
Application Firewall

Introduction

This guide talks about the firewall in relation to your applications. While the other firewall guides talk about how to enable and configure your firewall, this one will go through how to allow applications through and the risks involved with doing so.

Risks

There are two main ways to allow an app through a firewall on most operating systems.

  • Add an app to the list of allowed apps.
  • Open a port.

Opening a port in your firewall is much riskier than allowing an app through.

When you open a port on a firewall, you allow traffic into or out of your device as though you drilled a hole through it. This makes your device less secure and might create opportunities for hackers or malware to use one of those openings to get to your files or use your device to spread malware to other devices.

When you add an app to the exceptions list on your firewall, it only creates a “hole” when it needs to use it.

To help reduce your security risk:

  • Only allow an app or open a port when you really need to, and follow the steps to remove apps from the list of allowed apps or close ports that you no longer need.
  • Never allow an app that you don’t recognize to communicate through the firewall.

Procedures

Windows

Add or Remove an App from the List of Allowed Apps

  1. Click the Start menu, type Allow an app through Windows Firewall, and select it from the list of results.
  2. Click Change settings. You might be asked for an administrator password or to confirm your choice.
  3. To add an app, check the check box next to the app, or click Allow another app and enter the path for the app.
  4. To remove an app, uncheck the check box next to the app, and then click OK.

Open or Close a Port

  1. Click the Start menu, type Windows Defender Firewall, and select it from the list of results.
  2. Click Advanced settings on the side navigation menu. You might be asked for an administrator password or to confirm your choice.
  3. Click Inbound Rules.
  4. To open a port, click New Rule, and complete the on-screen instructions.
  5. To close a port, click the rule you want to disable, and then under the Actions drop-down, click Disable Rule.

macOS

Add or Remove an App from the List of Allowed Apps

  1. On your macOS device, click Apple menu > System Preferences > Security & Privacy > Firewall. If the lock at the bottom left is locked, click it to unlock the preference pane.
  2. Click Firewall Options. If the Firewall Options button is disabled, first click Turn On Firewall to turn on the firewall for your macOS device.
  3. Click Add from the list of services drop-down, then select the services or apps you want to add. After an app is added, click its up and down arrows to allow or block connections through the firewall.

Blocking an app’s access through the firewall could interfere with or affect the performance of the app or other software that may depend on it.

Important: Certain apps that don’t appear in the list may have access through the firewall. These can include system apps, services, and processes, as well as digitally signed apps that are opened automatically by other apps. To block access for these programs, add them to the list.

When your macOS device detects an attempt to connect to an app you haven’t added to the list and given access to, an alert message appears asking if you want to allow or deny the connection over the network or internet. Until you take action, the message remains, and any attempts to connect to the app are denied.

Open or Close a Port

Reminder: this is not recommended.

  1. Open the Terminal app.
  2. Enter the following at the prompt to stop the pf (packet filter) firewall if it’s active.
    sudo pfctl -d
    
  3. Next, use the nano text editor to open the configuration file for pf.
    sudo nano /etc/pf.conf
    
  4. The editor will show the contents of the default config, which contains important default rules that should be left in place. You can add your custom rule, but make sure you do so below any existing configuration.
  5. If you want to open port 12044, for example, enter the following at the bottom of the file.
    pass in inet proto tcp from any to any port 12044 no state
    
    To break this down, you’re allowing (pass) incoming (in) TCP (inet proto tcp) traffic from any machine to any other machine (though in this context it means just your machine) on port 12044 with no state inspection.
  6. Press Ctrl-X to exit nano, and press Y and Enter to confirm that you want to save the file with the same name.
  7. Type the following command into the prompt to reload the firewall’s configuration from the file you just edited.
    sudo pfctl -f /etc/pf.conf
    
  8. Finally, enter the following at the terminal to re-start the firewall.
    sudo pfctl -E
    
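As an added example (not part of the original guide), the shell functions below build the step 5 rule for a given protocol and port, validate the input, and have pfctl parse the edited file with `pfctl -nf` (check only, nothing loaded) before `pfctl -f` replaces the live ruleset, so a typo cannot leave you with a broken configuration. It assumes the stock /etc/pf.conf path from the steps above and that pfctl is available (macOS).

```sh
#!/bin/sh
# Added example, not part of the original guide. Builds the "pass in" rule
# from step 5, then appends it to pf.conf and syntax-checks the file with
# `pfctl -nf` (parse only) before `pfctl -f` loads it into the running pf.
# Assumes the stock /etc/pf.conf path from the guide; PF_CONF overrides it.
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# pf_rule PROTO PORT: print one pf rule, or return 1 on bad input.
pf_rule() {
    proto=${1:-}
    port=${2:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "pf_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "pf_rule: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "pf_rule: port out of range 1-65535" >&2
        return 1
    fi
    printf 'pass in inet proto %s from any to any port %s no state\n' \
        "$proto" "$port"
}

# pf_open_port PROTO PORT: back up pf.conf, append the rule below the
# existing configuration (step 4), verify it parses, then reload (steps 7-8).
# On a parse error the backup is restored and nothing is loaded.
pf_open_port() {
    rule=$(pf_rule "$1" "$2") || return 1
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pf_open_port: pfctl not found, nothing changed" >&2
        return 1
    fi
    sudo cp "$PF_CONF" "$PF_CONF.bak" || return 1
    printf '%s\n' "$rule" | sudo tee -a "$PF_CONF" >/dev/null || return 1
    if ! sudo pfctl -nf "$PF_CONF"; then
        echo "pf_open_port: pf.conf failed to parse, restoring backup" >&2
        sudo cp "$PF_CONF.bak" "$PF_CONF"
        return 1
    fi
    sudo pfctl -f "$PF_CONF" && sudo pfctl -E
}
```

Running `pf_open_port tcp 12044` reproduces the rule from step 5; to close the port again, delete that line from pf.conf and reload with the same `pfctl -f` command.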

Linux - Debian/Ubuntu

Debian and Ubuntu both use Uncomplicated Firewall (ufw) as their recommended firewall. Therefore, the following instructions apply for both Debian and Ubuntu.

Open a Port

To open a port on ufw, use the following command with [port] replaced with the numerical value of the desired port.

sudo ufw allow [port]/tcp

Note: Either TCP or UDP can be used here; if UDP is desired instead, use udp in place of tcp above. Specifying both protocols in one command is not supported.

Opening a Port Range

Open a range of ports on ufw by using the following command.

sudo ufw allow [start port]:[end port]/tcp

The start and end port are replaced with the numerical value of the port range (inclusive) to be opened. For example, if you want to open ports 7100-7200, you would use the following command.

sudo ufw allow 7100:7200/tcp

Allow an App

Applications that open ports can include a ufw profile, which lists the ports the application needs to function properly. The profiles are kept in /etc/ufw/applications.d and can be edited if the default ports have been changed.

To view which applications have installed a profile, enter the following in a terminal.

sudo ufw app list

Similar to allowing traffic to a port, using an application profile is accomplished by entering the following command.

sudo ufw allow [app]

where [app] is the name that appears in the list from the previous command.

Linux - Fedora

Fedora uses a firewall service called firewalld.

Opening a Port

Opening ports can leave your system vulnerable; it is recommended not to open any ports unless absolutely necessary.

Execute the following commands in a terminal.

  1. Get a list of allowed ports in the current zone.
    $ firewall-cmd --list-ports
    
  2. Add a port to the allowed ports to open it for incoming traffic.
    $ sudo firewall-cmd --add-port=port-number/port-type
    
  3. Make the new settings persistent.
    $ sudo firewall-cmd --runtime-to-permanent
    

The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication.

Resources