[neverwind]

Have decided to try the firewall built into Tiger and not install Norton firewall (which I had been using in 10.3). I've noticed that the firewall, which is located under sharing, is:

1) Off by default - dangerous don't you think? (Win XP SP2 prompt users to turn on the inbuilt firewall immediately after installation)

2) Contains an item labeled "Network Time" - Anyone care to explain what it is? I'm guessing that if it is turned off I will not be able to access the internet because with it off I GET no internet...

So here's what every user should do:

1) Turn on the firewall

2) Enable "Network Time"

3) Enable any other sharing services they desire ( like Bonjour, iTunes sharing etc)

[sideus]

Originally Posted by neverwind

1) Off by default - dangerous don't you think?

Not entirely dangerous. Mac OS X doesn't have the many open ports as Windows does. But yes, I would turn in on if not behind a router.

[entrox]

Originally Posted by neverwind

1) Off by default - dangerous don't you think?

Considering that no services are enabled by default, I'll have to say no.

2) Contains an item labeled "Network Time" - Anyone care to explain what it is? I'm guessing that if it is turned off I will not be able to access the internet because with it off I GET no internet...

It's opening port 123 UDP inbound which is NTP. I don't see why this should be open unless you're running a ntpd yourself. Toggling it has no effect on my ipfw rules so I don't know why it's even there.

So here's what every user should do:

1) Turn on the firewall
2) Enable "Network Time"
3) Enable any other sharing services they desire ( like Bonjour, iTunes sharing etc)

Your point is? This isn't Windows ...

[Thorin]

Hmm - I can still access the Internet with "Network Time" not set to allow. In fact - I'm posting this now with it set like that!

[neverwind]

Originally Posted by Thorin

Hmm - I can still access the Internet with "Network Time" not set to allow. In fact - I'm posting this now with it set like that!

Will try again. Stupid question - but is your firewall "ON"?

Originally Posted by entrox

Considering that no services are enabled by default, I'll have to say no.

So you're happy to surf the internet WITHOUT the firewall turned on - are you serious?

[analogika]

FYI: "network time" has nothing to do with being able to access the internet.

From ntp.org

The Network Time Protocol (NTP) is used to synchronize the time of a computer
client or server to another server or reference time source, such as a radio...

[neverwind]

Cool. Was new to me.

[analogika]

Originally Posted by neverwind

So you're happy to surf the internet WITHOUT the firewall turned on - are you serious?

Again: This is not really a problem, since no services are turned on, so - yes.

This is not Windows.

Sure, using a firewall adds an extra layer of protection, but OS X is very secure already, as it is.

Most all vulnerabilities that are discovered in OS X are fixed before any exploits can make the rounds, due to the open-source nature of the operating system (and most of the networking stuff is cross-platform OS X/*BSD/Linux/??? - you constantly have literally hundres of thousands of people scouring the code, analyzing for potential vulnerabilities and devising fixes).

In addition, nearly all such vulnerabilities are discovered in various networking services, such as Apache or ssh, all of which are turned OFF in OS X by default, making the system completely impervious to any exploits devised for such services.

Both of these things are the direct and complete opposite of how things are on Windows.

-s*

Just checked my firewall settings - I usually have it on, but I'd turned it off the other day to configure Jabber (just to ensure that nothing was blocked), and it hasn't particularly bothered me. I'll turn it back on again, now.

[OreoCookie]

Switch on your firewall, it makes life safer. It's easy, just with the click of a button.

[pman68]

Originally Posted by OreoCookie

Switch on your firewall, it makes life safer. It's easy, just with the click of a button.

a great tip! and it's painless too.

[entrox]

I think you're being lulled into a false sense of security. The built-in GUI for ipfw will just close all ports except for the specified ones to inbound connections, nothing more. If you don't have services listening, there's absolutely no point in running a firewall.

FWIW, a complete nmap-scan shows 3 running services on my machine: service location, personal file sharing and Rendezvous. Enabling the firewall through the GUI will just close the Rendezvous port (or Bonjour.. whatever), the other two are open by default.

What's the point?

[OreoCookie]

Originally Posted by entrox

I think you're being lulled into a false sense of security. The built-in GUI for ipfw will just close all ports except for the specified ones to inbound connections, nothing more. If you don't have services listening, there's absolutely no point in running a firewall.

FWIW, a complete nmap-scan shows 3 running services on my machine: service location, personal file sharing and Rendezvous. Enabling the firewall through the GUI will just close the Rendezvous port (or Bonjour.. whatever), the other two are open by default.

