Leopard with chinks in its armour
Mac Enthusiast
Join Date: Nov 2001
Location: fourth sector
From heise Security UK - it security news and services
"Apple is using security in general and the new firewall in particular to promote Leopard, the latest version of Mac OS X. However, initial functional testing has already uncovered cause for concern.
But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is set to "Allow all incoming connections," i.e. it is deactivated. Worse still, a user who, for security purposes, has previously activated the firewall on his or her Mac will find that, after upgrading to Leopard, the system restarts with the firewall deactivated.
In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
Full article.
nexus5.
Moderator
Join Date: Jan 2001
Location: Polwaristan
meh. It's just nitpicking when there are no exploits out there.
Clinically Insane
Join Date: Mar 2001
Location: yes
Cold Warrior: don't be complacent. If you are exposed to the WAN and don't have a firewall on, any service you have open and listening is potentially vulnerable, and you are also vulnerable to DoS attacks.
Moderator
Join Date: Jan 2001
Location: Polwaristan
By potentially you mean possibly, because it's possible someone will develop an exploit in the future.
But my statement stands: ripping Apple for not turning on a firewall by default is dumb when there are no known exploits in the wild.
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by Cold Warrior
By potentially you mean possibly, because it's possible someone will develop an exploit in the future.
But my statement stands: ripping Apple for not turning on a firewall by default is dumb when there are no known exploits in the wild.
The article is not ripping Apple for not turning on the firewall by default; it's ripping Apple for including a firewall with holes. When I turn "block all incoming connections" on I expect ALL INCOMING CONNECTIONS to be blocked. I don't expect "block all connections except to ports x, y, and z, and sometimes g."
Clinically Insane
Join Date: Mar 2001
Location: yes
Cold Warrior: No, you are wrong. You are conflating OS X security exploits with network service exploits. There are plenty of network service exploits. Apple does not write Samba, their own FTP server, OpenSSH, OpenSSL, PHP, MySQL, NTP, or several of the other services that are bundled into OS X. These are all subject to the same generally platform-independent exploits. Moreover, Apple generally sucks at keeping these services up-to-date.
While these aren't enabled by default, if some software were to enable these, or a user were to enable one of these not knowing what they are doing, the user would be vulnerable. Of course, it is possible to open up an ipfw firewall port too, so there is no guarantee that by simply enabling the firewall everything would be grand.
That's just it, there are no guarantees. Apple *should* enable the firewall by default, because what do they have to lose? What if an exploit of some sort is released tomorrow? Apple would have to release an update that would enable the firewall, and between the time of the release of this exploit and the time that a user either manually enables their firewall or downloads the update, they are vulnerable.
It's really interesting to me that Apple seems interested in security on one hand with things like Filevault and sandboxing and stuff, yet on the other hand makes really retarded decisions like making home directories world readable, not addressing the vulnerability involving receipts, not enabling the firewall by default, not keeping the bundled network services up-to-date, etc.
Have you read the article yet Cold Warrior?
Moderator
Join Date: Jan 2001
Location: Polwaristan
These discussions crop up from time to time -- to firewall or not to firewall. It goes back and forth.
OS X is secure without a firewall.
Cold Warrior out. Конец связи.
Banned
Join Date: Jun 2003
Well, if you all think about it, did you feel any less safe in Leopard than you did in Tiger with the firewall off by default?
Forum Regular
Join Date: Aug 2002
Location: Southern Ca.
I read this earlier today and I agree that it's an issue that needs to be fixed.
- Mark
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Didn't Tiger have the firewall on by default?
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
I don't think so. I've never used it.
Posting Junkie
Join Date: Mar 2001
Location: Salamanca, España
I've never ever used the built-in OS X firewall. The router I use has a firewall that's perfectly fine and always on.
I feel very safe!
V
I could take Sean Connery in a fight... I could definitely take him.
Senior User
Join Date: Mar 2001
Location: The Netherlands
Originally Posted by kman42
Didn't Tiger have the firewall on by default?
Tiger's off by default, I downgraded/reinstalled on Sunday.
I'm-a trying to wonder, wonder, wonder why you, wonder, wonder why you act so.
Forum Regular
Join Date: Aug 2002
Location: Southern Ca.
Originally Posted by voodoo
I've never ever used the built-in OS X firewall. The router I use has a firewall that's perfectly fine and always on.
I feel very safe!
V
I'm connected wirelessly via a (I think a netgear) wireless system. Is this considered a firewall?
- Mark
Junior Member
Join Date: Jul 2001
Location: London UK
I was expecting a more robust Firewall app, since Apple did make a point about mentioning updated security as part of Leopard. I would also expect that it would be at least on by default if not on the highest setting. It adds to my general concern for Leopard.
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
This article is bogus.
Also, I don't think Apple has ever shipped Mac OS X with the firewall on by default - what makes the OS secure is the services that are or aren't running by default. On Mac OS X, there are few if any vulnerable services accepting internet connections by default, firewall or not.
Senior User
Join Date: Nov 2005
Originally Posted by Person Man
The article is not ripping Apple for not turning on the firewall by default; it's ripping Apple for including a firewall with holes. When I turn "block all incoming connections" on I expect ALL INCOMING CONNECTIONS to be blocked. I don't expect "block all connections except to ports x, y, and z, and sometimes g."
I have to agree with you here. I was quite surprised when, with all incoming traffic blocked and stealth mode on, my MacBook was still answering pings.
Cold Warrior: you say OS X is secure without a firewall. Given that the firewall itself seems to have some problems, can you REALLY say OS X is secure? If the firewall, a service that is supposed to provide security, has leaks, what else in the OS could have leaks?
I'm not trying to be paranoid here--just bringing up a point.
Posting Junkie
Join Date: Mar 2001
Location: Salamanca, España
Originally Posted by sc_markt
I'm connected wirelessly via a (I think a netgear) wireless system. Is this considered a firewall?
- Mark
If the router has a firewall (very likely) and it is turned on (don't know about that).
A firewall is usually on a router anyway, not a computer in my experience. Many routers don't have the firewall turned on by default though. Much like OS X.
V
I could take Sean Connery in a fight... I could definitely take him.
Senior User
Join Date: Jul 2002
Location: Arizona Wasteland
Apple poorly worded the firewall controls. When I turn my firewall on, I expect it to auto-configure so applications that have to be listening are still allowed to listen. Otherwise all sorts of things that 'just work' such as auto-discovery services would break. And it's NOT a solution to allow these services to listen only when they 'speak' first.
Posting Junkie
Join Date: Dec 2000
Originally Posted by Gee4orce
This article is bogus.
Also, I don't think Apple has ever shipped Mac OS X with the firewall on by default - what makes the OS secure is the services that are or aren't running by default. On Mac OS X, there are few if any vulnerable services accepting internet connections by default, firewall or not.
Did you read the article? It doesn't only rip Apple for leaving the firewall off by default. That's the minor part of the article. The problem is that:
1. The firewall is off by default. Tiger was this way too.
2. When you turn the firewall on, it sucks. Tiger was not this way.
If you set the firewall to block all incoming connections, it should not leave a bunch of ports open!! This kind of nonsense is what allows worms like Blaster to work! Sure, there aren't any such worms now, but if you make it possible for someone to write one, they'll pop up! Is that what we want?!
Every computer needs a firewall, and it needs to work. If Apple is leaving a bunch of ports open in the default installation, then it especially needs a firewall, because that's the same stupid ridiculous mistake that Microsoft made that led to all those damn Blaster/Sasser type worms showing up. This is bad stuff, guys.
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Originally Posted by CharlesS
Did you read the article? It doesn't only rip Apple for leaving the firewall off by default. That's the minor part of the article. The problem is that:
1. The firewall is off by default. Tiger was this way too.
2. When you turn the firewall on, it sucks. Tiger was not this way.
If you set the firewall to block all incoming connections, it should not leave a bunch of ports open!! This kind of nonsense is what allows worms like Blaster to work! Sure, there aren't any such worms now, but if you make it possible for someone to write one, they'll pop up! Is that what we want?!
Every computer needs a firewall, and it needs to work. If Apple is leaving a bunch of ports open in the default installation, then it especially needs a firewall, because that's the same stupid ridiculous mistake that Microsoft made that led to all those damn Blaster/Sasser type worms showing up. This is bad stuff, guys.
Hopefully this will be fixed in 10.5.1
Dumb question: I have never used the Firewall panel from the Sharing System Pref pane. However, I've had ipfw with my own list of allowed and disallowed ports running since 10.1. Is ipfw safer than the Firewall pref pane, or is it as accessible?
The era of anthropomorphizing hardware is over.
Posting Junkie
Join Date: Dec 2000
Yeah, ipfw is a lot safer than the Leopard firewall as things stand right now.
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Originally Posted by CharlesS
Yeah, ipfw is a lot safer than the Leopard firewall as things stand right now.
Thanks. I'm also behind a router.
I've always thought it weird that Apple didn't just make the Firewall pref pane a front end to ipfw.
The era of anthropomorphizing hardware is over.
Posting Junkie
Join Date: Dec 2000
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Originally Posted by CharlesS
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.
Ahhh. I missed that detail.
The era of anthropomorphizing hardware is over.
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
GUI options/notes that don't accurately reflect what the back end is doing are inexcusable.
Block all incoming except for those items checked should mean just that; not block incoming only for items unchecked in the list.
Junior Member
Join Date: Apr 2005
Can anyone confirm that ipfw2 is still present in Leopard (in addition to the new firewall)? It is listed in the 10.5 Server specifications, but not in the standard version.
Senior User
Join Date: Nov 2002
Location: US
Originally Posted by CharlesS
In Tiger, it was a front-end to ipfw. That's what all the fuss is about. In Leopard, they decided to ditch that and go write their own firewall for some mysterious reason.
Hm, is that true? You can try to change settings in Firewall preferences and do a "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.
I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
Senior User
Join Date: Nov 2002
Location: US
Originally Posted by aux
Can anyone confirm that ipfw2 is still present in Leopard (in addition to the new firewall)? It is listed in the 10.5 Server specifications, but not in the standard version.
ipfw2 is not present in my installation (non-server).
Clinically Insane
Join Date: Mar 2001
Location: yes
Leopard is not using ipfw as its firewall for whatever reason, but I'm not clear whether ipfw was built with the ipfw2 additions... Some version of ipfw is included.
Posting Junkie
Join Date: Dec 2000
Originally Posted by fortepianissimo
Hm, is that true? You can try to change settings in Firewall preferences and do a "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.
I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
sudo ipfw list always results in this:
Code:
65535 allow ip from any to any
If you have stealth mode turned on, it sets it to this:
Code:
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
No other change seems to affect it as far as I can tell. So ipfw might be used for some really basic thing, but it's not doing the bulk of the work. The ipfw firewall is a port-based firewall - you can use it to block all applications trying to connect to port 80 on your Mac, for instance. Apple seems to have decided that that's not user friendly enough, so they have switched to an application-based firewall, the code for which is presumably in /System/Library/CoreServices/ApplicationFirewall.bundle. Instead of blocking port numbers, it detects when an application tries to open a port and asks you whether you'd like to allow or deny that application to open ports. This is actually pretty handy for discovering when some application is opening ports when it really shouldn't (*cough* MS Word *cough*), but it seems like Apple has added some of their own apps to the whitelist, with the incredibly incredibly bad result that Mac OS X has ports open by default out of the box even with the firewall on. This is seriously a recipe for an OS X Blaster worm, and I really hope Apple fixes this ASAP.
edit: why aren't the code tags working?
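As an added illustration (my own code, not Apple's and not something posted in this thread), here is a small first-match evaluator for the subset of ipfw rule syntax used in the two rulesets quoted above. It shows that neither ruleset has a rule matching an inbound TCP connection attempt before the final allow-all, while the third, constructed ruleset (an assumption about what a port-based front end would install, not Apple's or Flying Buttress's actual rules) does deny them.

```python
import re
from typing import Dict, List

# Rulesets exactly as quoted from "sudo ipfw list" in the post above.
LEOPARD_DEFAULT = "65535 allow ip from any to any\n"
LEOPARD_STEALTH = """33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
"""
# Constructed illustration of a port-based ruleset that really does block new
# inbound connections except ssh (assumption: not Apple's or Flying Buttress's).
EXPLICIT_DENY = """02010 allow tcp from any to any out
02030 allow tcp from any to any 22 in setup
12190 deny tcp from any to any in setup
65535 allow ip from any to any
"""

# Subset of ipfw syntax handled here:
#   <num> allow|deny <proto> from <src> to <dst> [<dport>] [in|out]
#         [icmptypes <n>] [setup]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?"
    r"(?P<opts>(?:\s+\S+)*)\s*$"
)

def parse_rules(text: str) -> List[Dict]:
    """Parse rule lines; ipfw consults rules in ascending number order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        opts = m.group("opts").split()
        rule = {
            "num": int(m.group("num")), "action": m.group("action"),
            "proto": m.group("proto"), "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "direction": next((t for t in opts if t in ("in", "out")), None),
            "icmptype": None, "setup": "setup" in opts,
        }
        if "icmptypes" in opts:
            rule["icmptype"] = int(opts[opts.index("icmptypes") + 1])
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def _matches(rule: Dict, pkt: Dict) -> bool:
    """'ip', 'any' and absent options are wildcards; everything else must agree."""
    return all([
        rule["proto"] in ("ip", pkt["proto"]),
        rule["src"] in ("any", pkt["src"]),
        rule["dst"] in ("any", pkt["dst"]),
        rule["dport"] in (None, pkt.get("dport")),
        rule["direction"] in (None, pkt["direction"]),
        rule["icmptype"] in (None, pkt.get("icmptype")),
        not rule["setup"] or pkt.get("setup", False),
    ])

def decide(ruleset: str, pkt: Dict) -> str:
    """First matching rule wins, as in ipfw; falling off the end means deny."""
    for rule in parse_rules(ruleset):
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"

def inbound_tcp_syn(port: int) -> Dict:
    """A new connection attempt (TCP SYN) from the network to a local port."""
    return {"proto": "tcp", "src": "remote", "dst": "me",
            "dport": port, "direction": "in", "setup": True}

def inbound_ping() -> Dict:
    """An ICMP echo request (type 8) from the network, what stealth mode drops."""
    return {"proto": "icmp", "src": "remote", "dst": "me",
            "direction": "in", "icmptype": 8}

if __name__ == "__main__":
    for name, rs in (("default", LEOPARD_DEFAULT), ("stealth", LEOPARD_STEALTH),
                     ("explicit deny", EXPLICIT_DENY)):
        print(f"{name:13s} tcp/80 in -> {decide(rs, inbound_tcp_syn(80))},"
              f" ping in -> {decide(rs, inbound_ping())}")
```

Only the stealth rule for ICMP type 8 ever fires against inbound traffic in the quoted rulesets, which is consistent with the post's conclusion that the application firewall, not ipfw, is doing the real filtering.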
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Cold Warrior
These discussions crop up from time to time -- to firewall or not to firewall. It goes back and forth.
OS X is secure without a firewall.
Cold Warrior out. Конец связи.
No OS is secure on an open network without a firewall, period. If nothing more, an OS w/o a firewall is vulnerable to DoS attacks which can be used to trigger buffer overrun exploits.
Professional Poster
Join Date: Sep 2000
Location: San Francisco
There seems to be a lot of confusion surrounding this: ipfw or not, etc. Are there any definitive facts as a starting point? What ports does the new ApplicationFirewall open by default, for instance?
kman
Senior User
Join Date: Nov 2002
Location: US
Originally Posted by CharlesS
sudo ipfw list always results in this:
Code:
65535 allow ip from any to any
If you have stealth mode turned on, it sets it to this:
Code:
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any
No other change seems to affect it as far as I can tell. So ipfw might be used for some really basic thing, but it's not doing the bulk of the work. The ipfw firewall is a port-based firewall - you can use it to block all applications trying to connect to port 80 on your Mac, for instance. Apple seems to have decided that that's not user friendly enough, so they have switched to an application-based firewall, the code for which is presumably in /System/Library/CoreServices/ApplicationFirewall.bundle. Instead of blocking port numbers, it detects when an application tries to open a port and asks you whether you'd like to allow or deny that application to open ports. This is actually pretty handy for discovering when some application is opening ports when it really shouldn't (*cough* MS Word *cough*), but it seems like Apple has added some of their own apps to the whitelist, with the incredibly incredibly bad result that Mac OS X has ports open by default out of the box even with the firewall on. This is seriously a recipe for an OS X Blaster worm, and I really hope Apple fixes this ASAP.
edit: why aren't the code tags working?
Thanks for the clarification (regarding ipfw). Like kman42 I'd also like to see where the definitive explanation is about this new ApplicationFirewall.
Posting Junkie
Join Date: Dec 2000
Originally Posted by besson3c
No OS is secure on an open network without a firewall, period. If nothing more, an OS w/o a firewall is vulnerable to DoS attacks which can be used to trigger buffer overrun exploits.
You don't even need that, since Leopard leaves several ports open by default. All you have to do is find a vulnerability in any one of those ports and voilà, you're in.
In its current state, Leopard is not secure at all unless you either use a third-party firewall such as Flying Buttress or are behind a router with its own firewall (and which is turned on!).
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Originally Posted by CharlesS
You don't even need that, since Leopard leaves several ports open by default. All you have to do is find a vulnerability in any one of those ports and voilà, you're in.
In its current state, Leopard is not secure at all unless you either use a third-party firewall such as Flying Buttress or are behind a router with its own firewall (and which is turned on!).
Which ports are open when you select "Block all incoming traffic"?
Clinically Insane
Join Date: Mar 2001
Location: yes
I'm sure you guys noticed this process, but just in case:
Code:
/usr/libexec/ApplicationFirewall/Firewall
Senior User
Join Date: Nov 2002
Location: US
/usr/libexec/ApplicationFirewall/com.apple.alf.plist
This seems to include all exempt processes.
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Originally Posted by Ganesha
Apple poorly worded the firewall controls. When I turn my firewall on, I expect it to auto-configure so applications that have to be listening are still allowed to listen. Otherwise all sorts of things that 'just work' such as auto-discovery services would break. And it's NOT a solution to allow these services to listen only when they 'speak' first.
...and that's exactly what happens. At least for me.
This whole story is a storm in a teacup, just some obscure security firm nobody has ever heard of piggybacking on the Leopard publicity. Oldest trick in the book - and you've all fallen for it.
Tiger doesn't have its firewall on by default, and even when on, ipfw is not regarded by many people as a robust firewall anyway. I know plenty of people (technical Linux-types) who run Mac OS X with the firewall off altogether.
Clinically Insane
Join Date: Mar 2001
Location: yes
Since when is ipfw not regarded as a robust firewall?
The GUI controls for the firewall are unclear, and the fact that upgrades to Leopard cause the firewall to be disabled is a problem, simple as that.
Senior User
Join Date: Dec 2005
Location: Minnesota
Has anyone or can someone do a port scan of a system with Leopard and see what ports are actually open?
Randy
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Go to grc.com and use Shields Up. There are ways to do it in Network Utility and the Terminal.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Mar 2001
Location: yes
Code:
sudo nmap -v -O -sS mymachine
Code:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3689/tcp open rendezvous
5900/tcp open vnc
Of course, ssh, http, and VNC are ports I opened myself
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by Big Mac
Go to grc.com and use Shields Up. There are ways to do it in Network Utility and the Terminal.
Has someone gone to grc.com and used Shields Up to scan Leopard when the firewall is set to "Block all incoming connections?"
Someone at Slashdot has doubts about what Heise is saying, based on what the default behavior of nmap is when it encounters something it's never seen before.
Here is the link. Reading it, it sounds like Heise might possibly be overreacting just a bit. What does everyone else think?
EDIT: And here is another refutation of Heise's claims. What do people think of this one?
Clinically Insane
Join Date: Mar 2001
Location: yes
Why is Apple using ntpd anyway rather than ntpdate?
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Well, I did a port scan on my machine with "Block all incoming connections" and then "Allow all incoming connections" and the results were exactly the same:
Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server
I have afp and screen sharing turned on in Sharing.
kman
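A short audit script, added here as an example and not code from the thread: it parses the nmap rows posted earlier in the thread and the "Open TCP Port:" lines kman42 posted, reports any open port that is not on the allowlist of services you meant to expose, and diffs two scans so the "Block all" versus "Allow all" comparison can be checked mechanically. The allowlists are constructed from what each poster said they had enabled.

```python
import re
from typing import Dict, Set, Tuple

# Scan output as quoted in the thread: besson3c's nmap rows, and the lines
# kman42 got with "Block all incoming connections" selected.
NMAP_SCAN = """PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3689/tcp open rendezvous
5900/tcp open vnc
"""
BLOCK_ALL_SCAN = """Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server
"""

NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<svc>\S+)")
NETUTIL_RE = re.compile(
    r"^Open (?P<proto>TCP|UDP) Port:\s+(?P<port>\d+)\s+(?P<svc>\S+)")


def parse_scan(text: str) -> Dict[int, str]:
    """Return {port: service} for every TCP port a scan reports as open.

    Accepts nmap table rows or "Open TCP Port:" lines; headers, blank lines
    and UDP entries are ignored.
    """
    found: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NMAP_RE.match(line) or NETUTIL_RE.match(line)
        if m and m.group("proto").lower() == "tcp":
            found[int(m.group("port"))] = m.group("svc")
    return found


def unexpected_ports(scan_text: str, intended: Set[int]) -> Dict[int, str]:
    """Open ports you did not deliberately expose: the ones worth investigating."""
    return {p: s for p, s in parse_scan(scan_text).items() if p not in intended}


def scan_diff(before: str, after: str) -> Tuple[Set[int], Set[int]]:
    """(ports that closed, ports that opened) between two scans of the same host."""
    a, b = set(parse_scan(before)), set(parse_scan(after))
    return a - b, b - a


if __name__ == "__main__":
    # besson3c opened ssh, http and VNC himself; 3689 is not on that list.
    print("nmap scan, not on allowlist:", unexpected_ports(NMAP_SCAN, {22, 80, 5900}))
    # kman42 enabled AFP and screen sharing; kerberos on 88 was the surprise.
    print("block-all scan, not on allowlist:",
          unexpected_ports(BLOCK_ALL_SCAN, {548, 5900}))
    # kman42 saw identical results for "Block all" and "Allow all" (same text here).
    print("block-all vs allow-all:", scan_diff(BLOCK_ALL_SCAN, BLOCK_ALL_SCAN))
```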
Senior User
Join Date: Nov 2002
Location: US
Originally Posted by fortepianissimo
Hm, is that true? You can try to change settings in Firewall preferences and do a "ipfw list" to observe the change of the ruleset. I say it's still using ipfw as backend.
I think the major problem is not how broken the firewall per se is. The problem is how poorly the GUI (frontend) of the firewall is designed. For that I'm still sticking with Flying Buttress as my GUI of choice.
This is just perfect - even after "Install startup file" in Flying Buttress, the ruleset installed doesn't survive between boots. Actually from time to time the ipfw ruleset is just reverted by some mysterious force!
So how do we make ipfw ruleset stick?
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Originally Posted by kman42
Well, I did a port scan on my machine with "Block all incoming connections" and then "Allow all incoming connections" and the results were exactly the same:
Open TCP Port: 88 kerberos
Open TCP Port: 548 afpovertcp
Open TCP Port: 5900 vnc-server
I have afp and screen sharing turned on in Sharing.
kman
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.
If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Gee4orce
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.
If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
So then, what's the difference between "block all" and "set access for specific services" (the latter set to defaults)?
Very confusing GUI.
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Originally Posted by Gee4orce
But why would you turn on sharing protocols, and then expect the firewall to block them? As I said earlier, the correct way to secure your system is to turn off any non-essential sharing processes.
If a security team says that Leopard ships with several non-essential services running that are listening on network ports...now THAT would be a security risk, and worthy of a story.
I didn't expect it to block them. Actually, my point was just the opposite: Allow all incoming connections didn't suddenly open all the ports on my machine. I am perfectly happy that only the ports I want to be open are open. Although I'm not sure why kerberos is open. Is it necessary for local login or something?
I think this is mostly a UI issue, but it would still be great if someone could outline all the facts about what is happening with each of the options selected, which apps have access through the firewall, etc.
kman