Page: 3 of 4
In this report

Do Mac users need a firewall?

Macintosh pundits disagree about the need for security. Apple's operating systems are structured differently than Windows operating systems and are less vulnerable to attack. In addition, because Apple systems represent a minority -- but growing -- market share, they have been less attractive targets for malicious hackers. Mac users running OS X have a firewall included in the operating system (two, actually). By default, the Mac firewall closes the most-exploited ports, requiring users to actively enable ports for file sharing, print sharing or personal web hosting.

The OS X Lion operating system firewall blocks only inbound connections, meaning it won't prevent spyware from "phoning home" with your sensitive data or browser history. Presumably, the upcoming Mountain Lion upgrade will function the same way. A secondary firewall program, called simply PF, is included as part of the operating system, replacing the older IPFW software. Though PF is capable of blocking outgoing connections, it is turned off by default and its command-line interface can be challenging to configure for all but the most advanced users. For that reason, you may want to use a graphics-based third-party front-end for that firewall. Hanynet created the IceFloor front-end for OS X Lion's PF firewall; if you're still on Leopard or Snow Leopard, Hanynet also offers WaterRoof, for advanced users, or NoobProof, (for less experienced users, if you want to make use of IPFW. All are free.

Third-party Mac firewall software

Little Snitch (*Est. $30) from Objective Development gets high marks among the standalone firewall offerings available for Macs, scoring well with hundreds of users at and Little Snitch is pre-configured not to interfere with safe surfing while allowing the user to control inbound and outbound connections. It also has a network monitor, which shows users which programs are accessing their network. Like Comodo and many other standalone firewalls, Little Snitch will ask you to block or allow connections whenever a program attempts to reach the Internet.

That functionality alone has kept Little Snitch at the top of the Mac firewall charts for several years running, but a new program has appeared that usurps that title, reviewers say. Metakine's Hands Off! (*Est. $25) features the same network monitoring and outbound blocking capabilities as Little Snitch, but it features more bells and whistles. For example, Little Snitch only blocks outbound connections; Hands Off! blocks inbound connections as well, and it offers more control over incoming information than the firewall built into OS X.'s Vincent Danen and's Jonathan Garro each compare Little Snitch and Hands Off! head to head, and Hands Off! comes out on top in both reviews. Danen appreciates that Hands Off! warns you when apps are trying to access the file system of your Mac, rather than simply keeping tabs on inbound/outbound Internet connections. Garro finds Hands Off!'s interface more streamlined, helpful and easy to use than the competition's. However, users at warn that Hands Off! uses more processing power than Little Snitch.

Mac users looking for a firewall program as part of a security suite may like Intego's VirusBarrier X6 (*Est. $50 for up to 2 Macs). The program combines Intego's old NetBarrier firewall and network software, which no longer are available separately, with an antivirus program and other functions. Nicholas Bonsack at Macworld doesn't test VirusBarrier X6 but says that its improvements include a two-way firewall, phishing and spyware protection, and "dynamic code monitoring" to identify new kinds of malware. Tom Gorham at Britain's Expert Reviews does conduct testing and says, "VirusBarrier's firewall is both easier to understand and more configurable than Mac OS X's built-in offering." He adds that the program's anti-spyware functionality resembles that of Little Snitch.

Intego also offers a more comprehensive security solution, SecurityBarrier X6 (*Est. $80 for up to two Macs), which adds anti-spam, parental control, back up and data protection features. User feedback for that suite is sparse, but CNET's Topher Kessler calls SecurityBarrier "the most complete security and data protection package I've seen to date" for Macs. However, he calls most of the added features "pointless" and says they "seem like add-ons to the main functions offered in VirusBarrier X6," albeit "nice enhancements."

Macworld covers McAfee Internet Security for Mac 2012 (*Est. $80), which includes a firewall. Reviewer Glenn Fleishman reports that the antivirus component blocked all the Mac-specific malware he threw at it. The firewall earns high marks, as well. "I particularly like that you can shut down all incoming or outgoing traffic or both with a couple of clicks without having to disable your network interface," he writes. Users can set custom rules or define trusted networks for the firewall, and a separate Application Protection allows users to block or limit the connectivity of new applications when they launch.

Many free firewall programs have been developed for Linux. However, none of these has been formally reviewed by any well-regarded critics. describes a dozen of them and has links; see Useful Links for more information.

Internet Security Barrier X6
Buy from
New: $79.95   
Average Customer Review:  
McAfee Protection for MAC 1 User 2012 [Old Version]
Buy from
New: $59.99 $4.99   
In Stock.
Average Customer Review:  

Firewalls Runners Up:

Little Snitch *Est. $30

2 picks including:,…

ZoneAlarm Free Firewall 2012 Free

2 picks by top review sites.

Norton Internet Security 2012 *Est. $70

2 picks including:, PC Advisor…

Back to top