[ducasi]

Hi,

Conventional wisdom is to "turn your firewall on immediately". I recently saw a message in this forum that said as much (which I'd reference if search worked!), I've seen people criticise Apple for not having it on by default.

But I'd argue for 99% of Mac OS X users, the firewall is pretty much useless, it gets in the way, it's a waste of time, it's really only another "feature" to tick off - "yep, we've got one of them too."

The other 1% of people need a firewall and probably need a lot better way to configure it than Apple provides.

Who here agrees with me? Who here thinks I'm a total lunatic?

Cheers, D.

[Person Man]

Well, since Mac OS X is a Unix-based operating system, if you're sitting on a cable modem connection, you're a sitting duck for any script kiddie or hacker looking for a challenge. I'd say that's a good reason for a firewall.

Apple's tools are "good enough" for your average home user. If you need something stronger, there are plenty of third party tools out there to help you configure it. Apple provides more "industrial strength" configuration options in OS X Server.

[ducasi]

Originally posted by Person Man:
Well, since Mac OS X is a Unix-based operating system, if you're sitting on a cable modem connection

That's me.

you're a sitting duck for any script kiddie or hacker looking for a challenge. I'd say that's a good reason for a firewall.

How does Apple's firewall protect me?

[rantweasel]

Originally posted by Person Man:
Well, since Mac OS X is a Unix-based operating system, if you're sitting on a cable modem connection, you're a sitting duck for any script kiddie or hacker looking for a challenge.

Yes, if you have any services running (like a web server, a mail server, etc). If you don't run any servers, then it doesn't matter what sort of firewall you have, there wont be any place to attack. The firewall in OS X is nice, but there's no need to turn it on by default since there are no services running by default.

[soul searching]

Originally posted by ducasi:
That's me.

How does Apple's firewall protect me?

Every port is closed by default. Well, some are open but only the "localhost" has access to them. So you are protected from the start.

The Firewall doesn't actually become handy until you want to open spefic ports (and you don't want to deal with the terminal ).

EDIT: just a tad after rantweasel's post.

[CharlesS]

Well, it does do one thing for you even if all your ports are already closed. If some hacker is port scanning random IP addresses to see if they have any ports open, and your firewall is off, your Mac will refuse the connections, and they will at least know your computer exists. With the firewall turned on, their request will time out, and for all they know, no computer exists at that address. This will make it less likely that they will check your IP again to see if you've opened any ports since the last time they checked.

[delete]

I have a cable connection but I run it through a router that has a firewall. I don't run a server etc., just a couple of workstations. Does it benefit me at all to have the firewall active on the machines?

[ambush]

Originally posted by delete:
I have a cable connection but I run it through a router that has a firewall. I don't run a server etc., just a couple of workstations. Does it benefit me at all to have the firewall active on the machines?

Your router alreayd block the ports.

[justinkim]

Originally posted by soul searching:

The Firewall doesn't actually become handy until you want to open spefic ports (and you don't want to deal with the terminal ).

In which case, you're going to be opening those ports on the firewall anyway.

IMHO, it makes no sense not to run the firewall if you have one.

[entrox]

Originally posted by ducasi:
But I'd argue for 99% of Mac OS X users, the firewall is pretty much useless, it gets in the way, it's a waste of time, it's really only another "feature" to tick off - "yep, we've got one of them too."

That's the price of security. You can have either tight security or convenience, but not both. The art lies within finding the middle way.

[Arkham_c]

http://www.freebsd.org/doc/en_US.ISO...firewalls.html

The firewall is there for people who don't have a router. With that said, most of the routers on the market offer NAT as their primary means of firewall protection. As any half-decent hacker can tell you, NAT is pretty easily hackable. Turning on ipfw is a good idea for that reason.

ipfw (the firewall used by OSX) has LOTS of other features that are not enabled by the OSX GUI. You can add bandwidth filters (limiting upband or downband on a given port), limiting traffic on specific ports to specific hosts, and more. If you are or aspire to be an OSX guru, you need to learn how ipfw works so you can secure your systems and provide interesting port management options.

[entrox]

Originally posted by Arkham_c:
[url]You can add bandwidth filters (limiting upband or downband on a given port), limiting traffic on specific ports to specific hosts, and more.

You can? I was under the impression that dummynet wasn't implemented in the current version of Darwin (the one in Jaguar). The manpage is missing and last time I tried, it didn't work.

