Do most of you enable firewall?
markw10
Mac Enthusiast
Join Date: Aug 2006
Apr 3, 2007, 01:04 AM
 
I'm relatively new to the Mac and am wondering if most people enabled the firewall on OS X or not? If so, do you use any special settings?
     
Curiosity
Senior User
Join Date: Jul 2006
Apr 3, 2007, 01:34 AM
 
I use the firewall. I do not permit sharing of anything, and the only thing I do allow to get through is Network Time, because that is needed to keep the computer clock set correctly.
     
peeb
Addicted to MacNN
Join Date: Mar 2006
Apr 3, 2007, 01:42 AM
 
It is enabled by default. If you have to ask this, don't mess with it. Is there a problem that you are encountering with the firewall that makes you think that you need to change the settings?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 01:49 AM
 
I do, but instead of just clicking things you don't understand (assuming this is the case for you), I'd take some time to learn what a firewall is, what it does, and how it can be used. You may or may not need it, we cannot determine this for you without knowing more about your setup there and what you do with your computer.
     
WJMoore
Grizzled Veteran
Join Date: Jan 2002
Location: Melbourne, Australia
Apr 3, 2007, 05:21 AM
 
Originally Posted by peeb View Post
It is enabled by default. If you have to ask this, don't mess with it. Is there a problem that you are encountering with the firewall that makes you think that you need to change the settings?
The firewall isn't on by default, "When you enable the personal firewall in Mac OS X..." from Apple - Mac OS X - Security. See also: Is the firewall enabled in Mac OS X by default, or not?.
     
Tomchu
Mac Elite
Join Date: Sep 2005
Apr 3, 2007, 11:53 AM
 
I do, just as a precaution in case an exploit is discovered and released for one of the services that are running by default and listen on my network interfaces.
     
peeb
Addicted to MacNN
Join Date: Mar 2006
Apr 3, 2007, 12:12 PM
 
Originally Posted by WJMoore View Post
The firewall isn't on by default, "When you enable the personal firewall in Mac OS X..." from Apple - Mac OS X - Security. See also: Is the firewall enabled in Mac OS X by default, or not?.
Oops! Thanks for pointing that out!
     
CatOne
Mac Elite
Join Date: Nov 2001
Apr 3, 2007, 12:34 PM
 
I don't have it on. It's not on by default.

Not a bad idea to have it on, though your Mac is safe from remote attacks even without it running. By default, OS X ships with no services listening on any ports. If nothing's listening, you actually cannot be attacked because there's nothing to attack.

No ugly port 143 broadcasting your machine name, for example :-)
     
legacyb4
Mac Elite
Join Date: May 2001
Location: Vancouver
Apr 3, 2007, 12:59 PM
 
Sure, why wouldn't you turn it on? You have to understand what it does so that if you have an application like Transmission running, you can make the necessary changes to maximize your transfer speeds, but otherwise it never hurts to have it running.
Macbook (Black) C2D/250GB/3GB | G5/1.6 250GBx2/2.0GB
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 01:00 PM
 
Originally Posted by Tomchu View Post
I do, just as a precaution in case an exploit is discovered and released for one of the services that are running by default and listen on my network interfaces.
Does your home computer sit behind a router? If so, your network services are not at risk unless your router is forwarding incoming requests for particular ports to machines in your LAN.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 01:01 PM
 
Originally Posted by CatOne View Post
I don't have it on. It's not on by default.

Not a bad idea to have it on, though your Mac is safe from remote attacks even without it running. By default, OS X ships with no services listening on any ports. If nothing's listening, you actually cannot be attacked because there's nothing to attack.

No ugly port 143 broadcasting your machine name, for example :-)

You could be brute force attacked though. If your machine is directly exposed to the internet (and it's important to understand exactly what this means), it should be protected.
     
Tomchu
Mac Elite
Join Date: Sep 2005
Apr 3, 2007, 01:28 PM
 
Originally Posted by besson3c View Post
Does your home computer sit behind a router? If so, your network services are not at risk unless your router is forwarding incoming requests for particular ports to machines in your LAN.
My MBP, when at home, sits behind a FreeBSD-based gateway running PF. :-)

My MBP, when not at home, is exposed to all sorts of environments: directly on the Internet when I'm at a datacenter working, at school on our wireless, on a stranger's wireless, etc.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 01:30 PM
 
Originally Posted by Tomchu View Post
My MBP, when at home, sits behind a FreeBSD-based gateway running PF. :-)

My MBP, when not at home, is exposed to all sorts of environments: directly on the Internet when I'm at a datacenter working, at school on our wireless, on a stranger's wireless, etc.

Cool

I've thought about doing this sort of thing with my FreeBSD machine too, but I've never gotten around to looking into what it would take to set up my FBSD machine as a wireless base station. Do you happen to know?
     
peeb
Addicted to MacNN
Join Date: Mar 2006
Apr 3, 2007, 01:32 PM
 
Does it slow the machine down?
     
Uisce
Dedicated MacNNer
Join Date: Nov 2002
Location: Chapel Hill, NC
Apr 3, 2007, 02:03 PM
 
It won't slow the machine down unless you're trying to do something through a closed port, and in that case you're not going anywhere!

I have it on, with only printer sharing and network time on by default. I'll turn file sharing on when I need it, but otherwise, it's closed. I'm also behind a Linksys router, so that makes two firewalls.

Uisce
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 02:14 PM
 
Originally Posted by Uisce View Post
It won't slow the machine down unless you're trying to do something through a closed port, and in that case you're not going anywhere!

I have it on, with only printer sharing and network time on by default. I'll turn file sharing on when I need it, but otherwise, it's closed. I'm also behind a Linksys router, so that makes two firewalls.
All outgoing connections from your firewalled machine are accepted; it is the incoming connections from outside that are blocked. There is nothing you can do (except for making repeated requests to your own services that leave your computer and loop back) to slow yourself down.

I'm not sure why Apple provides an NTP/Network Time preset in the firewall GUI, as most people are most likely using a public NTP server, not a personal workstation.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 02:16 PM
 
The rule that permits all outgoing tcp traffic is as follows:

02050 allow tcp from any to any out

This rule allows your network services to speak to each other:

02000 allow ip from any to any via lo*


You can view all of your rules by doing a:

sudo ipfw list

In your terminal.
     
slpdLoad
Mac Elite
Join Date: Jun 2006
Apr 3, 2007, 04:04 PM
 
I don't, but it doesn't hurt. I just prefer not to ever have to bother with it.
     
indigoimac
Senior User
Join Date: Feb 2003
Location: Pittsburgh, PA
Apr 3, 2007, 04:34 PM
 
I have it on, even though I'm behind a router, it's not going to hurt anything, I just leave the services that I need open, iPhoto, iTunes, AFS, and Torrents.
15" MacBook Pro 2.0GHz i7 4GB RAM 6490M 120GB OWC 6G SSD 500GB HD
15" MacBook Pro 2.4GHz C2D 2GB RAM 8600M GT 200GB HD
17" C2D iMac 2.0GHz 2GB RAM x1600 500GB HD
     
kick52
Baninated
Join Date: May 2005
Location: England
Apr 3, 2007, 08:11 PM
 
i don't have it on.. i just find it annoying changing something every time you download a net-based app. (if they use different ports.) anyway, i'm behind a powermac.. i don't even know if that makes any difference so meh.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 3, 2007, 08:34 PM
 
Originally Posted by kick52 View Post
i don't have it on.. i just find it annoying changing something every time you download a net-based app. (if they use different ports.) anyway, i'm behind a powermac.. i don't even know if that makes any difference so meh.

Like I said, having the firewall on does not affect your outgoing connections.

The fact you use a Powermac is also irrelevant.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 3, 2007, 09:37 PM
 
Since I move around with my MBP, I use the firewall. You bet your asterisk I do! I have specific functions enabled through it, but it's basically "closed" to almost everything.

Glenn -----OTR/L, MOT, Tx
     
utw-Mephisto
Dedicated MacNNer
Join Date: Dec 2006
Apr 3, 2007, 09:48 PM
 
I have not switched of actually .. but I think I will when I reinstall it .. something is messed up here .. I just wait for the release of Pantha but then I will probably use it ..
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Apr 3, 2007, 09:52 PM
 
Originally Posted by kick52 View Post
i don't have it on.. i just find it annoying changing something every time you download a net-based app. (if they use different ports.) anyway, i'm behind a powermac.. i don't even know if that makes any difference so meh.
As Besson said, the firewall won't make a difference to most network apps. Your computer is free to connect anywhere regardless of the firewall. The firewall just keeps other computers from touching yours unless you've talked to them first.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
kcmac
Mac Elite
Join Date: Jan 2001
Location: Kansas City, Mo
Apr 3, 2007, 10:26 PM
 
I don't have it on. Don't see any reason to. Everything else is off by default. Travel. Wireless most everywhere. Freedom.
     
mac128k-1984
Mac Elite
Join Date: Jun 2006
Apr 4, 2007, 08:00 AM
 
I have it on, I do have some sharing turned on to facilitate moving files from one mac to another.
There's enough bad things going on out there on the net not to turn it on. Heck M$ saw the light and started providing a decent firewall with windows - if there was no reason, then they wouldn't have done that.

No, I don't want hackers getting at my system for any reason.
Michael
     
kick52
Baninated
Join Date: May 2005
Location: England
Apr 4, 2007, 10:24 AM
 
Originally Posted by besson3c View Post
Like I said, having the firewall on does not affect your outgoing connections.

The fact you use a Powermac is also irrelevant.
yeah, but i connect to my ibook with my powermac doing different stuff.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 4, 2007, 11:25 AM
 
Originally Posted by kick52 View Post
yeah, but i connect to my ibook with my powermac doing different stuff.
As long as you are behind a router, this is fine. If you aren't, you need to protect your machines.
     
Keda
Senior User
Join Date: Dec 1999
Location: Alexandria, VA USA
Apr 4, 2007, 01:55 PM
 
I run w/the FireWall active on all my Macs. I haven't noticed any detrimental effect, so why not?
     
parsec_kadets
Senior User
Join Date: Mar 2002
Location: Golden, CO
Apr 4, 2007, 05:18 PM
 
Originally Posted by besson3c View Post
As long as you are behind a router, this is fine. If you aren't, you need to protect your machines.
If your only rule is that you're behind A router, then you need to reexamine your own security setup. You should only be turning off the firewall when you are behind a router that you maintain, restrict access to, and trust all the systems that do have access to it. When you open up your laptop at Starbucks, or wherever, you're usually behind a router as well. A firewall only protects systems behind it from the outside world. It doesn't protect them from each other though. My rule of thumb is this: if any of your systems ever leave the confines of your home network (going to a coffee shop, business travel, etc) then you should have the firewall enabled on all your systems. This is because the system that leaves the network, then comes back, may have been compromised while it was gone and could attempt to compromise the other systems upon its return. In my setup I have an iMac, a PowerBook G4, and a TiVo. Both the Macs have their firewall enabled since the laptop comes and goes (the TiVo doesn't have a firewall to enable). However if I had a bunch of desktop Macs that stayed put, only then would I consider turning off the firewalls on the individual systems. Even then though I would probably leave them enabled since my friends tend to bring their laptops when they visit.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 4, 2007, 05:25 PM
 
Good points!

I was thinking specifically of being behind your personal router at home that you have secured and locked down (how this is done wirelessly would make for another good thread)... In a controlled home network where you are perfectly aware of what machines are on the network and what their status is, it can be acceptable to leave the firewall off. However, for novice users running Windows and susceptible to viruses, I wouldn't recommend this.

Really, your best bet is to turn on the firewall and call it a day. I think Apple should have enabled the firewall by default, I see no compelling reason that explains why they wouldn't have done this.
     
Hal Itosis
Grizzled Veteran
Join Date: Mar 2004
Apr 4, 2007, 07:09 PM
 
Here is the past 5 minutes, as seen by my /private/var/log/ipfw.log
[codex]
Apr 4 18:36:38 Mac ipfw: 12190 Deny TCP 4.170.78.119:3790 4.234.162.118:139 in via ppp0
Apr 4 18:36:41 Mac ipfw: 12190 Deny TCP 4.170.78.119:3790 4.234.162.118:139 in via ppp0
Apr 4 18:37:09 Mac ipfw: Stealth Mode connection attempt to TCP 4.234.162.118:1024 from 195.197.175.21:6667
Apr 4 18:40:05 Mac ipfw: 20000 Deny ICMP:8.0 4.232.81.188 4.234.162.118 in via ppp0
Apr 4 18:40:06 Mac ipfw: 12190 Deny TCP 4.231.213.173:1488 4.234.162.118:445 in via ppp0
Apr 4 18:40:09 Mac ipfw: 12190 Deny TCP 4.231.213.173:1488 4.234.162.118:445 in via ppp0
Apr 4 18:41:29 Mac ipfw: 12190 Deny TCP 4.231.213.173:3411 4.234.162.118:445 in via ppp0
Apr 4 18:41:32 Mac ipfw: 12190 Deny TCP 4.231.213.173:3411 4.234.162.118:445 in via ppp0
Apr 4 18:43:59 Mac ipfw: 12190 Deny TCP 4.234.36.220:3174 4.234.162.118:139 in via ppp0
Apr 4 18:44:03 Mac ipfw: 12190 Deny TCP 4.234.36.220:3174 4.234.162.118:139 in via ppp0
Apr 4 18:44:48 Mac ipfw: 20000 Deny ICMP:8.0 4.231.26.4 4.234.162.118 in via ppp0
Apr 4 18:45:09 Mac ipfw: 12190 Deny TCP 76.4.147.154:15020 4.234.162.118:445 in via ppp0
Apr 4 18:45:10 Mac ipfw: Stealth Mode connection attempt to TCP 4.234.162.118:50909 from 64.154.80.250:80
Apr 4 18:48:04 Mac ipfw: 12190 Deny TCP 4.234.18.238:3686 4.234.162.118:135 in via ppp0
Apr 4 18:51:44 Mac ipfw: 12190 Deny TCP 4.234.0.173:2639 4.234.162.118:445 in via ppp0
Apr 4 18:53:53 Mac ipfw: 35000 Deny UDP 55.226.26.64:30444 4.234.162.118:1026 in via ppp0
Apr 4 18:56:23 Mac ipfw: 35000 Deny UDP 221.12.113.252:33564 4.234.162.118:1027 in via ppp0
Apr 4 18:56:23 Mac ipfw: 35000 Deny UDP 221.12.113.252:33563 4.234.162.118:1026 in via ppp0
Apr 4 18:59:22 Mac ipfw: 35000 Deny UDP 202.97.238.130:51192 4.234.162.118:1026 in via ppp0
Apr 4 19:00:46 Mac ipfw: 20000 Deny ICMP:8.0 4.235.193.217 4.234.162.118 in via ppp0
[/codex]

What's up with that?
-HI-
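
As an added example (not part of any poster's message), a small Python parser for the ipfw.log format quoted above that tallies blocked probes by protocol and destination port. The sample lines are constructed with documentation addresses, and the service labels in `KNOWN` are standard port assignments, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the ipfw.log format quoted above
# (addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Apr 4 18:36:38 Mac ipfw: 12190 Deny TCP 198.51.100.7:3790 192.0.2.10:139 in via ppp0
Apr 4 18:36:41 Mac ipfw: 12190 Deny TCP 198.51.100.7:3790 192.0.2.10:139 in via ppp0
Apr 4 18:37:09 Mac ipfw: Stealth Mode connection attempt to TCP 192.0.2.10:1024 from 203.0.113.21:6667
Apr 4 18:40:05 Mac ipfw: 20000 Deny ICMP:8.0 198.51.100.88 192.0.2.10 in via ppp0
Apr 4 18:40:06 Mac ipfw: 12190 Deny TCP 198.51.100.9:1488 192.0.2.10:445 in via ppp0
Apr 4 18:48:04 Mac ipfw: 12190 Deny TCP 198.51.100.9:3686 192.0.2.10:135 in via ppp0
Apr 4 18:53:53 Mac ipfw: 35000 Deny UDP 203.0.113.64:30444 192.0.2.10:1026 in via ppp0
Apr 4 18:54:00 Mac somethingelse: not a firewall line
"""

# Rule entries: "<rule> <action> <proto>[:icmp-type] <src> <dst> <in|out> via <iface>"
RULE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>[\d.]+))? "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")
# Stealth-mode entries name the destination first, then the source.
STEALTH_RE = re.compile(
    r"ipfw: Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\S+) from (?P<src>\S+)")

# Standard meanings of destinations that appear in the thread's log.
KNOWN = {
    ("TCP", "135"): "MS RPC endpoint mapper",
    ("TCP", "139"): "NetBIOS session service",
    ("TCP", "445"): "SMB (microsoft-ds)",
    ("ICMP", "8.0"): "echo request (ping)",
}

def split_host_port(endpoint):
    """Split 'a.b.c.d:port'; ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (endpoint, None)

def parse_line(line):
    """Return a dict for an ipfw log line, or None for unrelated lines."""
    m = RULE_RE.search(line)
    if m:
        action, rule, icmp = m["action"].lower(), int(m["rule"]), m["icmp"]
    else:
        m = STEALTH_RE.search(line)
        if m is None:
            return None
        action, rule, icmp = "stealth", None, None
    src_host, src_port = split_host_port(m["src"])
    dst_host, dst_port = split_host_port(m["dst"])
    return {"action": action, "rule": rule, "proto": m["proto"],
            "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port,
            "target": icmp or dst_port}  # ICMP type, else destination port

def summarize(log_text):
    """Count blocked attempts per (protocol, target) and collect sources."""
    hits, sources = Counter(), set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        hits[(event["proto"], event["target"])] += 1
        sources.add(event["src_host"])
    report = [(proto, target, n, KNOWN.get((proto, target), "unlabelled"))
              for (proto, target), n in hits.most_common()]
    return report, sources

if __name__ == "__main__":
    report, sources = summarize(SAMPLE_LOG)
    for proto, target, n, label in report:
        print(f"{n:3d}  {proto:<4} {target:<6} {label}")
    print(f"{len(sources)} distinct source addresses")
```
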
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 4, 2007, 07:18 PM
 
That's exactly why it is good to run a firewall - to cut off this sort of communication at the kernel level rather than the network stack level.

With the firewall off, you are letting people knock at your door and allowing them to see what kind of response they get. With the firewall on, you aren't even letting them get to the door.
     
Sherman Homan
Mac Elite
Join Date: Sep 2006
Apr 4, 2007, 07:44 PM
 
besson3c nails it, port scanners are constantly looking for potential exploits. Turning on the firewall stops them at the kernel, long before they can find anything open on your machine.
Obviously, if you are not running any services you have nothing to fear, but why even let someone bang on your door? If they can see an active broadband connection and see open ports, you are leaving yourself at least open for the attempt. The firewall requires next to no resources, turn it on!
     
Parvez
Forum Regular
Join Date: Oct 2006
Location: New York City
Apr 4, 2007, 07:50 PM
 
I connect through my router so do I need to turn on the firewall? My router already has SPI firewall on. It's a Netgear Wireless Router.
     
Sherman Homan
Mac Elite
Join Date: Sep 2006
Apr 4, 2007, 08:05 PM
 
Parvez, if you let your router run a firewall then you do not need to do so on your Mac.
     
parsec_kadets
Senior User
Join Date: Mar 2002
Location: Golden, CO
Apr 4, 2007, 09:06 PM
 
Originally Posted by Sherman Homan View Post
Parvez, if you let your router run a firewall then you do not need to do so on your Mac.
That's not entirely true. The router will only protect your system from the outside world. If any system on your network leaves, gets compromised, and comes back it could compromise your other systems. Yes, we are talking about OS X here which is pretty secure to begin with, but the moment you assume that you're impervious to attack because of that is the moment you become vulnerable. Am I being a bit paranoid? Perhaps. But I do keep financial records on my system, and it only has to be compromised once for my identity to be stolen. The firewall uses almost no resources and enhances the security of your information, so why not use it?
     
Sherman Homan
Mac Elite
Join Date: Sep 2006
Apr 4, 2007, 09:22 PM
 
parsec_kadets
You are right, the level of security can be matched to the level of concern.
     
MacSmiley
Fresh-Faced Recruit
Join Date: Oct 2003
Location: South Dakota, USA
Apr 5, 2007, 02:47 PM
 
I have an iMac desktop at home. No Airport or wireless network. I don't share any of the services available.

AND I keep my firewall ON. Why? Because when it comes to security, redundancy is a good thing.
     
Parvez
Forum Regular
Join Date: Oct 2006
Location: New York City
Apr 5, 2007, 03:45 PM
 
Thanks Sherman and parsec. I just enabled my firewall
     
OwlBoy
Addicted to MacNN
Join Date: Nov 1999
Location: Madison, WI
Apr 5, 2007, 05:48 PM
 
I use a hardware firewall (Router!).

-Owl
     
gradient
Mac Elite
Join Date: Aug 2005
Location: Vancouver, BC
Apr 10, 2007, 02:36 AM
 
yup, I use the os x firewall even though I'm behind a router because.....well...... redundancy makes me feel better
     
CatOne
Mac Elite
Join Date: Nov 2001
Apr 10, 2007, 10:17 AM
 
Originally Posted by besson3c View Post
You could be brute force attacked though. If your machine is directly exposed to the internet (and it's important to understand exactly what this means), it should be protected.
Brute force attacked how? That's like yelling at a deaf person when their back is turned. They're not going to hear you.

It's easy to verify this -- run a port scan against a Mac in its "out of the box" configuration. Notice there are no ports open. What's to attack?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 10, 2007, 11:09 AM
 
Originally Posted by CatOne View Post
Brute force attacked how? That's like yelling at a deaf person when their back is turned. They're not going to hear you.

It's easy to verify this -- run a port scan against a Mac in its "out of the box" configuration. Notice there are no ports open. What's to attack?

Denial of service attacks and buffer overrun/overflow issues seem to go hand in hand. I'm not a security expert, so I'm not sure if this is entirely accurate and why this is, but regardless a denial of service attack at the TCP stack level is something that should be avoided.

Creating firewall rules establishes a kernel level ruleset that will block these requests at a much lower level before requests can even reach your network stack.
     
   
 