
Please help! OS X firewall + my ignorance = net cops very angry!
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Nov 3, 2003, 01:14 PM
 
To make a long story short: I had a daemon running on my Powerbook and I actually didn't know it was there and making connections to half the world.
At the lab where I work the network security guys noticed this, monitored it and eventually cut me off the network. They could show that this stupid daemon had opened over 100 connections to other computers on the internet and had tons of traffic going on port 2500 (Gnutella I think). This got me into quite an uncomfortable situation and made me look like some stupid newbie. Actually, I was in really deep sh!t.

So, due to my ignorance of the way the OS X firewall works I thought only the services I checked in the Sharing system pref are allowed to connect.
Baloney of course, because these obviously are only the ports that allow connections from the outside, but what about those from the inside?

How can I get the OS X firewall to block requests coming from local apps? For example, how can I block port 2500 completely? Or, how can I block all ports (internal and external requests) except http, ssh, smtp and pop?

Can somebody give me command line examples? Or suggest a good little app to help me do this? And what about logging? Any good tools that write newly opened ports to the console or to some other file I can monitor?

I really have to avoid this from happening again, or else the network guys are going to butcher me.

Thanks in advance for any help.
     
Junior Member
Join Date: Aug 2002
Nov 3, 2003, 01:30 PM
 
Originally posted by Simon:
To make a long story short: I had a daemon running on my Powerbook and I actually didn't know it was there and making connections to half the world.
At the lab where I work the network security guys noticed this, monitored it and eventually cut me off the network. They could show that this stupid daemon had opened over 100 connections to other computers on the internet and had tons of traffic going on port 2500 (Gnutella I think). This got me into quite an uncomfortable situation and made me look like some stupid newbie. Actually, I was in really deep sh!t.

So, due to my ignorance of the way the OS X firewall works I thought only the services I checked in the Sharing system pref are allowed to connect.
Baloney of course, because these obviously are only the ports that allow connections from the outside, but what about those from the inside?

How can I get the OS X firewall to block requests coming from local apps? For example, how can I block port 2500 completely? Or, how can I block all ports (internal and external requests) except http, ssh, smtp and pop?

Can somebody give me command line examples? Or suggest a good little app to help me do this? And what about logging? Any good tools that write newly opened ports to the console or to some other file I can monitor?

I really have to avoid this from happening again, or else the network guys are going to butcher me.

Thanks in advance for any help.
First, I would recommend getting one of the more advanced firewall admin tools, such as Brickhouse. There are several out there. Otherwise you'll be spending a lot of time at the terminal, running commands like:

ipfw add deny tcp from any to any 2500

see man ipfw for more details.

Second, start monitoring what's running on your system. It's never a good idea to have rogue programs making connections in the background.
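An added example (not from anyone in this thread) that turns the single ipfw rule above into the full rule set Simon asked for: only outbound http, ssh, smtp and pop, port 2500 blocked in both directions, and every drop logged. Rule numbers, the interface name and the choice to print the rules before applying them are my own assumptions.

```shell
#!/bin/sh
# ipfw evaluates rules in ascending number order and the first match wins,
# so the allows come first and the logged catch-all deny comes last.
wan_if="en0"   # assumption: the interface plugged into the lab network

# Print the rule set instead of loading it, so it can be reviewed (and
# tested) before anything runs as root.
build_ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow udp from any to any 53 out via $wan_if
add 310 allow udp from any 53 to any in via $wan_if
add 400 allow tcp from any to any 80 out via $wan_if
add 410 allow tcp from any to any 22 out via $wan_if
add 420 allow tcp from any to any 25 out via $wan_if
add 430 allow tcp from any to any 110 out via $wan_if
add 1000 deny log tcp from any to any 2500
add 65000 deny log ip from any to any
EOF
}
# Rules 300/310 keep DNS working; without them nothing resolves. A machine
# that gets its address by DHCP also needs udp 67/68 allowed, and any
# service ticked in the Sharing pref needs its own inbound allow rule.

# Sanity check: how many rules will write a log line when they drop a packet.
count_logged_denies() {
    build_ipfw_rules | grep -c '^add [0-9]* deny log'
}

# Load the rules (run as root). verbose=1 makes "deny log" rules write to
# syslog; verbose_limit caps the number of lines per rule (0 = unlimited).
apply_ipfw_rules() {
    sysctl -w net.inet.ip.fw.verbose=1
    sysctl -w net.inet.ip.fw.verbose_limit=0
    ipfw -f flush
    build_ipfw_rules | while read -r rule; do
        ipfw -q $rule
    done
}
```

Review `build_ipfw_rules` output first; `apply_ipfw_rules` flushes whatever rule set is already loaded.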
     
K++
Senior User
Join Date: Jan 2002
Location: NYC
Nov 3, 2003, 01:43 PM
 
First off, dharkness, why did you quote the original post even though it's the topic of the thread and comes right before yours?

That said:

Little Snitch is what you're looking for, Simon: http://www.versiontracker.com/dyn/moreinfo/macosx/17642

However, I would be more concerned with what daemon, if any, was making these connections; luckily, Little Snitch will tell you that.
     
Mac Elite
Join Date: Mar 2001
Location: Provo, UT
Nov 3, 2003, 02:22 PM
 
Just another vote for Little Snitch. It can sometimes be a bit annoying when new software brings up its window. But overall it is a very useful program, especially for configuring your firewall so as to allow programs to get through.
     
Mac Elite
Join Date: Jul 2002
Nov 3, 2003, 02:33 PM
 
Have you run Poisoned lately? Because that leaves giftd running after you quit it. And that shares over Gnutella.
     
Simon (op)
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Nov 3, 2003, 02:58 PM
 
OK, thanks a million guys.

I will look into Little Snitch and Brickhouse as well as ipfw.

For those who asked or are wondering: I know my machine fairly well and I am rather careful with what I install. BUT, and this is a big but, I sometimes let my g/f use it if she happens to need a mobile machine. She's very careful and has never screwed up anything. She mentioned that she used iSwipe to try to find a song. OK. But obviously she checked a pref setting which installed a thing called "giFT". And then I got the PowerBook back, went to the lab on Friday and hooked it up without knowing that this stupid gift thing was still running...

As I already mentioned the network security guys went nuts and made a big fuss (which I kind of understand). They really let me have it for being so naive. Guess I deserved it.

I later found this gift crap in my /Library and managed to reproduce the behavior up to the point where this stupid gift keeps running as a daemon.

Of course I told the story to my g/f and she felt terribly sorry because she of course didn't want to get me into this mess. She just checked it by mistake obviously.

Stupid of me to not do a ps -aux after getting the PowerBook back.

In order to avoid something like this ever happening again, I want to close all ports I don't need regularly and monitor the traffic.
(Last edited by Simon; Nov 3, 2003 at 03:07 PM. )
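Simon's other question was for something that writes newly opened ports to a file he can watch. This added script (mine, not from the thread) is a minimal version of that: it snapshots the TCP sockets `netstat -an` reports, diffs against the previous snapshot, and logs only what is new. The snapshot directory and the sample `netstat` output are constructed assumptions.

```shell
#!/bin/sh
state_dir="${TMPDIR:-/tmp}/portwatch"   # assumption: where snapshots live

# Constructed sample in the OS X "netstat -an" column layout, used for
# offline testing in place of the real command.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.7.49200         198.51.100.9.2500      ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*
EOF
}

# Keep only listening and established TCP sockets, reduced to
# "proto local foreign state" and sorted so the diff is stable.
normalize_sockets() {
    awk '$1 ~ /^tcp/ && ($NF == "LISTEN" || $NF == "ESTABLISHED") {
             print $1, $4, $5, $NF }' | sort -u
}

# Lines present in the new snapshot ($2) but absent from the old one ($1).
new_sockets() {
    comm -13 "$1" "$2"
}

# One polling round: take a snapshot, report what appeared, keep it as the
# new baseline. Run it from a shell loop or cron; logger puts the lines in
# syslog so they end up in the system log alongside the firewall drops.
report_new_ports() {
    mkdir -p "$state_dir"
    old="$state_dir/last"; new="$state_dir/current"
    [ -f "$old" ] || : > "$old"
    netstat -an | normalize_sockets > "$new"
    new_sockets "$old" "$new" | while read -r line; do
        logger -t portwatch "new socket: $line"
        echo "$(date '+%Y-%m-%d %H:%M:%S') new socket: $line"
    done
    mv "$new" "$old"
}
```

A Gnutella daemon like giFT shows up as a burst of new ESTABLISHED lines to port 2500 on the first round after it starts, which is exactly what the lab's admins saw from the outside.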
     
Mac Elite
Join Date: Mar 2001
Location: CO
Nov 3, 2003, 03:03 PM
 
Yes: always practice safe aux!
TOMBSTONE: "He's trashed his last preferences"
     
Mac Elite
Join Date: Jul 2002
Nov 3, 2003, 04:39 PM
 
I would just use Little Snitch. No need to close up all your ports since you don't know which ones you'll need for an app.
     
Senior User
Join Date: Mar 2002
Location: Golden, CO
Nov 3, 2003, 04:59 PM
 
Originally posted by Simon:
As I already mentioned the network security guys went nuts and made a big fuss (which I kind of understand). They really let me have it for being so naive. Guess I deserved it.
I completely disagree here. I highly doubt you deserved to be chewed out by some guy on a power trip. If these guys showed any sort of professionalism they would have cut your access and warned you politely about what you did wrong. If they had done that and you did it again, then you would have deserved it. Network admins very routinely forget that people sometimes make mistakes.
     
Junior Member
Join Date: Aug 2002
Nov 3, 2003, 07:00 PM
 
Originally posted by K++:
First off, dharkness, why did you quote the original post even though it's the topic of the thread and comes right before yours?

That said:

Little Snitch is what you're looking for, Simon: http://www.versiontracker.com/dyn/moreinfo/macosx/17642

However, I would be more concerned with what daemon, if any, was making these connections; luckily, Little Snitch will tell you that.
First off, I felt like making everyone read the post twice. Didn't want anyone missing the finer points.

Second, Little Snitch is a very interesting application. It would be even better if it were GPL'd, but hey, nothing's perfect.

On a technical note does anyone have any details on where Little Snitch hooks into the IP stack? It doesn't appear to run any daemons.
     
Grizzled Veteran
Join Date: Jan 2002
Location: Melbourne, Australia
Nov 3, 2003, 08:33 PM
 
Originally posted by dharknes:
On a technical note does anyone have any details on where Little Snitch hooks into the IP stack? It doesn't appear to run any daemons.
I've never used it but based on this from the Little Snitch website:
Little Snitch runs in the background and hooks into the operating system kernel while you are logged in...
It sounds like it uses a kernel extension.
     
Mac Elite
Join Date: Sep 2001
Location: Santa Monica, CA
Nov 4, 2003, 12:46 AM
 
Hey, thanks for the reminder about the Little Snitch! A key utility... that I'd forgotten after I installed Panther.
     
Simon (op)
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Nov 4, 2003, 03:49 AM
 
Originally posted by parsec_kadets:
If these guys showed any sort of professionalism they would have cut your access and warned you politely about what you did wrong. If they had done that and you did it again, then you would have deserved it.
Ah, I think they are just trying to do their job.

They cut me off, but even if they had wanted to, they couldn't have contacted me directly, because this is my private PowerBook and they don't know who it belongs to. All they had was the MAC address and an arbitrary machine name.

They are generally not unprofessional, it's just that they try to administrate a lab with 1400 employees and they don't have very many resources to do all the work. They think fast, talk fast and lose their temper fast.

I'm back on the net and everything is working again. And I learned an important lesson and some interesting software. All is fine again.
     