What's the point?

In a perfect world, you'd be right. Then Windows wouldn't need a firewall, too. A properly configured firewall does more than just close a few ports, you can have fine-grained control over who (as in what ip addresses) do have acces and which do not. Every service has (potential) weaknesses (as can be seen in the Linux world for instance), so not allowing someone to access a system in the first place just poses another hurdle.

[analogika]

Originally Posted by OreoCookie

In a perfect world, you'd be right. Then Windows wouldn't need a firewall, too.

Huh?

I outlined above that the reason Windows HAS TO be used behind a firewall is because

a) scores of services are ON BY DEFAULT. Since it's usually the individual services that have vulnerabilities, that is a problem. This is especially bad on Windows, because

b) the system is closed-source, so that vulnerabilities don't get fixed unless/until Uncle Bill finally gets off their ass and actually does something - provided they even *CAN*, seeing as they themselves seem to have lost track of much of what actually goes on within their OS services architecture. (There was a great case recently where a security firm had found a serious exploit and confidentially alerted Microsoft. When nothing happened after something like nine MONTHS, they finally went public with the information - and were promptly sued. Anybody still have the link handy? I couldn't seem to find it again searching the net.)

-s*

[entrox]

Originally Posted by OreoCookie

In a perfect world, you'd be right. Then Windows wouldn't need a firewall, too. A properly configured firewall does more than just close a few ports, you can have fine-grained control over who (as in what ip addresses) do have acces and which do not. Every service has (potential) weaknesses (as can be seen in the Linux world for instance), so not allowing someone to access a system in the first place just poses another hurdle.

Fine. Please show me the things that the GUI-configured firewall in OS X does besides closing ports. Yes, they have introduced three new options in Tiger - unfortunately, two of them are utterly retarded and the remaining option (logging) doesn't help security per se.

[bborofka]

How many services are on in Windows XP by default? I was always under the impression that Mac OS X ships with NO services running (making the need for a firewall moot). But with my fresh install of Tiger, I did an nmap of myself with all things turned off in the Sharing System Preference, and I noticed 3 ports open:

631/tcp open ipp
1033/tcp open netinfo
3689/tcp open rendezvous

631... is that Internet Printing Protocol? What is that and why is it on? 1033, I have no idea why my Mac is serving Netinfo. 3689... I am NOT sharing any music in iTunes, so why is this on?

I never did this in Panther, but are these 3 same ports open in that OS? Granted, I'm not worried because none of these ports are being forwarded to my computer from my router, but I'm still curious.

[entrox]

631 is the CUPS configuration, which can be accessed by going to http://localhost:631. It is only reachable from the local machine.

1033 is the local NetInfo port, which can also only be accessed from the local machine, so no worries here.

3689 is iTunes music sharing, which can be disabled in the iTunes preferences ("Share my music").

[alphasubzero949]

Originally Posted by entrox

631 is the CUPS configuration, which can be accessed by going to http://localhost:631. It is only reachable from the local machine.

You don't need an admin password to access the admin section? Bad...

[entrox]

Originally Posted by alphasubzero949

You don't need an admin password to access the admin section? Bad...

I see that you didn't even bother to click on the "Administration" link before posting.

[Swift]

I think the firewall is on by default. If somebody had Norton Firewall on a previous installation, but decides not to reinstall it on 10.4, then the archive and install will copy the settings of the previous setup, and therefore, your Mac firewall had been off if you were using Norton, which you trashed. I wasn't using Norton, but the Mac Firewall, and when I looked at the control panel, it was ON.

If you do an Erase and Install, I betcha the firewall is ON.

[entrox]

Originally Posted by Swift

If you do an Erase and Install, I betcha the firewall is ON.

It's off.

[alphasubzero949]

Originally Posted by entrox

I see that you didn't even bother to click on the "Administration" link before posting.

I did.

[entrox]

Originally Posted by alphasubzero949

I did.

Then what's this? I even created a test user without administrative privileges to double-check.

[alphasubzero949]

Originally Posted by entrox

Then what's this? I even created a test user without administrative privileges to double-check.

Nope...I was never prompted for a password.

[analogika]

Originally Posted by alphasubzero949

Nope...I was never prompted for a password.

Is it possible that you were, once, the first time you opened that page, and that Safari saved your login to the keychain?

[alphasubzero949]

Originally Posted by analogika

Is it possible that you were, once, the first time you opened that page, and that Safari saved your login to the keychain?

