How stealthy is the stealth mode of the firewall? Does it increase security?

In the System Preferences there is the option:

`Security & Privacy -> Firewall -> Advanced... -> Enable Stealth Mode`

Does this option significantly increase the security when networking or surfing the internet?

The hint only says: "Don't respond to or acknowledge attempts to access this computer from the network by test applications using ICMP, such as Ping."

The hint does not explain how my work with the Mac is affected.


Yes. Stealth mode enhances your system's security. Stateful packet inspection is another crucial component of a firewall's prowess. It's also of note that Apple's firewall is powered by the rugged ipfw.

What Apple says is a concise summary of how stealth mode works, and if you aren't versed in IT security, a full-fledged explanation won't offer up much more as it's a complex system (TCP, or Transmission Control Protocol, which is just one element of data transmission itself is rather complicated and deeply layered).

The fundamentals of networking (aka transferring data on the internet) rely on protocols that establish connections ("handshaking" starts it all) and then relay data (through things like TCP and UDP). ICMP messages (such as pings or echo requests) are typically used to "probe" a target host (most often for quite valid reasons), identifying it on the network. Hackers use them to find their prey.

[image not preserved: diagram of the network protocol stack referenced below]

Firewalls work by planting themselves between the kernel and the TCP/IP stack (so at a very deep level) and watching the packets that run between those layers. In the image above, a system's kernel would be located between the ethernet driver and hardware. The firewall would sit right on top of the kernel. Firewalls need this deep level of integration to remain rugged and durable. If a firewall were implanted at a high level, say at the level of your browser, it would make it highly susceptible to attack. The deeper a process is located (closer to the kernel), the harder it is to gain access to it.

When a system runs without a firewall, the packets are allowed free access (in and out). If an echo request is sent, an echo response is loosed by your computer (think of it as a greeting; someone on the street passes you and says "hello," you smile and greet them in return). But when a firewall is operational, it steps in, like a member of the secret service, following its protocol. If it is told to deny requests, it will send a message to the machine making the request that it does not reply to echo requests. The machine gets a notice that their echo request was denied (or blocked). Naturally this doesn't give that machine much information, but it does inform them that someone is there.

Stealth mode, on the other hand, doesn't. The firewall watches the echo request come in, and instead of denying it, it simply tells your computer to ignore the packet. The machine on the other end not only doesn't get any data, but doesn't even get a notice of rejection. It's as if their packet was just lost in space. And that's indicative of either a machine guarded by a secure firewall, or a machine that doesn't even exist.

In effect, it's the equivalent of putting someone through to voicemail (denying the echo request) or simply disabling voicemail and letting it ring, indefinitely (running under stealth mode).

As with anything, a clever hacker can bypass these safeguards, but it does make their life a lot harder. And that's the key to security: making the hacker's job just a little bit harder at every turn. That greatly weeds out the "script kiddie" from the die-hard LulzSec hacker.

Stealth mode cloaks you from those initiating traffic, but it doesn't make you invisible. Once a connection is established (either by you, or by something that was allowed to negotiate outbound traffic), you pop up on the grid just like any computer. So while sending ping requests may no longer work, there are still plenty of ways hackers could establish a connection and potentially exploit your computer through a running service.
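The three behaviours the answer describes (no firewall answers the echo, deny mode sends a rejection, stealth mode drops silently) and the caveat that an already established connection is still answered can be seen in this small simulation. It is an added example, not Apple's code or the answer's; the `Packet`/`Host` model, the `open`/`deny`/`stealth` mode names and the addresses are constructed for illustration.

```python
"""Constructed model of how a host answers an ICMP echo probe under three
firewall configurations, plus the stateful exception for established flows."""
from dataclasses import dataclass, field
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3  # the type a rejecting firewall answers with


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    icmp_type: int = 0
    dport: int = 0        # destination port for tcp
    flags: str = ""       # TCP flags such as "SYN" or "ACK"


@dataclass
class Host:
    addr: str
    mode: str             # "open" (no firewall), "deny" or "stealth" (assumed labels)
    # (peer address, local port) pairs for connections this host opened itself
    established: set = field(default_factory=set)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet sent back to the sender, or None if the host stays silent."""
        if pkt.proto == "tcp" and (pkt.src, pkt.dport) in self.established:
            # Stateful match: a flow we initiated is answered even in stealth mode,
            # which is why stealth mode does not make a host invisible.
            return Packet(self.addr, pkt.src, "tcp", dport=pkt.dport, flags="ACK")
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            if self.mode == "open":
                return Packet(self.addr, pkt.src, "icmp", icmp_type=ICMP_ECHO_REPLY)
            if self.mode == "deny":
                # Reject: no data, but the sender still learns that a host is there.
                return Packet(self.addr, pkt.src, "icmp", icmp_type=ICMP_DEST_UNREACHABLE)
            return None  # stealth: drop silently, indistinguishable from no host
        return None  # unsolicited tcp is dropped in every mode of this model


def probe(host: Host, src: str) -> str:
    """What the remote sender can conclude from a single echo request."""
    reply = host.receive(Packet(src, host.addr, "icmp", icmp_type=ICMP_ECHO_REQUEST))
    if reply is None:
        return "no answer: host filtered or nonexistent"
    if reply.icmp_type == ICMP_ECHO_REPLY:
        return "host up (echo reply)"
    return "host up (rejected)"
```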