CCE

CCE-85312-7

Platform: cpe:/o:apple:mac_os_11
Date: (C)2022-12-28 (M)2023-07-04



A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. If you are using a third-party firewall solution, this setting does not apply.

[IMPORTANT]
====
Configuring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====

Fix: Enable the firewall and run the following command to block all incoming connections.

# /usr/bin/defaults write /Library/Preferences/com.apple.alf.plist "globalstate" -int 2

The change takes effect after a reboot.

Note: Setting globalstate to 2 blocks all incoming connections; before changing it to 2, ensure you add exceptions for services you need, such as SSH.


Parameter:

[yes/no]


Technical Mechanism:

NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule.
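An added compliance check for this rule, written here as an example and not the supplemental script the note refers to: it reads globalstate from the same plist the fix writes to and reports pass or fail against the default-deny value 2. Assumed in this example: the meanings of values 0 and 1, the constructed SAMPLE_GLOBALSTATE fallback for hosts without the macOS defaults tool, and the --fix flag, which is this script's own.

```sh
#!/bin/sh
# Added compliance check for CCE-85312-7; not SecPod's supplemental script.
# Assumptions: the plist path and globalstate=2 come from the record above;
# the meanings of 0 (off) and 1 (on, per-service rules) are assumed, and
# SAMPLE_GLOBALSTATE is a constructed value used only where `defaults` is absent.
ALF_PLIST=/Library/Preferences/com.apple.alf.plist
SAMPLE_GLOBALSTATE="${SAMPLE_GLOBALSTATE:-2}"   # constructed sample for non-macOS hosts

# Map a globalstate value to a verdict. Prints one status line and returns 0
# only when the default-deny state (2) is set.
alf_globalstate_status() {
  case "$1" in
    2) echo "PASS: globalstate=2 (all incoming connections blocked)"; return 0 ;;
    1) echo "FAIL: globalstate=1 (firewall on but allow-by-service; no default deny)"; return 1 ;;
    0) echo "FAIL: globalstate=0 (firewall disabled)"; return 1 ;;
    *) echo "FAIL: globalstate is '$1' (unset or unexpected)"; return 1 ;;
  esac
}

# Read the live value from the same plist the fix writes to; fall back to the
# constructed sample when `defaults` is not present (e.g. a Linux CI host).
read_alf_globalstate() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read "$ALF_PLIST" globalstate 2>/dev/null || echo "unset"
  else
    echo "$SAMPLE_GLOBALSTATE"
  fi
}

# Apply the record's fix (needs root). A reboot is still required, and any
# exceptions such as SSH must be in place before relying on the blocked state.
apply_alf_default_deny() {
  /usr/bin/defaults write "$ALF_PLIST" "globalstate" -int 2
}

# Usage: sh alf_check.sh [--fix]   (the --fix flag is this script's own)
main() {
  value=$(read_alf_globalstate)
  if alf_globalstate_status "$value"; then
    return 0
  fi
  if [ "${1:-}" = "--fix" ] && command -v defaults >/dev/null 2>&1; then
    apply_alf_default_deny && echo "Fix applied; reboot for it to take effect"
  fi
  return 1
}

main "$@"
```

Run it on a macOS host with no arguments to audit; the exit status (0 for pass, 1 for fail) makes it usable from a configuration-management check.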

CCSS Severity:
CCSS Score: 8.3
Exploit Score: 2.8
Impact Score: 5.5
Severity: HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: LOW
Availability: HIGH

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:80345


OVAL (1): oval:org.secpod.oval:def:80345
XCCDF (1): xccdf_org.secpod_benchmark_general_Mac_OS_11

© SecPod Technologies