Bingo. I'm guessing that I saved the password when I tried to login using Panther (and it didn't work). So it does work as it should (duh).

[besson3c]

What is the purpose of Norton Firewall or any other firewall software when ipfw can be configured to do anything you'd want out of a firewall (using a tool like Brickhouse even provides a GUI to do so)? I wouldn't pay Symantec a cent for their firewall product, especially given their track record for developing poor software for OS X. I'd trust the BSD/IPFW firewall over anything you could buy.


I think too few people understand what a firewall is and does - people seem to think it is this magical thing which makes everything secure.

1) If you are behind a router, having it enabled is not necessary

I don't claim to be a firewall expert, but as far as I understand it:

2) Having a port closed and a firewall protecting this port basically shuts down all communication attempts to a port at the kernel level. Instead of the OS having to deal with thinking "is this port open, what do we do with this request?" and creating potential for a denial of service or another sort of attack, the firewall just intercepts all incoming requests and shuts them down (i.e. a wall of fire).

3) Protecting closed ports is not all a firewall can do. A firewall can play traffic cop and permit and prohibit certain IPs to doing certain things. A firewall can apply to either incoming or outgoing traffic, TCP or UDP packets.

In OS X, by default having the firewall active allows all outgoing traffic, but blocks ports to incoming requests. Not being a router and being on the internet with no firewall properly configured and blocking incoming requests can pose problems in some circumstances, depending on what services you have enabled.

I'm sure that most of the general OS attack scripts are written for Windows, so we are probably better off, but we are not invincible.

[Big Mac]

I decided to revive this thread because I have noticed something interesting about the OS X (10.4) firewall that I would like to explore: Even in Stealth Mode, Tiger's Firewall shows ports 0 and 1 as closed, according to Shields Up! I know that complete stealth violates protocol, but it's a nice thing to have available. Any comments?

[JKT]

Doh, deleted my post because it was stupid

[OreoCookie]

Originally Posted by Big Mac

I decided to revive this thread because I have noticed something interesting about the OS X (10.4) firewall that I would like to explore: Even in Stealth Mode, Tiger's Firewall shows ports 0 and 1 as closed, according to Shields Up! I know that complete stealth violates protocol, but it's a nice thing to have available. Any comments?

I stops the computer from replying to any signals such as pings. This makes diagnostics for instance much harder, and I don't think this is needed in a small network.

[besson3c]

Originally Posted by OreoCookie

I stops the computer from replying to any signals such as pings. This makes diagnostics for instance much harder, and I don't think this is needed in a small network.

It might be useful if you deal with sensitive information on a WiFI or something, as it is possible to sniff and decrypt even a secure WiFI network.

[OreoCookie]

Originally Posted by besson3c

It might be useful if you deal with sensitive information on a WiFI or something, as it is possible to sniff and decrypt even a secure WiFI network.

I don't think so. The sole purpose is to stop someone from discovering your network. If they know a computer is already there and they have cracked the WLAN security already, they can monitor all your transmissions via a packet sniffer.

[Big Mac]

Wouldn't the kinds of diagnostics one would run would be run within the LAN? Stealth applies to WAN connects, right? The chief virtue of having a stealthed response is that port scans can't detect anything at all. It would just be nice if the built-in firewall did stealth all ports if the stealth option is checked, the way one would assume it should.

[ghporter]

Network Time DOES access the Internet to receive standard time signals from a time server. The protocol is not one that is prone to attack, and the packets are not only tiny but (if I remember correctly) specific to the time protocol. Unless you have your own special atomic clock (or a direct link to a GPS receiver) to get Network Time to work you MUST connect to the Internet.

I'd keep the firewall on to keep the outside from knowing there's anything behind the Internet IP you have. If they don't know there's anything on your side, they can't try to hurt it.

[Big Mac]

Originally Posted by ghporter

Network Time DOES access the Internet to receive standard time signals from a time server. The protocol is not one that is prone to attack, and the packets are not only tiny but (if I remember correctly) specific to the time protocol. Unless you have your own special atomic clock (or a direct link to a GPS receiver) to get Network Time to work you MUST connect to the Internet.

I'd keep the firewall on to keep the outside from knowing there's anything behind the Internet IP you have. If they don't know there's anything on your side, they can't try to hurt it.

That's what I'm saying, Glenn. The current version of Apple's Firewall rules close rather than stealth ports 0 and 1 (even in "stealth mode"), as revealed by GRC's Shields Up!. Therefore, a port scan will reveal the existence of some machine at my IP.

