How can I block all ports except 443 on macOS Catalina
I realize this will break a lot of built in functionality on macOS as it ships, but for test reasons I want to temporarily block all tcp inbound / outbound ports on macOS Catalina except 443.
How can I do this in a way that's somewhat easy to toggle on/off once it's set up?
Apple's application firewall is designed to have many exceptions to work with its services so the system prefs will take a lot of clicks. I will suggest a more command-line way to accomplish this large change in port access for the built-in pf firewall (no need for extra software).
Here is a simple rule set that will block all traffic except for ports 80 and 443 (http and https). I don't advise saving it in your `/etc/pf.conf` in case things go sideways - a simple reboot (if you have pf set to load at boot) will fix things. I used the filename `~/pf_rules01.conf`, you can call it what you like.
Create the rule file

```
# Set the interface to be used
if="en0"
# Skip the loopback interface
# (pf requires options such as "set skip" to come before any filter rule,
#  so this line must precede "block all")
set skip on lo
# Default Deny Policy
block all
# Set http(80) & https (443) ports #
web_ports = "{80 443}"
# Pass in only web traffic
pass in quick on $if proto tcp to any port $web_ports keep state
pass out quick on $if proto tcp to any port $web_ports keep state
```
Test the file

Before you enable the new rule set (keep in mind that you specifically asked for all protocols to be blocked except 443), you can check for syntax errors with the command:

```
$ sudo pfctl -n -f /path/to/rulefile
```

- The `-n` tells `pfctl` to just parse the rules
- The `-f` specifies what file to load; the default is `/etc/pf.conf`
Enable pf

If all is good, enable the rule set with the `-e` flag

```
$ sudo pfctl -e -f /path/to/rulefile
```
Testing...

From another machine, issue the command `telnet <machinename || IPaddress> 80` of the host running your web server. If everything works, you'll receive something similar to the following:

```
Trying 192.168.1.123...
Connected to testmachine.home.
Escape character is '^]'.
```
Success! You can also try pointing your browser to the address and if you get a response from the server, it works.
Caveats

- This blocks all traffic with the exception of 80 and 443 (http and https). If you are SSHing into this box, you will lose your connection because it's not passing SSH (port 22) in or out (maybe pass 22 as well?).
- `en0` is my network adapter (wired). Yours may be different. To get a listing of your network interfaces, use the `ifconfig` command. They are usually at the top of the output starting with `en0`, `en1` etc.
- This was tested on a FreeBSD server running `dhttpd` (not Apache). You can't test unless you have something listening and responding on the ports you're interested in. I typically don't run any sort of web server on my Mac, but in VMs for the sake of portability, security, and stability. However, `pf` is based on BSD and the rules and commands are identical.

If you want to turn this off just issue the command `sudo pfctl -d` and it will disable the `pf` firewall.
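The check, enable and disable steps above wrapped into one toggle script, as an added example that is not part of the answer. It generates the same web-only rule set (with `set skip` placed before the filter rules, as pf requires), parses it with `pfctl -n` before loading, and can be switched off with `pfctl -d`. The variable names `PFCTL`, `RULES`, `IFACE` and `PORTS`, and the `pf_on`/`pf_off`/`pf_status` functions, are this script's own; set `PORTS=443` to match the question exactly.

```shell
#!/bin/sh
# pf-toggle.sh on|off|status  -- toggle the web-only pf rule set from the answer.
# PFCTL can be overridden (e.g. with a stub function) for a dry run without root.
set -eu

PFCTL="${PFCTL:-sudo pfctl}"                       # command used to drive pf
RULES="${RULES:-${HOME:-/tmp}/pf_rules01.conf}"    # rule file, same name as the answer
IFACE="${IFACE:-en0}"                              # interface to filter on
PORTS="${PORTS:-80 443}"                           # space-separated TCP ports to allow

# Print the rule set for an interface and a port list.
# pf rejects files whose options (set ...) follow filter rules, so "set skip" is first.
gen_rules() {
    iface="$1"; ports="$2"
    printf '%s\n' \
        '# Interface to filter on' \
        "if=\"$iface\"" \
        '# Options must precede filter rules' \
        'set skip on lo' \
        '# Default deny policy' \
        'block all' \
        '# TCP ports allowed in and out' \
        "web_ports = \"{$ports}\"" \
        'pass in quick on $if proto tcp to any port $web_ports keep state' \
        'pass out quick on $if proto tcp to any port $web_ports keep state'
}

pf_check()  { $PFCTL -n -f "$1"; }                # parse only; fails on syntax errors
pf_on() {
    gen_rules "$IFACE" "$PORTS" > "$RULES"
    pf_check "$RULES" && $PFCTL -e -f "$RULES"    # load only if the file parses
}
pf_off()    { $PFCTL -d; }                        # disable pf entirely (answer's last step)
pf_status() { $PFCTL -s info | head -n 1; }       # "Status: Enabled ..." / "Status: Disabled ..."

usage() { echo "usage: $0 on|off|status" >&2; }
main() {
    case "${1:-}" in
        on)     pf_on ;;
        off)    pf_off ;;
        status) pf_status ;;
        *)      usage; return 2 ;;
    esac
}

# Dispatch only when arguments are given, so the file can also be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```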