- If H&R Block Tax Software will not update on your Mac computer, there are a couple of options you can try to solve the problem. First, you can try running a Disk Utility. To open the Disk Utility: Click the Macintosh HD icon on the desktop.
- How to block outgoing connections on Mac. Edit: when this tutorial was originally written, TCPBlock was still being updated. After OS X 10.11 (El Capitan), TCPBlock doesn’t work correctly on Mac anymore. If you are running OS X El Capitan or a more recent version of OS X like Sierra, then make sure you check out this updated tutorial.
- OS X manages the firewall on a per-application basis, but sometimes you want to open a specific port on your Mac. You can allow or block incoming traffic to specific apps using the Security.
It is therefore not practical to use the hosts file to block a significant number of sites. For a dozen or so it's fine, but we're talking about tens of thousands, which would make your computer virtually unusable. I tried this just a week ago and was shocked, since this is the oldest method in the book and works well on every other Unix-like OS.
Network administrators can use this information to make sure that Mac computers and other Apple devices can connect to services such as the App Store and Apple's software-update servers.
Ports used by Apple products
This is a quick-reference guide showing common examples, not a comprehensive list of ports. This guide is updated periodically with information available at the time of publication.
Some software might use different ports and services, so it can be helpful to use port-watching software when deciding how to set up firewalls or similar access-control schemes.
Some services might use more than one of these ports. For example, a VPN service can use up to four different ports. When you find a product in this list, search (Command-F) in your browser for that name, then repeat your search (Command-G) to locate all occurrences of that product.
Some firewalls allow selective configuration of UDP or TCP ports with the same number, so it's important to know the type of port you're configuring. For example, NFS can use TCP 2049, UDP 2049, or both. If your firewall doesn't allow you to specify the type of port, configuring one type of port probably configures the other.
Port | TCP or UDP | Service or protocol name1 | RFC2 | Service name3 | Used by |
---|---|---|---|---|---|
7 | TCP/UDP | echo | 792 | echo | -- |
20 | TCP | File Transport Protocol (FTP) | 959 | ftp-data | -- |
21 | TCP | FTP control | 959 | ftp | -- |
22 | TCP | Secure Shell (SSH), SSH File Transfer Protocol (SFTP), and Secure copy (scp) | 4253 | ssh | Xcode Server (hosted and remote Git+SSH; remote SVN+SSH) |
23 | TCP | Telnet | 854 | telnet | -- |
25 | TCP | Simple Mail Transfer Protocol (SMTP) | 5321 | smtp | Mail (sending email); iCloud Mail (sending email) |
53 | TCP/UDP | Domain Name System (DNS) | 1034 | domain | -- |
67 | UDP | Bootstrap Protocol Server (BootP, bootps) | 951 | bootps | NetBoot via DHCP |
68 | UDP | Bootstrap Protocol Client (bootpc) | 951 | bootpc | NetBoot via DHCP |
69 | UDP | Trivial File Transfer Protocol (TFTP) | 1350 | tftp | -- |
79 | TCP | Finger | 1288 | finger | -- |
80 | TCP | Hypertext Transfer Protocol (HTTP) | 2616 | http | World Wide Web, FaceTime, iMessage, iCloud, QuickTime Installer, Maps, iTunes U, Apple Music, iTunes Store, Podcasts, Internet Radio, Software Update (OS X Lion or earlier), Mac App Store, RAID Admin, Backup, Calendar, WebDAV, Final Cut Server, AirPlay, macOS Internet Recovery, Profile Manager, Xcode Server (Xcode app, hosted and remote Git HTTP, remote SVN HTTP) |
