If you have a broadband, always-on connection, your Mac is reachable from the Internet 24 hours a day, and automated scanning tools constantly probe such machines for network services they can flood with traffic or break into. OS X’s firewall feature puts up a barrier to that mischief by refusing incoming connections you haven’t approved. To turn it on, click the Firewall tab in the Security & Privacy pane of System Preferences, click the lock icon and authenticate yourself, and then click Turn On Firewall.
You don’t strictly need the firewall against Internet-side probes if your Mac connects to the Internet through a wired or wireless router (including the AirPort base station). Virtually every router performs network address translation and has a built-in firewall, so unsolicited connections from the Internet never reach your Mac at all. (Similarly, if you’re using the Internet Sharing feature described on Making the Switch, the first Mac, the one connected right to the Internet, is the one where the firewall matters most.) The router, however, does nothing about the other devices on the same network: a compromised laptop in the next cubicle, or any stranger on a hotel or café Wi-Fi network, can reach your Mac’s services directly.
In short: The firewall is essential if your Mac is connected directly to a cable modem, DSL box, or dial-up modem, and it’s worth leaving on whenever you join a network you don’t control. It costs nothing to run, and the per-program list described below keeps it out of your way.
Fortunately, it’s not a complete barrier. One of the great joys of having a computer is the ability to connect to other computers. Living in a cement crypt is one way to avoid getting infected, but it’s not much fun.
So the firewall doesn’t simply slam everything shut. Turn it on (System Preferences→Security & Privacy→Firewall tab, authenticate, click Turn On Firewall), and then you can also fine-tune the blockade.
To do that, click Firewall Options; you see something like Figure 11-14 at bottom. As you can sort of tell, OS X lets you allow or block Internet connections individually for each program on your Mac. Here’s what you’ll find there:
Block all incoming connections. This option might be better known as Paranoid Mode. Connections your Mac makes on its own (email, web surfing, software updates) are untouched, because this firewall never blocks outgoing traffic; what gets refused is every unsolicited incoming connection except for the handful of services OS X needs to function on a network at all, such as DHCP, Bonjour, and IPSec. Screen sharing, file sharing, iTunes music sharing, and every other listener are cut off, regardless of what the per-program list says. This is a hard-core, meat-fisted firewall that, for most people, is more trouble than it’s worth, though it’s exactly right on a public network where you don’t need to share anything.
As you can tell from the wording of this item, OS X’s firewall blocks only incoming connections. That stops outsiders from reaching services on your Mac, but it does nothing about a program already on your Mac that decides to call out, such as spyware phoning home or an app uploading data you’d rather keep. If you’d also like your Mac to block outgoing Internet connections, you can install a third-party outbound firewall program like Little Snitch, which asks for your permission the first time each program tries to connect somewhere. It’s available on this book’s “Missing CD” page at www.missingmanuals.com.
[List of individual programs]. If the firewall is on but you haven’t turned on “Block all,” then the Mac uses this list of individual programs and features to determine what’s allowed to accept network connections.
In this window (Figure 11-14, bottom), features of OS X itself are listed. They get added to this list automatically when you turn them on in System Preferences: File Sharing, Printer Sharing, and so on.
Non-Apple programs can gain passage through your firewall, too. You can add one to the list manually by clicking the + button below the list and choosing it by hand; or you can simply respond to the request box that pops up whenever a new program wants to accept incoming Internet connections.
Click Allow for each such request you recognize, that is, for a program you just launched that has a reason to accept connections (a chat client, a file-sharing app, a web server you’re running). Click Deny for anything you don’t recognize or didn’t just open, and certainly for an app called SneakyPoisonVirus or something. As you do so, their names get added to the list of programs in this dialog box, where you can change your answer later.
Figure 11-14. Top: The OS X firewall starts with a simple button click. The fun stuff doesn’t begin until you click Firewall Options. Bottom: This pane lists the programs that have been given permission to receive communications from the Internet. At any point, you can change a program’s Block/Allow setting, as shown here. You can also click the + button to navigate to your Applications folder and manually choose programs for inclusion.
For each program, you can use the pop-up menu beside its name to specify either “Allow incoming connections” or “Block incoming connections,” depending on your level of paranoia.
Automatically allow signed software to receive incoming connections. Signed software means programs carrying a code signature that chains to a certificate authority your Mac trusts; for Mac software that’s usually a Developer ID certificate issued by Apple, though certificates from companies like Verisign or GoDaddy count too.
Technically, a signature is a cryptographic seal computed over the program’s code with the developer’s private key. Your Mac checks it with the matching public key and the certificate chain, which confirms that the software did indeed come from the party named in the certificate and hasn’t been altered since it was signed, no matter how many detours it took to reach you. Note what it doesn’t confirm: that the program is well behaved. Anyone who obtains a developer certificate can sign software, and certificates have occasionally been stolen or abused, so a signed program is identified, not vouched for.
One more point: When you explicitly grant permission to an unsigned program, as described above, the firewall signs that program itself (an ad hoc signature, meaningful only on your Mac) so that it can recognize the very same program next time and not ask again.
If this checkbox is not turned on, then the first time any program tries to listen for incoming connections, you’ll be interrupted so that the Mac can ask whether to permit it. (The interruption comes when a program wants to accept connections, not simply the first time it runs.) Turning on the “signed software” box cuts down on the interruptions: a program with a valid signature is added to the allowed list silently, on the theory that a program whose author is known can be held accountable. If you’d rather see every request, leave the box off; you’ll be asked more often, but nothing gets through without your say-so.
Enable stealth mode. This is designed to slam shut the Mac’s back door to the Internet. See, hackers often use automated tools that send out “Are you there?” messages. They’re hoping to find computers that are turned on and connected full time to the Internet. If your machine responds, and they can figure out how to get into it, they’ll use it, without your knowledge, as a relay station for pumping out spam or masking their hacking footsteps.
“Enable stealth mode,” then, makes your Mac harder to find on the network. It won’t answer the electronic signal called a ping, and it won’t send the usual “nothing here” refusal when somebody probes a port your Mac isn’t listening on, so a scanner sees silence instead of a reply. Two caveats: any service you’ve allowed through the firewall still answers on its port, so stealth mode hides closed doors, not open ones; and you won’t be able to ping your own machine, either, when you’re on the road and want to know if it’s turned on and online.
You might have noticed that there doesn’t seem to be any option to turn on firewall logging, which creates a little text file where OS X records each incoming connection the firewall allowed or denied (with the program’s name and the other end’s address and port) and each probe that stealth mode ignored. Logging is available, though; in fact, it’s turned on all the time. The file is /var/log/appfirewall.log. To view it, open the Applications→Utilities→Console program; in the left-side list, expand the /private/var/log heading, and click appfirewall.log. A glance through it after a day on a public network is a good way to see how much unsolicited traffic a connected Mac actually attracts.
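Everything in the Firewall Options pane, and the log it writes, can also be driven from the command line, which is handy for checking a Mac’s state without clicking through System Preferences or for applying the same settings to several machines. The script below is an added example, not from this book or from Apple: the /usr/libexec/ApplicationFirewall/socketfilterfw path and its --get/--set flags are the real OS X command-line interface to the firewall, the fw_* function names are my own, and the log lines in SAMPLE_LOG are constructed samples modeled on the “Deny/Allow <app> connecting from …” and “Stealth Mode connection attempt …” entries in appfirewall.log, so compare them against your own log before trusting the summary on it.

```shell
#!/bin/sh
# Added example (not the book's or Apple's code): query and set the OS X
# application firewall with socketfilterfw, and summarize appfirewall.log.
# The socketfilterfw path and flags are real; the fw_* names are mine, and
# SAMPLE_LOG below is constructed to look like real appfirewall.log lines.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw
LOG=/var/log/appfirewall.log

# Print the current state of every setting in the Firewall Options pane,
# then the per-program Allow/Block list. Needs macOS and an admin password.
fw_show_state() {
    for q in getglobalstate getblockall getallowsigned getstealthmode getloggingmode; do
        sudo "$FW" --"$q"
    done
    sudo "$FW" --listapps
}

# Turn the firewall on with stealth mode and logging. Optional $1/$2 (on|off)
# set "Block all incoming connections" and "Automatically allow signed software".
fw_enable() {
    sudo "$FW" --setglobalstate on
    sudo "$FW" --setstealthmode on
    sudo "$FW" --setloggingmode on
    [ -n "$1" ] && sudo "$FW" --setblockall "$1"
    [ -n "$2" ] && sudo "$FW" --setallowsigned "$2"
    return 0
}

# Add an app bundle to the list and set its pop-up to Allow or Block.
fw_allow_app() { sudo "$FW" --add "$1" >/dev/null; sudo "$FW" --unblockapp "$1"; }
fw_block_app() { sudo "$FW" --add "$1" >/dev/null; sudo "$FW" --blockapp "$1"; }

# Summarize log lines read from stdin: one "Deny <app> N" or "Allow <app> N"
# line per program, then "Stealth N" for the probes stealth mode ignored.
# Output is sorted so the result is deterministic.
fw_log_summary() {
    awk '
        / (Deny|Allow) / {
            verdict = ($0 ~ / Deny /) ? "Deny" : "Allow"
            app = $0
            sub(/.* (Deny|Allow) /, "", app)      # drop timestamp, host, verdict
            sub(/ connecting from .*/, "", app)   # keep only the program name
            count[verdict " " app]++
            next
        }
        /Stealth Mode connection attempt/ { stealth++ }
        END {
            for (k in count) print k, count[k]
            print "Stealth", stealth + 0
        }' | LC_ALL=C sort
}

# Constructed sample log (not captured from a real machine), in the shape
# of appfirewall.log: two denied inbound attempts to Skype from one Internet
# host, one allowed LAN connection to Dropbox, and two probes seen by stealth mode.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 09:15:01 mac socketfilterfw[312] <Info>: Deny Skype connecting from 203.0.113.7:51512 to port 61234 proto=6
Mar 10 09:15:03 mac socketfilterfw[312] <Info>: Allow Dropbox connecting from 192.168.1.20:17500 to port 17500 proto=17
Mar 10 09:15:05 mac socketfilterfw[312] <Info>: Deny Skype connecting from 203.0.113.7:51513 to port 61234 proto=6
Mar 10 09:15:09 mac socketfilterfw[312] <Info>: Stealth Mode connection attempt to UDP 192.168.1.5:137 from 192.168.1.9:137
Mar 10 09:15:12 mac socketfilterfw[312] <Info>: Stealth Mode connection attempt to TCP 192.168.1.5:22 from 198.51.100.44:40022
EOF
)

# Demo: summarize the constructed sample (runs anywhere). On a Mac, source this
# file and run fw_show_state, or: fw_log_summary < "$LOG"
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

The summary groups by program and verdict rather than by source address on purpose: a burst of “Deny” lines for one program is the signal that somebody found a listener, and the “Stealth” count tells you how many probes the Mac silently dropped. To see who was knocking, grep the log for that program’s name and read the from-addresses directly.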