
Firewall in Sequoia now a security risk

In MacOS Sequoia, if the firewall is set to "Block all incoming traffic" it also turns off the services.


My security concept was to use Cloudflared to provide secure access via Cloudflare's Zero Trust system. This worked in Sonoma because I could access the Screen Sharing service locally.


How this works is that Cloudflared is using an OUTGOING connection to connect to my private network. Once that is established, I could access the services on the Mac through the tunnel, but to the outside world, the computer was invisible as it doesn't respond to any requests. This now no longer works. I now have to enable external access to Screen Sharing for the Screen Sharing to work through the tunnel, something which I would consider a security risk.


Does anyone know a good tool to manually configure the MacOS firewall so that I can still block all connections but have the sharing services running for localhost access?

Mac mini

Posted on Nov 25, 2024 1:18 PM

Question marked as Top-ranking reply

Posted on Nov 25, 2024 1:39 PM

The application firewall doesn't do anything by default. Or at least, it didn't use to do anything. Now it breaks lots of 3rd party software in Sequoia, while otherwise not doing anything.


Now if you've configured the built-in firewall to actually block something, and some UI bug doesn't turn that off when you aren't looking, then it will do that. This is why I say the firewall doesn't do anything by default. If it's allowing connections, then it isn't doing anything.


Unless you have your Mac jacked right into a switch up on the internet, then you actually aren't on the internet. Your ISP router is on the internet. Your built-in firewall is protecting your Mac from your iPhone or maybe your printer. So just turn it off as it isn't needed. That will solve your problem.

10 replies

Nov 26, 2024 12:35 AM in response to etresoft

Thanks for your response. Since the Mac is hosted at the ISP and has a public IP address, I need the built-in firewall. There is an "external" firewall available but that doesn't screen the Mac from the other computers hosted there. Opening the Screen Share port on the local firewall makes it accessible to the other computers in the rack, so doing that will solve half the problem. I really want to lock it down so it is ONLY accessible via the Cloudflare Zero Trust tunnel. And I might add that this was possible in MacOS Sonoma.

Nov 26, 2024 12:50 AM in response to Oliver Breidenbach

I didn't realize you wanted to firewall from LAN too. Can't you put the Mac on a separate LAN from the other computers in the rack and then use the router's firewall? You've got a pretty special set of requirements and the Mac's firewall is a bit of a big-button feature phone when it comes to customization. Unless you're using the one provided by your ISP, most routers have pretty good firewalls and LAN management. Mine can block by IP range WAN to LAN, LAN to WAN and LAN to LAN and include specific websites. I think it can also block by application, but I've never used that.

Nov 26, 2024 2:13 AM in response to Zurarczurx

Thank you very much for taking the time to respond. I don't have control over how the computer is hosted in the rack as I'm using Oakhost. They have a pretty good firewall that is easy to set up and if that's all I get, it will work. I was hoping to be able to add another level of security by using the Mac's own firewall. But as I now dive into it, it seems that the Mac "firewall" isn't your typical IP firewall at all. Seems like the name is confusing.

Nov 26, 2024 3:27 AM in response to Zurarczurx

Thanks for the suggestion. I will look into it. It seems to be more concerned with apps creating outgoing connections than managing incoming connections.


I think I can make it work with the ISP's firewall. I'm just upset that the thing I spent hours to figure out and was quite happy to make work has now been made impossible by a change in MacOS that doesn't make sense. Then again I might have been wrong about what the Mac firewall does all along.

Nov 26, 2024 6:11 AM in response to Oliver Breidenbach

Oliver Breidenbach wrote:

Since the Mac is hosted at the ISP and has a public IP address, I need the built-in firewall. There is an "external" firewall available but that doesn't screen the Mac from the other computers hosted there. Opening the Screen Share port on the local firewall makes it accessible to the other computers in the rack, so doing that will solve half the problem. I really want to lock it down so it is ONLY accessible via the Cloudflare Zero Trust tunnel. And I might add that this was possible in MacOS Sonoma.

The Mac is a consumer device. It's not designed for that kind of use. I don't recommend trying to fix it with 3rd party consumer software either, because that also wasn't designed for that kind of use.


Turn off the built-in firewall. That's not what you want. Instead, do some research on the built-in packet filter system. Look at the "pfctl" and "pf.conf" man pages.


There were some really low-level networking changes in Sequoia. You'll have to do some testing and you can't rely on anything the internet says about it. None of that may be true for Sequoia.


And you should also consider not bothering. There are plenty of Mac hosting services and their default configurations allow external connections. The built-in services are secure with good passwords. Even if this is your own computer, you still have to treat it like a hosted system. If you try to secure it too much, you'll find yourself locked out and having to pay extra for someone at the data centre to fix it for you.
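The setup Oliver describes (cloudflared dials out, the Mac never has to listen publicly) and etresoft's pointer to pfctl/pf.conf, as an added example that is not code posted by anyone in this thread: a shell script that prints a pf ruleset which drops all inbound traffic on the public interface but leaves loopback unfiltered, so a cloudflared tunnel on the same Mac can still reach Screen Sharing on 127.0.0.1:5900, plus the matching cloudflared ingress config. The interface name en0, the admin network 203.0.113.0/24, the hostname vnc.example.com, the tunnel ID and the file paths are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Generates (1) a pf ruleset that drops every inbound packet on the public
# interface while leaving loopback alone, so cloudflared running on the same
# Mac can still reach Screen Sharing at 127.0.0.1:5900, and (2) the matching
# cloudflared ingress config. Interface, admin network, hostname, tunnel ID
# and paths are placeholders.

# pf_rules EXT_IF ADMIN_NET : print a pf ruleset for the given interface.
pf_rules() {
    ext_if="$1"
    admin_net="$2"
    cat <<EOF
ext_if = "$ext_if"
admin_net = "$admin_net"
set block-policy drop
# Leave lo0 unfiltered: local services stay reachable from local processes,
# which is all cloudflared needs. No rule opens Screen Sharing externally.
set skip on lo0
scrub in all
# Default deny for anything arriving on the public interface (v4 and v6).
block in log on \$ext_if all
# The Mac may still open connections outward (the cloudflared tunnel, DNS,
# software updates); replies come back in through the state table.
pass out on \$ext_if all keep state
# Break-glass SSH from the admin network only, so a bad rule does not end
# with a paid visit to the data centre.
pass in on \$ext_if proto tcp from \$admin_net to any port 22 flags S/SA keep state
EOF
}

# cloudflared_config HOSTNAME TUNNEL_ID : print the tunnel's ingress config.
# The tunnel publishes raw TCP to the local VNC port; Cloudflare Access
# policies decide who may connect to the hostname.
cloudflared_config() {
    cat <<EOF
tunnel: $2
credentials-file: /Users/admin/.cloudflared/$2.json
ingress:
  - hostname: $1
    service: tcp://127.0.0.1:5900
  - service: http_status:404
EOF
}

# pf_check EXT_IF ADMIN_NET : parse-only check with pfctl where it exists
# (needs root on macOS). Loads nothing.
pf_check() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping syntax check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    pf_rules "$1" "$2" >"$tmp"
    pfctl -n -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pf_install EXT_IF ADMIN_NET : write, check and activate the ruleset.
# This replaces the running ruleset, including Apple's own anchors from
# /etc/pf.conf, and does not persist across a reboot by itself.
pf_install() {
    rules=/etc/pf.anchors/com.example.lockdown   # placeholder path
    pf_rules "$1" "$2" | sudo tee "$rules" >/dev/null
    sudo pfctl -n -f "$rules" || return 1
    sudo pfctl -f "$rules" && sudo pfctl -e
}

# Dry run when executed directly: print both files and check the pf syntax.
if [ "${1:-}" = "--preview" ]; then
    pf_rules "${2:-en0}" "${3:-203.0.113.0/24}"
    echo '---'
    cloudflared_config vnc.example.com 00000000-0000-0000-0000-000000000000
    pf_check "${2:-en0}" "${3:-203.0.113.0/24}"
fi
```

Run `sh lockdown.sh --preview` to see what would be loaded; `pf_install en0 203.0.113.0/24` writes and enables it. On the client side, `cloudflared access tcp --hostname vnc.example.com --url 127.0.0.1:5901` opens a local listener, and Screen Sharing connects to vnc://127.0.0.1:5901; nothing on the rack LAN can reach port 5900 because pf never passes it in on en0. Two caveats from the thread apply: the application firewall's "Block all incoming connections" must stay off, otherwise Sequoia stops the sharing service regardless of pf, and the SSH break-glass rule should be verified from the admin network before relying on the ruleset. If the host uses IPv6, `block in` also drops neighbour discovery, so add a pass for ipv6-icmp before depending on v6 connectivity, and arrange for the rules to be reloaded at boot (for example from a LaunchDaemon) since `pfctl -e -f` alone is not persistent.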