88 | TCP | Kerberos | 4120 | kerberos | Kerberos, including Screen Sharing authentication |
106 | TCP | Password Server (unregistered use) | -- | 3com-tsmux | macOS Server Password Server |
110 | TCP | Post Office Protocol (POP3), Authenticated Post Office Protocol (APOP) | 1939 | pop3 | Mail (receiving email) |
111 | TCP/UDP | Remote Procedure Call (RPC) | 1057, 1831 | sunrpc | Portmap (sunrpc) |
113 | TCP | Identification Protocol | 1413 | ident | -- |
119 | TCP | Network News Transfer Protocol (NNTP) | 3977 | nntp | Apps that read newsgroups. |
123 | UDP | Network Time Protocol (NTP) | 1305 | ntp | Date & Time preferences, network time server synchronization, Apple TV network time server sync |
137 | UDP | Windows Internet Naming Service (WINS) | -- | netbios-ns | -- |
138 | UDP | NETBIOS Datagram Service | -- | netbios-dgm | Windows Datagram Service, Windows Network Neighborhood |
139 | TCP | Server Message Block (SMB) | -- | netbios-ssn | Microsoft Windows file and print services, such as Windows Sharing in macOS |
143 | TCP | Internet Message Access Protocol (IMAP) | 3501 | imap | Mail (receiving email) |
161 | UDP | Simple Network Management Protocol (SNMP) | 1157 | snmp | -- |
192 | UDP | OSU Network Monitoring System | -- | osu-nms | AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant |
311 | TCP | Secure server administration | -- | asip-webadmin | Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin |
312 | TCP | Xsan administration | -- | vslmp | Xsan Admin (OS X Mountain Lion v10.8 and later) |
389 | TCP | Lightweight Directory Access Protocol (LDAP) | 4511 | ldap | Apps that look up addresses, such as Mail and Address Book |
427 | TCP/UDP | Service Location Protocol (SLP) | 2608 | svrloc | Network Browser |
443 | TCP | Secure Sockets Layer (SSL or HTTPS) | 2818 | https | TLS websites, iTunes Store, Software Update (OS X Mountain Lion and later), Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, Bookmarks), iCloud backup and apps (Calendars, Contacts, Find My iPhone, Find My Friends, Mail, iMessage, Documents & Photo Stream), iCloud Key Value Store (KVS), iPhoto Journals, AirPlay, macOS Internet Recovery, Profile Manager, Dictation, Siri, Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration), Push notifications (if necessary) |
445 | TCP | Microsoft SMB Domain Server | -- | microsoft-ds | -- |
464 | TCP/UDP | kpasswd | 3244 | kpasswd | -- |
465 | TCP | Message Submission for Mail (Authenticated SMTP) | smtp (legacy) | Mail (sending mail) | |
500 | UDP | ISAKMP/IKE | 2408 | isakmp | macOS Server VPN service |
500 | UDP | Wi-Fi Calling | 5996 | IKEv2 | Wi-Fi Calling |
514 | TCP | shell | -- | shell | -- |
514 | UDP | Syslog | -- | syslog | -- |
515 | TCP | Line Printer (LPR), Line Printer Daemon (LPD) | -- | printer | Printing to a network printer, Printer Sharing in macOS |
532 | TCP | netnews | -- | netnews | -- |
548 | TCP | Apple Filing Protocol (AFP) over TCP | -- | afpovertcp | AppleShare, Personal File Sharing, Apple File Service |
554 | TCP/UDP | Real Time Streaming Protocol (RTSP) | 2326 | rtsp | AirPlay, QuickTime Streaming Server (QTSS), streaming media players |
587 | TCP | Message Submission for Mail (Authenticated SMTP) | 4409 | submission | Mail (sending mail), iCloud Mail (SMTP authentication) |
600–1023 | TCP/UDP | Mac OS X RPC-based services | -- | ipcserver | NetInfo |
