OS X Firewall Not Stealth

By | 2012/04/19

By default, even with the OS X Lion firewall enabled and stealth mode turned on, the system actually has a few ports open, despite System Preferences showing no services running and no ports open.

A Nessus scan will reveal the following UDP ports open and broadcasting information:

  • 5353 / UDP
  • 123 / UDP
  • 127 / UDP

Note: Ignore port 4242 TCP in these screenshots. I am knowingly running Crashplan on this port! 🙂

This occurs even with the security configuration locked down as tightly as the end user can make it in System Preferences, as shown in the screenshots below:

[Screenshots 06-firewall-osx and 07-firewall-osx: System Preferences firewall settings]
5353/UDP is used for mDNS, or Bonjour. Apple has folded this service into DNS on OS X, which makes it difficult to disable. The broadcasting portion of the service can be disabled with some hackery, as noted in this Apple KB article.

123/UDP is used for NTP, but an NTP client does not need this port open in the firewall in order to operate. Again, there is no user-configurable option to disable this.

127/UDP is used for Windows NetBIOS to broadcast the host’s NetBIOS name for compatibility on Windows networks. This is on by default even with no Sharing ‘services’ enabled in System Preferences. Disabling this broadcast should be user-configurable in System Preferences.

If you don’t have Nessus handy, you can also verify these particular UDP ports on your OS X machine with nmap:

$ sudo nmap -sU -p 123,127,5353

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-19 11:42 EDT
Nmap scan report for
Host is up (0.00063s latency).
123/udp  open          ntp
127/udp  open|filtered locus-con
5353/udp open|filtered zeroconf
MAC Address: 00:11:22:33:44:55 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
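As an added example (not part of the original post), here is a small Python check that parses the nmap output format shown above and reports which of the watched UDP ports did not come back closed, separating a confirmed reply (open) from nmap's ambiguous open|filtered verdict. The sample output is a fixture constructed from the scan above; scan_host() assumes nmap and sudo are available and that the caller supplies the target.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixture constructed from the nmap -sU scan shown on this page, so the check
# runs offline; the scan target is left unspecified, as it is on the page.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-19 11:42 EDT
Nmap scan report for
Host is up (0.00063s latency).
123/udp  open          ntp
127/udp  open|filtered locus-con
5353/udp open|filtered zeroconf
MAC Address: 00:11:22:33:44:55 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
"""

# UDP ports the post expects to be unreachable on a firewalled, stealthed host.
WATCHED_UDP_PORTS = (123, 127, 5353)

# One port line of nmap's normal output: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+([a-z|]+)(?:\s+(\S+))?")


def parse_nmap_ports(text: str) -> Dict[Tuple[int, str], Tuple[str, Optional[str]]]:
    """Map (port, proto) -> (state, service) for every port line in the output."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return found


def exposed_udp_ports(text: str, watched=WATCHED_UDP_PORTS) -> Dict[int, str]:
    """Watched UDP ports whose state is not 'closed', with the state nmap gave.

    'open' means the host answered the UDP probe (NTP replied above).
    'open|filtered' means nothing came back, which for UDP is ambiguous: the
    service may be listening silently or the firewall may have dropped the probe.
    """
    ports = parse_nmap_ports(text)
    return {p: ports[(p, "udp")][0] for p in watched
            if (p, "udp") in ports and ports[(p, "udp")][0] != "closed"}


def confirmed_open(text: str, watched=WATCHED_UDP_PORTS) -> List[int]:
    """Only the watched ports that actually replied (state exactly 'open')."""
    return sorted(p for p, s in exposed_udp_ports(text, watched).items() if s == "open")


def scan_host(target: str) -> Dict[int, str]:
    """Run the page's nmap command against `target` and apply the same check."""
    cmd = ["sudo", "nmap", "-sU", "-p", ",".join(map(str, WATCHED_UDP_PORTS)), target]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return exposed_udp_ports(out)
```

Run the module's functions on the sample to see the page's result (123 confirmed, 127 and 5353 ambiguous); after changing a setting, rerun scan_host() and expect the watched ports to drop out of the result.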