Your Mac’s network settings significantly impact your digital privacy. Every unencrypted DNS query tells your ISP which domains you visit. Every app allowed to receive incoming connections is a potential exposure point. Every saved WiFi network your Mac probes for broadcasts your location history.
macOS ships with reasonable defaults for home users, but anyone handling sensitive work deserves a tighter configuration. The settings below are organized from quickest wins to advanced configurations so you can apply the layers matching your threat model.
Prerequisites
Before you begin, make sure you have the following ready:
- A computer running macOS, Linux, or Windows
- Terminal or command-line access
- Administrator or sudo privileges (for system-level changes)
- A stable internet connection for downloading tools
Step 1 - Understand macOS Network Architecture
macOS provides multiple layers of network privacy controls:
- Application Firewall. controls which apps accept incoming connections
- pf packet filter. low-level kernel firewall for port and IP blocking
- DNS resolver. where queries are sent and whether they are encrypted
- Network Extensions. VPN clients, content filters, and DNS proxies installed by apps
- System services. location, Bonjour, AirDrop, and diagnostic uploads
Step 2 - Built-in Firewall Configuration
Application Firewall
The first line of defense is macOS’s built-in firewall:
- Open System Settings → Network → Firewall
- Enable the firewall if not already active
- Click the info icon next to each app to control incoming connections
The Application Firewall differs from traditional packet-filtering firewalls. It operates at the application level, giving you granular control over which apps can accept incoming connections. Anything not explicitly allowed is blocked automatically when the firewall is on.
Review the list of allowed applications periodically. Installers and update daemons sometimes add themselves during installation and never get removed when you uninstall the app. Prune this list aggressively.
Enabling Stealth Mode
For enhanced privacy, enable Stealth Mode:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth Mode prevents your Mac from responding to:
- ICMP (ping) requests
- UDP packets from closed ports
- Probing attempts from network scanners
This makes your Mac invisible to network scanners on the same segment. On a public WiFi network, this meaningfully reduces your exposure to opportunistic port scans.
Blocking All Incoming Connections
For the highest firewall setting. useful on untrusted networks. enable “Block all incoming connections”:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
This blocks everything except basic internet browsing (outbound connections you initiate). Essential services like file sharing and remote login will not work, making it ideal for coffee shop or airport WiFi sessions.
Step 3 - DNS Configuration for Privacy
Why Default DNS Is a Privacy Problem
When you connect to any network, macOS automatically uses the DNS servers provided by the router. typically your ISP’s resolvers. Those resolvers log every domain you query. Your ISP can sell aggregated browsing data, comply with surveillance requests, or inject ads via DNS manipulation.
Custom DNS Servers
Configure privacy-focused DNS:
- System Settings → Network → WiFi (or Ethernet)
- Click Details → DNS
- Add servers like:
- Cloudflare:
1.1.1.1,1.0.0.1 - Quad9:
9.9.9.9(blocks malicious domains) - NextDNS: custom resolvers with filtering and logging control
- Cloudflare:
Enabling DNS Encryption
macOS supports DNS over HTTPS (DoH) and DNS over TLS (DoT) natively since macOS 11 Big Sur via configuration profiles. The easiest approach for most users is installing a signed .mobileconfig profile from Cloudflare, Quad9, or NextDNS:
- Cloudflare DoH profile:
https://1.1.1.1/dns-over-https/cloudflare-dns.mobileconfig - Quad9 DoT profile: provided directly on Quad9’s website
After installing, go to System Settings → Privacy & Security → Profiles to verify the DNS profile is active and trusted.
For command-line configuration:
Confirm current DNS assignment per interface
scutil --dns | grep nameserver
Set resolver manually via networksetup (unencrypted, use as fallback)
sudo networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1
DNS encryption encrypts your DNS queries, preventing network observers from seeing your browsing destinations even if they capture your traffic.
NextDNS for Logging Control
NextDNS gives you detailed control over DNS logging, retention, and custom blocklists. Its free tier supports up to 300,000 queries per month. Configure it via the macOS app or by installing their signed configuration profile.
Step 4 - Network Extensions and Privacy
Managing Extensions
Network Extensions can intercept your traffic. Review them regularly:
- System Settings → Privacy & Security → Network Extensions
- Review installed content filters, DNS proxies, and VPN plugins
- Remove unnecessary extensions
Any VPN app, parental control software, or enterprise MDM profile installed on your Mac may have a Network Extension that routes all traffic through its infrastructure. If you no longer use a VPN service, verify that its extension is fully removed. uninstalling the app does not always remove the extension.
VPN Configuration
When using VPNs, ensure proper configuration:
- Enable Kill Switch to prevent data leaks if VPN disconnects
- Use IKEv2 or WireGuard protocols for better security
- Configure VPN to connect automatically on untrusted networks
- Avoid free VPN services. they frequently monetize user traffic
Check active VPN configurations
scutil --nc list
Check VPN connection status
scutil --nc status "YourVPNName"
Advanced Network Privacy Settings
Disabling Bonjour and AirDrop
Bonjour (mDNS) continuously announces your Mac’s presence on the local network, broadcasting your hostname and the services you advertise. AirDrop uses Bluetooth and WiFi to make you discoverable. Both expose you to local network enumeration:
Disable Bonjour multicast
sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array "-NoMulticast"
Set AirDrop to contacts only (or disable in Control Center)
defaults write com.apple.airdrop allowNoResponderLookup -bool true
For AirDrop, open Control Center → AirDrop → No One to disable discovery entirely when you don’t need it.