623 | UDP | Lights-Out-Monitoring | -- | asf-rmcp | Lights Out Monitoring (LOM) feature of Intel-based Xserve computers, Server Monitor |
625 | TCP | Open Directory Proxy (ODProxy) (unregistered use) | -- | dec_dlm | Open Directory, Server app, Workgroup Manager; Directory Services in OS X Lion or earlier This port is registered to DEC DLM |
626 | TCP | AppleShare Imap Admin (ASIA) | -- | asia | IMAP administration (Mac OS X Server v10.2.8 or earlier) |
626 | UDP | serialnumberd (unregistered use) | -- | asia | Server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6) |
631 | TCP | Internet Printing Protocol (IPP) | 2910 | ipp | macOS Printer Sharing, printing to many common printers |
636 | TCP | Secure LDAP | -- | ldaps | -- |
660 | TCP | Server administration | -- | mac-srvr-admin | Server administration tools for Mac OS X Server v10.4 or earlier, including AppleShare IP |
687 | TCP | Server administration | -- | asipregistry | Server administration tools for Mac OS X Server v10.6 or earlier, including AppleShare IP |
749 | TCP/UDP | Kerberos 5 admin/changepw | -- | kerberos-adm | -- |
985 | TCP | NetInfo Static Port | -- | -- | -- |
993 | TCP | Mail IMAP SSL | -- | imaps | iCloud Mail (SSL IMAP) |
995 | TCP/UDP | Mail POP SSL | -- | pop3s | -- |
1085 | TCP/UDP | WebObjects | -- | webobjects | -- |
1099, 8043 | TCP | Remote RMI and IIOP Access to JBOSS | -- | rmiregistry | -- |
1220 | TCP | QT Server Admin | -- | qt-serveradmin | Administration of QuickTime Streaming Server |
1640 | TCP | Certificate Enrollment Server | -- | cert-responder | Profile Manager in macOS Server 5.2 and earlier |
1649 | TCP | IP Failover | -- | kermit | -- |
1701 | UDP | L2TP | -- | l2f | macOS Server VPN service |
1723 | TCP | PPTP | -- | pptp | macOS Server VPN service |
1900 | UDP | SSDP | -- | ssdp | Bonjour |
2049 | TCP/UDP | Network File System (NFS) (version 3 and 4) | 3530 | nfsd | -- |
2195 | TCP | Apple Push Notification Service (APNS) | -- | — | Push notifications |
2196 | TCP | Apple Push Notification Service (APNS) | -- | — | Feedback service |
2197 | TCP | Apple Push Notification Service (APNS) | -- | -- | Push notifications |
2336 | TCP | Mobile account sync | -- | appleugcontrol | Home directory synchronization |
3004 | TCP | iSync | -- | csoftragent | -- |
3031 | TCP/UDP | Remote AppleEvents | -- | eppc | Program Linking, Remote Apple Events |
3283 | TCP/UDP | Net Assistant | -- | net-assistant | Apple Remote Desktop 2.0 or later (Reporting feature), Classroom app (command channel) |
3284 | TCP/UDP | Net Assistant | -- | net-assistant | Classroom app (document sharing) |
3306 | TCP | MySQL | -- | mysql | -- |
3478–3497 | UDP | -- | -- | nat-stun-port - ipether232port | FaceTime, Game Center |
3632 | TCP | Distributed compiler | -- | distcc | -- |
3659 | TCP/UDP | Simple Authentication and Security Layer (SASL) | -- | apple-sasl | macOS Server Password Server |
3689 | TCP | Digital Audio Access Protocol (DAAP) | -- | daap | iTunes Music Sharing, AirPlay |
3690 | TCP/UDP | Subversion | -- | svn | Xcode Server (anonymous remote SVN) |
4111 | TCP | XGrid | -- | xgrid | -- |
4398 | UDP | -- | -- | -- | Game Center |
4488 | TCP | Apple Wide Area Connectivity Service | awacs-ice | ||
4500 | UDP | IPsec NAT Traversal | 4306 | ipsec-msft | macOS Server VPN service |
4500 | UDP | Wi-Fi Calling | 5996 | IKEv2 | Wi-Fi Calling |
5003 | TCP | FileMaker - name binding and transport | -- | fmpro-internal | -- |
5009 | TCP | (unregistered use) | -- | winfs | AirPort Utility, AirPort Express Assistant |
5100 | TCP | -- | -- | socalia | macOS camera and scanner sharing |
