Welcome to the MacNN Forums.

mattyb · Jan 9, 2009, 07:49 AM

I'm trying to figure out if there is a better way to manage the OS X supplied firewall. Specifically I'd like to have different rules for the Ethernet (read Internet) interface and the Airport (Internet and file sharing from my MacBook) interface.

I have Little Snitch, but this isn't really a firewall (IMHO). If I can't manage the OS X supplied firewall with a bit more finesse, is there a 'real' firewall for OS X where I can manage interfaces, rules for each interface etc. Googling only seems to come up with the inbuilt OS X firewall.

Cheers.

Big Mac · Jan 9, 2009, 09:25 AM

There's still ipfw in Leopard, right? That's about as real as you can find, but you have to configure it. This external thread may help:

http://forums.macosxhints.com/showthread.php?p=423516

bearcatrp · Jan 9, 2009, 08:45 PM

http://www.intego.com/netbarrier . I used it a while back and liked the firewall better than OS X.

besson3c · Jan 9, 2009, 09:59 PM

Why would you spend $50 for some firewall that replaces something that is available for free, and has been hammered on by far more people for a far longer time than this proprietary black box? That's like trading in a free car for a horse you have to pay for

I mean, some pretty freakin' expensive network appliances are based on various flavors of BSD which use ipfw. Who in their right mind would turn down that?

If all you want is a nice GUI for setting up your firewall rules, doesn't Brickhouse still exist? Heck, steal the default firewall script from FreeBSD and use it for examples. Setting up custom ipfw rules is really not that hard if you know what you are doing, and you ought to know what you are doing when you setup your firewall anyway.

I think products like this are for people that are happy to pay $50 for "safety", even they have no clue what they are buying, what makes it safe, and why they really need it.

Either that or they've been watching too many movies and think that a "stronger" firewall (or even better, multiple firewalls) will keep their family safe from internet invaders who want to steal their credit card numbers...

ghporter · Jan 10, 2009, 07:22 AM

I think for most people it's the lack of a nice, "Apple-like" GUI that causes their low comfort level with the OS X firewall. For some reason, a command line scares a lot of people...

seanc · Jan 10, 2009, 07:58 AM

Just a quick thought, Matt, do you have any old PCs ~200mhz, 128MB RAM, 2GB HDD & 2 network cards (or higher)?
If you do or can get one from somewhere (should be pretty easy) then build yourself a Smoothwall .

This will enable you to plug the modem into it and then feed it into the iMac. You can set it to give out DHCP leases to other devices on the network (MacBook) and this way you won't have to worry about configuring two firewalls or the firewalls on either computer getting in the way of something.

OreoCookie · Jan 10, 2009, 01:09 PM

OS X has two firewalls, the new one (not sure what the name is) and ipfw. Up until Tiger, ipfw was the firewall of choice, now you have to switch it on manually. There are free and easy GUI config tools for ipfw (Flying Buttress is one of them), so you can use that as well.

The now-standard firewall was way too noisy and stupid for me to use, ipfw works much nicer for me.

besson3c · Jan 10, 2009, 01:39 PM

Originally Posted by ghporter

I think for most people it's the lack of a nice, "Apple-like" GUI that causes their low comfort level with the OS X firewall. For some reason, a command line scares a lot of people...

I don't get it. What's wrong with the Apple-like GUI that Apple themselves provided? I was assuming that the main purpose of a product like NetBarrier (aside from giving naive users peace of mind as I've described) is for configurations that go beyond what the Apple GUI helps with? My point is, at this point if you want to go this far you should understand what you are doing, and there is little point in trusting a proprietary black box over the highly regarded free firewall that is already included.

Besides, for most people a firewall is something you configure once and just leave set. If you are one of these users that knows what they are doing enough to do more than what the OS X GUI provides, by the time you pay for this thing, download it, install it, and learn it, you could just have Googled how to do this with ipfw.

Big Mac · Jan 10, 2009, 07:26 PM

It's not like configuring ipfw is the easiest task the world, to be fair.

OreoCookie · 03:57 AM

It is if you use Flying Buttress or another GUI to configure it. Took about a minute or so.

Big Mac · Jan 11, 2009, 04:46 AM

Oh, yeah, I meant the real, CLI way.

ghporter · Jan 11, 2009, 09:36 AM

Originally Posted by seanc

Just a quick thought, Matt, do you have any old PCs ~200mhz, 128MB RAM, 2GB HDD & 2 network cards (or higher)?
If you do or can get one from somewhere (should be pretty easy) then build yourself a Smoothwall .

I have a number of PCs sitting around-faster than 200MHz, plenty of power. And loud. This is why I don't have a humongo router/firewall/QOS manager on the shelf. Way too loud. Now if I could find one of those integrated CPU motherboards VIA makes, that would be a different story...

Originally Posted by OreoCookie

OS X has two firewalls, the new one (not sure what the name is) and ipfw. Up until Tiger, ipfw was the firewall of choice, now you have to switch it on manually. There are free and easy GUI config tools for ipfw (Flying Buttress is one of them), so you can use that as well.

The now-standard firewall was way too noisy and stupid for me to use, ipfw works much nicer for me.

Flying Buttress is now on my "check it out" list.

Originally Posted by besson3c

I don't get it. What's wrong with the Apple-like GUI that Apple themselves provided? I was assuming that the main purpose of a product like NetBarrier (aside from giving naive users peace of mind as I've described) is for configurations that go beyond what the Apple GUI helps with? My point is, at this point if you want to go this far you should understand what you are doing, and there is little point in trusting a proprietary black box over the highly regarded free firewall that is already included.

Besides, for most people a firewall is something you configure once and just leave set. If you are one of these users that knows what they are doing enough to do more than what the OS X GUI provides, by the time you pay for this thing, download it, install it, and learn it, you could just have Googled how to do this with ipfw.

I find the built in GUI to be disappointing. I can do basic stuff with it, but only if I already know what I want to do. I'm used to Apple GUIs giving me some background information, guidance and even examples for complex things. You get three choices with the built in GUI: Allow it all, allow only "essential" services (what these are is not mentioned), and set access for individual services and programs (and how would I know in detail about what these programs need?). No information about what I really need, what is optional, etc. They could do a lot better than that.

Originally Posted by Big Mac

It's not like configuring ipfw is the easiest task the world, to be fair.

Basic configuration isn't that complex, but you're right that anything beyond the very basic stuff is pretty darn involved.

seanc · 10:06 AM

Heh, I've got an old Dell Optiplex GX1 with a passive cooled Pentium 2 in it. The power supply is a thin one with a tiny fan in it - the only fan. Pretty silent.
It sits under the desk on it's side next to my Dads Optiplex GX270.
The fridge is louder than everything in that room.

You'd really want to get something along the Pentium 2 or 3 era which is passively cooled. An older Compaq Deskpro 5000 would also be a good option.
For what is essentially a free, completely customizable Linux firewall with a nice web GUI, it's a good setup. Been running it for 5 years previously on an old Pentium 166 Gateway but when Smoothwall 3 came out it wasn't good enough, so I replaced it with the Dell..