
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

-1 votes
1 answers
28 views
Blocked apps in firewall?
Running an EtreSoft diagnostic on a Macbook Pro (2019), I see this in the report:
```
Firewall:
Blocked apps:
    org.mozilla.updater
    com.apple.controlcenter
    com.vdigger.MacVideoDownloader
    com.apple.garageband10
    com.GoPro.goproapp.GoProMsgBus
    com.soma-zone.BackupLoupe
    com.proxyman.NSProxy
Stealth mode: Enabled
```
Some of them I recognize, but some I don't. I've never knowingly done anything to block any of them. Are they blocked from receiving packets, sending packets, or both? Is the block outside my local subnet, or does it include items within (printer, iPhones, iPads, router)? macOS is 15.5 (24F74)
WGroleau (5370 rep)
Aug 3, 2025, 11:58 PM • Last activity: Aug 5, 2025, 01:38 PM
0 votes
1 answers
412 views
I accidentally clicked deny on port open prompt
I'm developing an app that binds to a local address, on a random port when it runs. I used to get a prompt to allow connections but I accidentally pressed the Enter key and I think I denied the terminal app. Where should I look to fix this?
Romeo Mihalcea (169 rep)
Jun 1, 2022, 11:32 PM • Last activity: Jul 16, 2025, 06:06 PM
3 votes
2 answers
1657 views
pf: Dynamically add rule to nat-anchor
I connect to a Cisco VPN Server and want to share that connection via wifi. Using the macOS Internet Sharing feature, I can only select one interface to share - either my LAN adapter, or the VPN connection. Clients on the wifi can then only connect to either the iNet, or the VPN. The VPN Server is only creating a split-tunnel connection - and switching to full tunnel is unfortunately not an option. Setting my nat rules directly in /etc/pf.conf/ works fine and solves my problem to a degree. I want to script and dynamically add them using a nat-anchor. Setting the anchor with load for an external config works, however when I define my anchor in pf.conf and try to populate my rules using `pfctl` like so:
```
echo "
nat on en8 from bridge100:network to any -> (en8)
nat on utun1 from bridge100:network to any -> (utun1)" | pfctl -a my.anchor -f -
```
or as a one-liner:
```
echo -e "nat on en8 from bridge100:network to any -> (en8)\nnat on utun1 from bridge100:network to any -> (utun1)\n" | pfctl -a my.anchor  -f -
```
(w/ or w/o the trailing `\n`) I can confirm that the rules are set on my anchor using `pfctl -sn -a my.anchor` but the actual routing remains unchanged. What am I doing wrong here?
CygnusOlor (31 rep)
Mar 30, 2020, 03:04 AM • Last activity: Jul 15, 2025, 01:05 PM
2 votes
2 answers
326 views
Disable Firewall Notifications
I am developing some software as part of a research project, and am running into an annoying issue with the Mac firewall. Our system architecture involves running multiple concurrent processes which open network ports, so when I start an execution, I get a _ton_ of firewall notifications.

Whether I click Allow or Deny, the notification comes back every time. I've also tried adding the program to the firewall settings, but the notifications still appear. Enabling stealth mode, or even disabling the firewall, likewise does nothing.

This [similar question](https://apple.stackexchange.com/questions/3271/how-to-get-rid-of-firewall-accept-incoming-connections-dialog) asks about fixing this issue for a single program, and there's some discussion about code signing. But this won't work for me: I'm just compiling new versions of my code; I need to prevent these dialogs from appearing _during testing_, not production. So marking a single executable as "safe" (if even possible) would only work until the next compilation.

A few more data points:

- This happens no matter where I run the program from — terminal or VS code terminal
- This used to happen occasionally, but now happens nearly all the time, after I moved my project from my Documents folder (which I realized was being backed up to iCloud) to a separate local folder. Possibly something with file-provenance trust? This would be strange, however. My new directory is just `~/Local Documents`
- While some variants of our program _do_ use incoming network access, I'm currently just testing on a single machine (with multiple processes acting as multiple hosts, using the mpi framework).