5222 | TCP | XMPP (Jabber) | 3920 | jabber-client | Jabber messages |
5223 | TCP | Apple Push Notification Service (APNS) | -- | -- | iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream |
5228 | TCP | -- | -- | -- | Spotlight Suggestions, Siri |
5297 | TCP | -- | -- | -- | Messages (local traffic) |
5350 | UDP | NAT Port Mapping Protocol Announcements | -- | -- | Bonjour |
5351 | UDP | NAT Port Mapping Protocol | -- | nat-pmp | Bonjour |
5353 | UDP | Multicast DNS (MDNS) | 3927 | mdns | Bonjour, AirPlay, Home Sharing, Printer Discovery |
5432 | TCP | PostgreSQL | -- | postgresql | Can be enabled manually in OS X Lion Server (previously enabled by default for ARD 2.0 Database) |
5897–5898 | UDP | (unregistered use) | -- | -- | xrdiags |
5900 | TCP | Virtual Network Computing (VNC) (unregistered use) | -- | vnc-server | Apple Remote Desktop 2.0 or later (Observe/Control feature) Screen Sharing (Mac OS X 10.5 or later) |
5988 | TCP | WBEM HTTP | -- | wbem-http | Apple Remote Desktop 2.x See also dmtf.org/standards/wbem. |
6970–9999 | UDP | -- | -- | -- | QuickTime Streaming Server |
7070 | TCP | RTSP (unregistered use), Automatic Router Configuration Protocol (ARCP) | -- | arcp | QuickTime Streaming Server (RTSP) |
7070 | UDP | RTSP alternate | -- | arcp | QuickTime Streaming Server |
8000–8999 | TCP | -- | -- | irdmi | Web service, iTunes Radio streams |
8005 | TCP | Tomcat remote shutdown | -- | -- | -- |
8008 | TCP | iCal service | -- | http-alt | Mac OS X Server v10.5 or later |
8080 | TCP | Alternate port for Apache web service | -- | http-alt | Also JBOSS HTTP in Mac OS X Server 10.4 or earlier |
8085–8087 | TCP | Wiki service | -- | -- | Mac OS X Server v10.5 or later |
8088 | TCP | Software Update service | -- | radan-http | Mac OS X Server v10.4 or later |
8089 | TCP | Web email rules | -- | -- | Mac OS X Server v10.6 or later |
8096 | TCP | Web Password Reset | -- | -- | Mac OS X Server v10.6.3 or later |
8170 | TCP | HTTPS (web service/site) | -- | -- | Podcast Capture/podcast CLI |
8171 | TCP | HTTP (web service/site) | -- | -- | Podcast Capture/podcast CLI |
8175 | TCP | Pcast Tunnel | -- | -- | pcastagentd (such as for control operations and camera) |
8443 | TCP | iCal service (SSL) | -- | pcsync-https | Mac OS X Server v10.5 or later (JBOSS HTTPS in Mac OS X Server 10.4 or earlier) |
8800 | TCP | Address Book service | -- | sunwebadmin | Mac OS X Server v10.6 or later |
8843 | TCP | Address Book service (SSL) | -- | -- | Mac OS X Server v10.6 or later |
8821, 8826 | TCP | Stored | -- | -- | Final Cut Server |
8891 | TCP | ldsd | -- | -- | Final Cut Server (data transfers) |
9006 | TCP | Tomcat standalone | -- | -- | Mac OS X Server v10.6 or earlier |
9100 | TCP | Printing | -- | -- | Printing to certain network printers |
9418 | TCP/UDP | git pack transfer | -- | git | Xcode Server (remote git) |
10548 | TCP | Apple Document Sharing Service | -- | serverdocs | macOS Server iOS file sharing |
11211 | -- | memcached (unregistered use) | -- | -- | Calendar Server |
16080 | TCP | -- | -- | -- | Web service with performance cache |
16384–16403 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | connected, -- | Messages (Audio RTP, RTCP; Video RTP, RTCP) |
16384–16387 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | connected, -- | FaceTime, Game Center |
16393–16402 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | -- | FaceTime, Game Center |
16403–16472 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | -- | Game Center |
