How to open a specific port in Firewall OS X 10.9.4

Apple's OS X Mavericks contains three firewalls. First of all, there is the Application Level Firewall, which can be configured using the system settings. But there is also ipfw, a packet filtering firewall like netfilter/iptables on GNU/Linux and pf (FreeBSD/OpenBSD).

You can either configure ipfw using the command line, or using a graphical front-end like the free/libre WaterRoof.

You could start with an ipfw command like:

sudo ipfw add 31010 allow tcp from any to any dst-port 8080

I had the same issue under OS X Yosemite (10.10.3). Found this blog post that provides clear instructions. We can't use ipfw any more, as it's deprecated. Instead, use pfctl, which unfortunately lacks a nice command line way to tell it to open a port. Instead, you need to:

  1. Open /etc/pf.conf in a text editor.
  2. Add a line like this:

# Open port 8080 for TCP on all interfaces

pass in proto tcp from any to any port 8080

  3. Save the file.
  4. Load the changes with:

sudo pfctl -f /etc/pf.conf

If you need to open a udp port, change tcp to udp; if you need both, add a second line. Additional detail can be found in man pf.conf.

Also make sure your server is listening on the actual interface you want it accessible over (or all interfaces, using 0.0.0.0 or ::0), not localhost (127.0.0.1 or ::1).


ipfw is deprecated by Apple. Mountain Lion and later use pfctl.

http://support.apple.com/kb/ht5413


Here's a one liner rather than requiring the user to mess around with Vim. Useful for automation.

sed -i '' -e '$a\pass in proto tcp from any to any port 8080' /etc/pf.conf; pfctl -vnf /etc/pf.conf

Or an alternative for Linux users

sed -i -e '$a\pass in proto tcp from any to any port 8080' /etc/pf.conf; pfctl -vnf /etc/pf.conf

Just make sure you change 8080 in the example to whatever you have in mind. Swap tcp with udp if you like.
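
A repeatable form of the pf.conf edit described in the answers above, added here as an example and not taken from any of the answers. The helper names add_pf_rule and update_pf are hypothetical. It appends the rule only once, syntax-checks a scratch copy with pfctl -n (which parses the file and loads nothing), and only then installs the copy and loads it with pfctl -f.

```sh
#!/bin/sh
# Added example; add_pf_rule and update_pf are hypothetical helper names.

# add_pf_rule CONF PROTO PORT
# Append the pass rule to CONF unless that exact line is already there.
# Returns 0 = appended, 1 = already present, 2 = rejected input.
add_pf_rule() {
    conf=$1 proto=$2 port=$3
    case $proto in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "port must be 1-65535" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port must be 1-65535" >&2; return 2
    fi
    rule="pass in proto $proto from any to any port $port"
    if grep -qxF "$rule" "$conf"; then
        return 1
    fi
    # Keep the new rule on its own line if the file lacks a final newline.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# update_pf CONF PROTO PORT   (run as root; CONF is normally /etc/pf.conf)
# Edit a scratch copy, parse it with "pfctl -n" (nothing is loaded), and only
# then back up CONF, install the copy and load it with "pfctl -f".
update_pf() {
    live=$1
    tmp=$(mktemp) || return 1
    cp "$live" "$tmp" || { rm -f "$tmp"; return 1; }
    rc=0
    add_pf_rule "$tmp" "$2" "$3" || rc=$?
    if [ "$rc" -eq 0 ]; then
        pfctl -nf "$tmp" && cp "$live" "$live.bak" &&
            cp "$tmp" "$live" && pfctl -f "$live"
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Called as `update_pf /etc/pf.conf tcp 8080`, it leaves the live file untouched when the candidate fails to parse, and returns 1 without reloading when the rule is already present.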