[Spheric Harlot]

Originally posted by entrox:
You can? I was under the impression that dummynet wasn't implemented in the current version of Darwin (the one in Jaguar). The manpage is missing and last time I tried, it didn't work.

CarraFix does this. (I have no idea what protocol it implements, though, but it does work with ipfw.)

-s*

[legionare]

Originally posted by entrox:
You can? I was under the impression that dummynet wasn't implemented in the current version of Darwin (the one in Jaguar). The manpage is missing and last time I tried, it didn't work.

I tried putting a couple of dummynet commands in my ipfw config. The upshot was very very ugly

Anyone remember the other name for dummynet?

[clarkgoble]

What underlying programs does brickhouse use? It provides a fairly nice front end for more features than the Apple supplied front end for its firewall.

[Millennium]

Originally posted by clarkgoble:
What underlying programs does brickhouse use? It provides a fairly nice front end for more features than the Apple supplied front end for its firewall.

Actually, BrickHouse uses the same firewall backend that Apple uses.

Apple's firewall frontend is decent enough for Joe User, but it doesn't even come close to scratching the surface of what the firewall can actually do.

[justinkim]

The problem with BrickHouse is that it doesn't seem to handle more than two ethernet interfaces. I've got three (2x Ethernet 1x Airport) and could never get it to properly configure everything.

Ipfw isn't that hard to learn how to configure manually and it's worth the time to get familiar with it if you're of a technical bent.

[ducasi]

Originally posted by soul searching:
The Firewall doesn't actually become handy until you want to open spefic ports (and you don't want to deal with the terminal ).

justinkim said it for me - every port I open I will want to make available through my firewall. In effect, I'm firewalling all the closed ports and opening up all the open ports. Really, a total waste of time.

Of course the ipfw firewall has lots of other useful features which might make it worthwhile using it on a stand-alone box. Can't really find one for my situation though...

One thing I might have used ipfw for is to protect my ssh ports from the new security hole revealed today (expect a security update from Apple any day now), except that I can use TCP wrappers to block ssh connections from places I'm not expecting them.

It would be good if I could block pings coming from the nachi worm, unfortunately I think that would require looking further into the packet than ipfw allows.

Really, the only good reason I see the firewall being useful to your average user is if they have turned on Internet Sharing, which already makes them less than typical.

I guess a firewall might help stop you leaking private information via rendezvous - until I stopped it, rendezvous and apache were effectively giving out a complete list of the users on my box to my neighbours on the same cable modem segment. Not a big problem, and again, I solved it by changing the configuration of the application rather than needing to use a firewall.

I tried out BrickHouse for a while back in the 10.1 days, but found it also to be a nuisance. It would mess up my tweaks I had done to the rules it produced when I wanted to use its admin-type functions, like its logging window.

So, again, I decided that that firewall wasn't worth the bother.

It should be possible to create a ZoneAlarm-type firewall for Mac OS X. This is useful for blocking applications you don't trust on your own computer. A gap in the market perhaps...

Cheers, D.

[legacyb4]

Like Little Snitch?

http://www.obdev.at/

Cheers.

Originally posted by ducasi:
It should be possible to create a ZoneAlarm-type firewall for Mac OS X. This is useful for blocking applications you don't trust on your own computer. A gap in the market perhaps...

Cheers, D.

[justinkim]

There are some really, really, really good reason to keep the firewall up by default.

It protects you from attacks on services that you may not realize are running and are vulnerable. Say, something that gets turned on during a software update or some insecure application you start.

As has been said, you can also use it to block (or allow) specific hosts and use it to log suspicious activity.

Blocking outgoing ports could also mitigate the operation and spread of worms and adware/spyware.

[clarkgoble]

Little Snitch is a very good program. It is helpful when trying to figure out what ports a program is using for setting your NAT to tunnel properly. It is also surprising what programs "call out" unexpectedly.

[Andrman]

Does anyone know of a utility or easy way to view the built-in firewall's log? I'm assuming it's available via Console.

[CharlesS]

Originally posted by Andrman:
Does anyone know of a utility or easy way to view the built-in firewall's log? I'm assuming it's available via Console.

The Apple firewall doesn't turn on logging. According to rumor, 10.4 is supposed to fix that.

Using a third-party firewall program like BrickHouse allows you to enable logging.

