How do I create firewall rules to limit AirPlay communication (Port 7000 on Apple devices) to only trusted devices?

In light of the recent announcement about "Airborne..."


...how do I "create firewall rules to limit AirPlay communication (Port 7000 on Apple devices) to only trusted devices, enhancing network security and reducing exposure?" I have already restricted AirPlay settings on my devices by changing the "Allow AirPlay for" setting to "Current User" in the system settings and disabled AirPlay Receiver on the devices, but...I am not sure how to configure the firewall.


I have an Xfinity xFi router with an Airport Extreme attached to it (set up as an extended network), along with numerous Airport Express (1st and 2nd gen) units that I am using to stream audio to (and one that is connected via USB to a printer).


I got this response from AI (but have no idea how to configure the firewall for my specific setup/situation):

----------->

To create firewall rules that limit AirPlay communication on port 7000 to only trusted devices, you can follow these steps:

  1. Identify the IP addresses or MAC addresses of the trusted devices.
  2. Configure your firewall to allow traffic only from these trusted devices on port 7000. This can typically be done by specifying the source IP addresses or MAC addresses in the firewall rule.

For example, if you are using a Ubiquiti EdgeRouter, you can add a rule to your firewall configuration to allow traffic only from the trusted devices. Here is an example of how to do this:

set firewall name trusted-zone rule 100 action accept
set firewall name trusted-zone rule 100 protocol tcp
set firewall name trusted-zone rule 100 destination port 7000
set firewall name trusted-zone rule 100 source address <trusted_device_ip>

Replace <trusted_device_ip> with the actual IP address of the trusted device. You can add multiple rules for each trusted device.

-----------|


Finally, once I create the firewall rules, will that completely ensure my network is not susceptible to the Airborne vulnerabilities? Any help would be greatly appreciated!


Thanks!

Posted on May 7, 2025 5:29 PM


May 29, 2025 11:43 AM in response to Gizmology

In no particular order…


Airborne was fixed in Apple gear back in March.


AI is ideally suited for generating “filler” text, for sabotaging others’ activities, for spam, for social media engagement and related posting fodder, and other related uses. It is not a reliable technical reference source.


Usual approach for network isolation would put all untrusted gear in an untrusted VLAN, or fully physically segment the wired or Wi-Fi network into trusted and untrusted. And probably add a DMZ, if you’re opening firewall ports into your internal servers. The DMZ isolates potential breaches of the servers.


Here, the network firewall should be blocking any inbound traffic without a matching outbound connection, and you can further block network-inbound and/or network-outbound connections from or to TCP 7000. (But that should not be arising inbound, absent an override in the firewall.) It is fairly common to block and alarm certain outbound connections at the network firewall (at the Xfinity gateway box, here) though, such as outbound connections originating from TCP 25.


As for your quest to block AirPlay, AirPlay uses the following ports, plus mDNS:

TCP: 5000, 7000, 7001, 7100, 8612, and the ephemeral range (49152-65535)

UDP: 6001, 6002, 7000, 7010, 7011, 8150, 8151, 8612, and the ephemeral range (49152-65535)


This port list is from the following resource, and any errors in that list are probably mine:

TCP and UDP ports used by Apple software products - Apple Support


A better solution would likely involve RADIUS (and 802.1X), but the Xfinity and AirPort gear likely won’t support that. This is because MAC addresses can be spoofed, and because Apple devices intentionally spoof MAC addresses. The spoofing is usually consistent per network, but the selected MAC can be re-randomized on occasion.


May 27, 2025 8:08 PM in response to g_wolfman

Hi, Thanks for getting back to me. Someone else responded earlier, but it seems their reply is now gone. I still have their response in my email, though. They mentioned using MAC Address Filtering to block untrusted devices from joining my Wi-Fi. They also mentioned disabling Multicast/Broadcast for untrusted devices. Not entirely sure how to go about that, but here are some screenshots of the options in my router admin:


IPv4 currently set to:


Has the ability to custom set instead with the following possible options:



IPv6 currently set to:


Has the ability to custom set instead with the following possible options:


Finally, under Wi-Fi there is this (with the pull-down menu for the MAC Filtering Mode having the option to: Allow-All, Allow, or Disable):





Any more thoughts or instruction on how I may want to adjust the router settings would be most welcome. As far as replacing the Airport devices...not really an option as (I previously mentioned) my entire streaming audio system is reliant upon the multiple Airport Express units. My printer is hooked into one too, and buying a new printer with built-in AirPrint would not be that big a deal, but...losing all the audio streaming capabilities is not an option. So...just trying to do the best I can with my current setup. If you can advise as to how to configure my xFi router in an effort to give me as much protection as possible, I'd greatly appreciate it.


Thanks again!

May 8, 2025 7:28 PM in response to Gizmology

Are your devices even vulnerable, given that all or nearly all of the CVEs have already been fixed? Are your devices vulnerable to CVEs that permit arbitrary code execution initiated from outside your firewall (and does your firewall allow arbitrary devices outside the firewall to connect to other devices inside of it)? Are you forwarding port 7000 for some reason?


Why not just turn off AirPlay in any device that doesn't need it - especially those that routinely leave the network? I don't think this is an issue where tweaking your firewall is going to help you.

May 9, 2025 1:37 PM in response to g_wolfman

Hi,


Thanks for the reply! I was looking to create the firewall rules based on the advice on the Oligo website/announcement. They suggest restricting access by creating the specific firewall rules I mentioned (along with disabling AirPlay Receiver, and changing "Allow AirPlay for" to "Current User" on devices).


I have the firewall toggle switch on all my Macs flipped to active (and "Automatically allow built-in software to receive incoming connections," "Automatically allow downloaded signed software to receive incoming connections," and "Enable stealth mode" also switched on/active).


I have an old 2012 Mac Mini running Mojave OS 10.14.6 which I use to stream audio through Audirvana Studio. Also, I used Airport Utility 5.6.1 Launcher to inject the old Apple80211 system file so I can run Audirvana in Direct Mode. On the Mini's firewall, I added Audirvana Studio, Airfoil, and Airfoil Satellite and selected "Allow incoming connections" for each.


Other than that, I have one Airport Express connected to my main stereo amp via RCA (to get audio for my TV, as my amp is old and has no HDMI connection). I have another one attached to a different amp, and one plugged into some powered desktop speakers. I stream audio to those using TIDAL from my iPhone app. And, there is also the previously mentioned Airport that is hooked to my printer via USB.


So...with that in mind, I am just trying to lock down my network (especially, given the old mini/old Airports, etc.) so I can protect myself from any CVEs that I may still be susceptible to.


Based on all that, please let me know what you think.


Thanks again for the help!

May 27, 2025 3:31 PM in response to Gizmology

The firewall and security settings on the router from the ISP will prevent most anything getting onto your network - especially if it is serving your LAN addresses. If none of your mobile devices that leave your local network (phones, laptops) are vulnerable, then they can't bring an "airborne" infection back in.


The "wormable zero-click RCE" relies on infected devices to propagate the malware to other vulnerable devices on your local network. If no infection comes in and vulnerable devices are protected by your ISP firewalls and NAT on the router, then no infection can happen.


If anything, you should consider replacing your Airport Wifi devices with something modern that supports WPA3 security.

May 28, 2025 5:10 PM in response to Gizmology

On the ISP's router, typical security is going to give you pretty much what you need - it's already basically blocking all WAN-LAN traffic that doesn't correspond to a communications channel that started from LAN to WAN.


MAC Address filtering won't hurt - but it's security theatre, not real security. The Firewall and IDS are already blocking intrusions from outside the LAN, and if an attacker is inside and on your LAN, they can spoof MAC addresses and poison the router's ARP cache.


Honestly, if you are determined to run a firewall to the effect you describe - then either each device you want to protect (computers only) needs a host-based firewall, or you need a network firewall sitting between the router and all the devices in a router <-> dedicated firewall <-> switch <-> LAN configuration. In either case, you are talking about learning the pf firewall and pfctl - the built-in Application Firewall won't cut it.


Once again, I caution that this is a huge undertaking for a very small incremental security improvement (if that).
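As an added example (not from the thread, Apple, or Oligo), here is what the host-based pf ruleset mentioned above could look like on one of the Macs, using the port list from the earlier answer; it assumes the LAN interface is en0, that the three table addresses are placeholders for the trusted senders, and that it is merged into the existing /etc/pf.conf below Apple's own anchors rather than replacing that file.

```pf
# Added example pf.conf fragment for one Mac on the LAN (not from the thread).
# Assumptions: LAN interface is en0; the table addresses are placeholders for
# the trusted AirPlay senders (e.g. the iPhone and the Mac mini); the port list
# is the one from the answer above, plus UDP 5353 for the mDNS that AirPlay uses.
lan_if = "en0"

# Trusted senders. Replace with your own addresses and give them DHCP
# reservations on the router so they do not change.
table <airplay_trusted> persist { 192.168.1.20, 192.168.1.21, 192.168.1.22 }

# AirPlay listener ports. The ephemeral range (49152-65535) is not opened
# inbound; replies on those ports are admitted by the stateful outbound rule.
airplay_tcp = "{ 5000, 7000, 7001, 7100, 8612 }"
airplay_udp = "{ 5353, 6001, 6002, 7000, 7010, 7011, 8150, 8151, 8612 }"

set skip on lo0
set block-policy drop

# Default stance for this host: nothing inbound on the LAN interface unless a
# later rule passes it (pf applies the last matching rule); everything outbound
# is allowed and tracked, so replies to connections this Mac started come back in.
block in log on $lan_if all
pass out on $lan_if all keep state

# AirPlay receiver ports are reachable only from the trusted senders.
# Anything else hitting these ports is dropped and logged by the rule above.
pass in on $lan_if proto tcp from <airplay_trusted> to any port $airplay_tcp flags S/SA keep state
pass in on $lan_if proto udp from <airplay_trusted> to any port $airplay_udp keep state
```

Check the syntax with `sudo pfctl -nf /etc/pf.conf` before loading it with `sudo pfctl -ef /etc/pf.conf`; restricting UDP 5353 also hides this Mac's Bonjour services from untrusted hosts, so drop it from the list if other devices need to discover them. As the answer above notes, this protects only the Macs it runs on, not the AirPort Express units.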