Ideally, I'd like to mark executables in a certain folder as being exempt from firewall rules, but at this point, I'm happy to even just turn off the warnings system-wide.
[This answer](https://apple.stackexchange.com/questions/74517/how-can-i-exclude-certain-ports-from-the-firewall-notifications) seems to suggest I may be out of luck.
baum (201 rep)
Feb 8, 2024, 11:26 PM • Last activity: Jul 9, 2025, 03:03 PM
0 votes
1 answers
242 views
Can I use pf to route incoming traffic on a specific port differently?
I have a mac that's connected to a VPN, where the VPN's gateway is the system's default gateway for all outgoing traffic. This means that I cannot connect to any services running on my mac from some arbitrary IP outside of my local network, even when port forwarding is set up correctly on my router, because the source IP address of the connection will be a non-local IP and therefore the system will try to route it through the VPN, not through my local gateway. However, I think it might be possible to use pf to route this traffic differently based purely on its port number. What I'd want is to have the default gateway for a connection on a specific port to be my local gateway, rather than the VPN, regardless of what the source IP address is. (If I knew the IP in advance, I could just set up a static route.) Is it possible to do this? If so, how would I configure pf to do so? (Perhaps it's possible to use pf to select a different routing table for the connection based on its port?)
Bri Bri (2930 rep)
Feb 14, 2023, 05:28 PM • Last activity: Jul 4, 2025, 12:06 PM
0 votes
0 answers
34 views
Lost Access to Internet After Turning on PF Firewall
I followed the following guide: https://iyanmv.medium.com/setting-up-correctly-packet-filter-pf-firewall-on-any-macos-from-sierra-to-big-sur-47e70e062a0e to set up my firewall on my Mac. Problem is, now I can't connect to the internet from it. The only changes I made to the instructions are naming of files (not the problem since the firewall starts up and is definitely up so my renaming of stuff worked fine) and a different firewall rule set. In my case my rules are really simple:
```
block in
pass out
```
That's it. Now I can't access the internet. My Mac has taken up the IP address of 169.254.x.x (Which I know is a DHCP issue i.e. it's a self assigned IP address when the DHCP server is unreachable) and Wireshark has no traffic other than to my Gateway, obviously DHCP traffic. All other devices on my network are working fine, so it's almost certainly the PF firewall. Any ideas on what might be the problem?
Xoteric (65 rep)
Jul 4, 2025, 09:09 AM • Last activity: Jul 4, 2025, 09:16 AM
0 votes
0 answers
15 views
Enabling NAT to a bridge using pf.conf?
Does anyone know how to configure NAT for use with a bridge on MacOS? I tried a configuration, which I thought worked in the past, however it no longer works. I have my public internet on `en1 192.168.0.10` and bridge for QEMU guests on `bridge100 192.168.57.1`.
```
sudo sysctl net.int.ip.forwarding=1
```
(I note, omitting the previous line causes NAT to work! still asking if this is the correct configuration). Here it's not set when NAT works:
```
sudo sysctl -a|grep fowar
''
```
