Securing Mac OS X Mojave for Local Development

Local development often means listening on `127.0.0.1`/`localhost` and calling it a day. While that works locally, it becomes a challenge to perform end-to-end tests when trying to use real devices or simulate with virtual machines. Solutions such as ngrok exist that allow you to securely create tunnels (with the added benefit of https out of the box), but still expose your application on the web. Binding your application to `0.0.0.0` allows you to listen on all interfaces, but opens you up to connections from anyone on your network. 

Mac OS X comes with a firewall out of the box that allows you to lock down incoming connections.

When enabled, the firewall is not very configurable.

Luckily, Mac OS X doesn't actually provide a firewall of its own; it is just a front end to the OpenBSD Packet Filter (pf), which means we can configure it to do what we want.

Firstly, we'll need to enable stealth mode. This is a requirement as the launch daemon won't start unless this option is checked. After you exit out of those dialogs, open up a terminal.

The first thing we're going to do is modify the packet filter configuration. Be sure to leave all the existing rules in the file.

$ sudo vim /etc/pf.conf

We can use the following ruleset

If you leave out the rules for Bonjour, features such as AirPlay will not work. We can test those changes by running

$ sudo pfctl -f /etc/pf.conf

That will load the new firewall configuration. You can test whether it works by listening with netcat on the Mac and trying to connect to that port from a different machine on the network:

192.168.1.5  $ nc -lv 0.0.0.0 9000

192.168.1.10 $ echo "test" | nc -q 1 192.168.1.5 9000
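The article's own ruleset is not reproduced on this page, so the script below is an added example of mine (not the author's rules) that implements the same intent: keep loopback open, block everything else inbound, let Bonjour through so AirPlay keeps working, and expose one development port to one trusted device. The trusted device address (192.168.1.10) and the port (9000) are taken from the netcat test above; everything else is assumed. It also includes the syntax check and the remote connection probe a practitioner would want before trusting the rules.

```shell
#!/bin/sh
# Added example, not the article's ruleset. Generates a pf filter-rule
# fragment that:
#   - keeps loopback (127.0.0.1 / localhost development) open,
#   - blocks everything else inbound while allowing outbound traffic,
#   - lets Bonjour/mDNS (UDP 5353) through so AirPlay keeps working,
#   - opens ONE development port to ONE trusted device on the LAN.
# Only filter rules are emitted so the fragment can simply be appended after
# Apple's existing rules in /etc/pf.conf (pf.conf is order-sensitive: options
# and translation rules have to precede filter rules).
# Assumed values: trusted device 192.168.1.10, dev port 9000.

# Crude IPv4 sanity check so a typo (or worse) never ends up in /etc/pf.conf.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# make_rules TRUSTED_IP DEV_PORT : print the pf fragment on stdout.
make_rules() {
    trusted="$1"; port="$2"
    is_ipv4 "$trusted" || { echo "make_rules: bad IPv4 address '$trusted'" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "make_rules: bad port '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "make_rules: bad port '$port'" >&2; return 1; }
    cat <<EOF
# --- local development rules (added example; in pf the last matching rule wins) ---
pass in quick on lo0 all
block in all
pass out all keep state
# Bonjour / mDNS; without this AirPlay and friends stop working
pass in proto udp from any to any port 5353 keep state
# the dev server, reachable only from the trusted device
pass in proto tcp from $trusted to any port $port flags S/SA keep state
EOF
}

# check_rules : read a fragment on stdin and parse it with "pfctl -n", which
# checks syntax without loading anything. Skips with a message on a machine
# that has no pfctl. Run it with sudo on the Mac.
check_rules() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "check_rules: pfctl not found, skipping syntax check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    pfctl -nf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# probe_port HOST PORT : run this FROM THE OTHER MACHINE (the 192.168.1.10
# side in the article) while "nc -lv 0.0.0.0 9000" is listening on the Mac.
# Returns 0 if a TCP connection succeeds within 3 s, non-zero if pf blocks it.
# Repeat from an untrusted address to confirm that one is refused.
probe_port() {
    nc -z -w 3 "$1" "$2"
}

# Typical use on the Mac (append the fragment, dry-run the whole file, reload):
#   make_rules 192.168.1.10 9000 | sudo sh -c 'cat >> /etc/pf.conf'
#   sudo pfctl -nf /etc/pf.conf && sudo pfctl -f /etc/pf.conf
```

Two notes on the check: `pfctl -nf` only parses, so run it on the full `/etc/pf.conf` before the real `pfctl -f` to avoid loading a half-broken file, and `sudo pfctl -s rules` afterwards shows what is actually active. The `-q 1` flag in the client command above belongs to the Linux netcat; the BSD `nc` that ships with macOS does not have it, which is why `probe_port` uses the portable `-z -w` form instead.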

Be sure to remember that you've enabled this configuration.