24000–24999 | TCP | -- | -- | med-ltp | Web service with performance cache |
42000–42999 | TCP | -- | -- | -- | iTunes Radio streams |
49152–65535 | TCP | Xsan | -- | -- | Xsan Filesystem Access |
49152– 65535 | UDP | -- | -- | -- | |
50003 | -- | FileMaker server service | -- | -- | -- |
50006 | -- | FileMaker helper service | -- | -- | -- |
1. The service registered with the Internet Assigned Numbers Authority, except where noted as “unregistered use.”
2. The number of a Request for Comment (RFC) document that defines the service or protocol. RFC documents are maintained by RFC Editor.
3. In the output of Terminal commands, the port number might be replaced by this Service Name, which is the label listed in /etc/services.
FaceTime is not available in all countries or regions.
Learn more
The application firewall in macOS is not a port-based firewall. It controls access by app, instead of by port.
Starting from version 10.7 (Lion), Mac OS X includes 2 firewalls: PF & Application Firewall. Both are disabled by default.
PF
Mac OS X 10.6 (and earlier) came with IPFW, a port of FreeBSD’s stateful firewall. IPFW was deprecated in OS X 10.7, and was completely removed in OS X 10.10; it was replaced with PF. PF (Packet Filter) is OpenBSD’s system for filtering TCP/IP traffic and doing Network Address Translation. PF in OS X, however, appears to be based on the FreeBSD port of PF. Like FreeBSD 9.X and later, OS X appears to use the same version of PF as OpenBSD 4.5.
The latest OpenBSD version is 5.6 (as of January 2015); and the configuration syntax for PF changed around 4.6/4.7.
Apple has enhanced PF so that various system components might choose to enable and disable PF, as indicated by the following snippet in
/etc/pf.conf
:These two flags,
-E
and -X
, are absent from pfctl on other BSDs. Here’s how they are documented in pfctl(8):The main PF configuration file is
/etc/pf.conf
, which defines the following main ruleset by default in OS X 10.9 & 10.10:The main ruleset loads sub rulesets defined in
/etc/pf.anchors/com.apple
, using anchor:The launchd configuration file for PF is
/System/Library/LaunchDaemons/com.apple.pfctl.plist
. PF is disabled by default:Application Firewall
OS X v10.5.1 and later include Application Firewall that allow the users to control connections on a per-application basis (rather than a per-port basis). Application Firewall is disabled by default.
After enabling the Application Firewall (System Preferences -> Security & Privacy ->
Firewall
-> Turn On Firewall
), you’ll find PF is enabled too:Apparently Application Firewall enables PF using
pfctl -E
. In addition to its own rules, Application Firewall generates a set of dynamic rules (sub ruleset) for PF through anchor point com.apple/250.ApplicationFirewall
. At this stage, the sub ruleset is empty, which got someone really confused.But if either “Enable stealth mode” or “Block all incoming connections” is checked in
Firewall Options..
, dynamic rules for PF will indeed be created:Note there is a bug in Apple’s implementation of PF! According to pfctl(8):
If the anchor name is terminated with a ‘*’ character, the -s flag will recursively print all anchors in a brace delimited block.
But it produces an error instead:
We have to use the full anchor path:
As you can see, a set of dynamic PF rules is created for AirDrop too. I surmise they are still created by Application Firewall, because according to the output of
pfctl -s References
, PF has only been enabled once, by Application Firewall.Besides using the Security & Privacy Preference pane, you can also configure the Application Firewall from the command line. The utilities for Application Firewall are located at
/usr/libexec/ApplicationFirewall
. The default configuration file is /usr/libexec/ApplicationFirewall/com.apple.alf.plist
; and the running configuration file is /Library/Preferences/com.apple.alf.plist
.Stopping and starting Application Firewall is easy enough, using launchd. To stop:
To start:
We can configure the settings of Application Firewall using
socketfilterfw
:pflog
Logging support for PF is provided by
pflog
. The pflog interface is a pseudo-device which makes visible all packets logged by PF. Logged packets can easily be monitored in real time by invoking tcpdump on the pflog interface.Create a
pflog
interface:Monitor all packets logged by PF:
Destroy the
pflog
interface when you are done with it:Precedence
If two firewalls, Application Firewall & PF, are both running, you may wonder whose rules take precedence. Let’s find out.
