Block IP Scanners on Mac

TL;DR

This guide shows you how to block IP address scanners from accessing your Mac using the built-in firewall and, optionally, a more advanced rule set. This helps protect against unwanted probing of your network.

Blocking IP Scanners on Your Mac

  1. Understand the Problem: IP scanners quickly check many IP addresses to see which ones are active. They aren’t always malicious, but they can be a sign someone is looking for targets. Blocking them reduces unnecessary network traffic and potential security risks.
  2. Check Your Firewall Status: macOS has a built-in firewall. First, let’s make sure it’s on.
    • Go to System Settings (or System Preferences in older versions of macOS).
    • Click on Network.
    • Select Firewall.
    • Ensure the firewall is switched On.
  3. Enable the Packet Filter: The rule-based firewall behind the GUI is pf (packet filter), and we’ll use its command-line tool, pfctl, for more control.
    • Open Terminal (found in /Applications/Utilities/).
    • Enable pf (it is off by default even when the GUI firewall is on) and load its current rule set from /etc/pf.conf:
      sudo pfctl -e
      sudo pfctl -f /etc/pf.conf
  4. Edit the pf.conf File: The pf.conf file controls the firewall.
    • Open the file with a text editor (you’ll need administrator privileges):
      sudo nano /etc/pf.conf
    • Add these lines at the end of the file to drop unsolicited inbound connections to the ports scanners most often probe (the rules match the destination port on your Mac, and quick stops rule evaluation as soon as a packet matches). Be careful when editing this file, as incorrect settings can lock you out of your Mac; in particular, inbound UDP port 68 carries DHCP replies, so blocking it can break DHCP on this Mac.
      block in quick proto tcp from any to any port { 21, 22, 23, 80, 443, 3389 }
      block in quick proto udp from any to any port { 53, 67, 68, 135, 137, 138, 139, 4045 }
    • Save the file (Ctrl+X, then Y to confirm).
  5. Reload the Firewall: Apply the changes.
    • In Terminal, check the file for syntax errors first (the -n flag parses the file without loading it), then load it:
      sudo pfctl -nf /etc/pf.conf
      sudo pfctl -f /etc/pf.conf
    • Confirm that pf is enabled and that your new rules are loaded:
      sudo pfctl -s info
      sudo pfctl -s rules
  6. (Optional) Block Specific IP Addresses: If you identify a specific IP address scanning your network, block it directly.
    • Edit /etc/pf.conf again:
      sudo nano /etc/pf.conf
    • Add a line like this (replace 192.168.1.100 with the IP address you want to block):
      block quick from 192.168.1.100
    • Save and reload the firewall as in step 5.
  7. (Optional) Logging: Enable logging to see blocked connections.
    • Edit /etc/pf.conf:
      sudo nano /etc/pf.conf
    • Add the log keyword to the block rules from step 4 (it goes right after the direction), for example:
      block in log quick proto tcp from any to any port { 21, 22, 23, 80, 443, 3389 }
    • Save and reload the firewall.
    • View logs in Console app (/Applications/Utilities/). Filter by ‘pf’ to see firewall activity.
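pf’s log keyword sends matching packets to the pflog0 pseudo-interface, whose text form is what `sudo tcpdump -n -e -ttt -i pflog0` prints. The script below is an added example, not part of the original guide: it parses constructed sample lines in that shape, flags sources that probed several different ports on the Mac (the step 6 question of which IP to block), and renders the corresponding block rules; the sample addresses and the threshold of three ports are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of `sudo tcpdump -n -e -ttt -i pflog0`
# output for rules that carry the `log` keyword (not real captured traffic).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on en0: 203.0.113.5.41234 > 192.168.1.20.22: Flags [S], seq 1, win 1024, length 0
00:00:00.000412 rule 3/0(match): block in on en0: 203.0.113.5.41235 > 192.168.1.20.23: Flags [S], seq 1, win 1024, length 0
00:00:00.000790 rule 3/0(match): block in on en0: 203.0.113.5.41236 > 192.168.1.20.80: Flags [S], seq 1, win 1024, length 0
00:00:00.001103 rule 3/0(match): block in on en0: 203.0.113.5.41237 > 192.168.1.20.443: Flags [S], seq 1, win 1024, length 0
00:00:00.001550 rule 3/0(match): block in on en0: 203.0.113.5.41238 > 192.168.1.20.3389: Flags [S], seq 1, win 1024, length 0
00:00:04.201337 rule 3/0(match): block in on en0: 198.51.100.7.55120 > 192.168.1.20.22: Flags [S], seq 9, win 65535, length 0
00:00:09.887002 rule 4/0(match): block in on en0: 192.168.1.30.137 > 192.168.1.20.137: UDP, length 50
"""

# One pflog line: matched rule, action, direction, interface, src ip.port > dst ip.port.
PFLOG_RE = re.compile(
    r"rule \S+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<if>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

def parse_pflog(text):
    """Yield (src_ip, dst_port) for every logged inbound block."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m and m["action"] == "block" and m["dir"] == "in":
            yield m["src"], int(m["dport"])

def find_scanners(text, min_ports=3):
    """Return {src_ip: sorted ports} for sources that hit at least min_ports distinct ports."""
    hits = defaultdict(set)
    for src, dport in parse_pflog(text):
        hits[src].add(dport)
    return {ip: sorted(ports) for ip, ports in hits.items() if len(ports) >= min_ports}

def pf_block_rules(scanners):
    """Render step-6 style pf.conf rules, one per flagged source."""
    return [f"block in quick from {ip}" for ip in sorted(scanners)]

if __name__ == "__main__":
    found = find_scanners(SAMPLE_PFLOG)
    for ip, ports in found.items():
        print(f"{ip} probed ports {ports}")
    print("\n".join(pf_block_rules(found)))
```

A single connection attempt (198.51.100.7 above) is not flagged, which keeps ordinary clients out of the block list; lower min_ports if you want a stricter policy.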