Overview
macOS includes an Application Layer Firewall (ALF) that controls inbound network connections on a per-application basis. The firewall configuration reveals which applications are allowed or blocked from receiving incoming connections, the overall firewall state, and stealth mode settings. This data helps assess the system's network security posture.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Firewall state | Whether the firewall is enabled or disabled |
| Application rules | Which apps are allowed/blocked for incoming connections |
| Stealth mode | Whether the system ignores ICMP and port scans |
| Exceptions | Applications bypassing firewall rules |
| Signed app policy | Whether signed apps are automatically trusted |
File Locations
| Artifact | Path | Format |
|---|---|---|
| ALF preferences | /Library/Preferences/com.apple.alf.plist | Plist |
| Key | Type | Description |
|---|---|---|
| globalstate | Integer | 0=off, 1=on (specific services), 2=on (essential only) |
| stealthenabled | Integer | 1=stealth mode enabled |
| allowsignedenabled | Integer | 1=auto-allow signed apps |
| allowdownloadsignedenabled | Integer | 1=auto-allow downloaded signed apps |
| loggingenabled | Integer | 1=logging enabled |
| applications | Array | Per-application firewall rules |
| exceptions | Array | Firewall exceptions |
| firewallunload | Integer | 1=firewall is unloaded |
Application Rules
Each entry in the applications array:
| Key | Description |
|---|---|
| bundleid | Application bundle identifier |
| state | 0=blocked, 2=allowed |
| path | Path to application bundle (optional, used for identification) |
Key Fields for Analysis
```bash
# Read full firewall configuration
defaults read /Library/Preferences/com.apple.alf.plist

# Check firewall state
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

# List application rules
/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

# Check stealth mode
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
```
Analysis Notes
- Disabled firewall: A disabled firewall (globalstate = 0) on a corporate or security-sensitive system warrants investigation.
- Unusual allowed apps: Review the applications list for unexpected entries. Malware may add itself to the allow list to receive incoming connections (C2 traffic).
- Stealth mode: Stealth mode prevents the system from responding to ICMP ping requests and port scans. Its absence on a network-facing system may indicate weakened security.
- Signed app auto-trust: If allowsignedenabled = 1, any code-signed application is automatically allowed through the firewall. This means a signed malware binary would bypass the firewall.
- Logging: When firewall logging is enabled, connection attempts are recorded in /var/log/appfirewall.log and Unified Logs.
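The following added example (not part of the original page or of any tool it lists) parses a com.apple.alf.plist with Python's standard plistlib and applies the analysis notes above as triage checks. The plist content is a constructed sample, and com.example.updatehelper and its path are hypothetical; the known_bundles set stands in for an analyst's baseline of expected allow-list entries.

```python
import plistlib

# Constructed sample of /Library/Preferences/com.apple.alf.plist (not a real capture)
SAMPLE_ALF_PLIST = plistlib.dumps({
    "globalstate": 0, "stealthenabled": 0, "allowsignedenabled": 1,
    "loggingenabled": 0, "firewallunload": 0,
    "applications": [
        {"bundleid": "com.apple.screensharing.agent", "state": 2},
        {"bundleid": "com.example.updatehelper", "state": 2,  # hypothetical entry
         "path": "/Users/Shared/.cache/UpdateHelper.app"},
        {"bundleid": "org.mozilla.firefox", "state": 0},
    ],
})

# Value meanings as documented in the key table above
GLOBALSTATE = {0: "off", 1: "on (specific services)", 2: "on (essential only)"}
APP_STATE = {0: "blocked", 2: "allowed"}


def parse_alf(data: bytes) -> dict:
    """Decode raw plist bytes (binary or XML) into a normalised summary."""
    p = plistlib.loads(data)
    apps = [{"bundleid": e.get("bundleid", "<unknown>"),
             "state": APP_STATE.get(e.get("state"), "unknown"),
             "path": e.get("path")} for e in p.get("applications", [])]
    return {
        "globalstate": GLOBALSTATE.get(p.get("globalstate"), "unknown"),
        "stealth": bool(p.get("stealthenabled", 0)),
        "allow_signed": bool(p.get("allowsignedenabled", 0)),
        "logging": bool(p.get("loggingenabled", 0)),
        "unloaded": bool(p.get("firewallunload", 0)),
        "applications": apps,
    }


def triage(summary: dict, known_bundles: set) -> list:
    """Apply the analysis notes and return a list of findings to review."""
    findings = []
    if summary["globalstate"] == "off" or summary["unloaded"]:
        findings.append("firewall off or unloaded")
    if not summary["stealth"]:
        findings.append("stealth mode disabled")
    if summary["allow_signed"]:
        findings.append("signed apps auto-allowed")
    if not summary["logging"]:
        findings.append("firewall logging disabled")
    for app in summary["applications"]:  # only allowed, unbaselined apps are flagged
        if app["state"] == "allowed" and app["bundleid"] not in known_bundles:
            findings.append(f"unexpected allowed app: {app['bundleid']} at {app['path']}")
    return findings
```

Point parse_alf at the bytes of a collected plist (open it in binary mode) to triage a real image.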
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| socketfilterfw (macOS built-in) | Query and configure ALF |
| defaults (macOS built-in) | Read ALF preferences |
References