Does the os x firewall block pings?
Mac Elite (Join Date: Feb 2002, Hilton Head, SC)
Feb 16, 2003, 02:05 AM

Does the Jaguar firewall block ICMP inbound requests?

Senior User (Join Date: Jan 2003, Stuttgart, Germany)
Feb 16, 2003, 03:53 AM

Be more specific. Do you mean generally, only when you've specified some rules from the GUI or when disabled or what?

No matter what ports you close from the GUI, pings will always come through. If you want to block them, you'll have to go to the command line and specify special rules, which block ICMP requests.

Is that what you want?

Mac Elite (Join Date: Feb 2002, Hilton Head, SC)
Feb 16, 2003, 04:26 PM

Originally posted by entrox:
Be more specific. Do you mean generally, only when you've specified some rules from the GUI or when disabled or what?

No matter what ports you close from the GUI, pings will always come through. If you want to block them, you'll have to go to the command line and specify special rules, which block ICMP requests.

Is that what you want?
My other firewall software has a selection that blocks all ping requests... it's called stealth mode.

Clinically Insane (Join Date: Nov 1999)
Feb 16, 2003, 05:07 PM

The GUI Apple provides for the firewall does not block ICMP ping requests. However, several third-party utilities (notably BrickHouse) can do this. Or you can use the Terminal.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Senior User (Join Date: Jan 2003, Stuttgart, Germany)
Feb 17, 2003, 04:54 AM

I would advise against doing this, as things like ping or traceroute are rather useful things to have. Nevertheless, if you want to block those, just enter the following rules (you may want to have a root shell first):
Code:
    # This will block any ICMP traffic
    /sbin/ipfw add 50 deny icmp from any to any
    # You can now selectively allow certain ICMP types.
    # ipfw checks rules in ascending number order, so the allows at 40-43
    # are evaluated before the deny at 50. The ipfw keyword is icmptypes.
    # This will allow you to ping out and receive responses
    /sbin/ipfw add 40 allow icmp from any to any icmptypes 8 out
    /sbin/ipfw add 41 allow icmp from any to any icmptypes 0 in
    # This will allow you to traceroute (type 11, time exceeded, from each hop)
    /sbin/ipfw add 42 allow icmp from any to any icmptypes 11 in
    # Type 3 (destination unreachable) is what the final traceroute hop sends
    # back, and path MTU discovery depends on it, so let it in as well
    /sbin/ipfw add 43 allow icmp from any to any icmptypes 3 in
Note: I haven't tested these, so you may run into problems. You can delete rules with

Code:
    /sbin/ipfw delete <rule-number>
I'd urge you to read some tutorials and manpages, if you want to do some more advanced firewalling.

Clinically Insane (Join Date: Apr 2000)
Feb 17, 2003, 06:23 AM

No, it does not, but if you configure ipfw manually, as stated above, you can make it do so.

Professional Poster (Join Date: Jun 2001, Northwest Ohio)
Feb 17, 2003, 07:22 PM

Originally posted by entrox:
I would advise against doing this, as things like pings or traceroute are rather useful things to have. Nevertheless, if you want to block those, just enter the following rules (you may want to have a rootshell first):
Um, most people want to block *ALL* INCOMING pings, as that is what hackers like to do to find out which ports are open on a computer. When they find an open port they try all known vulnerabilities to try and get in. Even if ports are closed, they "know" about your computer and file away the IP address and try again in the hope that some of those ports will be open. However, if you block all incoming pings, then for all intents and purposes, your machine is invisible to the hackers. They have no way of knowing that a computer even exists at that IP address.

You have to weigh the advantages of being able to do pings and traceroutes (things most "normal" users don't need to do anyway; notice I said *MOST*, not all) against the disadvantages of essentially advertising, "Hey Hackers! Here's a challenge for you! COME AND GET IT!!!"

Senior User (Join Date: Jan 2003, Stuttgart, Germany)
Feb 18, 2003, 02:52 AM

Originally posted by Person Man:
Um, most people want to block *ALL* INCOMING pings, as that is what hackers like to do to find out which ports are open on a computer. When they find an open port they try all known vulnerabilities to try and get in.
Sorry, but this is bullshit. Ping has absolutely nothing to do with ports whatsoever, as it is a simple ICMP echo request. ICMP is a different protocol from TCP/UDP.
To probe for open ports, the cracker (and please get your terminology right: hackers and crackers are two very different things) tries to open a connection on every interesting port on a given IP. This is called a "portscan" and is usually run on a whole netblock, when the cracker is just searching for a box to root.


Even if ports are closed, they "know" about your computer and file away the IP address and try again in the hope that some of those ports will be open. However, if you block all incoming pings, then for all intents and purposes, your machine is invisible to the hackers. They have no way of knowing that a computer even exists at that IP address.
Oh PLEASE! Read up on network technology. The mere thought that you are somehow invisible is ridiculous. Tools like nmap will get you no matter what; they can even deduce your operating system (sometimes even the exact version) by the way your kernel handles the packets.
Relying on the spurious fact that you are somehow invisible to anybody on the internet is more than dangerous. Security through obscurity is no security at all.


You have to weigh the advantages of being able to do pings and traceroutes (things most "normal" users don't need to do anyway-- notice I said *MOST*, not all) against the disadvantages of essentially advertising, "Hey Hackers! Here's a challenge for you! COME AND GET IT!!!"
And what happens when you connect to a webserver? To an IRC server? To a mailserver? Broadcast your IP on a filesharing network? Play Quake on the internet?
Do you honestly think you are somehow invisible to them because you disabled echo requests?

To quote from the FreeBSD handbook:

People often think that having a firewall between your internal network and the "Big Bad Internet" will solve all your security problems. It may help, but a poorly set up firewall system is more of a security risk than not having one at all. A firewall can add another layer of security to your systems, but it cannot stop a really determined cracker from penetrating your internal network. If you let internal security lapse because you believe your firewall to be impenetrable, you have just made the cracker's job that much easier.
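As an added example (not code from this thread), a small Python first-match simulator of the four ipfw rules entrox posted earlier in the thread. It shows both points made here: which ICMP traffic those rules pass or drop, and that they never touch a TCP connection to a port such as AFP's 548, so blocking ping does nothing against a portscan. The packet fields, the port number and the implicit final rule 65535 being an allow are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    proto: str                        # "icmp", "tcp", "udp" or "ip" (= any)
    icmptypes: Optional[Set[int]] = None   # None = any ICMP type
    direction: Optional[str] = None   # "in", "out" or None = either

@dataclass
class Packet:
    proto: str
    direction: str
    icmptype: Optional[int] = None
    dport: Optional[int] = None       # only meaningful for tcp/udp

# The four rules from the post, plus the implicit last rule (65535); on the
# OS X of that era it is an allow, which is assumed here.
RULES: List[Rule] = sorted([
    Rule(50, "deny", "icmp"),
    Rule(40, "allow", "icmp", {8}, "out"),
    Rule(41, "allow", "icmp", {0}, "in"),
    Rule(42, "allow", "icmp", {11}, "in"),
    Rule(65535, "allow", "ip"),
], key=lambda r: r.number)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    return True

def verdict(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[int, str]:
    """Like ipfw: walk rules in ascending number order, first match decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("rule set has no final rule")

if __name__ == "__main__":
    samples = {
        "inbound ping (echo request)":  Packet("icmp", "in", icmptype=8),
        "our own ping going out":       Packet("icmp", "out", icmptype=8),
        "echo reply coming back":       Packet("icmp", "in", icmptype=0),
        "traceroute time exceeded":     Packet("icmp", "in", icmptype=11),
        "inbound TCP to AFP port 548":  Packet("tcp", "in", dport=548),
    }
    for label, pkt in samples.items():
        num, action = verdict(pkt)
        print(f"{label:30s} -> rule {num:5d} {action}")
```

The last sample is the point of the argument above: a connection attempt to a TCP port falls straight through to the default rule, untouched by anything that mentions ICMP.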

Mac Elite (Join Date: Aug 2001, Australia)
Feb 18, 2003, 02:54 AM

Originally posted by Person Man:
Um, most people want to block *ALL* INCOMING pings, as that is what hackers like to do to find out which ports are open on a computer.
I don't think you need to be able to ping someone, to port scan them.
Some port scanning programs do ping a host to see if it's up before scanning, but they don't HAVE to.

EDIT: Damn you entrox, if you had waited a few more seconds I would have been able to reply first.

Mac Enthusiast (Join Date: May 2002)
Feb 18, 2003, 03:58 AM

Originally posted by Person Man:
Um, most people want to block *ALL* INCOMING pings, as that is what hackers like to do to find out which ports are open on a computer.
...hahahaha. You are Steve Gibson and I claim my £5.

Clinically Insane (Join Date: Apr 2000)
Feb 18, 2003, 04:34 AM

Entrox has it nailed...

nmap owns you.

Professional Poster (Join Date: Jun 2001, Northwest Ohio)
Feb 20, 2003, 10:37 AM

Originally posted by entrox:
Sorry, but this is bullshit. Ping has absolutely nothing to do with ports whatsoever, as it is a simple ICMP echo request. ICMP is a different protocol from TCP/UDP.
To probe for open ports, the cracker (and please get your terminology right: hackers and crackers are two very different things) tries to open a connection on every interesting port on a given IP. This is called a "portscan" and is usually run on a whole netblock, when the cracker is just searching for a box to root.
You are, of course, correct. I had "ping" confused with port scans.

Oh PLEASE! Read up on network technology. The mere thought that you are somehow invisible is ridiculous. Tools like nmap will get you no matter what; they can even deduce your operating system (sometimes even the exact version) by the way your kernel handles the packets.
Relying on the spurious fact that you are somehow invisible to anybody on the internet is more than dangerous. Security through obscurity is no security at all.
Ok then, nmap is new to me (I don't profess to be an expert in networking security), and I admit that the information posted on grc.com led me to believe that it was sufficient to block ports to render a computer "invisible" to port scans.

These days, you need to almost have a degree in computer security to keep up with hackers/crackers/script kiddies/whatever.

To quote from the FreeBSD handbook:

People often think that having a firewall between your internal network and the "Big Bad Internet" will solve all your security problems. It may help, but a poorly set up firewall system is more of a security risk than not having one at all. A firewall can add another layer of security to your systems, but it cannot stop a really determined cracker from penetrating your internal network. If you let internal security lapse because you believe your firewall to be impenetrable, you have just made the cracker's job that much easier.
I know a firewall is not enough; you also have to make sure you don't turn on common vulnerable services (unless you have a real need for them), make sure you don't keep sensitive information on your machine, keep up with the latest security patches, etc.

Do tell me this, though: I have a NAT router between my computer and cable modem, which has a basic incoming firewall on it (meaning no inbound traffic on specific ports unless I open them specifically on the router). Assuming I don't open any ports on the router and keep the router's firmware up to date, and configure the firewall in OS X (with something like BrickHouse, and not Apple's control panel) properly, and not open any services (with the exception of Apple File Service, which I use for filesharing between my PowerBook and desktop), is there anything else I should be doing to protect my network?

Keep in mind that I have enough knowledge to be dangerous and know enough that I'm not afraid of anything requiring a command line and I am able to read and understand information on an "advanced" level. I also don't have my computers on 24/7 either. They are on when I use them and off (not sleeping) when I'm not using them. Most of the time, anyone using nmap on the address I'm on will just see the router. Also, I consider myself an "average user." My machine has no secrets and doesn't really have much of anything on it that I wouldn't want to fall into other hands.

Can you recommend a book on security that is simple enough to understand that is geared towards the user that has no need to provide any services on the internet (i.e. just uses it to surf mostly) and not be so big as to require a lot of time to read and understand the information?

Mac Elite (Join Date: Apr 2002, Illinois)
Feb 20, 2003, 09:22 PM

Originally posted by Person Man:
You are, of course, correct. I had "ping" confused with port scans.



Ok then, nmap is new to me (I don't profess to be an expert in networking security), and I admit that the information posted on grc.com led me to believe that it was sufficient to block ports to render a computer "invisible" to port scans.

These days, you need to almost have a degree in computer security to keep up with hackers/crackers/script kiddies/whatever.



I know a firewall is not enough; you also have to make sure you don't turn on common vulnerable services (unless you have a real need for them), make sure you don't keep sensitive information on your machine, keep up with the latest security patches, etc.

Do tell me this, though: I have a NAT router between my computer and cable modem, which has a basic incoming firewall on it (meaning no inbound traffic on specific ports unless I open them specifically on the router). Assuming I don't open any ports on the router and keep the router's firmware up to date, and configure the firewall in OS X (with something like BrickHouse, and not Apple's control panel) properly, and not open any services (with the exception of Apple File Service, which I use for filesharing between my PowerBook and desktop), is there anything else I should be doing to protect my network?

Keep in mind that I have enough knowledge to be dangerous and know enough that I'm not afraid of anything requiring a command line and I am able to read and understand information on an "advanced" level. I also don't have my computers on 24/7 either. They are on when I use them and off (not sleeping) when I'm not using them. Most of the time, anyone using nmap on the address I'm on will just see the router. Also, I consider myself an "average user." My machine has no secrets and doesn't really have much of anything on it that I wouldn't want to fall into other hands.

Can you recommend a book on security that is simple enough to understand that is geared towards the user that has no need to provide any services on the internet (i.e. just uses it to surf mostly) and not be so big as to require a lot of time to read and understand the information?
Unless someone wants to get you (and nothing commercially available will stop those sorts of people), you're doing all you can to keep your personal info in its little turtle shell.

Senior User (Join Date: Jan 2003, Stuttgart, Germany)
Feb 21, 2003, 09:35 AM

I'd say that what you're doing right now is more than enough. If you're on a dial-up without a static IP there's even less to worry about. The only use for your machine to a script kiddy would be as a zombie participating in a distributed denial of service attack. But if you close off unneeded ports and always install the latest security updates, you should be fairly safe.

If you do all this, it will take a lot of dedication to penetrate your defenses and your machine simply won't be worth the time it would take to get root. And think about your processor: it's a PPC, meaning 99% of the typical off-the-shelf rootkits and tools won't run, as they're all compiled for x86. Since the average script kiddy doesn't possess the necessary skills to do something without them, this poses another barrier. You can make it even harder if you don't have a compiler installed, as a potential cracker can't just compile his rootkit for PPC!

It's far, far easier to send some unsuspecting Windows user an e-mail or IM with "hot_teens.jpg.vbs" attached than to root a moderately secured Mac. Also keep in mind that no matter what you do, there will always be people who'll manage to break in. But rest assured that those (skilled) people won't even bother (and why should they? Unless you're a government server with something interesting...)

If you want to learn about this topic anyway, just google away! There's lot of info on the net - search for "freebsd security howto" or something like that. Most of the information should apply 1:1 to Darwin.
(Last edited by entrox; Feb 21, 2003 at 09:40 AM. )
All contents of these forums © 1995-2011 MacNN. All rights reserved.