[Andrman]

Oh that stinks, thanks for letting me know. That's kinda disappointing, especially since it uses that great UNIX firewall. You'd think they would allow a way to turn it on.

[DigitalEl]

Say you just went from dial-up to cable and are running your very first home network... Is there a way to test your setup to make sure you're protected BEFORE something nasty happens?

Setup:

-Cable modem
-Linksys WRT54G wireless router/hub
-iMac connected via ethernet
-PowerBook connected via Airport Extreme card
-TiVo connected via Linksys wireless "B" USB adapter

Settings:

-OS X Firewall on
-File sharing on
-Printer sharing on
-TiVo Home Media on

[Dr.Michael]

erased
hey, the delete checkbox does not work!

[Maflynn]

Originally posted by DigitalEl:
Say you just went from dial-up to cable and are running your very first home network... Is there a way to test your setup

This place Shields Up
is good place to test your security.

Mike

[DigitalEl]

This place Shields Up
is good place to test your security.

Nice. That's exactly the kind of thing I was hoping someone would come back with.

Since this thread is already one that should be in the Networking Forum, I'll ask one more question. With File Sharing... Should you turn that off except for when you're actually using it or is the fact my machines are almost always sleeping a good thing there?

[Maflynn]

Originally posted by DigitalEl:
Should you turn that off except for when you're actually using it [/B]

Its one of those depends answers. If you rarely do file transers its definitely safer to have it off and not exposed. If your unning behind a NAT router and have the firewall turned on then its probably ok. I had mine on and shields up couldn't find the port. Off is still better.

Mike

[Arkham_c]

Originally posted by ducasi:
justinkim said it for me - every port I open I will want to make available through my firewall. In effect, I'm firewalling all the closed ports and opening up all the open ports. Really, a total waste of time.

Another example -- what if you wish to allow a certain type of connection only from a certain IP or range of IPs? This is easy in ipfw. What if you wish to limit outgoing connections to a list of approved sites? Also easy with ipfw.

The truth is, ipfw is very useful, but Apple just doesn't give you the flexibility in its GUIs to use it.

[iv_zar]

What would be a good firewall for mac then.

I was looking at Norton

Any suggestions?????????????????

[Brass]

Originally posted by iv_zar:
What would be a good firewall for mac then.

I was looking at Norton

Any suggestions?????????????????

The built in Mac OS X firewall is fine. The UI for it in Systems Preferences is fairly limitted (not utilising much of the firewall's actual functionality). So you might like to download a different UI. But the firewall itself is very good.

[Andrman]

What other UI's are available? Is Brickhouse one of those?

[CharlesS]

BrickHouse is good. In general, I stay away from Norton products.

[yukon]

ducasi, not knowing about the firewall isn't a good place to start in arguing against it. Actually, it's too normal to start from a place like that. "man ipfw", visit a few security forums, then try to argue against IPFW. You actually could come up with something, like praise for PF, I've seen many argue for IPTABLES (I prefer IPFW's straightforward yet still powerful configuration syntax). IPFW may be software, but it's the real deal...if you're arguing about firewalls in general, that's probably not going to take you anywhere.

Dummynet wasn't enabled in 10.2 at least, you'd have to recompile XNU with support (Apple may add proprietary code to XNU before release as MacOS X), I'm not sure about Panther because I no longer use OS X for the server function I needed dummynet for.

Having IPFW on behind a NAT or hardware firewall may seem redundant, and it is, but just a few rules might be nice, redundant-yet-different is a good thing in computer security. For example, a worm that attacks an OS X (never heard of one, but who knows) vulnerability could be stopped by IPFW when transmitted from an infected machine on your network. If your firewall/NAT has a default password (many hardware products, like BIOSes, recently Cisco's routers ISTR, etc have hidden back-door passwords) then one on IPFW may protect you if your firewall is compromised. Your firewall may not do much more than block ports, more protection is possible (even Snort might be an idea).

Brickhouse....hmm, there was one named FirewallFX or something....Apple's....they're all useful, but arguably more useful when you don't actually use the configurations they create but look at them, the changes certain explained settings make, etc, in order to create your own even more customized ruleset for IFPW.

[CharlesS]

Originally posted by yukon:
Brickhouse....hmm, there was one named FirewallFX or something....Apple's....they're all useful, but arguably more useful when you don't actually use the configurations they create but look at them, the changes certain explained settings make, etc, in order to create your own even more customized ruleset for IFPW.

