Tiger Firewall

Forum Regular
Join Date: May 2001
Location: Rockhampton, Australia
Have decided to try the firewall built into Tiger and not install Norton firewall (which I had been using in 10.3). I've noticed that the firewall, which is located under sharing, is:
1) Off by default - dangerous, don't you think? (Win XP SP2 prompts users to turn on the inbuilt firewall immediately after installation)
2) Contains an item labeled "Network Time" - Anyone care to explain what it is? I'm guessing that if it is turned off I will not be able to access the internet because with it off I GET no internet...
So here's what every user should do:
1) Turn on the firewall
2) Enable "Network Time"
3) Enable any other sharing services they desire (like Bonjour, iTunes sharing etc.)

Mac Elite
Join Date: Feb 2002
Location: USA
Originally Posted by neverwind
1) Off by default - dangerous don't you think?
Not entirely dangerous. Mac OS X doesn't have as many open ports as Windows does. But yes, I would turn it on if not behind a router.

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally Posted by neverwind
1) Off by default - dangerous don't you think?
Considering that no services are enabled by default, I'll have to say no.
2) Contains an item labeled "Network Time" - Anyone care to explain what it is? I'm guessing that if it is turned off I will not be able to access the internet because with it off I GET no internet...
It's opening port 123 UDP inbound, which is NTP. I don't see why this should be open unless you're running an ntpd yourself. Toggling it has no effect on my ipfw rules, so I don't know why it's even there.
So here's what every user should do:
1) Turn on the firewall
2) Enable "Network Time"
3) Enable any other sharing services they desire (like Bonjour, iTunes sharing etc.)
Your point is? This isn't Windows ...

Mac Enthusiast
Join Date: Oct 2003
Location: UK
Hmm - I can still access the Internet with "Network Time" not set to allow. In fact - I'm posting this now with it set like that!
12" Rev B PB

Forum Regular
Join Date: May 2001
Location: Rockhampton, Australia
Originally Posted by Thorin
Hmm - I can still access the Internet with "Network Time" not set to allow. In fact - I'm posting this now with it set like that!
Will try again. Stupid question - but is your firewall "ON"?
Originally Posted by entrox
Considering that no services are enabled by default, I'll have to say no.
So you're happy to surf the internet WITHOUT the firewall turned on - are you serious?

Posting Junkie
Join Date: Feb 2005
Location: 888500128
FYI: "network time" has nothing to do with being able to access the internet.
From ntp.org:
"The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio..."

Posting Junkie
Join Date: Feb 2005
Location: 888500128
Originally Posted by neverwind
So you're happy to surf the internet WITHOUT the firewall turned on - are you serious?
Again: This is not really a problem, since no services are turned on, so - yes.
This is not Windows.
Sure, using a firewall adds an extra layer of protection, but OS X is very secure already, as it is.
Almost all vulnerabilities that are discovered in OS X are fixed before any exploits can make the rounds, due to the open-source nature of the operating system (and most of the networking stuff is cross-platform OS X/*BSD/Linux/??? - you constantly have literally hundreds of thousands of people scouring the code, analyzing for potential vulnerabilities and devising fixes).
In addition, nearly all such vulnerabilities are discovered in various networking services, such as Apache or ssh, all of which are turned OFF in OS X by default, making the system completely impervious to any exploits devised for such services.
Both of these things are the direct and complete opposite of how things are on Windows.
-s*
Just checked my firewall settings - I usually have it on, but I'd turned it off the other day to configure Jabber (just to ensure that nothing was blocked), and it hasn't particularly bothered me. I'll turn it back on again, now.
Last edited by analogika; May 1, 2005 at 08:54 AM.

Moderator
Join Date: May 2001
Location: Hilbert space
Switch on your firewall, it makes life safer. It's easy, just with the click of a button.
I don't suffer from insanity, I enjoy every minute of it.

Mac Enthusiast
Join Date: Jan 2003
Location: Western MA
Originally Posted by OreoCookie
Switch on your firewall, it makes life safer. It's easy, just with the click of a button.
A great tip! And it's painless too.

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
I think you're being lulled into a false sense of security. The built-in GUI for ipfw will just close all ports except for the specified ones to inbound connections, nothing more. If you don't have services listening, there's absolutely no point in running a firewall.
FWIW, a complete nmap-scan shows 3 running services on my machine: service location, personal file sharing and Rendezvous. Enabling the firewall through the GUI will just close the Rendezvous port (or Bonjour.. whatever), the other two are open by default.
What's the point?

Moderator
Join Date: May 2001
Location: Hilbert space
Originally Posted by entrox
I think you're being lulled into a false sense of security. The built-in GUI for ipfw will just close all ports except for the specified ones to inbound connections, nothing more. If you don't have services listening, there's absolutely no point in running a firewall.
FWIW, a complete nmap-scan shows 3 running services on my machine: service location, personal file sharing and Rendezvous. Enabling the firewall through the GUI will just close the Rendezvous port (or Bonjour.. whatever), the other two are open by default.
What's the point?
In a perfect world, you'd be right. Then Windows wouldn't need a firewall either. A properly configured firewall does more than just close a few ports: you can have fine-grained control over who (as in which IP addresses) has access and who does not. Every service has (potential) weaknesses (as can be seen in the Linux world, for instance), so not allowing someone to access a system in the first place just poses another hurdle.
I don't suffer from insanity, I enjoy every minute of it.

Posting Junkie
Join Date: Feb 2005
Location: 888500128
Originally Posted by OreoCookie
In a perfect world, you'd be right. Then Windows wouldn't need a firewall, too.
Huh?
I outlined above that the reason Windows HAS TO be used behind a firewall is because
a) scores of services are ON BY DEFAULT. Since it's usually the individual services that have vulnerabilities, that is a problem. This is especially bad on Windows, because
b) the system is closed-source, so that vulnerabilities don't get fixed unless/until Uncle Bill finally gets off their ass and actually does something - provided they even *CAN*, seeing as they themselves seem to have lost track of much of what actually goes on within their OS services architecture. (There was a great case recently where a security firm had found a serious exploit and confidentially alerted Microsoft. When nothing happened after something like nine MONTHS, they finally went public with the information - and were promptly sued. Anybody still have the link handy? I couldn't seem to find it again searching the net.)
-s*

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally Posted by OreoCookie
In a perfect world, you'd be right. Then Windows wouldn't need a firewall either. A properly configured firewall does more than just close a few ports: you can have fine-grained control over who (as in which IP addresses) has access and who does not. Every service has (potential) weaknesses (as can be seen in the Linux world, for instance), so not allowing someone to access a system in the first place just poses another hurdle.
Fine. Please show me the things that the GUI-configured firewall in OS X does besides closing ports. Yes, they have introduced three new options in Tiger - unfortunately, two of them are utterly retarded and the remaining option (logging) doesn't help security per se.

Forum Regular
Join Date: Sep 2000
Location: Chico, California
How many services are on in Windows XP by default? I was always under the impression that Mac OS X ships with NO services running (making the need for a firewall moot). But with my fresh install of Tiger, I did an nmap of myself with all things turned off in the Sharing System Preference, and I noticed 3 ports open:
631/tcp open ipp
1033/tcp open netinfo
3689/tcp open rendezvous
631... is that Internet Printing Protocol? What is that and why is it on? 1033, I have no idea why my Mac is serving Netinfo. 3689... I am NOT sharing any music in iTunes, so why is this on?
I never did this in Panther, but are these 3 same ports open in that OS? Granted, I'm not worried because none of these ports are being forwarded to my computer from my router, but I'm still curious.

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
631 is the CUPS configuration, which can be accessed by going to http://localhost:631. It is only reachable from the local machine.
1033 is the local NetInfo port, which can also only be accessed from the local machine, so no worries here.
3689 is iTunes music sharing, which can be disabled in the iTunes preferences ("Share my music").
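An added example (not code from any poster or from Apple) that makes the distinction entrox draws mechanical: it reads `netstat -an` output in the BSD/macOS column layout and classifies each bound server socket as loopback-only or externally reachable, so 631 and 1033 come out as local-only while 3689 and 123/udp come out as exposed. The netstat lines below are constructed sample data; real output can be piped in on stdin.

```python
"""Classify listening sockets from BSD/macOS `netstat -an` output by exposure.

Added example, not code from the thread or from Apple. It assumes the BSD
column layout (Proto Recv-Q Send-Q Local-Address Foreign-Address state),
where a local address is written "addr.port" and "*" means all interfaces.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample output modelled on the ports discussed in the thread:
# 631 (CUPS) and 1033 (NetInfo) bound to loopback only, 3689 (iTunes sharing)
# and 123/udp (an ntpd) bound to every interface, plus one client connection.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
tcp4       0      0  *.3689                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.250.1.1.80          ESTABLISHED
udp4       0      0  *.123                  *.*
udp4       0      0  127.0.0.1.1023         *.*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bound local address; "*" means all interfaces
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket can only be reached from the local machine."""
        return self.addr in LOOPBACK


def parse_local(field: str):
    """Split a BSD-style "addr.port" field on its last dot."""
    addr, _, port = field.rpartition(".")
    return addr, int(port)


def listeners(netstat_text: str) -> List[Listener]:
    """Return every bound server socket: TCP sockets in LISTEN state and UDP
    sockets whose foreign address is the wildcard *.* (i.e. unconnected)."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue  # header line, or a protocol we do not classify
        proto = cols[0][:3]  # tcp4/tcp6/tcp46 -> tcp
        if proto == "tcp":
            if len(cols) < 6 or cols[5] != "LISTEN":
                continue  # established or closing connection, not a service
        elif cols[4] != "*.*":
            continue  # UDP socket connected to a peer: a client, not a service
        addr, port = parse_local(cols[3])
        found.append(Listener(proto, addr, port))
    return found


def exposed(netstat_text: str) -> List[Listener]:
    """Listeners reachable from other hosts, i.e. the ones a packet filter
    or the Sharing preference pane actually has to account for."""
    return [l for l in listeners(netstat_text) if not l.loopback_only]


def report(netstat_text: str) -> List[str]:
    """One-line verdict per listener."""
    lines = []
    for l in listeners(netstat_text):
        scope = "local only" if l.loopback_only else "EXPOSED"
        lines.append(f"{l.proto}/{l.port:<5} bound to {l.addr:<10} {scope}")
    return lines


if __name__ == "__main__":
    # Usage on a real box:  netstat -an | python3 <this file>
    import sys
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)))
```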

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by entrox
631 is the CUPS configuration, which can be accessed by going to http://localhost:631. It is only reachable from the local machine.
You don't need an admin password to access the admin section? Bad...

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally Posted by alphasubzero949
You don't need an admin password to access the admin section? Bad...
I see that you didn't even bother to click on the "Administration" link before posting.

Fresh-Faced Recruit
Join Date: Aug 2003
Location: Los Angeles
I think the firewall is on by default. If somebody had Norton Firewall on a previous installation, but decides not to reinstall it on 10.4, then the archive and install will copy the settings of the previous setup, and therefore, your Mac firewall had been off if you were using Norton, which you trashed. I wasn't using Norton, but the Mac Firewall, and when I looked at the control panel, it was ON.
If you do an Erase and Install, I betcha the firewall is ON.

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally Posted by Swift
If you do an Erase and Install, I betcha the firewall is ON.
It's off.

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by entrox
I see that you didn't even bother to click on the "Administration" link before posting.
I did.

Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally Posted by alphasubzero949
I did.
Then what's this? I even created a test user without administrative privileges to double-check.

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by entrox
Then what's this? I even created a test user without administrative privileges to double-check.
Nope...I was never prompted for a password.

Posting Junkie
Join Date: Feb 2005
Location: 888500128
Originally Posted by alphasubzero949
Nope...I was never prompted for a password.
Is it possible that you were, once, the first time you opened that page, and that Safari saved your login to the keychain?

Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Originally Posted by analogika
Is it possible that you were, once, the first time you opened that page, and that Safari saved your login to the keychain?
Bingo. I'm guessing that I saved the password when I tried to login using Panther (and it didn't work). So it does work as it should (duh).

Clinically Insane
Join Date: Mar 2001
Location: yes
What is the purpose of Norton Firewall or any other firewall software when ipfw can be configured to do anything you'd want out of a firewall (using a tool like Brickhouse even provides a GUI to do so)? I wouldn't pay Symantec a cent for their firewall product, especially given their track record for developing poor software for OS X. I'd trust the BSD/IPFW firewall over anything you could buy.
I think too few people understand what a firewall is and does - people seem to think it is this magical thing which makes everything secure.
1) If you are behind a router, having it enabled is not necessary
I don't claim to be a firewall expert, but as far as I understand it:
2) Having a port closed and a firewall protecting this port basically shuts down all communication attempts to a port at the kernel level. Instead of the OS having to deal with thinking "is this port open, what do we do with this request?" and creating potential for a denial of service or another sort of attack, the firewall just intercepts all incoming requests and shuts them down (i.e. a wall of fire).
3) Protecting closed ports is not all a firewall can do. A firewall can play traffic cop and permit and prohibit certain IPs to doing certain things. A firewall can apply to either incoming or outgoing traffic, TCP or UDP packets.
In OS X, by default having the firewall active allows all outgoing traffic, but blocks ports to incoming requests. Not being a router and being on the internet with no firewall properly configured and blocking incoming requests can pose problems in some circumstances, depending on what services you have enabled.
I'm sure that most of the general OS attack scripts are written for Windows, so we are probably better off, but we are not invincible.
Last edited by besson3c; May 1, 2005 at 09:13 PM.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
I decided to revive this thread because I have noticed something interesting about the OS X (10.4) firewall that I would like to explore: Even in Stealth Mode, Tiger's Firewall shows ports 0 and 1 as closed, according to Shields Up! I know that complete stealth violates protocol, but it's a nice thing to have available. Any comments?
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Professional Poster
Join Date: Jan 2002
Location: London, UK
Doh, deleted my post because it was stupid

Moderator
Join Date: May 2001
Location: Hilbert space
Originally Posted by Big Mac
I decided to revive this thread because I have noticed something interesting about the OS X (10.4) firewall that I would like to explore: Even in Stealth Mode, Tiger's Firewall shows ports 0 and 1 as closed, according to Shields Up! I know that complete stealth violates protocol, but it's a nice thing to have available. Any comments?
It stops the computer from replying to any signals such as pings. This makes diagnostics, for instance, much harder, and I don't think this is needed in a small network.
I don't suffer from insanity, I enjoy every minute of it.

Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by OreoCookie
It stops the computer from replying to any signals such as pings. This makes diagnostics, for instance, much harder, and I don't think this is needed in a small network.
It might be useful if you deal with sensitive information on a WiFi network or something, as it is possible to sniff and decrypt even a secure WiFi network.

Moderator
Join Date: May 2001
Location: Hilbert space
Originally Posted by besson3c
It might be useful if you deal with sensitive information on a WiFi network or something, as it is possible to sniff and decrypt even a secure WiFi network.
I don't think so. The sole purpose is to stop someone from discovering your network. If they know a computer is already there and they have cracked the WLAN security already, they can monitor all your transmissions via a packet sniffer.
I don't suffer from insanity, I enjoy every minute of it.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Wouldn't the kinds of diagnostics one would run be run within the LAN? Stealth applies to WAN connections, right? The chief virtue of having a stealthed response is that port scans can't detect anything at all. It would just be nice if the built-in firewall did stealth all ports when the stealth option is checked, the way one would assume it should.
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Network Time DOES access the Internet to receive standard time signals from a time server. The protocol is not one that is prone to attack, and the packets are not only tiny but (if I remember correctly) specific to the time protocol. Unless you have your own special atomic clock (or a direct link to a GPS receiver) to get Network Time to work you MUST connect to the Internet.
I'd keep the firewall on to keep the outside from knowing there's anything behind the Internet IP you have. If they don't know there's anything on your side, they can't try to hurt it.
Glenn -----OTR/L, MOT, Tx

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Originally Posted by ghporter
Network Time DOES access the Internet to receive standard time signals from a time server. The protocol is not one that is prone to attack, and the packets are not only tiny but (if I remember correctly) specific to the time protocol. Unless you have your own special atomic clock (or a direct link to a GPS receiver) to get Network Time to work you MUST connect to the Internet.
I'd keep the firewall on to keep the outside from knowing there's anything behind the Internet IP you have. If they don't know there's anything on your side, they can't try to hurt it.
That's what I'm saying, Glenn. The current version of Apple's Firewall rules close rather than stealth ports 0 and 1 (even in "stealth mode"), as revealed by GRC's Shields Up!. Therefore, a port scan will reveal the existence of some machine at my IP.
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Originally Posted by Big Mac
That's what I'm saying, Glenn. The current version of Apple's Firewall rules close rather than stealth ports 0 and 1 (even in "stealth mode"), as revealed by GRC's Shields Up!. Therefore, a port scan will reveal the existence of some machine at my IP.
Hackers usually only scan port ranges they can use; there isn't much anyone can do with ports 0 and 1 unless they get their jollies out of messing with your system clock. I can't for the life of me figure out why ANY firewall would stealth everything but those two ports, though.
Glenn -----OTR/L, MOT, Tx

Forum Regular
Join Date: Jun 2000
Location: Milwaukee, WI, USA
From what I have experienced, the firewall in my Netgear router is much better than the one built into Tiger, and with Little Snitch, I'm fairly safe on both ends (knock on wood, fingers crossed, spit in the wind, fill my socks with chocolate, etc.)

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
It's true that hardware firewalls are better in most respects, although software is more configurable. I'm sure if I were an ipfw guru I'd have ports 0 and 1 stealthed in a second, but my kung fu ain't that great. Anyway, the only reason I'm using OS X's firewall is that my Asante wired router finally gave out on me, and while a replacement router is en route I thought I'd try out the firewall.
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Dedicated MacNNer
Join Date: May 2005
I was just playing around with the firewall settings, and then went over to Symantec and used their security scan, which apparently tells me if I am vulnerable or not. In the "advanced" tab, I first checked "enable stealth mode" (with logging). When I ran Symantec's scan, I was safe from hackers, but not from trojan horses. When I enabled "block UDP traffic", I rescanned and found out I was vulnerable to hackers and trojan horses.
How vulnerable am I? This is my first mac and I have had it for about a month, I've used Windows much longer. Are the Symantec results just a way to scare people into buying their software?
PB12 / 1.5 / 80 / 1.25 / SD

Forum Regular
Join Date: Jan 2004
Location: Way up there!
Originally Posted by warra
Are the Symantec results just a way to scare people into buying their software?
I think so, as the results were similar even though my network is behind a router; I ran it when I first got it, just to see.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Originally Posted by warra
I was just playing around with the firewall settings, and then went over to Symantec and used their security scan, which apparently tells me if I am vulnerable or not. In the "advanced" tab, I first checked "enable stealth mode" (with logging). When I ran Symantec's scan, I was safe from hackers, but not from trojan horses. When I enabled "block UDP traffic", I rescanned and found out I was vulnerable to hackers and trojan horses.
How vulnerable am I? This is my first mac and I have had it for about a month, I've used Windows much longer. Are the Symantec results just a way to scare people into buying their software?
There are no Trojan Horses or viruses currently being disseminated for the Mac - to date Mac OS X has been virtually malware free. So the Symantec scanner is just trying to frighten you. The Tiger firewall does fail to stealth a few ports (as I detailed in my previous posts to this thread), giving a closed response instead. This does not mean you're vulnerable, but it does mean that port scanners can detect the presence of a computer at that IP address (not knowing necessarily what type).
Last edited by Big Mac; Oct 2, 2005 at 06:58 AM.
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Symantec is not trying to scare you. They're trying to tell you every single possible chance that your computer could be compromised, or used to compromise someone else's computer. Most of the hits I've seen with Symantec AV for the Mac have been from emails that had Windows viruses as attachments. Does that mean that you can ignore those threats? Not unless you know you'll NEVER, EVER contact ANYONE with a Windows computer for any reason.
The two platforms are different enough that only Java (or Java-like) code can be run on both, and that depends on a working implementation of Java on both machines. But while they can't run each other's code, many document and other data file formats are converging rather quickly, so you could easily be at risk of losing an Excel spreadsheet or a Word document because of something that works through Office's cross-program underpinnings.
Further, is it being a good neighbor to ignore potential problems that you might pass on to your neighbors? I feel that using an antivirus program (one that really works and doesn't hose up your system) on a Mac (or a Linux platform, for that matter) is at the very least being a good neighbor.
Glenn -----OTR/L, MOT, Tx

Clinically Insane
Join Date: Mar 2001
Location: yes
If you want to run antivirus software, support Open Source and install ClamAV, or the ClamAV GUI for OS X. It's very well accepted and supported software; it does email scanning on many servers (such as my own). It does the trick.
I'd personally rather not be dominated and controlled by a company when it comes to this kind of software.

Posting Junkie
Join Date: Feb 2005
Location: 888500128
Originally Posted by ghporter
Most of the hits I've seen with Symantec AV for the Mac have been from emails that had Windows viruses as attachments. Does that mean that you can ignore those threats? Not unless you know you'll NEVER, EVER contact ANYONE with a Windows computer for any reason.
Frankly, other people's bad judgement is not my responsibility.
I am not in any way obliged to pay money for other people's failure to run a secure system. Windows - and appropriate malware protection - is THEIR problem.
Period.