Department of Defense
High Performance Computing Modernization Program

The Application Firewall in Apple macOS (all versions) and OS X (versions 10.5 Leopard through 10.11 El Capitan) is Internet Protocol (IP)-agnostic. It requires no configuration changes to support IP version 6 (IPv6), and filtering rules apply equally to IPv4 and IPv6. It is turned off by default. This Application Firewall is based on the TrustedBSD MAC Firewall in FreeBSD. This article describes how to turn it on and configure it. The port-oriented Application Firewall found in OS X (versions 10.2 Jaguar through 10.4.4 Tiger) was also IP-agnostic and turned off by default. This article describes how to turn it on and configure it. The Application Firewall was originally called the Application Layer (or Level) Firewall, or ALF.

Although the Application Firewall user interface only supports filtering of incoming packets, the underlying packet filter can be configured to filter outgoing packets. It can also be configured to enable IP-specific filtering.

Historically, the ipfw packet filter (and its replacement ipfw2 introduced in OS X 10.4 Tiger and also called ipfw) had been part of OS X since before it was OS X. ipfw is the same packet filter used by many Linux distributions and had its origins in FreeBSD. ipfw was deprecated in OS X 10.7 Lion and removed in OS X 10.10 Yosemite.

Then, the pf packet filter was introduced in OS X 10.7 Lion, updated in OS X 10.8 Mountain Lion and remained part of OS X versions 10.9 Mavericks through 10.11 El Capitan. pf is the same packet filter used by many Linux distributions and had its origins in OpenBSD. The use of pf is described in this article. The OpenBSD pf is documented in more detail here. pf is controlled by the pfctl command. The use of pf and pfctl is described in this article. The OpenBSD pfctl is documented in more detail here. [Apple no longer maintains man pages for software in macOS or OS X on their website.]

macOS (all versions) includes that same pf packet filter and pfctl command. Their use in macOS is described in this article. Filtering outgoing packets is described here. The references to the OpenBSD pf and pfctl documents in the previous paragraph also apply.

The man pages on your local system are resources as well.

Disabling IPv6 in Mac OS X-based Firewalls

Rather than disabling IPv6 in the pf firewall, it is a better practice to disable IPv6 at the system level. See the Disabling IPv6 in macOS and OS X article in the IP Transport section.