I think Firewalk didn't use IPFW, but used something else instead of which I'm not sure what it was. For that reason, I recommend BrickHouse instead - it's an interface for IPFW rather than trying to reinvent the wheel.

[Millennium]

Originally posted by CharlesS:
I think Firewalk didn't use IPFW, but used something else instead of which I'm not sure what it was. For that reason, I recommend BrickHouse instead - it's an interface for IPFW rather than trying to reinvent the wheel.

FireWalk can be made to use IPFW, but it normally uses its own firewall system. This is not entirely bad; for one thing, FireWalkX lets you exclude specific applications from connecting to the Net at all, much like ZoneAlarm on Windows.

There are plenty of reasons that one might choose to use their own firewall over IPFW. IPFW is good for gateways and such, but you can't use it for application-based rules or time-based rules, for example (to be fair, FwX doesn't do time-based firewalling either).

This said, IPFW is far from useless. I use it myself, and it works quite well for what it is. Apple's interface to it is extremely poor, but there are ways around that (such as the excellent BrickHouse, which others have already mentioned here).

[Millennium]

Norton is a very sad case. Back in the days of OS9, their stuff was not just good but great. Arguably the best in the business. Ever since the advent of OSX, however, their quality went way downhill very quickly, even for the OS9 releases they continued to do for a while. Nowadays, Norton stuff has a reputation for causing more problems than it solves.

I don't claim to know why this happened. Perhaps it was simple neglect, as the company increased its focus on Windows.

[CharlesS]

Originally posted by Millennium:
Norton is a very sad case. Back in the days of OS9, their stuff was not just good but great. Arguably the best in the business. Ever since the advent of OSX, however, their quality went way downhill very quickly, even for the OS9 releases they continued to do for a while. Nowadays, Norton stuff has a reputation for causing more problems than it solves.

That may be true for some of their other products, but their firewall was never very good. I've used it on OS 9 before - it didn't stealth the ports, it only closed them, so you'd fail the test on www.grc.com pretty spectacularly.

I think the OS X version is just another interface for IPFW, but even so, why bother? BrickHouse is an interface for IPFW, and it's very good. Probably cheaper, too, although I'm not sure how much the Norton firewall costs these days.

[yukon]

"Stealthing" isn't necessarily the best thing, I tend to prefer it (hey, more security, good) but many will argue it's against the RFC or whatever standard it is, bad for whatever reasons. Most consumer routers seem to do it, I have nothing against simply dropping requests to closed ports, it works for me. The term "stealth" I've seen objected to, nmap has a different term, but I think "stealth" has the marketing appeal that security needs (after all, grc.com, to me, is about marketing security).

Just checked, yeah, that firewall did have it's own mechanism. I thought I had another one, orange "F W" letters as the icon, apparently it was firewalk and the icon changed. I've also used SunShield, ISTR it wasn't bad but not as complete as brickhouse. I even remember using NetBarrier back on OS 9, conciderably complete for a firewall, but no reason to use it over IPFW on OS X when I last checked, and possibly not on OS9 even (ooh, people using SubSeven and BackOrifice on me).

Norton has always caused problems for me when I come across it. I remember a friend's machine being taken down by Norton Crashguard, as dialogs would pop up on boot faster than you could close them, "Norton Crashguard has crashed, use Norton Crashguard to repair Norton Crashguard?". Even lately on a friend's PC, WinXP, it's causing a P4 to act slower than a K6-II. For virus protection on Windows I prefer McAfee, they haven't let me down much, but don't use their firewall (maybe even the general consumer suite, 2004 was annoying, "security center"? no more manual updates?), I've had to remove the firewall from two machines when it simply broke networking with no way to fix it (2k, XP SP1). On the Mac, well, we don't need a whole lot of "protection", the UNIX tools are more than enough so far (as if chkrootkit will ever find anything on my machine).

[Amorya]

Originally posted by CharlesS:
That may be true for some of their other products, but their firewall was never very good. I've used it on OS 9 before - it didn't stealth the ports, it only closed them, so you'd fail the test on www.grc.com pretty spectacularly.

Stealthing the ports is, of course, against TCP/IP specification (I think - or some other spec) which states something along the lines of All stations MUST respond to PINGs.

So if you use it and have problems on the net, then basically you're on your own.

Amorya

[Don Pickett]

Who's There gives you a GUI for ipfw's log, as well as allowing you to easily trace the offending machine.