The logs of Application Firewall are saved in
/var/log/appfirewall.log
. You’ll see a lot entries like the following, repeating roughly 2 times per minute on my iMac:Add the following as the first rule of
/etc/pf.conf
:Add the following 3 lines to
/etc/pf.conf
(to block incoming traffic but allow outgoing traffic):The first rule is to allow incoming Bonjour traffic. In a hostile environment, e.g., a public WiFi, we’ll put the above 3 lines at the end of the file to block all incoming traffic, in which case, the sub rulesets in anchor “com.apple” will have no effect!
For each packet or connection evaluated by PF, the last matching rule in the ruleset is the one which is applied.
In work environment, you can put the 3 lines right above the line:
Reload
/etc/pf.conf
:Show the currently loaded filter rules:
Check
/var/log/appfirewall.log
again. You’ll find no new log entry for Application Firewall appears in the file.So one can conclude that PF rules are applied first, then the rules for Application Firewall.
SSH
To enable OpenSSH server on OS X, in the Sharing Preference pane of System Preferences, check “Remote Login”. Or from the command line:
launchctl(1) says such about the
-w
flag:-w Overrides the Disabled key and sets it to false. In previous versions, this option would modify the configuration file. Now the state of the Disabled key is stored elsewhere on-disk.
but where exactly is the ‘elsewhere’? After some digging, I find it is
/private/var/db/launchd.db/com.apple.launchd/overrides.plist
.However, I don’t like the default configuration for sshd. I prefer to have password authentication disabled. Add the following options to
/etc/ssh/sshd_config
:Restart sshd:
Mac Os Block Website
Note to allow incoming traffics to the OpenSSH server through Application Firewall, you must allow incoming connections for
/usr/libexec/sshd-keygen-wrapper
, either in System Preferences -> Security & Privacy -> Firewall
-> Firewall Options..
, or from the command line:Configuring PF
The Application Firewall’s rule of allowing all incoming incoming traffics to the OpenSSH server offers no defense against brute force attack. Leaving the ssh port open on the internet, the server will get thousands of brute force login attempts each day. PF provides an elegant solution to this problem.
Append the following lines to
/etc/pf.conf
(see Section 30.3.3.5 - Using Overload Tables to Protect SSH of FreeBSD Handbook for an explanation):Reload
/etc/pf.conf
:Over time, the table bruteforce will be filled by overload rules and its size will grow incrementally, taking up more memory. We can expire table entries using
pfctl
. For example, this command will remove bruteforce table entries which have not been referenced for a day (86400 seconds):Mac Os Block App
To automate the process, let’s create a timed job using launchd that runs the above command once per day (see Timed Jobs Using launchd).
Create a launchd configuration file
/Library/LaunchDaemons/edu.ucsc.manjusri.pfctl-expire.plist
, with the following content:Start the timed job:
Dropping Blocks Mac Os 11
P.S. There are a few articles on the Internet on using PF on Mac OS X, but they often bypass the configuration file
/etc/pf.conf
Blade jumper mac os. (e.g. , Using pf on OS X Mountain Lion). If one takes that route, one must disable the Application Firewall. Otherwise Application Firewall will enable PF using the ruleset in /etc/pf.conf
. Only one ruleset will get loaded at last and become effective; but which one wins will probably be indeterministic or at least could be a surprise. I choose the approach described in this article, because:Dropping Blocks Mac Os X
- I always like to try something different
- I prefer layered defense. In this case, I have 2 firewalls running on the Mac.