I'm trying the following in pf.conf:
```
nat on en1 from bridge100:network to any -> (en1)
```
My routes look like:
```
Host: default 192.168.0.1
VM: default via 192.168.57.1
```
I try trace route from the VM, and it's going through the right route, but pings time out:
```
$ traceroute www.google.com
traceroute to www.google.com (142.250.80.36), 30 hops max, 60 byte packets
1 _gateway (192.168.57.1) 0.990 ms 0.644 ms 0.527 ms^C
```
atod (77 rep)
Jun 29, 2025, 11:37 PM • Last activity: Jun 29, 2025, 11:57 PM
3 votes
2 answers
5618 views
pfctl to add rules at runtime WITHOUT editing /etc/pf.conf?
I have an app that (while it is running and only while it is running) needs to make changes to the packet filter (`pf`) so that it blocks or allows certain traffic. These rules should be in addition to the user's own rules in `/etc/pf.conf` - but I do not want to directly edit `/etc/pf.conf` as this is extremely intrusive. I can do this trivially in Linux using iptables and even in Windows using wfp without altering any on-disk files, can I accomplish the same thing in OS X with `pf`? Solution only has to work in Yosemite (10.10) and above
horseyguy (203 rep)
Jun 5, 2018, 11:51 PM • Last activity: May 29, 2025, 04:19 PM
2 votes
1 answers
62 views
Is it possible to harden a launchd service?
I use [syncthing](https://syncthing.net/) for backups and data sync. In Linux, I run it via a systemd hardened unit, restricting what directories the process can read, access to privileged kernel ops and, most important, I restrict TCP/UDP traffic to a particular subnet, to ensure no data egress happens. I'm installing it on a Mac laptop via Brew which uses launchd to run it, the file is this one:
```
KeepAlive

Label
homebrew.mxcl.syncthing
LimitLoadToSessionType

	Aqua
	Background
	LoginWindow
	StandardIO
	System

ProgramArguments

	/opt/homebrew/opt/syncthing/bin/syncthing
	-no-browser
	-no-restart

RunAtLoad

StandardErrorPath
/opt/homebrew/var/log/syncthing.log
StandardOutPath
/opt/homebrew/var/log/syncthing.log
```
I've done some research and I could not find a way to harden security. I can live without data and privileged access restrictions, but I'd like to ensure no data egress happens. Is this possible? Note: tried `sandbox-exec`, but it does not support IP addresses (error: `sandbox-exec: host must be * or localhost in network address`)
Sebastian (161 rep)
Apr 11, 2025, 10:52 AM • Last activity: May 12, 2025, 11:04 AM
0 votes
0 answers
76 views
Prevent using other DNS from Android emulator
I'm on a 2021 MacBook Pro with Sequoia 15.3.2 and some of my settings (DNS, Firewall) are set with a profile by the company I work for. Sometimes I share this MacBook to a user for which I've created a standard (non-admin) account and has Android Studio with Android emulator. I noticed that it is possible to start android emulator from the command line and set another DNS by adding `-dns-server` parameter. I would like to prevent the use of another DNS in Android emulator and possibly in other apps. I can't uninstall Android Studio as it is needed. How could I do that, independently of the network the user is connected to (I can force something on Wifi network but not with 4G/5G hotpoint)?

