macOS Sierra 10.12: Configure firewall for a single port (3690)

If you are using Sierra's Application Firewall you can't restrict it to a single port.

To allow incoming traffic for a specific binary, open System Preferences > Security & Privacy > Firewall > Firewall Options and either hit the plus button and choose the binary or drop the binary from a Finder window.

In my example below I have chosen the X11 binary in /Applications/Utilities/XQuartz.app/Contents/MacOS/

You can then check the additional apps added by executing:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

After adding Xcode, anything starting with svn in /usr/bin/ and /Applications/Xcode.app/Contents/Developer/usr/bin/ and starting /usr/bin/svnserve I was asked once to allow incoming traffic for svnserve (I don't know which of both svnserve executables) and it worked from remote. After removing everything and repeating the same steps it failed again.

The log file at /var/log stays empty and the other logs don't reveal anything related to blocked incoming connections.

I recommend enabling ssh and creating an ssh:svn-tunnel. Link: Subversion through a tunnel


As an alternative install Murus - a GUI for pf. If you don't activate it with an email and a serial number it will run as the free Murus Lite.

Open the app and choose a strategy. E.g. Novice > Predefined Firewall Configuration Presets > Almost all services blocked. Then activate the selected Murus preset and start pf.

Hit the library button. In the services library panel hit the gear and add a new custom service SVN.

In the groups library hit the gear and add a new custom group.

Hit the loupe, enter a group name, add an appropriate interface, hit the plus button and add an IP or network.


Drag the SVN service to the main window (Managed inbound services) and configure it.

If you have additional services like SSH running, add them as well. Start or restart pf if necessary. Now - protected by pf - you may disable the application firewall.
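
The Murus steps above correspond to a small pf ruleset. The following is an added example, not part of the original answer and not output from Murus: a hand-written anchor file that limits inbound port 3690 to one group of clients. The anchor name org.example.svn, the interface en0 and the network 192.0.2.0/24 are assumptions to replace with your own values.

```pf
# /etc/pf.anchors/org.example.svn  (hypothetical anchor name and path)
#
# Assumed values, adjust before use:
#   en0            interface the SVN clients reach this Mac on
#   192.0.2.0/24   network allowed to use svnserve (documentation range)

svn_if   = "en0"
svn_port = "3690"

# Equivalent of the custom group: the addresses allowed to connect.
table <svn_clients> persist { 192.0.2.0/24 }

# Default for this port: drop and log every inbound connection attempt.
# pf uses the last matching rule unless a rule is marked "quick".
block in log on $svn_if proto tcp to port $svn_port

# Equivalent of the managed inbound service: clients in the table win
# immediately because of "quick"; everyone else stays on the block rule.
pass in quick on $svn_if proto tcp from <svn_clients> to port $svn_port \
    flags S/SA keep state

# If sshd is also running (for the ssh tunnel), give it the same treatment:
# block in log on $svn_if proto tcp to port 22
# pass in quick on $svn_if proto tcp from <svn_clients> to port 22 \
#     flags S/SA keep state

# To use the anchor, reference it from /etc/pf.conf:
#   anchor "org.example.svn"
#   load anchor "org.example.svn" from "/etc/pf.anchors/org.example.svn"
#
# Syntax check without loading:  sudo pfctl -vnf /etc/pf.anchors/org.example.svn
# Load main ruleset and enable:  sudo pfctl -f /etc/pf.conf && sudo pfctl -e
# Inspect the loaded rules:      sudo pfctl -a org.example.svn -sr
```

The log keyword sends blocked attempts to the pflog0 interface, which can be watched with `sudo tcpdump -n -e -ttt -i pflog0` once that interface exists.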