Marta Turnbull is a MacUpdate OG and has written about technology, marketing and brand creativity for over 10 years. She splits her time between Michigan and Ukraine.

Mac Firewalls: 6 Questions, 6 Answers

Does Mac have a firewall?

Do I need a third-party firewall?

Can't I just use the built-in Mac firewall?

What is the best firewall for Mac?

These are some of the questions that Mac users ask all the time.

While maintaining privacy and ensuring data security is vital for all Mac users, few do anything about it. If they do, it's usually the bare minimum, which means using the built-in macOS tools found in System Preferences and Safari.

Is that enough?

No!

Let’s explain what a firewall is and why you need it.

1. What is a Firewall and how Does It Work?

A firewall is a barrier or shield that monitors either incoming or outgoing network traffic - or both - sent through your internet connection. As information is sent or received, the firewall filters each packet of data based on a set of rules.

If the data is flagged as having malicious intent, the firewall blocks it to prevent your privacy and data from being put at risk.

2. Do I Need a Firewall for My Mac?

Yes.

While Macs are generally more secure and more difficult to exploit than Windows PCs, they're not unhackable.

According to Macworld, Mac malware grew by 270% in 2017.

Malwarebytes reported an increase in malware attacks in 2019, with 16 million instances recorded in April - four times the previous record!

As Macs grow in popularity and cybercriminals become bolder, greedier, and smarter, new threats are appearing.

These threats include:

Adware

Identity theft

Malware (designed to gain access to cryptocurrency)

Phishing attacks

Ransomware

Security flaws

As a result, taking steps to protect your Mac is more important than ever.

3. Can I Use the MacOS Built-in Firewall?

Yes. The first step to securing your Mac is to enable the built-in firewall.

While you might expect the built-in macOS firewall to be enabled by default, it's not. We recommend that - if you haven't already done so - you turn on the firewall settings in System Preferences.

To turn on your Mac firewall:

Open System Preferences from the Apple menu at the top left of your screen. Click on Security & Privacy. Click on the Firewall tab. Click on the padlock icon at the bottom left of the window to unlock the system settings (if prompted, type your login password for access). Check the box beside hat the Turn On Firewall.

For more details on how to turn on and configure your firewall on Mac, visit the macOS User Guide.

4. When do I Need a 3rd Party Firewall?

If you're using your Mac to access any public network - such as in the cafeteria or at the local Starbucks - you need a third-party firewall.

The reason is that while the built-in Mac OS firewall monitors and blocks incoming traffic, it doesn't provide any protection against outbound traffic.

For example, if you download malware - or apps that “phone home” without your knowledge - and they want to send personal data across the internet, the macOS firewall won't stop them.

You need a third-party firewall to complement the macOS firewall to protect you from both incoming and outgoing threats.

5. What are the Top 5 Mac Firewalls as Voted by MacUpdate Users?

What are your best choices? Below is a list of five of the most highly-rated firewalls based on our reader's ratings, including those who offer a free firewall for Mac on a trial basis:

Vallum 4.9 stars

Current Version: 3.3.1

3.3.1 System Requirements: OS X 10.11 El Capitan, macOS 10.12 Sierra or higher.

OS X 10.11 El Capitan, macOS 10.12 Sierra or higher. Licensing: 30-day free trial, one-time purchase of $15 for a single license, $20 for a five-license family pack (15-day money-back guarantee).

One of the most advanced and best-designed firewall apps available, Vallum complements the macOS firewall by intercepting connections at the application layer and detaining them while you decide what to do.

A custom app list and pre-defined rules can be created to govern which apps are allowed to connect to the internet.

Drag and drop support enables you to either allow or block apps quickly. Outbound connections can also be blocked in a variety of ways, including geo-location, pre-defined schedules, and other methods.

Pros

Attractive, icon-based user interface

Easy to use with drag and drop functionality

Inspects and blocks outbound connections

Simple interface for creating rules and filter lists

Advanced features for creating complex rules

Unobtrusive with notification prompts

Lifetime license with free upgrades and updates

Cons

Can be overwhelming for beginners

Read all about Vallum for Mac with reviews from our readers on MacUpdate.

MacUpdate User Rating: 4.9

4.9 Version Reviewed: 3.3.1

3.3.1 Date Reviewed: 31 August 2019

Little Snitch 4.2 stars

Current Version: 4.4.3

4.4.3 System Requirements: OS X 10.11 El Capitan, macOS 10.12 Sierra or higher.

OS X 10.11 El Capitan, macOS 10.12 Sierra or higher. Licensing: 30-day free trial, $45 for a single license, $89 for a family license, $169 for a five-license pack, and $299 for a ten-license pack.

Little Snitch claims to make the invisible visible by informing you whenever an app attempts to establish an outgoing Internet connection.

It allows you to permit or deny the request, define a rule for future requests, or - if you the volume of notifications overwhelming - silence the requests and make decisions later.

The network monitor feature allows you to see exactly where the traffic is coming from or being sent.

Pros

Attractive interface

Inspects and blocks outgoing connections

Silent mode for delayed decision making

Network monitor for graphically depicting connections

Once set up, runs in the background and requires little interaction

Detects network activity related to malware, trojans, and viruses

Cons

Potentially complicated for beginners

More expensive than other firewalls

Read all about Little Snitch for Mac with reviews from our readers on MacUpdate.