I first thought of hosts file, but I think it only allows to block by host name and not by IP. I don't have access to Firewall and DNS settings as it is handled by the company. Then I thought of pfctl but I don't know exactly how to configure it, I made a quick try but didn't succeed. I added those lines in pfctl conf and restarted it:
```
block drop proto tcp from any to 8.8.8.8 port 53
block drop proto udp from any to 8.8.8.8 port 53
```
Then I launched Android emulator with `-dns-server 8.8.8.8` option, but this DNS server was still accessible. Maybe I should add port 853 in my conf too? Can you please advise me on how I could do that?
Ydelo (1 rep)
May 2, 2025, 03:26 PM • Last activity: May 4, 2025, 09:24 PM
1 votes
1 answers
482 views
Has apple removed pflog from packetfilter?
FreeBSD includes `pflog` as a way to analyze `pf` logs. I don't see a `/var/log/pflog` and I would like to enable this. Are `pflog` and `/var/log/pflog` available on macOS?
CarriMegrabyan (319 rep)
Aug 24, 2022, 06:53 PM • Last activity: Apr 21, 2025, 11:32 PM
2 votes
2 answers
650 views
"no route to host" for certain applications from MacOS host to MacOS guest
I'm running a MacOS VM (VMWare Fusion) on a MacOS host. The guest has a VM-assigned NAT IP address. Both guest and host on MacOS 15.2 (Sequoia). I'm encountering a strange issue: I can `ping`, `nc`, or `ssh` from the host to the guest, but Homebrew `telnet` as well as some apps based on the go network stack return `no route to host`. For example, the following works fine from the host to the guest:
```
# nc -zv guest-ip-address 1234
Connection to guest-ip-address port 1234 [tcp/search-agent] succeeded!
```
`traceroute` from the host to the guest-ip-address also succeeds. But the following fails:
```
# telnet guest-ip-address 1234
telnet: connect to address guest-ip-address: No route to host
```
I don't have firewall enabled and there is nothing in Settings-->Privacy Security-->Local Networking that is not already allowed. Can anyone point me in the right direction to troubleshoot?
ajkessel (71 rep)
Jan 15, 2025, 09:55 PM • Last activity: Apr 14, 2025, 08:58 PM
8 votes
1 answers
11807 views
What Firewall settings needs to be enabled for Airdrop?
Which option in the built-in firewall in System Preferences needs to be enabled to allow AirDrop to receive files on a Mac? The Mac can currently see iPhones and other devices in Airdrop, but does not show on the iPhone as a target for Airdrop.
A.Badger (821 rep)
Sep 3, 2019, 12:05 PM • Last activity: Mar 22, 2025, 02:56 AM
1 votes
1 answers
250 views
Why is the pf firewall (pfctl) enabled after power on on my Mac?
I'm using macOS 15.3.2, and I haven't changed `/System/Library/LaunchDaemons/com.apple.pfctl.plist` on my Mac, its content is
```
Disabled

Label
com.apple.pfctl
WorkingDirectory
/var/run
Program
/sbin/pfctl
ProgramArguments

	pfctl
	-f
	/etc/pf.conf

RunAtLoad
```
But when I tapped `sudo pfctl -s info` in terminal, it shows the status is enabled. There's no command like `-e` in this file, why is pfctl enabled after power on?
Fujin (39 rep)
Mar 20, 2025, 01:16 AM • Last activity: Mar 20, 2025, 03:27 AM
0 votes
0 answers
20 views
How can I share a tunnel connection over WiFi?
There appears to be a bug in MacOS Ventura (but also any version) whereby an attempt to share a tunnel connection (like WireGuard, OpenVPN, etc.) over WiFi will fail without error (no AP created). I doubt Apple will ever fix this long-standing bug, but I am hopeful a workaround can be implemented. It is possible to share an "AdHoc" network via:
```
sudo networksetup -createnetworkservice AdHoc lo0
sudo networksetup -setmanual AdHoc 192.168.2.1 255.255.255.255
sudo networksetup -setmanual AdHoc 127.0.0.1 255.255.255.255
```
then selecting this new service in Internet Sharing. An AdHoc AP is created. Of course, this doesn't have access to the internet so something has to be routed such as a NAT router. I haven't used pf since I set up a pfsense router over a decade ago, but I tried something like:
```
nat on utun3 from 192.168.2.0/24 to any -> utun3
```
but that didn't appear to work. Any suggestions on how to get around this problem?
Ball (61 rep)
Mar 3, 2025, 03:46 AM
0 votes
0 answers
55 views
Sonoma: Permanently allow Python to open a server port?
Recently starting a python process that opens a server port always triggers the Firewall dialog `Do you want allow that Python.app can accept incoming network connections?` (translated)