Firewall with pf.conf
For advanced users, pf offers kernel-level control significantly beyond the Application Firewall:
View current pf ruleset
sudo pfctl -sr
Edit /etc/pf.conf for custom rules
block in all
pass out all keep state
pass in proto tcp from 192.168.1.0/24 to any port 22
Always test pf rules carefully. Use a second terminal session or recovery plan before applying restrictive inbound rules.
Step 5 - Monitor Network Activity
Using Little Snitch or Lulu
macOS’s built-in firewall only handles incoming connections. To see and control outbound connections. including which apps call home without your knowledge. you need a third-party monitor:
- Little Snitch ($60, commercial): Real-time connection monitoring with per-rule alerts. Shows every DNS query, TCP connection, and blocked attempt. Excellent for auditing new app installs.
- Lulu (free, open-source): A simpler outbound firewall that blocks any new connection attempt until you explicitly allow it. Lower overhead, good for privacy-focused users who don’t need the full reporting suite.
Both tools reveal background telemetry calls from apps you thought were offline, system daemons phoning home, and analytics SDKs in otherwise legitimate software.
Built-in Network Diagnostics
macOS provides several built-in tools for inspecting connections:
List all current listening sockets
lsof -i -P | grep LISTEN
Monitor all active connections in real-time
netstat -an | grep ESTABLISHED
View recent network-related system log entries
log show --predicate 'subsystem == "com.apple.network"' --last 1h
Use netstat -rn to inspect your routing table and confirm VPN traffic is properly routed through the tunnel interface.
Step 6 - WiFi Privacy Considerations
Preventing Auto-Joining Networks
Your Mac probes for previously joined networks by name when WiFi is active. An attacker nearby can create a hotspot matching a saved network name and intercept your automatic connection:
- System Settings → Network → WiFi
- Disable Auto-Join for any network you don’t control
- Remove saved networks you no longer use. click the network → Forget This Network
MAC Address Randomization
macOS supports Private WiFi Address (MAC randomization) per network since macOS 14 Sonoma. Enable it for each network you connect to:
- System Settings → Network → WiFi
- Click the Details button next to a network
- Enable Private WiFi Address → choose Rotating for maximum protection
Rotating mode changes your MAC address on a schedule, further reducing the ability of network operators to track your device across sessions.
Step 7 - System Services Network Access
Location Services and Networking
Some system services transmit data automatically:
- System Settings → Privacy & Security → Location Services
- Review System Services → Networking & Wireless
- Disable location-based networking if unnecessary. this prevents macOS from using known WiFi hotspot locations to supplement GPS positioning data
Diagnostic Data and Analytics
Control what diagnostic data Apple receives:
- System Settings → Privacy & Security → Analytics & Improvements
- Disable Share Mac Analytics
- Disable Share with App Developers
- Disable Share iCloud Analytics if you use iCloud
These settings limit the amount of usage data, crash reports, and behavioral telemetry sent to Apple’s servers.
Confirm diagnostics submission daemon is not running
launchctl list | grep diagnostic
Step 8 - Comparing Third-Party Firewall Tools
| Tool | Price | Outbound Control | Logging | Open Source |
|---|---|---|---|---|
| macOS Firewall | Free | No | No | No |
| Lulu | Free | Yes | Basic | Yes |
| Little Snitch | ~$60 | Yes | Detailed | No |
| Radio Silence | $9 | Yes | Minimal | No |
Lulu provides strong protection at no cost. Little Snitch is the professional choice when you need detailed logging and network map visualization.
Troubleshooting Network Privacy Issues
If you experience connectivity problems after adjusting settings:
- Temporarily disable the firewall to identify conflicts with specific applications
- Check DNS settings if websites fail to load. some corporate DNS setups break when you override with public resolvers
- Verify VPN configuration if connection drops occur by checking
scutil --nc status - Review system logs:
log show --predicate 'subsystem == "com.apple.network"' --last 30m - If pf rules lock you out of SSH, reboot into Recovery Mode and restore from backup pf.conf
Frequently Asked Questions
Does enabling the macOS firewall slow down my internet? No measurable impact for typical home users. The Application Firewall only evaluates incoming connection attempts, not ongoing data transfer.
Should I use both the built-in firewall and pf? They complement each other. The Application Firewall is the quickest protection; pf gives IP-level and port-level control the Application Firewall cannot provide.
Does MAC randomization break anything? Some enterprise networks authenticate by MAC address. Enabling Private WiFi Address requires re-authenticating on those networks. For home routers with MAC-based DHCP reservations, disable randomization for your home network specifically.
Related Articles
- How to Configure macOS Privacy Settings 2026
- macOS Privacy Settings For Remote Workers 2026
- macOS Privacy Hardening Checklist 2026
- Harden macOS Sequoia Privacy Settings Beyond Default
- Facebook Privacy Settings 2026 Complete Guide
- AI Coding Assistant for Network Traffic Analysis - What Built by theluckystrike. More at zovo.one