
Leopard with chinks in its armour
Nexus5
Mac Enthusiast
Join Date: Nov 2001
Location: fourth sector
Status: Offline
Oct 29, 2007, 06:06 PM
 
From heise Security UK - it security news and services

"Apple is using security in general and the new firewall in particular to promote Leopard, the latest version of Mac OS X. However, initial functional testing has already uncovered cause for concern.

But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is set to "Allow all incoming connections," i.e. it is deactivated. Worse still, a user who, for security purposes, has previously activated the firewall on his or her Mac will find that, after upgrading to Leopard, the system restarts with the firewall deactivated.

In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."

Full article.

nexus5.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Oct 29, 2007, 06:11 PM
 
meh. It's just nitpicking when there are no exploits out there.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 29, 2007, 06:34 PM
 
Cold Warrior: don't be complacent. If you are exposed to the WAN and don't have a firewall on, any service you have open and listening is potentially vulnerable, and you are also vulnerable to DoS attacks.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Oct 29, 2007, 06:43 PM
 
by potentially you mean possibly, because it's possible someone will develop an exploit in the future.

But my statement stands: ripping Apple for not turning on a firewall by default is dumb when there are no known exploits in the wild.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Oct 29, 2007, 06:55 PM
 
Originally Posted by Cold Warrior View Post
by potentially you mean possibly, because it's possible someone will develop an exploit in the future.

But my statement stands: ripping Apple for not turning on a firewall by default is dumb when there are no known exploits in the wild.
The article is not ripping Apple for not turning on the firewall by default; it's ripping Apple for including a firewall with holes. When I turn "block all incoming connections" on I expect ALL INCOMING CONNECTIONS to be blocked. I don't expect "block all connections except to ports x, y, and z, and sometimes g."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 29, 2007, 06:55 PM
 
Cold Warrior: No, you are wrong. You are conflating OS X security exploits with network service exploits. There are plenty of network service exploits. Apple does not write Samba, their own FTP server, OpenSSH, OpenSSL, PHP, MySQL, NTP, or several other of the services that are bundled into OS X. These are all subject to the same generally platform independent exploits. Moreover, Apple generally sucks at keeping these services up-to-date.

While these aren't enabled by default, if some software were to enable these, or a user were to enable one of these not knowing what they are doing, the user would be vulnerable. Of course, it is possible to open up an ipfw firewall port too, so there is no guarantee that by simply enabling the firewall everything would be grand.

That's just it, there are no guarantees. Apple *should* enable the firewall by default, because what do they have to lose? What if an exploit of some sort is released tomorrow? Apple would have to release an update that would enable the firewall, and between the time of the release of this exploit and the time that a user either manually enables their firewall or downloads the update, they are vulnerable.

It's really interesting to me that Apple seems interested in security on one hand with things like Filevault and sandboxing and stuff, yet on the other hand makes really retarded decisions like making home directories world readable, not addressing the vulnerability involving receipts, not enabling the firewall by default, not keeping the bundled network services up-to-date, etc.


Have you read the article yet Cold Warrior?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Oct 29, 2007, 07:00 PM
 
these discussions crop up from time to time -- to firewall or not to firewall. It goes back and forth.

OS X is secure without a firewall.

Cold Warrior out. End of transmission.
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Oct 29, 2007, 07:15 PM
 
Well, if you all think about it, did you feel any less safe in Leopard than you did in Tiger with the firewall off by default?
     
sc_markt
Forum Regular
Join Date: Aug 2002
Location: Southern Ca.
Status: Offline
Oct 29, 2007, 08:58 PM
 
I read this earlier today and I agree that it's an issue that needs to be fixed.

- Mark
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Oct 30, 2007, 05:53 PM
 
Didn't Tiger have the firewall on by default?
     
Laminar
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Oct 30, 2007, 06:01 PM
 
I don't think so. I've never used it.
     
voodoo
Posting Junkie
Join Date: Mar 2001
Location: Salamanca, España
Status: Offline
Oct 30, 2007, 06:15 PM
 
I've never ever used the built-in OS X firewall. The router I use has a firewall that's perfectly fine and always on.

I feel very safe!

V
I could take Sean Connery in a fight... I could definitely take him.
     
fhoubi
Senior User
Join Date: Mar 2001
Location: The Netherlands
Status: Offline
Oct 30, 2007, 06:16 PM
 
Originally Posted by kman42 View Post
Didn't Tiger have the firewall on by default?
Tiger's off by default; I downgraded/reinstalled on Sunday.
I'm-a trying to wonder, wonder, wonder why you, wonder, wonder why you act so.
     
sc_markt
Forum Regular
Join Date: Aug 2002
Location: Southern Ca.
Status: Offline
Oct 30, 2007, 06:20 PM
 
Originally Posted by voodoo View Post
I've never ever used the built-in OS X firewall. The router I use has a firewall that's perfectly fine and always on.

I feel very safe!

V
I'm connected wirelessly via a (I think a netgear) wireless system. Is this considered a firewall?

- Mark
     
nikstar101
Junior Member
Join Date: Jul 2001
Location: London UK
Status: Offline
Oct 30, 2007, 06:34 PM
 
I was expecting a more robust Firewall app, since Apple did make a point about mentioning updated security as part of Leopard. I would also expect that it would be at least on by default if not on the highest setting. It adds to my general concern for Leopard.
     
Gee4orce
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Status: Offline
Oct 30, 2007, 06:36 PM
 
This article is bogus.

Also, I don't think Apple has ever shipped Mac OS X with the firewall on by default - what makes the OS secure is the services that are or aren't running by default. On Mac OS X, there are few if any vulnerable services accepting internet connections by default, firewall or not.
     
frdmfghtr
Senior User
Join Date: Nov 2005
Status: Offline
Oct 30, 2007, 06:36 PM
 
Originally Posted by Person Man View Post
The article is not ripping Apple for not turning on the firewall by default; it's ripping Apple for including a firewall with holes. When I turn "block all incoming connections" on I expect ALL INCOMING CONNECTIONS to be blocked. I don't expect "block all connections except to ports x, y, and z, and sometimes g."
I have to agree with you here. I was quite surprised when, with all incoming traffic blocked and stealth mode on, my MacBook was still answering pings.

Cold Warrior: you say OS X is secure without a firewall. Given that the firewall itself seems to have some problems, can you REALLY say OS X is secure? If the firewall, a service that is supposed to provide security, has leaks, what else in the OS could have leaks?

I'm not trying to be paranoid here--just bringing up a point.
     
voodoo
Posting Junkie
Join Date: Mar 2001
Location: Salamanca, España
Status: Offline
Oct 30, 2007, 07:22 PM
 
Originally Posted by sc_markt View Post
I'm connected wirelessly via a (I think a netgear) wireless system. Is this considered a firewall?

- Mark
If the router has a firewall (very likely) and it is turned on (don't know about that).

A firewall is usually on a router anyway, not a computer in my experience. Many routers don't have the firewall turned on by default though. Much like OS X.

V
I could take Sean Connery in a fight... I could definitely take him.
     
Ganesha
Senior User
Join Date: Jul 2002
Location: Arizona Wasteland
Status: Offline
Oct 30, 2007, 07:34 PM
 
Apple poorly worded the firewall controls. When I turn my firewall on, I expect it to auto-configure so applications that have to be listening are still allowed to listen. Otherwise all sort of things that 'just work' such as auto-discovery services would break. And it's NOT a solution to allow these services to listen only when they 'speak' first.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Oct 30, 2007, 07:36 PM
 
Originally Posted by Gee4orce View Post
This article is bogus.

Also, I don't think Apple has ever shipped Mac OS X with the firewall on by default - what makes the OS secure is the services that are or aren't running by default. On Mac OS X, there are few if any vulnerable services accepting internet connections by default, firewall or not.
Did you read the article? It doesn't only rip Apple for leaving the firewall off by default. That's the minor part of the article. The problem is that:

1. The firewall is off by default. Tiger was this way too.

2. When you turn the firewall on, it sucks. Tiger was not this way.

If you set the firewall to block all incoming connections, it should not leave a bunch of ports open!! This kind of nonsense is what allows worms like Blaster to work! Sure, there aren't any such worms now, but if you make it possible for someone to write one, they'll pop up! Is that what we want?!

Every computer needs a firewall, and it needs to work. If Apple is leaving a bunch of ports open in the default installation, then it especially needs a firewall, because that's the same stupid ridiculous mistake that Microsoft made that led to all those damn Blaster/Sasser type worms showing up. This is bad stuff, guys.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Don Pickett
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Status: Offline
Oct 30, 2007, 08:04 PM
 
Originally Posted by CharlesS View Post
Did you read the article? It doesn't only rip Apple for leaving the firewall off by default. That's the minor part of the article. The problem is that:

1. The firewall is off by default. Tiger was this way too.

2. When you turn the firewall on, it sucks. Tiger was not this way.

If you set the firewall to block all incoming connections, it should not leave a bunch of ports open!! This kind of nonsense is what allows worms like Blaster to work! Sure, there aren't any such worms now, but if you make it possible for someone to write one, they'll pop up! Is that what we want?!

Every computer needs a firewall, and it needs to work. If Apple is leaving a bunch of ports open in the default installation, then it especially needs a firewall, because that's the same stupid ridiculous mistake that Microsoft made that led to all those damn Blaster/Sasser type worms showing up. This is bad stuff, guys.
Hopefully this will be fixed in 10.5.1.

Dumb question: I have never used the Firewall panel from the Sharing System Pref pane. However, I've had ipfw with my own list of allowed and disallowed ports running since 10.1. Is ipfw safer than the Firewall pref pane, or is it as accessible?
The era of anthropomorphizing hardware is over.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Oct 30, 2007, 08:11 PM
 
Yeah, ipfw is a lot safer than the Leopard firewall as things stand right now.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Don Pickett
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Status: Offline
Oct 30, 2007, 08:16 PM
 
Originally Posted by CharlesS View Post
Yeah, ipfw is a lot safer than the Leopard firewall as things stand right now.
Thanks. I'm also behind a router.

I've always thought it weird that Apple didn't just make the Firewall pref pane a front end to ipfw.
The era of anthropomorphizing hardware is over.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Oct 30, 2007, 08:33 PM
 
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Don Pickett
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Status: Offline
Oct 30, 2007, 08:46 PM
 
Originally Posted by CharlesS View Post
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.
Ahhh. I missed that detail.
The era of anthropomorphizing hardware is over.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Oct 30, 2007, 09:50 PM
 
GUI options/notes that don't accurately reflect what the back end is doing are inexcusable.

Block all incoming except for those items checked should mean just that; not block incoming only for items unchecked in the list.
     
aux
Junior Member
Join Date: Apr 2005
Status: Offline
Oct 31, 2007, 09:25 AM
 
Can anyone confirm that ipfw2 is still present in Leopard (in addition to the new firewall)? It is listed in the 10.5 Server specifications, but not in the standard version.
     
fortepianissimo
Senior User
Join Date: Nov 2002
Location: US
Status: Offline
Oct 31, 2007, 10:24 AM
 
Originally Posted by CharlesS View Post
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.
Hm, is that true? You can try to change settings in Firewall preferences and do an "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.

I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
     
fortepianissimo
Senior User
Join Date: Nov 2002
Location: US
Status: Offline
Oct 31, 2007, 10:24 AM
 
Originally Posted by aux View Post
Can anyone confirm that ipfw2 is still present in Leopard (in addition to the new firewall)? It is listed in the 10.5 Server specifications, but not in the standard version.
ipfw2 is not present in my installation (non-server).
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 11:11 AM
 
Leopard is not using ipfw as its firewall for whatever reason, but I'm not clear whether ipfw was built with the ipfw2 additions... Some version of ipfw is included.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Oct 31, 2007, 11:12 AM
 
Originally Posted by fortepianissimo View Post
Hm, is that true? You can try to change settings in Firewall preferences and do an "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.

I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
sudo ipfw list always results in this:

Code:
65535 allow ip from any to any
If you have stealth mode turned on, it sets it to this:

Code:
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
No other change seems to affect it as far as I can tell. So ipfw might be used for some really basic thing, but it's not doing the bulk of the work. The ipfw firewall is a port-based firewall - you can use it to block all applications trying to connect to port 80 on your Mac, for instance. Apple seems to have decided that that's not user friendly enough, so they have switched to an application-based firewall, the code for which is presumably in /System/Library/CoreServices/ApplicationFirewall.bundle. Instead of blocking port numbers, it detects when an application tries to open a port and asks you whether you'd like to allow or deny that application to open ports. This is actually pretty handy for discovering when some application is opening ports when it really shouldn't (*cough* MS Word *cough*), but it seems like Apple has added some of their own apps to the whitelist, with the incredibly incredibly bad result that Mac OS X has ports open by default out of the box even with the firewall on. This is seriously a recipe for an OS X Blaster worm, and I really hope Apple fixes this ASAP.

edit: why aren't the code tags working?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
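The "sudo ipfw list" check above is the right one, but reading a ruleset by eye is error-prone. The following added example (Python; not code from this thread, from Apple, or from the ipfw project) parses the two rulesets quoted above and answers the questions the thread keeps asking: does the ruleset deny inbound TCP at all, which inbound TCP ports does it explicitly admit, and is ICMP echo (type 8, i.e. ping) denied. The third ruleset is constructed for the example as a port-based policy in ipfw syntax; it is not a copy of Tiger's actual rules.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Rulesets quoted in this thread (output of `sudo ipfw list` on Leopard).
RULESET_LEOPARD_DEFAULT = "65535 allow ip from any to any\n"
RULESET_LEOPARD_STEALTH = (
    "33300 deny icmp from any to me in icmptypes 8\n"
    "65535 allow ip from any to any\n"
)
# Constructed for this example: a port-based policy in ipfw syntax that only
# admits SSH (22) and AFP (548) inbound. It is NOT Tiger's real ruleset.
RULESET_PORT_BASED = """
02000 allow ip from any to any via lo0
02010 deny ip from 127.0.0.0/8 to any in
02050 allow tcp from any to any established
02060 allow tcp from any to any dst-port 22 in
02070 allow tcp from any to any dst-port 548 in
12190 deny tcp from any to any
65535 allow ip from any to any
"""

# One line of `ipfw list`: "<num> <action> <proto> from <src> [port] to <dst> [port] [options]"
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|reject|count|check-state|unreach \S+|skipto \d+)"
    r"(?:\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d[\d,-]*))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d[\d,-]*))?)?(?P<opts>.*)$"
)


@dataclass
class Rule:
    num: int
    action: str
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    sports: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    direction: str = "both"                 # "in", "out" or "both"
    icmptypes: set = field(default_factory=set)
    flags: set = field(default_factory=set)  # e.g. {"established", "via:lo0"}


def _ports(spec):
    """Expand an ipfw port list such as '22,6000-6010' into a set of ints."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_ipfw_list(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ipfw rule: %r" % line)
        r = Rule(int(m["num"]), m["action"], m["proto"], m["src"], m["dst"])
        if m["sport"]:
            r.sports = _ports(m["sport"])
        if m["dport"]:
            r.dports = _ports(m["dport"])
        toks = m["opts"].split()
        i = 0
        while i < len(toks):                # trailing options after the address part
            t = toks[i]
            if t in ("in", "out"):
                r.direction = t
            elif t in ("dst-port", "src-port", "icmptypes", "via"):
                value = toks[i + 1]
                if t == "dst-port":
                    r.dports = _ports(value)
                elif t == "src-port":
                    r.sports = _ports(value)
                elif t == "icmptypes":
                    r.icmptypes = _ports(value)
                else:
                    r.flags.add("via:" + value)
                i += 1
            else:
                r.flags.add(t)
            i += 1
        rules.append(r)
    return rules


def summarize(rules):
    """Walk the ruleset in ipfw order (ascending number, first match wins)."""
    default = next((r.action for r in rules if r.num == 65535), None)
    allowed_tcp, tcp_closed, icmp_echo_denied = set(), False, False
    for r in rules:
        if r.direction == "out":
            continue                          # outbound rules never gate listeners
        is_deny = r.action.split()[0] in ("deny", "reject", "unreach")
        tcp_scope = r.proto in ("tcp", "ip", "all")
        if r.action == "allow" and tcp_scope and r.dports and not tcp_closed \
                and "established" not in r.flags:
            allowed_tcp |= r.dports
        elif is_deny and tcp_scope and not r.dports and r.src == "any" and r.dst == "any":
            tcp_closed = True                 # catch-all deny: later TCP allows are unreachable
        if is_deny and r.proto == "icmp" and 8 in r.icmptypes:
            icmp_echo_denied = True
    return {"default": default, "allowed_inbound_tcp_ports": allowed_tcp,
            "inbound_tcp_denied": tcp_closed, "icmp_echo_denied": icmp_echo_denied}


if __name__ == "__main__":
    for name, text in [("leopard default", RULESET_LEOPARD_DEFAULT),
                       ("leopard stealth", RULESET_LEOPARD_STEALTH),
                       ("port-based (constructed)", RULESET_PORT_BASED)]:
        print(name, summarize(parse_ipfw_list(text)))
```

Run against the two Leopard rulesets, the summary shows that neither denies any inbound TCP, which is the concrete evidence for the claim that ipfw is not doing the port filtering on Leopard; only the constructed port-based ruleset reports a catch-all TCP deny with an explicit allow list.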
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 11:26 AM
 
Originally Posted by Cold Warrior View Post
these discussions crop up from time to time -- to firewall or not to firewall. It goes back and forth.

OS X is secure without a firewall.

Cold Warrior out. End of transmission.

No OS is secure on an open network without a firewall, period. If nothing more, an OS w/o a firewall is vulnerable to DoS attacks which can be used to trigger buffer overrun exploits.
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Oct 31, 2007, 11:50 AM
 
There seems to be a lot of confusion surrounding this: ipfw or not, etc. Are there any definitive facts as a starting point? What ports does the new ApplicationFirewall open by default, for instance?

kman
     
fortepianissimo
Senior User
Join Date: Nov 2002
Location: US
Status: Offline
Oct 31, 2007, 12:01 PM
 
Originally Posted by CharlesS View Post
sudo ipfw list always results in this:

Code:
65535 allow ip from any to any
If you have stealth mode turned on, it sets it to this:

Code:
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
No other change seems to affect it as far as I can tell. So ipfw might be used for some really basic thing, but it's not doing the bulk of the work. The ipfw firewall is a port-based firewall - you can use it to block all applications trying to connect to port 80 on your Mac, for instance. Apple seems to have decided that that's not user friendly enough, so they have switched to an application-based firewall, the code for which is presumably in /System/Library/CoreServices/ApplicationFirewall.bundle. Instead of blocking port numbers, it detects when an application tries to open a port and asks you whether you'd like to allow or deny that application to open ports. This is actually pretty handy for discovering when some application is opening ports when it really shouldn't (*cough* MS Word *cough*), but it seems like Apple has added some of their own apps to the whitelist, with the incredibly incredibly bad result that Mac OS X has ports open by default out of the box even with the firewall on. This is seriously a recipe for an OS X Blaster worm, and I really hope Apple fixes this ASAP.

edit: why aren't the code tags working?
Thanks for the clarification (regarding ipfw). Like kman42 I'd also like to see where the definitive explanation is about this new ApplicationFirewall.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Oct 31, 2007, 12:02 PM
 
Originally Posted by besson3c View Post
No OS is secure on an open network without a firewall, period. If nothing more, an OS w/o a firewall is vulnerable to DoS attacks which can be used to trigger buffer overrun exploits.
You don't even need that, since Leopard leaves several ports open by default. All you have to do is find a vulnerability in any one of those ports and voilà, you're in.

In its current state, Leopard is not secure at all unless you either use a third-party firewall such as Flying Buttress or are behind a router with its own firewall (and which is turned on!).

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Oct 31, 2007, 12:46 PM
 
Originally Posted by CharlesS View Post
You don't even need that, since Leopard leaves several ports open by default. All you have to do is find a vulnerability in any one of those ports and voilà, you're in.

In its current state, Leopard is not secure at all unless you either use a third-party firewall such as Flying Buttress or are behind a router with its own firewall (and which is turned on!).
Which ports are open when you select "Block all incoming traffic"?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 12:48 PM
 
I'm sure you guys noticed this process, but just in case:

Code:
/usr/libexec/ApplicationFirewall/Firewall
     
fortepianissimo
Senior User
Join Date: Nov 2002
Location: US
Status: Offline
Oct 31, 2007, 12:56 PM
 
/usr/libexec/ApplicationFirewall/com.apple.alf.plist

This seems to include all exempt processes.
     
Gee4orce
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Status: Offline
Oct 31, 2007, 02:02 PM
 
Originally Posted by Ganesha View Post
Apple poorly worded the firewall controls. When I turn my firewall on, I expect it to auto-configure so applications that have to be listening are still allowed to listen. Otherwise all sort of things that 'just work' such as auto-discovery services would break. And it's NOT a solution to allow these services to listen only when they 'speak' first.
...and that's exactly what happens. At least for me.

this whole story is a storm in a teacup, just some obscure security firm nobody has ever heard of piggybacking on the Leopard publicity. Oldest trick in the book - and you've all fallen for it.

Tiger doesn't have its firewall on by default, and even when on, ipfw is not regarded by many people as a robust firewall anyway. I know plenty of people (technical Linux-types) who run Mac OS X with the firewall off altogether.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 02:09 PM
 
Since when is ipfw not regarded as a robust firewall?

The GUI controls for the firewall are unclear, and the fact that upgrades to Leopard cause the firewall to be disabled is a problem, simple as that.
     
bearcatrp
Senior User
Join Date: Dec 2005
Location: Minnesota
Status: Offline
Oct 31, 2007, 02:46 PM
 
Has anyone done, or can someone do, a port scan of a system with Leopard and see what ports are actually open?
Randy
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Oct 31, 2007, 03:02 PM
 
Go to grc.com and use Shields Up. There are ways to do it in Network Utility and the Terminal.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 03:23 PM
 
Code:
sudo nmap -v -O -sS mymachine
Code:
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3689/tcp open  rendezvous
5900/tcp open  vnc
Of course, ssh, http, and VNC are ports I opened myself.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Oct 31, 2007, 04:57 PM
 
Originally Posted by Big Mac View Post
Go to grc.com and use Shields Up. There are ways to do it in Network Utility and the Terminal.
Has someone gone to grc.com and used Shields Up to scan Leopard when the firewall is set to "Block all incoming connections?"

Someone at Slashdot has doubts about what Heise is saying, based on what the default behavior of nmap is when it encounters something it's never seen before.

Here is the link. Reading it, it sounds like Heise might possibly be overreacting just a bit. What does everyone else think?

EDIT: And here is another refutation of Heise's claims. What do people think of this one?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Oct 31, 2007, 05:15 PM
 
Why is Apple using ntpd anyway rather than ntpdate?
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Oct 31, 2007, 05:19 PM
 
Well, I did a port scan on my machine with "Block all incoming connections" and then "Allow all incoming connections" and the results were exactly the same:


Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server


I have afp and screen sharing turned on in Sharing.

kman
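Both scans posted in this thread (besson3c's nmap run and kman42's Network Utility scan under "Block all incoming connections") were audited by hand: each listener was matched against a service the owner had turned on, and whatever was left over (kerberos on 88, the "rendezvous" listener on 3689) became the open question. The following added example (Python; not code from this thread or from Apple) does that bookkeeping automatically: it parses both output formats, subtracts the intentionally enabled ports, and diffs a "block all" scan against an "allow all" scan so that a firewall mode that changes nothing stands out. The "allow all" scan it compares against is constructed for the example (kman42 reported identical results in both modes); the port 631 line in it is made up to exercise the diff.

```python
import re

# Quoted from this thread: besson3c's `sudo nmap -v -O -sS mymachine` output.
NMAP_SCAN_BESSON3C = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3689/tcp open rendezvous
5900/tcp open vnc
"""
# Quoted from this thread: kman42's Network Utility scan, which he reported as
# identical under "Block all incoming connections" and "Allow all incoming connections".
NU_SCAN_KMAN42 = """\
Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server
"""
# Constructed for this example (not a real scan): an "allow all" result in which
# one extra listener, 631/tcp (IPP printing), becomes reachable.
NU_SCAN_ALLOW_ALL_CONSTRUCTED = NU_SCAN_KMAN42 + "Open TCP Port: 631 ipp\n"

NMAP_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
NU_LINE = re.compile(r"^Open (?P<proto>TCP|UDP) Port:\s+(?P<port>\d+)\s*(?P<service>\S*)")


def parse_nmap(text):
    """Return {(port, proto): service} for every port nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and m["state"] == "open":       # skip the header and closed/filtered ports
            found[(int(m["port"]), m["proto"])] = m["service"]
    return found


def parse_network_utility(text):
    """Same shape as parse_nmap, for Network Utility's 'Open TCP Port: N name' lines."""
    found = {}
    for line in text.splitlines():
        m = NU_LINE.match(line.strip())
        if m:
            found[(int(m["port"]), m["proto"].lower())] = m["service"] or "?"
    return found


def unexplained_ports(open_ports, intended):
    """Open ports that no deliberately enabled service accounts for.

    `intended` is the set of port numbers the owner knowingly turned on in Sharing
    (or otherwise); anything else that answers a scan needs an explanation."""
    return {key: svc for key, svc in open_ports.items() if key[0] not in intended}


def compare_modes(block_all, allow_all):
    """Diff a scan taken under 'Block all' against one taken under 'Allow all'.

    If the first list is non-empty the firewall mode is not doing what its label
    says; if the second list is empty the mode made no difference at all."""
    return {
        "still_open_under_block_all": sorted(block_all),
        "closed_by_block_all": sorted(set(allow_all) - set(block_all)),
    }


if __name__ == "__main__":
    b = parse_nmap(NMAP_SCAN_BESSON3C)
    print("besson3c unexplained:", unexplained_ports(b, {22, 80, 5900}))
    k = parse_network_utility(NU_SCAN_KMAN42)
    print("kman42 unexplained:", unexplained_ports(k, {548, 5900}))
    print(compare_modes(k, parse_network_utility(NU_SCAN_ALLOW_ALL_CONSTRUCTED)))
```

Feeding the thread's scans through it reproduces the two leftovers the posters noticed: 3689/tcp ("rendezvous") in besson3c's run, and 88/tcp (kerberos) in kman42's. The mode comparison is the part worth keeping around: run the scan once per firewall setting and the diff tells you, without interpretation, whether "Block all incoming connections" closed anything.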
     
fortepianissimo
Senior User
Join Date: Nov 2002
Location: US
Status: Offline
Nov 1, 2007, 01:56 AM
 
Originally Posted by fortepianissimo View Post
Hm, is that true? You can try to change settings in Firewall preferences and do an "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.

I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
This is just perfect - even after "Install startup file" in Flying Buttress, the ruleset installed doesn't survive between boots. Actually from time to time the ipfw ruleset is just reverted by some mysterious force!

So how do we make ipfw ruleset stick?
     
Gee4orce
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Status: Offline
Nov 1, 2007, 05:19 AM
 
Originally Posted by kman42 View Post
Well, I did a port scan on my machine with "Block all incoming connections" and then "Allow all incoming connections" and the results were exactly the same:


Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server


I have afp and screen sharing turned on in Sharing.

kman
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.

If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Nov 1, 2007, 09:20 AM
 
Originally Posted by Gee4orce View Post
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.

If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
So then, what's the difference between "block all" and "set access for specific services" (the latter set to defaults)?

Very confusing GUI.
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Nov 1, 2007, 12:16 PM
 
Originally Posted by Gee4orce View Post
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.

If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
I didn't expect it to block them. Actually, my point was just the opposite: Allow all incoming connections didn't suddenly open all the ports on my machine. I am perfectly happy that only the ports I want to be open are open. Although I'm not sure why kerberos is open. Is it necessary for local login or something?

I think this is mostly a UI issue, but it would still be great if someone could outline all the facts about what is happening with each of the options selected, which apps have access through the firewall, etc.

kman
     
 
 