By default our servers come with a public IP address that is reachable worldwide. No ports are blocked to allow you to run any application you wish. However, it is a good practice to limit access to your servers with a firewall. In this article we show how to do this using a software firewall built-in macOS PF (Packet Filter) using a handy GUI tool called Murus.
Murus is a great firewall configuration tool for macOS. They offer a free version that is very powerful already, and if you wish to use the more advanced features there is a Pro version that costs only $35.
You can discover all features on their website, and also download the software: https://murusfirewall.com/murus/
In this article we'll use the free version Murus Lite. The software runs on macOS 10.14.4 or later, but older versions are available as well.
The risk of locking yourself out
When configuring a firewall, be aware of the risk that you lock yourself out. If your rules are too restrictive, or if you make a typo it might be possible that you block your own connections, and physical intervention is required from us.
Murus solves this with a great feature: when you apply new rules, a timer will start to tick and you will need to confirm you still have access. If your connection is lost, the previous config will be reverted after a while and you can regain access.
Think about what kind of traffic you want to allow. Usually it's best to have an inbound policy that by default blocks all traffic, and allows only the traffic that is required. What kind of ports do your applications need to work? For a web server these are TCP ports 80 and 443. If you just want to log in using SSH or VNC, you will need to open ports 22 and 5900.
Think about who will access the ports.. if it's just you - it might be good to only allow connections from your own IP, or only from your country. This greatly reduces the attack surface for anyone that tries get into your server.
Just make sure you have a static IP, or whitelist multiple IPs that you know are relatively stable over time.
Installing the app
After you download the app from the Murus website, installation is as simple as dragging it to the Applications folder.
You will need to enter your admin password several times, as the app will change configuration files that can only be changed by an administrator.
Choose to start Murus Lite, and unlock the app.
Configure your rules
A good place to start is configuring the Inbound Rules. Just add all the Applications or ports you need to open to the internet. If you can't find the right ports in the pre-defined list, just add them under 'Services'
In this example, we'll open the Web ports, and VNC and SSH (Remote Login). We will restrict VNC and SSH access only to IPs defined in the Group 'Management'
When you're done configuring your base rules, just click the 'Play' button in the top left bar, and start the firewall! Murus will ask if you're remotely controlling the computer, click yes! The counter will start, if you still have access to the server - dismiss the counter. If you made a mistake, you will be able to access your server again after 60 seconds.
Load rules on boot
If you're happy and you have successfully applied all rules, make sure they survive a reboot, by installing the Boot Scripts.
It is a good practice to test this as well, reboot your server and see if the rules still work. Congratulations with making your server, and the internet, a safer place!
If you have any issues or questions about configuring your firewall, feel free to reach out to us at firstname.lastname@example.org for assistance.