[ghporter]

Originally Posted by Big Mac

That's what I'm saying, Glenn. The current version of Apple's Firewall rules close rather than stealth ports 0 and 1 (even in "stealth mode"), as revealed by GRC's Shields Up!. Therefore, a port scan will reveal the existence of some machine at my IP.

Hackers usually only scan port ranges they can use-there isn't much anyone can do with ports 0 and 1 unless they get their jollies out of messing with your system clock. I can't for the life of me figure out why ANY firewall would stealth everything but those two ports though.

[Bogartte]

From what I have experienced, the firewall in my Netgear router is much better than the one built into Tiger, and with Little Snitch, I'm fairly safe on both ends (knock on wood, fingers crossed, spit in the wind, fill my socks with chocolate, etc.)

[Big Mac]

It's true that hardware firewalls are better in most respects, although software is more configurable. I'm sure if I were an ipfw guru I'd have ports 0 and 1 stealthed in a second, but my kung foo aint that great. Anyway, the only reason why I'm using OS X's firewall is my Asante wired router finally gave out on me, and while a replacement router is en route I thought I'd try out the firewall.

[warra]

I was just playing around with the firewall settings, and then went over to symantec and used their security scan which apparently tells me if I am vulnerable or not. In the "advanced" tab, I first checked enable stealth mode (with logging). When I ran symantecs scan, I was safe from hackers, but not from trojan horses. When I enabled "block udp traffic", I rescanned and found out I was vulnerable to hackers and trojan horses.

How vulnerable am I? This is my first mac and I have had it for about a month, I've used Windows much longer. Are the Symantec results just a way to scare people into buying their software?

[voo]

Originally Posted by warra

Are the Symantec results just a way to scare people into buying their software?

I thinkso, as the results were similar when even though my network is behind a router when I first got it just to see.

[Big Mac]

Originally Posted by warra

I was just playing around with the firewall settings, and then went over to symantec and used their security scan which apparently tells me if I am vulnerable or not. In the "advanced" tab, I first checked enable stealth mode (with logging). When I ran symantecs scan, I was safe from hackers, but not from trojan horses. When I enabled "block udp traffic", I rescanned and found out I was vulnerable to hackers and trojan horses.

How vulnerable am I? This is my first mac and I have had it for about a month, I've used Windows much longer. Are the Symantec results just a way to scare people into buying their software?

There are no Trojan Horses or viruses currently being disseminated for the Mac - to date Mac OS X has been virtually malware free. So the Symantec scanner is just trying to frighten you. The Tiger firewall does fail to stealth a few ports (as I detailed in my previous posts to this thread), giving a closed response instead. This does not mean you're vulnerable, but it does mean that port scanners can detect the presence of a computer at that IP address (not knowing necessarily what type).

[ghporter]

Symantec is not trying to scare you. They're trying to tell you every single possible chance that your computer could be compromised-or used to compromise someone else's computer. Most of the hits I've seen with Symantec AV for the Mac have been from emails that had Windows viruses as attachments. Does that mean that you can ignore those threats? Not unless you know you'll NEVER, EVER contact ANYONE with a Windows computer for any reason.

The two platforms are different enough that only Java (or Java-like) code can be run on both-and that depends on a working implementation of Java on both machines. But while they can't run each others' code, many document and other data file formats are converging rather quickly, so you could easily be at risk for losing an Excel spreadsheet or a Word document because of something that works through Office's cross-program underpinnings.

Further, is it being a good neighbor to ignore potential problems that you might pass on to your neighbors? I feel that using an antivirus program (one that really works and doesn't hose up yor system) on a Mac (or a Linux platform, for that matter) is at the very least being a good neighbor.

[besson3c]

If you want to run antivirus software, support Open Source and install ClamAV, or the ClamAV GUI for OS X. It's very well accepted and supported software, it does email scanning on many servers (such as my own). It does the trick.

I'd personally rather not be dominated and controlled by a company when it comes to this kind of software.

[analogika]

Originally Posted by ghporter

Most of the hits I've seen with Symantec AV for the Mac have been from emails that had Windows viruses as attachments. Does that mean that you can ignore those threats? Not unless you know you'll NEVER, EVER contact ANYONE with a Windows computer for any reason.

Frankly, other people's bad judgement is not my responsibility.

I am not in any way obliged to pay money for other people's failure to run a secure system. Windows - and appropriate malware protection - is THEIR problem.

Period.