MacOS – How to block all ports except 443 on macOS Catalina

Tags: catalina, firewall, macos, Network

I realize this will break a lot of built in functionality on macOS as it ships, but for test reasons I want to temporarily block all tcp inbound / outbound ports on macOS Catalina except 443.

How can I do this in a way that's somewhat easy to toggle on/off once it's set up?

Best Answer

Apple's application firewall is designed to have many exceptions to work with its services so the system prefs will take a lot of clicks. I will suggest a more command-line way to accomplish this large change in port access for the built-in pf firewall (no need for extra software).

Here is a simple rule set that will block all traffic except for ports 80 and 443 (http and https). I don't advise saving it in your /etc/pf.conf in case things go sideways - a simple reboot (if you have pf set to load at boot) will fix things. I used the filename ~/pf_rules01.conf, you can call it what you like.

Create the rule file

# Set the interface to be used
if="en0"

# Set http (80) & https (443) ports
web_ports = "{ 80 443 }"

# Options ("set ...") must come before any block/pass rules,
# otherwise pfctl rejects the file as out of order.
# Skip the loopback interface
set skip on lo

# Default Deny Policy
block all

# Pass in/out only web traffic
pass in quick on $if proto tcp to any port $web_ports keep state
pass out quick on $if proto tcp to any port $web_ports keep state


Test the file

Before you enable the new rule set (keep in mind that you specifically asked for all protocols to be blocked except 443), you can check for syntax errors with the command:

$ sudo pfctl -n -f /path/to/rulefile
  • The -n tells pfctl to just parse the rules
  • The -f specifies what file to load; the default is /etc/pf.conf


Enable pf

If all is good, enable the rule set with the -e flag

$ sudo pfctl -e -f /path/to/rulefile

Testing...

From another machine, issue the command telnet <machinename || IPaddress> 80 of the host running your web server. If everything works, you'll receive something similar to the following:

Trying 192.168.1.123...
Connected to testmachine.home.
Escape character is '^]'.

Success! You can also try pointing your browser to the address and if you get a response from the server, it works.


Caveats

  1. This blocks all traffic with the exception of 80 and 443 (http and https). If you are SSHing into this box, you will lose your connection because it's not passing SSH (port 22) in or out (maybe pass 22 as well?).

  2. en0 is my network adapter (wired). Yours may be different. To get a listing of your network interfaces, use the ifconfig command. They are usually at the top of the output starting with en0, en1 etc.

  3. This was tested on a FreeBSD server running dhttpd (not Apache). You can't test unless you have something listening and responding on the ports you're interested in.

    I typically don't run any sort of web server on my Mac, but in VMs for the sake of portability, security, and stability. However, pf is based on BSD and the rules and commands are identical.

  4. If you want to turn this off just issue the command sudo pfctl -d and it will disable the pf firewall.
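The question asks for something easy to toggle on and off. Below is an added example (not part of the answer above, and not Apple's or pf's own tooling) that wraps the steps of the answer in a small POSIX shell script: it generates the rule file for a given interface and port list, checks it with pfctl -n, enables it with pfctl -e, and disables it with pfctl -d. Assumptions are labelled in the comments: the rules file path is taken from PF_RULES (default ~/pf_rules01.conf), the interface is passed in (en0 in the answer), and DRY_RUN=1 prints the pfctl commands instead of running them so the generator can be exercised without root or without pf present.

```shell
#!/bin/sh
# Added example: generate a pf rule set and toggle it on/off.
# Assumption: rules file path from $PF_RULES (default ~/pf_rules01.conf, as in the answer).
# Assumption: pfctl is on PATH and sudo is available when DRY_RUN is not 1.
set -u

PF_RULES="${PF_RULES:-${HOME:-/tmp}/pf_rules01.conf}"
DRY_RUN="${DRY_RUN:-0}"

# gen_rules IFACE PORT [PORT...]
# Prints a rule set equivalent to the one in the answer for the given interface
# and TCP ports. Ports are validated as digits only. Note the ordering: pf
# requires "set" options before block/pass filter rules, or pfctl -n fails.
gen_rules() {
    iface="$1"; shift
    ports=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        ports="${ports:+$ports }$p"
    done
    [ -n "$ports" ] || { echo "gen_rules: no ports given" >&2; return 1; }
    cat <<EOF
# Interface to filter on
if="$iface"
# Allowed TCP ports
web_ports="{ $ports }"

# Options first: don't filter loopback
set skip on lo

# Default deny
block all

# Allow only the listed TCP ports, in and out, with state tracking
pass in quick on \$if proto tcp to any port \$web_ports keep state
pass out quick on \$if proto tcp to any port \$web_ports keep state
EOF
}

# run_pfctl ARGS...  Runs pfctl via sudo, or just echoes the command when DRY_RUN=1.
run_pfctl() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sudo pfctl $*"
    else
        sudo pfctl "$@"
    fi
}

# pf_toggle on|off|check
#   on    - parse the rule file (-n), then enable pf with it (-e -f)
#   off   - disable pf entirely (-d), as the answer's caveat 4 describes
#   check - parse only, no change to the running firewall
pf_toggle() {
    case "$1" in
        on)    run_pfctl -n -f "$PF_RULES" && run_pfctl -e -f "$PF_RULES" ;;
        off)   run_pfctl -d ;;
        check) run_pfctl -n -f "$PF_RULES" ;;
        *)     echo "usage: pf_toggle on|off|check" >&2; return 2 ;;
    esac
}

# Demo: write a rule file for en0 allowing only 443 (the question's case) and
# show the commands that would enable it. Run as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    gen_rules en0 443 > "$PF_RULES"
    DRY_RUN=1 pf_toggle on
fi
```

To actually apply it, source the script in a shell, run gen_rules en0 443 > ~/pf_rules01.conf, then pf_toggle check followed by pf_toggle on; pf_toggle off restores normal networking. The ordering comment in the generated file is the one detail that most often trips people up when hand-editing pf rules, so the generator always emits the set line before the block line.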