As the system Python version is too old I have installed Python 3.11 and Python 3.13 via brew. The code signing of e.g. Python 3.13 seems to be valid:
```
codesign -vv /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app: valid on disk
/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app: satisfies its Designated Requirement
```
I also have tried to add the two Python installations to the firewall allow list: `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps`

I have added the .app folder and the application executable as I wasn't sure which one had to be added:
```
4 :  /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python
         ( Allow incoming connections )

5 :  /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
         ( Allow incoming connections )
```
## What do I need to do to permanently allow my Python installations to open a listening port?

The firewall is configured to allow "system software " as well as "signed software" to accept incoming connections. The Mac should be running headless as server, thus there is no-one who can click on the dialogs opened by the system...

**Edit 1**: I found some more details in the firewall log. It seems like for some reasons MacOS comes to the conclusion that `/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app` is neither "local signed" nor "Apple signed" - is this the expected result?
(venv) appicaptor@ac-macdyn ~ % log stream --info --debug --predicate 'process == "socketfilterfw"'

Filtering the log data using "process == "socketfilterfw""
[com.apple.ALF.ApplicationFirewall:fw] KEXT: Python: Allow TCP CONNECT (in:1 out:0)
[com.apple.ALF.ApplicationFirewall:fw] DoRead
[com.apple.ALF.ApplicationFirewall:fw] sw_msg_hdr len: 44 type: updaterules (8)
[com.apple.ALF.ApplicationFirewall:fw]   pid: 1120 flag: 0x0
[com.apple.ALF.ApplicationFirewall:fw] rules: tc: 0x0 tl: 0x0 tb: 0x0 uc: 0x0 ub: 0x0
[com.apple.ALF.ApplicationFirewall:fw] pe_path:
[com.apple.ALF.ApplicationFirewall:fw]
(Security) [com.apple.securityd:csresource] 0x140f093e0 rule ^Contents$ added (weight 0, flags 0x12)|\.SoftwareDepot\.tracking)$ added (weight 0, flags 0x9)
(Security) [com.apple.securityd:csresource] 0x1421060b0 rule ^(\.LSOverride|\.DS_Store|Icon
(Security) [com.apple.securityd:dirval] entering /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
(Security) [com.apple.securityd:dirval] entering /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents
(Security) [com.apple.securityd:dirval] leaving /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents
(Security) [com.apple.securityd:dirval] leaving /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
(Security) [com.apple.securityd:unixio] open(/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python,0x0,0x1b6) = 12
(Security) [com.apple.securityd:unixio] open(/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python,0x0,0x1b6) = 13
(Security) [com.apple.securityd:macho] 0x14200a6c0 is a thin file (arm64)
(Security) [com.apple.securityd:unixio] close(12) err: 0
(Security) [com.apple.securityd:macho] 64-bit linkedit is valid
(Security) [com.apple.securityd:macho] 64-bit linkedit is valid
(Security) [com.apple.securityd:machorep] 546 signing bytes in 3 blob(s) from /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python(arm64)
(Security) [com.apple.securityd:cfloadfile] failed to fetch /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/_CodeSignature/CodeRequirements-1 error=-10
(Security) [com.apple.securityd:staticCode] SecStaticCode network default: NO
(Security) [com.apple.securityd:unixio] close(13) err: 0
[com.apple.ALF.ApplicationFirewall:fw] CFBundleCreateIfLooksLikeBundle returns a bundle 0x42104480
[com.apple.ALF.ApplicationFirewall:fw] CFBundleGetId returns org.python.python
[com.apple.ALF.ApplicationFirewall:fw] found bundleid org.python.python in FindBundleIDEntry()
[com.apple.ALF.ApplicationFirewall:fw] ALF: IsPrefAppSigned()-file:///opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/ not local signed, check for apple signed
(Security) [com.apple.securityd:csresource] 0x14200a740 rule ^Contents$ added (weight 0, flags 0x12)|\.SoftwareDepot\.tracking)$ added (weight 0, flags 0x9)x0                  
