Port 8089 in macOS Firewall Security & Privacy System Preferences Pane

How do you enable port forwarding of TCP 8089 on a Mac? I'm going to hardwire Ethernet straight into my Mac from my condo apartment building Internet (Google Fiber Webpass / Monkeybrains point to point).

Since there's no Channels DVR.app (unlike Plex Server), do I simply enable "Automatically allow signed software to receive incoming connections" in System Preferences.app > Security and Privacy > Firewall tab > Advanced Settings button? Is Channels DVR for Mac "signed by a valid certificate authority"?

https://support.apple.com/en-us/HT201642 writes:

Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.

If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.

If you want to deny a digitally signed application, you should first add it to the list and then explicitly deny it.

Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, the "Allow or Deny" dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.

The app process is here: /Users/USER/Library/Application Support/ChannelsDVR/*/channels-dvr

That said, I have had the Firewall on in stealth mode and haven't had any issues remotely accessing the DVR.
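One way to check the signing question raised in this thread from Terminal, as an added example that is not part of the original posts: it classifies the output of `codesign -dv` for each channels-dvr binary at the path given above and prints the application firewall's settings. The classification labels and the sample text in the non-macOS branch are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): is the channels-dvr binary signed,
# and what is the macOS application firewall currently set to do with it?

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Read `codesign -dv --verbose=2` output on stdin, print one label.
# Labels are this example's own naming, not codesign terminology.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*)                  echo unsigned ;;
        # Ad hoc signatures carry no certificate chain at all.
        *"Signature=adhoc"*)                    echo adhoc ;;
        *"Authority=Developer ID Application"*) echo developer-id ;;
        *"Authority="*)                         echo other-ca-signed ;;
        *)                                      echo unknown ;;
    esac
}

report() {
    bin=$1
    # codesign writes its display output to stderr, hence 2>&1.
    kind=$(codesign -dv --verbose=2 "$bin" 2>&1 | classify_signature)
    echo "$bin: $kind"
    # Strict verification fails if the file changed after it was signed.
    if ! codesign --verify --strict "$bin" 2>/dev/null; then
        echo "  signature does not verify"
    fi
    # Per-app firewall state (allowed, blocked, or not in the list).
    "$FW" --getappblocked "$bin"
}

if [ "$(uname)" = Darwin ]; then
    "$FW" --getglobalstate     # firewall on or off
    "$FW" --getallowsigned     # "automatically allow signed software"
    "$FW" --getstealthmode
    for bin in "$HOME/Library/Application Support/ChannelsDVR"/*/channels-dvr; do
        if [ -x "$bin" ]; then report "$bin"; fi
    done
else
    # Not macOS: classify a constructed sample of codesign output instead.
    printf 'Authority=Developer ID Application: Example Corp (TEAMID0000)\n' |
        classify_signature
fi
```

Only a result of `developer-id` or `other-ca-signed` together with a passing verification matches the "signed by a valid certificate authority" case in the Apple text quoted above.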

Port forwarding is set up on your router.

What if I don’t use a router? I understand the security considerations, but is the “app” certificate signed in macOS or is it a service that’ll work with macOS built-in Firewall?

Firewall and router are different things. The firewall will allow or deny connections, but without the router sending them to the Mac in the first place the firewall can't do anything.

If the IP assigned to your Mac is 192.168.x.x that means there's a router on the other end which is handing out addresses and doing network address translation. That's where the port forwarding must occur.

If I understand, your Mac is directly connected to the internet and you're concerned that the application firewall built into macOS won't allow the Channels DVR traffic since it's an unsigned app. Correct? If this is the case, then you may need to set up a separate port-based firewall on your Mac. I think "pf" is still installed by default on macOS and you should be able to Google the necessary info.

The answer to this is yes.

Thanks. Google Fiber Webpass assigns my unit a public static IP. I planned to connect my Mac directly to the service via Ethernet in my building without a router that has port forwarding. Again, I understand the security concerns. I presume that since Channels DVR is signed, Channels DVR Server shouldn't have issues with port TCP 8089.

I'll check on @benmarks' suggestion that a pf system service(?) may still need to be configured in macOS High Sierra, but it also sounds like macOS built-in Firewall's Stealth Mode would work fine from @kor's experience.

The inbuilt firewall is inbound only. As suggested, pf rules are required to route outbound traffic, so if you want remote access to the DVR. Plenty of literature around, but I am not aware of a UI, so you will need to use the command line.

Running 2020.10.13.2207 on Google Fiber Webpass, macOS High Sierra has Stealth Mode enabled. I had to set the Channels DVR Settings to Manual instead of Automatic in order to get it working Away from Home; Away from Home didn’t work with Automatic even though portchecker.co showed port 8089 open.