Fix Guide: Firewall Stealth Mode Not Working on Sequoia
Symptom: After enabling Stealth Mode in macOS Sequoia's Firewall settings, your Mac still responds to ping (ICMP) requests and port scans from external networks. Running nmap or ping from another device successfully detects your Mac's presence. System Settings shows Stealth Mode as enabled, but it's not blocking unsolicited network probes.
Why this happens
macOS Sequoia split firewall functionality between two components: socketfilterfw (application firewall) and pfctl (packet filter control). Stealth Mode is managed by socketfilterfw, but Sequoia's updated pf (packet filter) ruleset has a default pass rule that allows ICMP traffic before stealth mode rules are evaluated. The rule precedence changed, and the com.apple.alf.plist configuration file isn't generating proper PF anchor rules on Sequoia.
Additionally, if you're using iCloud Private Relay or a VPN, those services create network extensions that bypass local firewall rules entirely.
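To read `sudo pfctl -s rules` output for the precedence problem described above, this added example (not part of the original guide) reports which rule decides an unsolicited inbound ICMP echo request. The function name `icmp_verdict` and both sample rulesets are constructed for illustration and are not Sequoia's actual ruleset; anchors are not descended into and address or interface restrictions are ignored.

```shell
#!/bin/sh
# Added example. pf semantics used: rules are checked top to bottom, the LAST
# matching rule wins, and a matching rule marked "quick" ends evaluation.
# Assumptions: anchor contents are not inspected; from/to/on clauses are ignored.
# Real use on the Mac: sudo pfctl -s rules 2>/dev/null | icmp_verdict
icmp_verdict() {
  awk '
    $1 != "pass" && $1 != "block" { next }       # skip anchor and scrub lines
    {
      dir = ""; proto = ""; quick = 0; type = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "in" || $i == "out") dir = $i
        else if ($i == "quick") quick = 1
        else if ($i == "proto") proto = $(i + 1)
        else if ($i == "icmp-type") type = $(i + 1)
      }
      if (dir == "out") next                      # rule covers outbound only
      if (proto != "" && proto != "icmp") next    # rule covers another protocol
      if (type != "" && type != "echoreq") next   # rule covers another ICMP type
      verdict = $1; rule = $0                     # remember the latest match
      if (quick) exit                             # quick match: stop evaluating
    }
    END {
      if (rule == "") print "pass: no matching rule (pf default)"
      else print verdict ": " rule
    }'
}

# Constructed sample: a quick pass rule ahead of the block rule shadows it.
SAMPLE_SHADOWED='pass in quick inet proto icmp all
block drop in inet proto icmp all icmp-type echoreq'

# Constructed sample: the block rule is quick and comes first, so it decides.
SAMPLE_ORDERED='block drop in quick inet proto icmp all icmp-type echoreq
pass in inet proto icmp all'

printf '%s\n' "$SAMPLE_SHADOWED" | icmp_verdict
# pass: pass in quick inet proto icmp all
printf '%s\n' "$SAMPLE_ORDERED" | icmp_verdict
# block: block drop in quick inet proto icmp all icmp-type echoreq
```

A `pass` verdict means the ruleset answers echo requests regardless of the Stealth Mode toggle; check the order of rules in `/etc/pf.conf` before changing anything else.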
Fix 1: Manually Enable PF Stealth Rules
Add explicit packet filter rules for stealth mode:
```bash
# Check current PF rules
sudo pfctl -s rules
# Backup existing PF configuration
sudo cp /etc/pf.conf /etc/pf.conf.backup
# Add stealth mode rules to PF
sudo tee -a /etc/pf.conf > /dev/null <
```
Fix 2: Reset Application Firewall and Restart Services
Reset the application firewall database and restart firewall services:
```bash
# Stop firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
# Remove firewall configuration
sudo rm /Library/Preferences/com.apple.alf.plist
# Clear firewall cache
sudo rm -rf /var/db/socketfilter*
# Restart firewall service
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist 2>/dev/null
sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
# Re-enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# Enable stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
# Enable logging to verify it's working
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
# Verify status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
```
Fix 3: Disable Interfering Network Services
Some network services bypass stealth mode. Disable them temporarily:
```bash
# Disable iCloud Private Relay (if enabled)
# Go to System Settings → Apple ID → iCloud → Private Relay → Turn Off
# Check for active VPN connections that bypass firewall
scutil --nc list
# Disable Bonjour (mDNS) which responds to network probes
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
# Restart mDNS
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
# Test stealth mode from another device
# Your Mac should not respond to: ping
```
Recommended Tool: **Little Snitch**
Little Snitch is a professional firewall application that provides granular network control beyond macOS's built-in firewall. It includes true stealth mode that blocks all unsolicited incoming connections at the kernel level, with detailed logging of every connection attempt. Unlike System Settings' firewall, Little Snitch shows you exactly which applications are trying to connect to the network, allows you to create custom rules per-application and per-domain, and provides a network monitor to visualize all traffic. Its stealth mode works reliably on Sequoia without manual PF configuration, and it's unaffected by iCloud Private Relay or VPN bypass issues.