 10.1, 10.2 ("Jaguar"), 10.3 ("Panther"), and 10.4 ("Tiger").
NoobProof
Hany El Imam
  • Freeware, open source.
  • Simplified version of the author's WaterRoof utility (below) for basic configuration of ipfw, Apple's integral Mac OS X firewall.
  • Requires Mac OS X 10.4 Tiger or later.
Norton Personal Firewall for Macintosh
Symantec Corporation
  • Commercial ($69.95 retail price).
  • Application for configuring Apple's integral ipfw firewall and extending the feature set of that firewall through kernel extensions. Can be purchased by itself or in a bundle with several other products, including Norton AntiVirus, in Symantec's Norton Internet Security for Macintosh product ($99.95 retail price).
  • An earlier version, version 2.x, came bundled with OpenDoor Networks' "Who's There? Firewall Advisor" product.
  • Works with Mac OS X 10.1, 10.2 ("Jaguar"), and 10.3 ("Panther"). Via an update to version 3.0.3 or later, this product is also compatible with Mac OS X 10.4 ("Tiger").
sunShield
sunProtectingFactory (formerly sunBurst)
  • Freeware.
  • System preference panel for configuring Apple's integral ipfw firewall. Works with Mac OS X 10.1, 10.2 ("Jaguar"), and 10.3 ("Panther"). As of September 2005, a beta version had been released for compatibility with Mac OS X 10.4 ("Tiger").
WaterRoof
Hany El Imam
  • Freeware, open source.
  • Application for configuring ipfw, Apple's integral Mac OS X firewall. Offers a set of configuration and logging options that go well beyond Apple's interface.
  • Requires Mac OS X 10.4 Tiger or later.
Who's There? Firewall Advisor for Mac OS X
OpenDoor Networks
  • Commercial ($49 retail price).
  • Not a firewall or firewall configuration utility. Rather, this product is a "firewall advisor," providing tools for analyzing and responding to the network attacks detected by a firewall.
  • Works with Open Door's DoorStop X, Symantec's Norton Personal Firewall for Macintosh, BrickHouse, "and any other firewall that uses Mac OS X's built-in firewall logging capabilities."
  • Came bundled with version 2.x of Norton Personal Firewall.
  • Requires Mac OS X 10.2.8 or later.
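Most of the Mac OS X products above are front ends for Apple's integral ipfw firewall, and what they ultimately write is a list of ipfw rules. The script below is an added example, not code from this page or from any of the products listed. It generates a ruleset of the kind those front ends produce: loopback left alone, spoofed loopback addresses dropped and logged, outbound TCP and UDP allowed with only their replies admitted back (ipfw's dynamic "keep-state" rules), explicit inbound allows for the services you name, and a final log-and-deny for everything else inbound. It assumes Apple's ipfw binary at /sbin/ipfw (Mac OS X 10.4 and 10.5) and root privileges to apply the rules; the rule numbers and the "proto:port" service syntax are my own choices. Note that rules added this way do not survive a reboot, and that Apple's Sharing preference pane and the third-party tools above each write their own rules, so use one mechanism at a time.

```shell
#!/bin/sh
# Generate (and optionally apply) a default-deny inbound ipfw ruleset for Mac OS X.
# Added example; not the code of any product on this page. Assumes Apple's ipfw
# binary at /sbin/ipfw and root privileges to apply rules. ipfw evaluates rules in
# ascending number order and the first match wins, so the ordering below matters;
# the numbers themselves are an arbitrary choice. "deny log" entries only reach
# syslog when the sysctl net.inet.ip.fw.verbose is 1 (Apple's preference pane sets
# it when you turn logging on).

IPFW=${IPFW:-/sbin/ipfw}

# validate_service "proto:port" -> 0 if proto is tcp or udp and port is 1..65535
validate_service() {
    case $1 in
        tcp:*|udp:*) ;;
        *) return 1 ;;
    esac
    port=${1#*:}
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# build_ruleset "tcp:22 udp:5353 ..." -> prints the ipfw commands, one per line.
# Returns 1 and prints nothing if any entry is malformed, so a typo can neither
# open an unintended port nor leave the host without the final deny rule.
build_ruleset() {
    for svc in $1; do
        validate_service "$svc" || { echo "build_ruleset: bad service entry '$svc'" >&2; return 1; }
    done
    # 100: loopback unfiltered. 110/120: packets claiming 127/8 on a real interface
    # are spoofed; drop and log them. 200-220: let our own TCP/UDP out and admit
    # only the replies, via dynamic rules. 230: the ICMP types needed for ping
    # replies, unreachables and traceroute/path-MTU discovery to work.
    cat <<EOF
$IPFW -f flush
$IPFW add 100 allow ip from any to any via lo0
$IPFW add 110 deny log ip from any to 127.0.0.0/8
$IPFW add 120 deny log ip from 127.0.0.0/8 to any in
$IPFW add 200 check-state
$IPFW add 210 allow tcp from any to any out keep-state
$IPFW add 220 allow udp from any to any out keep-state
$IPFW add 230 allow icmp from any to any in icmptypes 0,3,11
EOF
    # 1000+: one explicit inbound allow per service you asked for ("me" = any
    # address of this host).
    n=1000
    for svc in $1; do
        echo "$IPFW add $n allow ${svc%%:*} from any to me ${svc#*:} in"
        n=$((n + 10))
    done
    # 5000: everything else arriving from the network is logged and dropped.
    # 65000: what remains is outbound (or locally generated) traffic; allow it.
    cat <<EOF
$IPFW add 5000 deny log ip from any to any in
$IPFW add 65000 allow ip from any to any
EOF
}

# Usage:  sh firewall.sh tcp:22 udp:5353            (just print the rules)
#         sudo sh firewall.sh --apply tcp:22 udp:5353 (load them into the kernel)
if [ "${1:-}" = "--apply" ]; then
    shift
    build_ruleset "$*" | sh
elif [ $# -gt 0 ]; then
    build_ruleset "$*"
fi
```

Print the ruleset first and read it before applying it: the one rule you cannot afford to get wrong is the "allow ... in" for the service you are using to reach the machine, since rule 5000 will cut off an SSH session to a host that lacks it.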

Personal firewall software products for Mac OS 8 & 9

(Listed alphabetically. All prices below are as of late May 2002, in USD, except as noted otherwise.)

Name & vendor Notes
DoorStop Server Edition
OpenDoor Networks
InterGate
Vicomsoft
  • Commercial ($99 for a five-user license, as of late October 2003).
  • Software Internet gateway (router) product which includes a network firewall. The Mac OS 8 & 9 version of this software does not contain all of the features of the Mac OS X version. (See also "SurfDoubler.")
IPNetSentry
Sustainable Softworks
  • Commercial ($35 retail price).
  • A faceless background application which "watches for suspicious behavior, and when triggered, invokes a ... filter which completely bans the potential intruder from your Macintosh." Comes with a set of pre-configured triggers, to which users can add custom triggers.
NetBarrier
Intego
  • Commercial ($59.95 retail price).
  • Also can be purchased bundled with several other products in Intego's Internet Security Barrier product ($89.95 retail price).
  • Includes additional features: "Antivandal" (e.g. detecting incorrect access passwords and protecting against denial of service attacks), "Internet Filter" (scanning outbound packets for personal data such as credit card numbers and passwords), and "Internet Privacy" (controlling cookies and ad banners, protecting against hostile Java applets and browser plug-ins).
Norton Personal Firewall for Macintosh
Symantec Corporation
  • Commercial ($69.95 retail price).
  • Also can be purchased bundled with several other products, including Norton AntiVirus, in Symantec's Norton Internet Security for Macintosh product ($99.95 retail price).
  • Version 2.x comes bundled with OpenDoor Networks' "Who's There? Firewall Advisor" product.
SurfDoubler
Vicomsoft
  • Commercial ($54.99 retail price).
  • Software Internet gateway product which includes a network firewall. A simplified version of "Internet Gateway," supporting 1-3 users.
Who's There? Firewall Advisor
OpenDoor Networks
  • Commercial ($39 retail price).
  • Not a firewall or firewall configuration utility. Rather, this product is a "firewall advisor," providing tools for analyzing and responding to the network attacks detected by a firewall.
  • Bundled with version 2.x of Norton Personal Firewall.
  • Works with Open Door's DoorStop, Symantec's Norton Personal Firewall for Macintosh, and Sustainable Softworks' IPNetSentry.

Recommended readings

Recommended books and articles for learning about personal firewall products, including how to configure and use them on your Macintosh:

Alan B. Oppenheimer and Charles H. Whitaker, Internet Security for Your Macintosh: A Guide for the Rest of Us
Second edition (2005-6), available electronically from Open Door Networks
First edition (2001), available as a printed book published by Peachpit Press
Find copies of this book for sale online via Best Book Buys or BookFinder.com (ISBN 0-201-74969-6)

Major portions of this highly-recommended book discuss personal firewall products, both generally and in the context of the Mac OS.

Robin D. H. Walker, Cable Modem Troubleshooting Tips: Firewall Security
Common-sense tips on using and configuring personal firewall software, both generally and specifically with several operating systems, including the Classic Mac OS (but not Mac OS X). This advice is oriented toward home users of cable modem Internet access services, and is part of a larger guide for customers of such services.

Robert Graham's FAQ: Firewall Forensics (What am I seeing?)
Provides details that can be helpful when interpreting the access log entries generated by your personal firewall software or firewall appliance. These log entries identify when and how other computers have tried to access your computer over the Internet.
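The raw log a firewall produces is one line per dropped packet, which is hard to read directly; the first step in the kind of interpretation Graham's FAQ describes is to count who is knocking on which port. The following is an added example, not from this page or from the FAQ: a POSIX sh/awk function that summarizes the inbound "Deny" entries in an ipfw log (Mac OS X writes these to /var/log/ipfw.log when logging is enabled) by protocol, destination port and source address. The sample lines are constructed in ipfw's log format (rule number, action, protocol, source, destination, direction, interface) using RFC 5737 documentation addresses; the host name "mac" and the rule numbers are invented.

```shell
#!/bin/sh
# Summarize inbound "Deny" entries from an ipfw log. Added example, not from the
# page or from Graham's FAQ; the sample lines below are constructed.

# summarize_denies: reads ipfw log lines on stdin and prints
#   "<hits> <proto> <dstport> <srcaddr>", most-hit first.
# Outbound denies and Accept entries are skipped: the question a firewall log
# answers best is who is probing which of your ports from where.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            sub(/.*ipfw: /, "")     # drop the syslog prefix; the fields are now
                                    # rule action proto src dst dir "via" iface
            if ($6 != "in") next
            split($4, s, ":")       # src is addr:port for TCP/UDP, a bare addr for ICMP
            split($5, d, ":")       # dst likewise
            port = (d[2] == "") ? "-" : d[2]
            hits[$3 " " port " " s[1]]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Constructed sample log: three SSH probes from one host, two UDP 1434 (MS-SQL
# monitor) hits from another, one ICMP echo request, plus an outbound deny and
# an Accept entry that the summary must ignore.
sample_log() {
    cat <<'EOF'
Jul  2 10:11:12 mac ipfw: 5000 Deny TCP 203.0.113.5:43210 192.0.2.10:22 in via en0
Jul  2 10:11:13 mac ipfw: 5000 Deny TCP 203.0.113.5:43211 192.0.2.10:22 in via en0
Jul  2 10:11:15 mac ipfw: 5000 Deny TCP 203.0.113.5:43212 192.0.2.10:22 in via en0
Jul  2 10:12:01 mac ipfw: 5000 Deny UDP 198.51.100.7:1434 192.0.2.10:1434 in via en0
Jul  2 10:12:02 mac ipfw: 5000 Deny UDP 198.51.100.7:1434 192.0.2.10:1434 in via en0
Jul  2 10:12:05 mac ipfw: 5000 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via en0
Jul  2 10:13:00 mac ipfw: 5100 Deny TCP 192.0.2.10:50012 203.0.113.99:6667 out via en0
Jul  2 10:13:30 mac ipfw: 1000 Accept TCP 192.0.2.20:50000 192.0.2.10:22 in via en0
EOF
}

# Usage:  summarize_denies < /var/log/ipfw.log
# or, to see the sample:  sample_log | summarize_denies
# which yields:
#   3 TCP 22 203.0.113.5
#   2 UDP 1434 198.51.100.7
#   1 ICMP:8.0 - 198.51.100.9
```

A few SSH attempts from one address over several seconds is the ordinary background noise of an always-on connection and needs no response beyond confirming that the port is closed; the same address hitting many different ports, or a port that should be closed appearing under "Accept", is what deserves a closer look.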

Recommended introductory articles for learning about what firewalls can do - and can't do - as well as how they work:

Uzi Paz's Personal Firewalls - What They Can, and What They Cannot Do - A Non Technical Overview
Colloquially describes the major capabilities and limitations of personal firewall software, as well as debunking some "false statements you might have seen" - in the author's view, at least - about these products.

Lisa Yeo's Choosing a Personal Firewall
Despite its title, this article is primarily an introduction to some of the key technical features of personal firewall software and how these features are implemented. If you've wondered what such firewall-related terms as "Network Address Translation (NAT)," "stateful inspection of network packets," or "signature-based intrusion detection" mean, this article is a fine place to start learning. The article is apparently a sample chapter of Ms. Yeo's book, Personal Firewalls for Administrators and Remote Users.

Port lists

The following lists identify some of the network ports on your Macintosh that your firewall might selectively need to open (unblock) so that particular network services you use will work properly:

Apple Inc.'s "Well Known" TCP and UDP Ports Used By Apple Software Products
Identifies which network ports are used by the Mac OS and other Apple-provided applications and services.

Open Door Networks' DoorStop Port List
Seeks to be "as complete a list as possible of port numbers used by Macintosh applications." Includes links to the original vendor technotes for many of these applications.

Practically Networked's Special Application Port List
A list of ports used by special applications, such as messaging and conferencing products, peer-to-peer network applications for sharing audio and video, and multiplayer games. Also included is detailed information about how to use this port list, although some of the instructions provided are oriented toward configuring hardware routers, rather than personal firewall software. Certain of these special applications require you to open large ranges of ports, thus opening up sizeable holes in your firewall which can leave your Macintosh more vulnerable to network attacks.

NCSA's Kerberos and SSH through Firewalls and NATs
Advice on establishing secure connections through a firewall to other computers using SSH and Kerberos, including lists of the ports used by these protocols.

Robert Graham's FAQ: Firewall Forensics (What am I seeing?)
Question 1 of this Frequently Asked Questions document, "What does destination port number ZZZZ mean?", provides links to six lists of network ports, including IANA's (below). Some of these lists include descriptions of known "exploits" (attacks) which use various port numbers.

IANA's Port Numbers list
An extensive list of network ports used by many different types of computer systems, from the organization which registers port assignments.

Last updated by Aron Roberts on 2008-07-02.