(Security) [com.apple.securityd:csresource] 0x14200c530 rule ^(\.LSOverride|\.DS_Store|Icon
(Security) [com.apple.securityd:dirval] entering /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
(Security) [com.apple.securityd:dirval] entering /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents
(Security) [com.apple.securityd:dirval] leaving /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents
(Security) [com.apple.securityd:dirval] leaving /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app
(Security) [com.apple.securityd:unixio] open(/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python,0x0,0x1b6) = 12
(Security) [com.apple.securityd:unixio] open(/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python,0x0,0x1b6) = 13
(Security) [com.apple.securityd:macho] 0x140f09950 is a thin file (arm64)
(Security) [com.apple.securityd:unixio] close(12) err: 0
(Security) [com.apple.securityd:macho] 64-bit linkedit is valid
(Security) [com.apple.securityd:macho] 64-bit linkedit is valid
(Security) [com.apple.securityd:machorep] 546 signing bytes in 3 blob(s) from /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/MacOS/Python(arm64)
(Security) [com.apple.securityd:cfloadfile] failed to fetch /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/_CodeSignature/CodeRequirements-1 error=-10
(Security) [com.apple.securityd:staticCode] SecStaticCode network default: NO
(Security) [com.apple.securityd:codedir] 0x14200ac70 validating slot -2
(Security) [com.apple.securityd:unixio] open(/opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/Info.plist,0x0,0x1b6) = 12
(Security) [com.apple.securityd:unixio] close(12) err: 0
(Security) [com.apple.securityd:codedir] 0x14200ac70 validating slot -1
(Security) [com.apple.securityd:kcode] guest 0x14200a818(1120) kernel status 0x22000201
(Security) [com.apple.securityd:codedir] 0x14200ac70 validating slot -1
(Security) [com.apple.securityd:staticCode] 0x142009c88 loaded InfoDict 0x14200a400
(Security) [com.apple.securityd:cfloadfile] failed to fetch /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/_CodeSignature/CodeEntitlementDER error=-10
(Security) [com.apple.securityd:cfloadfile] failed to fetch /opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/Contents/_CodeSignature/CodeEntitlements error=-10
[com.apple.ALF.ApplicationFirewall:fw] ALF: isSecCodesigned()-SecCodeCheckValidity returns error = -67050
[com.apple.ALF.ApplicationFirewall:fw] SecCodeCheckValidity rts error -67050
[com.apple.ALF.ApplicationFirewall:fw] ALF: pid 1120 is NOT apple signed
(Security) [com.apple.securityd:unixio] close(13) err: 0
[com.apple.ALF.ApplicationFirewall:fw] ALF: IsPrefAppSigned file:///opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/ rts false
[com.apple.ALF.ApplicationFirewall:fw] ALF: DoUpdateRule()-GetFWConfig bundle org.python.python, path file:///opt/homebrew/Cellar/python@3.13/3.13.2/Frameworks/Python.framework/Versions/3.13/Resources/Python.app/ returns 0x0
[com.apple.ALF.ApplicationFirewall:fw] DoUpdateRule
[com.apple.ALF.ApplicationFirewall:fw] sw_msg_hdr len: 44 type: updaterules (8)
[com.apple.ALF.ApplicationFirewall:fw]   pid: 1120 flag: 0x0
[com.apple.ALF.ApplicationFirewall:fw] rules: tc: 0xffff tl: 0xffff tb: 0xffff uc: 0xffff ub: 0xffff
[com.apple.ALF.ApplicationFirewall:fw] pe_path:
[com.apple.ALF.ApplicationFirewall:fw]
[com.apple.ALF.ApplicationFirewall:fw] DoRead
[com.apple.ALF.ApplicationFirewall:fw] sw_msg_hdr len: 128 type: ask (3)
[com.apple.ALF.ApplicationFirewall:fw]   ref: 0xfffffe24cdfc9900 proc_ref: 0x460 proc_name: Python proc_id: 1120 op: 3 address: unknown family type:0 response: 65535 pid_entry: 0xfffffe1b342a0e80
[com.apple.ALF.ApplicationFirewall:fw]
[com.apple.ALF.ApplicationFirewall:fw] DoRead
[com.apple.ALF.ApplicationFirewall:fw] sw_msg_hdr len: 128 type: sw_msg_type_askmsgrelease (14)
[com.apple.ALF.ApplicationFirewall:fw]
Robert (221 rep)
Feb 12, 2025, 04:35 PM • Last activity: Feb 13, 2025, 01:55 PM
7 votes
1 answers
8764 views
Pop-up Appears then disappears at MacOS Boot: Do you want the application "mediasharingd" to accept incoming network connections?
I'm running MacOS Catalina 10.15.7 (19H114) on a Macbook Pro 11,3 15" mid 2014. Every time I log into my Mac, after about 5 seconds, I get a popup that says...

