Murus is a powerful software firewall for macOS: a front end for pf (packet filter), the firewall built into the operating system. This tutorial uses the latest free version of Murus and shows how to enable inbound ICMP and lock down a Mac so that only the VNC (Screen Sharing) and SSH ports are open, and only to specific IP addresses.
WARNING: Configuring a firewall on a remote server can result in an unreachable server. We recommend reading through this guide fully before beginning. Complete the steps in order. Applying the default Murus rules can result in an unreachable server. When configuring a firewall on a production server, do so during a maintenance window.
Start by downloading and installing the latest version of Murus: https://www.murusfirewall.com/murus/#download
After it is installed, open Murus. There may be a couple of informational popups about the menulet that will display in the menu bar. Click OK, then select Start Murus Menulet At User Login if you would like (recommended).
After Murus is started, click Start Murus Lite.
Decide if you would like Murus to auto-update. We recommend declining this option in a production environment and scheduling a maintenance window to upgrade software.
In the main Murus configuration window, click the lock icon at the bottom left to unlock Murus and make changes. It will ask you to enter your user password. You will now see the full Murus configuration window.
Important screens within Murus:
Status – We won’t use this screen until the end, when we have our firewall rules configured and tested.
Services – This screen contains a predefined list of services known to Murus. Each service has one or more tcp/udp ports assigned to it. Custom services can be created as well.
Groups – To allow connections to specific services from certain IP addresses, we will create a group of IPs or IP ranges.
Option Rules – General options for Murus rules.
Inbound Rules – All inbound traffic is blocked by default. We will be allowing traffic from specific groups in this screen.
Overview – This screen shows the raw output of the pf rules that have been created by Murus.
First, we’re going to enable inbound ICMP so that it is available as a troubleshooting option. By default, Murus drops inbound ICMP traffic.
Navigate to Option Rules -> Filtering Preferences and uncheck the box for Block inbound icmp echo requests.
Moving on, we’re going to create a group. A group can be your home or office IP, or any other IP address that you would like to grant access to certain ports on your remote Mac. Navigate to Groups and click the + icon towards the top. Choose a Group Name and click Add New Group.
We have named our group Testing, and added several IP addresses to it. Make sure to add the IP address that you are currently connecting from.
Next, we’re going to add VNC and SSH as ‘managed’ services, and allow access from our new group.
Navigate to Inbound Rules -> xx open ports are unmanaged -> 5900 (where xx is the number of unmanaged open ports on your Mac). Select VNC and click Manage Service.
VNC is currently open to the world. Click on VNC and for Inbound Policy, select Pass Only…
Under Groups and lists, press the + icon and add the group that was created in the previous step.
Repeat these steps for SSH (port 22) if applicable.
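As an added illustration, not Murus's own generated ruleset (which you can read on the Overview screen), here is a hand-written pf.conf fragment that expresses the same policy the ICMP, Groups and Inbound Rules steps above build: a pf table standing in for the Testing group, a default inbound block, inbound echo requests allowed, and TCP ports 22 and 5900 passed only from addresses in the group. The table name and the addresses are constructed placeholders (RFC 5737 documentation ranges); replace them with your own.

```conf
# Constructed example: hand-written pf.conf equivalent of the tutorial's Murus policy.
# Not Murus output. Table name and addresses are placeholders; substitute your own.

# The "Testing" group from the tutorial, as a pf table. Add the address you
# are connecting from, or the rules below will lock you out.
table <testing> persist { 203.0.113.10, 198.51.100.0/24 }

set block-policy drop
set skip on lo0

# Default deny inbound; outbound is allowed and stateful so replies come back.
block in all
pass out all keep state

# Inbound ICMP echo requests allowed for troubleshooting
# (the tutorial unchecks "Block inbound icmp echo requests").
pass in inet proto icmp icmp-type echoreq

# VNC (5900) and SSH (22) only from the group; everything else stays blocked.
pass in proto tcp from <testing> to any port { 22, 5900 } flags S/SA keep state
```

Two checks a practitioner would run before trusting a ruleset like this: `sudo pfctl -nf <file>` parses the file without loading it, so syntax errors surface before anything changes, and `sudo pfctl -sr` shows the rules actually loaded so you can compare them with what Murus displays under Overview. From a host that is not in the group, a connection attempt to port 5900 or 22 should time out rather than connect. Note that the echo-request rule above answers pings from any address; if you only need ICMP from your own hosts, add `from <testing>` to that rule as well.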
Now it’s time to test our rules to make sure we can still connect after they are enabled. Murus gives us 60 seconds to disconnect from the remote Mac, reconnect, and click a button; if the button hasn’t been clicked within 60 seconds, Murus disables the firewall rules. This is very useful when configuring firewall rules in a remote environment.
Click the blue arrow at the top of the Murus window. Murus will ask if you’re remotely controlling the Mac, and it’s important to click I’m using remote control. Doing so will bring up a 60-second timer.
After disconnecting from Screen Sharing (VNC) and reconnecting, click the Dismiss button. This will leave the new firewall rules in place.
At this point, we have a working firewall, but it will not be enabled after the next reboot. Once you’re happy with the firewall rules, navigate to Status and click the Install Boot Scripts button. This will cause the firewall rules to load every time the Mac is rebooted.
Murus can be configured further, and there is extensive documentation available on the Murus website: https://murusfirewall.com/docs140/