MacUpdate User Rating: 4.2

4.2 Version Reviewed: 4.4.3

4.4.3 Date Reviewed: 8 October 2019

Hands Off! 4.2 stars

Current Version: 4.4.0

4.4.0 System Requirements: OS X 10.11 El Capitan, macOS 10.12 Sierra or higher.

OS X 10.11 El Capitan, macOS 10.12 Sierra or higher. Licensing: 30-day free trial, $49.99 for a single license.

An easy to use firewall with advanced features and a simple, user-friendly interface.

Hands Off! protects your privacy by enabling sniffing mode, preventing apps and services from accessing remote servers. If an app tries to establish a connection, an alert appears requesting you to either allow or block the connection.

Advanced settings and rules are simple to use.

Pros

Flexible configuration options

Blocks incoming and outgoing connections

Blocks read and write disk access

Prevents malware and virus infiltration

Identifies trusted applications

Simple, user-friendly interface

Detailed notifications prompt

Cons

Some features may impact performance e.g., disk monitoring

More expensive than some other firewalls

Read all about Hands Off! for Mac with reviews from our readers on MacUpdate.

MacUpdate User Rating: 4.2

4.2 Version Reviewed: 4.4.0

4.4.0 Date Reviewed: 27 October 2019

Radio Silence 4.0 stars

Current Version: 2.3

2.3 System Requirements: OS X 10.10 (Yosemite) or higher.

OS X 10.10 (Yosemite) or higher. Licensing: 24-hour free trial, $9.00 for a single license. $49 team license with no user limits (30-day money-back guarantee).

Designed for people who don’t want to configure and manage traditional firewalls, Radio Silence allows you to quickly create a list of applications that aren’t allowed access to the internet.

Managed via a user-friendly interface, the firewall also allows you to create custom profiles to prevent groups of apps from accessing the internet. Full visibility into which processes are trying to connect to online servers is available in real-time.

Whenever an app or service tries to make a connection, a notification prompt appears that allows you to allow, inspect, or block the connection.

Pros

Easy to use through a user-friendly interface

Inspects and blocks outgoing connections

Custom profiles for rules and filters

Notification prompt for user actions

Inexpensive

Cons

None

Read all about Radio Silence for Mac with reviews from our readers on MacUpdate.

MacUpdate User Rating: 4.0

4.0 Version Reviewed: 2.3

2.3 Date Reviewed: 19 October 2019

NetBarrier X9 3.6 stars

Current Version: 10.9.6

10.9.6 System Requirements: OS X 10.8 (Mountain Lion) or higher.

OS X 10.8 (Mountain Lion) or higher. Licensing: 30-day free trial, $39.99 for a single, one-year subscription, $59.99 for a one-year subscription for five Macs.

NetBarrier X9 provides thorough protection against threats from both the internet and your local network, constantly filtering activity and automatically alerting you to suspicious activity.

Providing a robust set of features within a simple, user-friendly interface, users choose which network connections are allowed, which apps are permitted to connect to the network, and the data blocked from being sent.

Three preset firewall settings cover most situations encountered during regular use, with graphics animations displaying the effect of applying each profile.

Pros

Simple, easy to use graphical interface

Active application list to identify network usage

Inspects and blocks incoming and outgoing connections

Preset profiles for fast setup and configuration

Automatic profile switching when the connection changes

Location-aware network security

Cons

Limited functionality with the free trial

Read all about NetBarrier X9 for Mac with reviews from our readers on MacUpdate.

MacUpdate User Rating: 3.6

3.6 Version Reviewed: 10.9.6

10.9.6 Date Reviewed: 12 April 2019

6. How Do I Test My Firewall?

It’s a good idea to test your Mac firewall every now and then to make sure it’s working correctly.

To find out whether your Mac is vulnerable to attack by external hackers, you need to understand what it looks like from the Internet.

Port scans conducted from outside your network will identify any weaknesses in your firewall.

Here are three online tools to test whether your firewall is protecting your Mac the way it should:

HackerTarget: Simple and easy to use, this online firewall test mimics the actions of a hacker, attempting to connect with services open to the Internet. It requires that you simply enter your IP address and click on the Begin Firewall Test button. A results box appears to indicate whether your open connections are filtered (protected) or not. ShieldsUP: After reading the info in the blue box, click on Proceed. On the next page, you have several test options to choose from. Click on the Common Ports button in the blue box. A results page appears indicating whether your system passed or failed the test with detailed results available in the table below. Pentest-Tools: Insert your IP address in the box at the top of the page, confirm that you have the right to run the test, and click on Scan Now. If the results pane pops up and says: “This host seems to be down,” then your firewall is working correctly. The scan only provides basic information, and only two free scans are allowed every 24 hours.

Note: To find your IP address, open System Preferences and click on Network under Internet & Wireless. Click on the active connection in the left-hand bar (the one with the green dot). Your IP address will appear in the right-hand pane below the Status field.

The Bottom Line

There are many myths about whether you need a firewall on your Mac or not.

Our recommendation?

Don't expose yourself to unnecessary risks!

Activate the built-in macOS firewall to guard against malicious incoming threats; Purchase a third-party firewall to guard against malicious outgoing connections.

Explore the firewalls our readers recommend.

Choose the one that's right for you.

Install it.