> Do you want the application "mediasharingd" to accept incoming network connections? Clicking the Deny may limit the application's behavior. This setting can be changed in the Firewall pane of Security & Privacy preferences.

After about 3/4ths of a second, the popup disappears, and doesn't allow me to click allow or deny. This continues to happen no matter my firewall settings. I have tried the following firewall settings:

> √ Block all incoming connections
> ☐ Automatically allow built-in software to receive incoming connections
> ☐ Automatically allow downloaded signed software to receive incoming connections
> √ Enable stealth mode

Then with:

> ☐ Block all incoming connections
>> mediasharingd (blocked)
>
> ☐ Automatically allow built-in software to receive incoming connections
> ☐ Automatically allow downloaded signed software to receive incoming connections
> ☐ Enable stealth mode

and finally with:

> ☐ Block all incoming connections
>> mediasharingd (blocked)
>
> ☐ Automatically allow built-in software to receive incoming connections
> ☐ Automatically allow downloaded signed software to receive incoming connections
> √ Enable stealth mode

Regardless of my Firewall settings, this popup continues to open, then immediately close right after login. My questions are...

1. What is mediasharingd, and how can I trace back which app is using it and where exactly it is coming from, so I can delete it?
2. Why is mediasharingd seemingly being able to request internet access before my firewall activates?
3. How do I debug this and STOP this pop-up from happening on login, and permanently block mediasharingd?

Screenshots below. Thanks for any help!
DanRan (820 rep)
Dec 20, 2020, 04:14 PM • Last activity: Jan 25, 2025, 02:50 PM
0 votes
0 answers
17 views
pf: Rewrite destination IP address based on subnet
I'd like to have the firewall rewrite outbound packets with a destination network of 192.168.99.0/24 to 10.1.10.0/24, for example, so `ping -b utun7 192.168.99.5` sends ICMP packets to the host 10.1.10.5. If rewriting the whole subnet isn't feasible, I'd settle for rewriting for a specific destination address. I've tried:
```
$ sudo pfctl -d
$ sudo pfctl -f /dev/stdin  192.168.99.0/24
rdr on utun7 from any to 192.168.99.5 -> 10.1.10.5
EOF
$ sudo pfctl -e
```
The first rule has a syntax error. The second rule is accepted but looking at outbound traffic there is no change to the destination address. If possible, I'd like to do this in a stateless way (I don't care about it being able to NAT the return traffic).
rgov (641 rep)
Jan 24, 2025, 04:14 AM
2 votes
1 answers
2727 views
How to diagnose firewall issues when I open a port locally on MacOS Big Sur?
I have a specific port (8000) open on my Mac (macOS 11.6) for local web development testing. The networking isn’t set up for all machines on my subnet to see this port so I need help with networking setup. Let’s say my computer’s NAT IP is 192.168.1.10. If I go to 192.168.1.10:8000, I get nothing. nmap also tells me the port is closed. I can access the port on 127.0.0.1:8000, though. I’m not doing anything with my router to give WLAN access, this is just so other computers and mobile devices on my local Wi-Fi network can access the server. I have turned off the application firewall, and also have tried adjusting the packet filter (PF) settings, and it kept saying that there was a syntax error in the PF list. I even tried disabling pfctl, which I did, but macOS is still blocking port 8000 and generally still seemed to be running a firewall. Is there another/different firewall system I need to configure to have my networking stack setup to allow any machine on my subnet to see the locally opened port as open?
Jason (1146 rep)
Feb 14, 2022, 01:46 PM • Last activity: Dec 30, 2024, 03:56 PM
1 votes
2 answers
101 views
Do you want the application “Music” to accept incoming network connections?
Macbook asks "Do you want the application “Music” to accept incoming network connections?" Why would Music need to do that, and is there risk to saying allow?
FortMyersSteve (11 rep)
Dec 16, 2024, 09:22 PM • Last activity: Dec 17, 2024, 05:37 AM