Leopard's Firewall Criticized




rpp3po
Oct 29, 2007, 10:12 PM
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine) (http://www.heise-security.co.uk/articles/98120):


The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.



Warbrain
Oct 29, 2007, 10:19 PM
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine) (http://www.heise-security.co.uk/articles/98120):

It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.

vansouza
Oct 29, 2007, 10:21 PM
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine) (http://www.heise-security.co.uk/articles/98120):

Thank God for hardware firewalls.

flyinmac
Oct 29, 2007, 10:41 PM
Thank God for hardware firewalls.

I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?

flopticalcube
Oct 29, 2007, 10:45 PM
I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?

I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right. :rolleyes:

flyinmac
Oct 29, 2007, 10:53 PM
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right. :rolleyes:

I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.

flopticalcube
Oct 29, 2007, 10:55 PM
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.

That should be more than adequate.

flyinmac
Oct 29, 2007, 10:58 PM
That should be more than adequate.

I sure hope so :confused:

Sun Baked
Oct 29, 2007, 11:03 PM
Anybody turn on the advanced settings, use stealth, then look at the logs a while later? :(

Edit: I miss the dead SPI enabled router.

flyinmac
Oct 29, 2007, 11:09 PM
Anybody turn on the advanced settings, use stealth, then look at the logs a while later? :(

Edit: I miss the dead SPI enabled router.

From reading the article, I couldn't tell.

SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.

iJawn108
Oct 29, 2007, 11:15 PM
I sure hope so :confused:

Turn off Universal Plug n' Play.

flyinmac
Oct 29, 2007, 11:18 PM
Turn off Universal Plug n' Play.

I believe I did do that. I spent hours comparing the settings with descriptions of what they did on the Internet. Hopefully I got everything.

motulist
Oct 29, 2007, 11:24 PM
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?

flyinmac
Oct 29, 2007, 11:28 PM
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?

It sounds to me like they are saying that 10.5 is worse. But, I could be wrong.

Daiden
Oct 29, 2007, 11:37 PM
Well this is somewhat disappointing.

weaverra
Oct 30, 2007, 12:01 AM
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

flyinmac
Oct 30, 2007, 12:19 AM
Turn off Universal Plug n' Play.

Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

And, I just went back through my settings, and all looks good there.

So, hopefully Leopard won't open the door on me.

Well this is somewhat disappointing.

Yes. If this is true, then Leopard will definitely be a let-down there.

Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???


Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?

Sun Baked
Oct 30, 2007, 12:21 AM
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.

flyinmac
Oct 30, 2007, 12:25 AM
He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.


Hesitant to read between the lines... What is your belief based on your observations?

weaverra
Oct 30, 2007, 12:28 AM
Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?

Leopard (10.5). I'm no security expert, but from what I gathered, something should have shown up according to their claim.

00:19 is when I allowed all incoming connections.


Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
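As an added example (not code from the thread or from Apple), here is a small Python parser for the Firewall[40] log format quoted above, run over constructed sample lines in that format: it separates what the firewall let listen on a wildcard socket (reachable from every interface) from what it denied and what stealth mode silently dropped, which is the check a reader would want to make against the setting in effect. The hostname, addresses and the mDNSResponder entry are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries modelled on the Leopard Firewall[40] log lines
# quoted in the post above; hostname, addresses and the mDNSResponder line
# are invented for this example, not taken from the poster's machine.
SAMPLE_LOG = """\
Oct 30 00:16:56 example-mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49202 uid = 0 proto=6
Oct 30 00:16:56 example-mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49203 uid = 0 proto=6
Oct 30 00:16:57 example-mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49202 uid = 0 proto=6
Oct 30 00:17:03 example-mbp Firewall[40]: Deny smbd connecting from 192.168.1.31:50000 uid = 0 proto=6
Oct 30 00:19:06 example-mbp Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 example-mbp Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:19:08 example-mbp Firewall[40]: Allow mDNSResponder listening from 0.0.0.0:5353 uid = 65 proto=17
Oct 30 00:21:18 example-mbp Firewall[40]: Stealth Mode connection attempt to UDP 192.168.1.20:49429 from 203.0.113.7:40000
this line is not a firewall entry
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> Firewall[<pid>]: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Firewall\[\d+\]: (?P<msg>.+)$")
# "Deny smbd connecting from 192.168.1.20:49202 uid = 0 proto=6"
# "Allow cupsd listening from :::631 uid = 0 proto=6"  (":::631" is "::" + port)
VERDICT_RE = re.compile(
    r"^(?P<verdict>Deny|Allow) (?P<proc>\S+) (?P<mode>connecting|listening) from "
    r"(?P<addr>\S+?):(?P<port>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$")
# "Stealth Mode connection attempt to UDP 192.168.1.20:49429 from 203.0.113.7:40000"
STEALTH_RE = re.compile(
    r"^Stealth Mode connection attempt to (?P<l4>TCP|UDP) "
    r"(?P<dst>\S+?):(?P<dport>\d+) from (?P<src>\S+?):(?P<sport>\S+)$")

PROTO_NAMES = {6: "tcp", 17: "udp"}
WILDCARDS = {"0.0.0.0", "::"}   # binds reachable on every interface


def parse_line(line):
    """Return a dict for one Firewall[40] entry, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host")}
    msg = m.group("msg")
    v = VERDICT_RE.match(msg)
    if v:
        ev.update(kind=v.group("verdict").lower(), proc=v.group("proc"),
                  mode=v.group("mode"), addr=v.group("addr"),
                  port=int(v.group("port")), uid=int(v.group("uid")),
                  proto=PROTO_NAMES.get(int(v.group("proto")), v.group("proto")))
        return ev
    s = STEALTH_RE.match(msg)
    if s:
        ev.update(kind="stealth", proto=s.group("l4").lower(),
                  dst=s.group("dst"), dport=int(s.group("dport")),
                  src=s.group("src"), sport=s.group("sport"))
        return ev
    ev.update(kind="other", msg=msg)
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Condense the entries into what a defender wants to know: which daemons
    were allowed to listen and on which sockets, which of those are bound to a
    wildcard address (exposed on every interface), which inbound attempts were
    refused and from where, and what stealth mode dropped without replying."""
    listeners = defaultdict(set)
    denied = Counter()
    stealth = []
    for ev in events:
        if ev["kind"] == "allow" and ev["mode"] == "listening":
            listeners[ev["proc"]].add((ev["addr"], ev["port"], ev["proto"]))
        elif ev["kind"] == "deny":
            denied[(ev["proc"], ev["addr"])] += 1
        elif ev["kind"] == "stealth":
            stealth.append((ev["src"], ev["proto"], ev["dport"]))
    exposed = {(proc, port, proto)
               for proc, socks in listeners.items()
               for addr, port, proto in socks if addr in WILDCARDS}
    return {
        "listeners": {p: sorted(s) for p, s in listeners.items()},
        "exposed": sorted(exposed),
        "denied": dict(denied),
        "stealth_drops": stealth,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for proc, port, proto in report["exposed"]:
        print(f"exposed: {proc} listening on {proto}/{port} (wildcard bind)")
    for (proc, src), n in sorted(report["denied"].items()):
        print(f"denied:  {n} attempt(s) to {proc} from {src}")
    for src, proto, dport in report["stealth_drops"]:
        print(f"stealth: dropped {proto}/{dport} probe from {src}")
```

A listener showing up in the "exposed" list while the policy is set to "Block all incoming connections" is exactly the behaviour the heise test describes; compare the list against the setting that was in effect at those timestamps.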

Peace
Oct 30, 2007, 12:36 AM
This guy/site doesn't understand the Leopard firewall.

Sun Baked
Oct 30, 2007, 12:42 AM
Hesitant to read between the lines... What is your belief based on your observations?

They said Apple allows every process started by the user into the exceptions list ... even if you run a trojan.

Almost sounded like they stayed there til you restarted.

Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.

Detektiv-Pinky
Oct 30, 2007, 03:41 AM
This guy/site doesn't understand the Leopard firewall.

This is entirely possible. However, I honestly think that the Apple firewall is not an easily usable and confidence-inspiring product. And it is turned 'OFF' by default! :eek:

I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programs it allows incoming connections'; that is not something I want my firewall to do.

So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you like to share it with us.

boz0
Oct 30, 2007, 05:15 AM
I have a Linksys Router with a Hardware Firewall in it.

This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

joelovesapple
Oct 30, 2007, 05:19 AM
Thanks for the info. I'll be keeping my eye out for a software update to combat this problem. :)

Wild-Bill
Oct 30, 2007, 05:52 AM
This new firewall in Leopard is disappointing. I liked Tiger's much much better.

Glad I'm behind a router...

boz0
Oct 30, 2007, 05:55 AM
Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Well, that sounds like the kind of behaviour you'd expect from a firewall, which is, in view of this thread, kinda reassuring :)

What protocols did you scan for? Only tcp, or did you try udp, icmp, others?

joelovesapple
Oct 30, 2007, 06:04 AM
This new firewall in Leopard is disappointing. I liked Tiger's much much better.

Glad I'm behind a router...

I'll join the club - on both counts.

wrboyce
Oct 30, 2007, 09:07 AM
There is nothing wrong with the Leopard firewall, even if the GUI is a little poorly done.

`man ipfw`

savar
Oct 30, 2007, 09:28 AM
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine) (http://www.heise-security.co.uk/articles/98120):

How bizarre...I didn't want to believe it, but the article is pretty clear cut.

Just to be clear to the others here: if you're behind a NAT router (and you haven't done anything weird like forward ports or DMZ), then you're still safe from attacks from the outside.

But anybody on your network would be able to attack the services that are running -- which could be problematic if you were on a public wifi, e.g. That doesn't necessarily mean they could compromise those services or take control of your computer, but it should still be a concern to Apple to send out an update ASAP.

It seems that this was on a fresh install of Leopard. When I get home tonight I'll check out the settings on my MacBook -- I upgraded from Tiger to Leopard -- and see if it actually degraded my security.

vansouza
Oct 30, 2007, 11:11 AM
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine) (http://www.heise-security.co.uk/articles/98120):

I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?

weaverra
Oct 30, 2007, 12:05 PM
I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?

I did this with "allow all incoming" enabled and still passed with all green.

killmoms
Oct 30, 2007, 12:11 PM
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.

flyinmac
Oct 30, 2007, 12:36 PM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

The router I'm using is a Wired Router. I don't allow wireless in the house. So, the router has no wireless capabilities.

But, it does have a firewall built-in. Basically, it is supposed to filter all incoming and outgoing communications. It appears to be pretty thorough. I've configured all the settings, and such and used various online scanners, and none of them have reported a weakness.

Hopefully, it is good. It's one of those things where you never know how good something is until it fails.

The link is rather long, so here's a tinyURL to the page with information on the router / Firewall I'm using:

http://tinyurl.com/25shvh

It definitely has more firewall features to configure than the OS X firewall. So, it seems pretty thorough. Hopefully it is as secure as it seems.

vansouza
Oct 30, 2007, 12:42 PM
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.

Well it's obvious that you don't but some do give a fig. I am trying to understand the concern and passion of the OP; because I don't share it. Not for lack of passion or concern but because, like you said, exercise some care about the sites you visit and after all Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.

Cromulent
Oct 30, 2007, 12:49 PM
The Apple firewall comes with certain default settings; you can play with it as much as you like, though, and configure it to your heart's desire. Just type man ipfw in the Terminal for instructions, or Google ipfw (IP Firewall).

If you're not happy, do something about it rather than waiting for Apple to fix it. If you can't be bothered to learn how to fix it or do it yourself, then you are obviously happy enough with it in its current form.

flyinmac
Oct 30, 2007, 12:53 PM
Well it's obvious that you don't but some do give a fig. I am trying to understand the concern and passion of the OP; because I don't share it. Not for lack of passion or concern but because, like you said, exercise some care about the sites you visit and after all Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.

The issue is not so much whether something can get in and infect your system.

Rather, the issue is whether someone with time on their hands can locate your system through the internet and start browsing around through information on your hard drive.

Without an effective firewall, anyone with time and skill can get into your computer and browse around.

I've had previous alerts that have come up (before I had a firewall router) that showed IP addresses and such of users who were out on the Internet trying to find a hole in my firewall to exploit and gain access (of course I was using a software firewall at the time that reported such attempts).

I would then track down the IP address of the offender, and send a note to their Service Provider (which obviously may have done nothing, but may have been taken seriously).

Either way, if you don't have a Firewall, then the websites are not the concern to me. It's the individuals trying to gain access and looking for whatever is on your computer (or using your computer to mask what they are doing and from where).

Edit: Just for information purposes, my firewall router does offer alerting and reporting services like other software routers do.

VoodooDaddy
Oct 30, 2007, 01:12 PM
I did this with "allow all incoming" enabled and still passed with all green.

Same here. I tested every setting with "allow all incoming" and everything passed. Only when I set a specific port to test, one that is open for bittorrent, did it find anything.

Avatar74
Oct 30, 2007, 01:20 PM
If you want a serious low cost (no kidding, compared to PIX, Checkpoint, etc.) firewall... get a Netgear FWG-114P firewall/wireless router (part of the blue metal Pro SoHo series, not the white/grey plastic boxes).

It's SPI, ICSA-certified, has user-definable implicit rules (can allow/deny both inbound and outbound) and user-definable filtering, logging, NAT, VPN, syslog forwarding, email alerts/event alerts, DoS attack mitigation, TCP/UDP flood protection, MAC address auth, WEP/WPA, etc. etc.

A consumer grade software firewall may as well be no firewall.

flyinmac
Oct 30, 2007, 01:52 PM
Same here. I tested every setting with "allow all incoming" and everything passed. Only when I set a specific port to test, one that is open for bittorrent, did it find anything.

I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".

VoodooDaddy
Oct 30, 2007, 01:54 PM
I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".

Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better. :D

BTW, I'd think if someone were trying to get through, they wouldn't be looking for specific ports but looking for any open port.

flyinmac
Oct 30, 2007, 01:58 PM
Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better. :D

BTW, I'd think if someone were trying to get through, they wouldn't be looking for specific ports but looking for any open port.

A person who wants in, will obviously first scan for open ports. But, knowing that firewalls attempt to hide them, they would then try deliberately entering through ports that they expect will have weaker protection or through any port that they typically have success with.

They know that just because you don't immediately see them, that they are not actually gone.

It would be a pretty wimpy hacker that would just say, well, it says the door's closed, I'm done.

Cromulent
Oct 30, 2007, 02:13 PM
A consumer grade software firewall may as well be no firewall.

You're joking, right? The Mac OS X firewall is in no way a consumer grade firewall. It is a firewall used in a consumer grade product, but that does not make it any more of a consumer solution. Sure, the default setup may not be great, but with proper configuration it is just as good as any other firewall out there.

VideoFreek
Oct 30, 2007, 02:35 PM
If you want a serious low cost (no kidding, compared to PIX, Checkpoint, etc.) firewall... get a Netgear FWG-114P firewall/wireless router ... A consumer grade software firewall may as well be no firewall.

Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :o But if by "consumer grade" you mean NAT-only routers, then we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI"; every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

It would be a pretty wimpy hacker that would just say, well, it says the door's closed, I'm done.

You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car: you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection, as people certainly will be targeting you specifically, all the time!

flyinmac
Oct 30, 2007, 02:42 PM
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :o But if by "consumer grade" you mean NAT-only routers, then we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI"; every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car: you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection, as people certainly will be targeting you specifically, all the time!


I can agree with that.

The issue for me, is that I have had several instances where firewall software has detected deliberate attempts to enter the system (although that was before I had a firewall router). So, it does appear that they do attempt from time to time to enter private systems.

pgwalsh
Oct 30, 2007, 02:59 PM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A hardware firewall is a dedicated piece of hardware used as a firewall. Yes it uses software, but it's a hardware firewall. I use a dedicated machine as a hardware firewall running IPCOP. It's a dedicated hardware firewall. This is in contrast to a software firewall, as in Zone Alarm, which runs as a service on a personal computer.

Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better. :D

Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.

VideoFreek
Oct 30, 2007, 03:00 PM
The issue for me, is that I have had several instances where firewall software has detected deliberate attempts to enter the system (although that was before I had a firewall router). So, it does appear that they do attempt from time to time to enter private systems.

Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time, as little as 15 minutes! See, for example, this (http://www.safeinternet.org.uk/broadband.htm). The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random, initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.

VideoFreek
Oct 30, 2007, 03:08 PM
Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.

Stealth, as relentlessly pounded into us by Steve Gibson (http://www.grc.com/default.htm), involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports, which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested: detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.

pgwalsh
Oct 30, 2007, 03:12 PM
Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time, as little as 15 minutes! See, for example, this (http://www.safeinternet.org.uk/broadband.htm). The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random, initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.

That's true. You don't want to be naked on the net.

I just looked at my IDS log and on Saturday I had 258 intrusion detections, but most were bad traffic. However some were the following:

MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
http://www.snort.org/pub-bin/sigs.cgi?sid=2003

MS-SQL version overflow attempt
Priority: 3 Type: Misc activity
http://www.snort.org/pub-bin/sigs.cgi?sid=2050

(http_inspect) DOUBLE DECODING ATTACK

Name: (portscan) TCP Portsweep
Priority: n/a Type: n/a

Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
An attacker may attempt to determine live hosts in a network prior to launching an attack.

I get a ton of CyberKit, MySQL attacks and port sweeps. Google has even done several port sweeps. Nothing for me to worry about, but if you leave your machine open someone will find it.

pgwalsh
Oct 30, 2007, 03:25 PM
Stealth, as relentlessly pounded into us by Steve Gibson (http://www.grc.com/default.htm), involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports--which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested--detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.

You're right, but I believe Tiger just closed port 113 in stealth mode. Port 113 is the identification port and what's normally used to identify a machine.

Phil A.
Oct 30, 2007, 04:20 PM
As long as you connect through a NAT router you're pretty safe whatever the state of a software firewall (at least to external attacks - if you use a shared internet connection you are still vulnerable to other clients behind the router). Software firewalls were only really useful when everyone used dial up connections and your computer effectively was the router.
Also, in spite of scare stories from sites such as grc.com, it's simply not true to say that any open ports mean you are exposing yourself to anyone who wants to have a look around: if that were the case then there would be no servers on the internet! As long as you're sensible about passwords, all you are risking is the exploit of any security holes in services you may be exposing.
I've never run the software firewall in OSX (or windows for that matter) and sit behind a wireless NAT router with a tunnel through for ssh so I can connect to my mac over the internet. With ssh configured properly I feel pretty secure in doing that.

MacRumors
Oct 30, 2007, 10:05 PM
A security research firm is criticizing Leopard's security, namely the new system's firewall.

Heise Security was highly critical of the firewall and declared that it failed every test (http://www.heise-security.co.uk/articles/print/98120). The tests centered around Apple's default configuration and whether the firewall configured correctly due to user input.

[Leopard's firewall] is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet.

The company does acknowledge that the system services that it communicated with in its tests did not seem immediately exploitable (though one, ntpd was out of date). However, the company does advise that the issues be addressed by Apple and users beware of the shortcomings.

Apple has been touting Leopard's security as one of the many features (http://www.apple.com/macosx/features/300.html#security) of Leopard.

Article Link (http://www.macrumors.com/2007/10/30/leopards-firewall-criticized/)

Eidorian
Oct 30, 2007, 10:06 PM
I never really knew OS X for its Firewall GUI.

flopticalcube
Oct 30, 2007, 10:07 PM
Does anyone use software firewalls anymore?

Eidorian
Oct 30, 2007, 10:08 PM
Does anyone use software firewalls anymore?

I'm behind NAT but I at least like to know when an application is trying to establish a connection ala Little Snitch.

darthraige
Oct 30, 2007, 10:11 PM
Has anyone ever gotten a virus on an Apple product? lol

Eidorian
Oct 30, 2007, 10:12 PM
Has anyone ever gotten a virus on an Apple product? lol

I'd prefer not to have unsolicited connections having access.

darthraige
Oct 30, 2007, 10:17 PM
I'd prefer not to have unsolicited connections having access.

It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

Eidorian
Oct 30, 2007, 10:18 PM
It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

I can say that I never got a virus on my PC as well.

darthraige
Oct 30, 2007, 10:22 PM
I can say that I never got a virus on my PC as well.

No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

Eidorian
Oct 30, 2007, 10:22 PM
No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

SiliconAddict
Oct 30, 2007, 10:23 PM
Yah I started looking at how to configure the firewall in 10.5 and lo and behold up there really isn't anything to configure. :eek:

I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.


That should be more than adequate.

Yah until you are off network with a laptop. :rolleyes:

darthraige
Oct 30, 2007, 10:27 PM
I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

Ahhh, I got ya. When are you going all Mac?

Eidorian
Oct 30, 2007, 10:28 PM
Ahhh, I got ya. When are you going all Mac?

When Apple releases hardware worth buying?

harmless
Oct 30, 2007, 10:29 PM
A security research firm is criticizing Leopard's security, namely the new system's firewall.


Heise is a publisher.

They sell several computer magazines. While those are among the best the market has to offer in Germany, sadly that doesn't mean a lot. Especially c't has become more of an consumer related magazine with a focus on Windows, Linux and stuff like digital cameras and (HD/flat panel) TV sets.

They try to broaden their market by opening up several sub sections on their web site, which include 'Heise Security' - but also 'Heise Autos' (cars).

While their news *reporting* is generally reliable, the same can not be said about their own 'research'; especially regarding Macs.

Unfortunately, they have a broad audience anyway.

Masquerade
Oct 30, 2007, 10:31 PM
good news in time for IT managers that are willing to install mac os x 10.5 server on their machines.

JNB
Oct 30, 2007, 10:32 PM
I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".

Gibson Research's tests are very reliable - the "full" port scan hits ports 0-1055 sequentially and gives specific results on each. You can also specifically choose to scan any ports beyond that range (though I don't have the time or real concern to hit all 64K ports!)

I just completed all tests--on a public network--on both 10.5 through Camino and XP through Firefox and have a full stealth posture on each. Much better than my old native Win98 Frankenputer.

On a side (but semi-related) note, I am also now seeing a bunch of other PC's & Macs (at least a dozen different ones so far) out there in the sidebar. Most of the Macs are offering up Screen Sharing. I'm pretty sure they're all on the same network as I am in the hotel, but it's still a little unnerving. ALL of my sharing is now off, to be turned on only as needed. Just a little too much like walking around with my fly unzipped...

darthraige
Oct 30, 2007, 10:36 PM
I've used Windows since win 3.0 days.

The good 'ol 3.0 days. Commander Keen, The Amazing Spiderman, Hostage, The Original Duke Nukem. Miss those days.

Rodimus Prime
Oct 30, 2007, 10:36 PM
Does anyone use software firewalls anymore?

It is really a good practice to use both. Software firewalls are much better at stopping outbound connections. Also each one has its own strengths and weaknesses. One might get around a hardware firewall but not get around a software firewall.

I would say I am behind a hardware firewall but I set my computer to be DMZ host because I am too lazy to figure out what ports I needed to forward (yeah, bad practice), but when I lived on campus, damn skimpy, I sat behind a software and hardware firewall. It was rather annoying coming back to my room my first year and seeing 8+ warnings sitting on my screen, all from external attacks, mostly because people have viruses and other crap on their computers.

Hardware firewall and oh so much nicer with a huge drop in messages.

Eidorian
Oct 30, 2007, 10:39 PM
I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.
Shucks, all that I can bring to the table for my Windows experience is MS-DOS 5.0 and Windows 3.1. :rolleyes:

I may have gotten one virus but my memory isn't what it used to be.

mdriftmeyer
Oct 30, 2007, 10:40 PM
The entire claim from Heise is getting debated over at Slashdot and OSNews and others.

Let's make it clear. The Security Model Heise is expecting isn't the Security Model deployed by Leopard, and until they get the Server Docs and Darwin 9 to see what they claim is skewed you can continue to believe the fear.

Security has vastly improved in the Userspace.

DavidCar
Oct 30, 2007, 10:40 PM
What does "Allow Safari Listening" mean? I see that several times in my Leopard firewall log.

Also it appears someone was scanning some of my ports sequentially this morning.

Oct 30 00:19:05 Macintosh Firewall[39]: Allow Safari listening from ::ffff:0.0.0.0:0 uid = 501 proto=6

Oct 30 00:23:17 Macintosh Firewall[39]: Stealth Mode connection attempt to UDP 10.0.1.3:53795 from 10.0.1.1:53
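As an added example (not code from any poster), a small Python helper that parses lines in the Leopard Firewall log format shown above, decodes the uid and proto fields behind the "Allow Safari listening" message, and flags a source address that probes many different ports. The first two sample lines are the ones from the post; the remaining lines and the address 10.0.1.9 are constructed.

```python
"""Parse Leopard Firewall log lines and flag port sweeps (added example)."""
import re
from collections import defaultdict

# Sample log: the first two lines are the ones posted in the thread, the
# rest are constructed to show what a sequential probe of one host looks like.
SAMPLE_LOG = """\
Oct 30 00:19:05 Macintosh Firewall[39]: Allow Safari listening from ::ffff:0.0.0.0:0 uid = 501 proto=6
Oct 30 00:23:17 Macintosh Firewall[39]: Stealth Mode connection attempt to UDP 10.0.1.3:53795 from 10.0.1.1:53
Oct 30 00:41:02 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:21 from 10.0.1.9:40001
Oct 30 00:41:02 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:22 from 10.0.1.9:40002
Oct 30 00:41:03 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:23 from 10.0.1.9:40003
Oct 30 00:41:03 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:25 from 10.0.1.9:40004
Oct 30 00:41:04 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:80 from 10.0.1.9:40005
Oct 30 00:41:04 Macintosh Firewall[39]: Stealth Mode connection attempt to TCP 10.0.1.3:110 from 10.0.1.9:40006
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Firewall\[\d+\]: (?P<msg>.*)$"
)
LISTEN = re.compile(
    r"^Allow (?P<app>.+?) listening from (?P<addr>\S+):(?P<port>\d+) "
    r"uid = (?P<uid>\d+) proto=(?P<proto>\d+)$"
)
STEALTH = re.compile(
    r"^Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\S+):(?P<dport>\d+) from (?P<src>\S+):(?P<sport>\d+)$"
)
IP_PROTO = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers used by proto=


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a Firewall line."""
    m = LINE.match(line)
    if not m:
        return None
    msg = m["msg"]
    l = LISTEN.match(msg)
    if l:
        # The firewall let <app> open a listening socket. uid 501 is the first
        # local user account and proto=6 is TCP; ::ffff:0.0.0.0 is the
        # IPv4-mapped spelling of the wildcard address 0.0.0.0.
        return {"kind": "listen", "ts": m["ts"], "app": l["app"],
                "uid": int(l["uid"]), "proto": IP_PROTO.get(l["proto"], l["proto"])}
    s = STEALTH.match(msg)
    if s:
        # Stealth mode silently dropped an unsolicited packet and logged it.
        return {"kind": "stealth_drop", "ts": m["ts"], "proto": s["proto"],
                "src": s["src"], "sport": int(s["sport"]),
                "dst": s["dst"], "dport": int(s["dport"])}
    return {"kind": "other", "ts": m["ts"], "msg": msg}


def looks_like_dns_answer(event):
    """UDP from source port 53 to a high port has the shape of a DNS reply to
    an earlier query (here from the gateway 10.0.1.1), so it is reported
    separately rather than counted as probing."""
    return (event["kind"] == "stealth_drop" and event["proto"] == "UDP"
            and event["sport"] == 53 and event["dport"] >= 1024)


def find_sweeps(events, min_ports=5):
    """Map each source address to the sorted distinct ports it probed, keeping
    only sources that touched at least min_ports ports (a port sweep)."""
    ports = defaultdict(set)
    for e in events:
        if e["kind"] == "stealth_drop" and not looks_like_dns_answer(e):
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def analyze(text):
    """Parse a whole log and summarise listeners, sweeps and DNS-shaped drops."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "listeners": [(e["app"], e["proto"], e["uid"])
                      for e in events if e["kind"] == "listen"],
        "sweeps": find_sweeps(events),
        "dns_shaped_drops": sum(1 for e in events if looks_like_dns_answer(e)),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE_LOG))
```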

deathshrub
Oct 30, 2007, 10:44 PM
Software firewalls are basically useless anyway.

mdriftmeyer
Oct 30, 2007, 10:44 PM
What does "Allow Safari Listening" mean? I see that several times in my Leopard firewall log.

Also it appears someone was scanning some of my ports sequentially this morning.

Oct 30 00:19:05 Macintosh Firewall[39]: Allow Safari listening from ::ffff:0.0.0.0:0 uid = 501 proto=6

Oct 30 00:23:17 Macintosh Firewall[39]: Stealth Mode connection attempt to UDP 10.0.1.3:53795 from 10.0.1.1:53

Case in point on the Userspace Security in Leopard. Read up on sandboxing at the application level. Apple hasn't even released their Documentation for Leopard to further explain the changes in their Security Model.

On User-Level Sandboxing: Technical document on the approach:

http://www.cs.bu.edu/~richwest/sandboxing.html

vitaflo
Oct 30, 2007, 10:49 PM
I don't get it. They're basing most of their assessment on nmap's output:

# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)

And saying "open|filtered" means the ports are open. But if you know about nmap, and read the documentation on it, it says:

"Filtered" means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. [...] Nmap reports the state combinations "open|filtered" and "closed|filtered" when it cannot determine which of the two states describe a port.

http://insecure.org/nmap/man/

Basically, this means the ports are firewalled, and not only that, but OS X isn't giving *any* info about those ports at all. The fact that it says "open" is just a guess as far as nmap is concerned. It doesn't know.
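As an added example, not code from the post or from nmap, the following Python parser reads the listing above and separates what the scan proved from what it only guessed; the two TCP lines in the sample are constructed for contrast.

```python
"""Separate confirmed from undetermined nmap port states (added example)."""
import re
from collections import defaultdict

# The UDP listing is copied from the post above; the two TCP lines are
# constructed to show how confirmed states come out differently.
SAMPLE = """\
# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)
22/tcp open ssh
25/tcp closed smtp
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?")

# States nmap prints when it cannot choose between two possibilities. For a
# UDP scan, "open|filtered" simply means no reply came back: either the
# service accepted the datagram silently or a firewall dropped the probe.
UNDETERMINED = {"open|filtered", "closed|filtered", "unfiltered"}


def parse_nmap(text):
    """Return (port, proto, state, service) tuples for each port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            rows.append((int(port), proto, state, service or "unknown"))
    return rows


def classify(rows):
    """Bucket ports by how much the scan actually established:
    confirmed_open  - the target answered in a way only an open port can
    not_open        - closed (RST / ICMP unreachable) or filtered
    undetermined    - nmap guessed between two states; treat it as a question
                      about the firewall, not as proof of an exposed service"""
    buckets = defaultdict(list)
    for port, proto, state, service in rows:
        if state == "open":
            key = "confirmed_open"
        elif state in UNDETERMINED:
            key = "undetermined"
        else:
            key = "not_open"
        buckets[key].append(f"{port}/{proto} {service}")
    return dict(buckets)


def exposed_services(text):
    """Names of services the scan positively confirmed as reachable."""
    return classify(parse_nmap(text)).get("confirmed_open", [])


if __name__ == "__main__":
    for bucket, ports in classify(parse_nmap(SAMPLE)).items():
        print(bucket, ports)
```

Resolving an undetermined UDP port means eliciting a service reply (for example with nmap's -sV version probes) or checking the host's own listener list, not reading `open|filtered` as open.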

Rodimus Prime
Oct 30, 2007, 10:52 PM
Gibson Research's tests are very reliable - the "full" port scan hits ports 0-1055 sequentially and gives specific results on each. You can also specifically choose to scan any ports beyond that range (though I don't have the time or real concern to hit all 64K ports!)

I just completed all tests--on a public network--on both 10.5 through Camino and XP through Firefox and have a full stealth posture on each. Much better than my old native Win98 Frankenputer.

On a side (but semi-related) note, I am also now seeing a bunch of other PC's & Macs (at least a dozen different ones so far) out there in the sidebar. Most of the Macs are offering up Screen Sharing. I'm pretty sure they're all on the same network as I am in the hotel, but it's still a little unnerving. ALL of my sharing is now off, to be turned on only as needed. Just a little too much like walking around with my fly unzipped...

I would have taken the chance to try to screw around with the person's screen and told them that they really should turn it off.

It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

I have to say that is an insane number to get. Since starting to use a PC back with Windows 95 I can count on one hand the number of viruses I have gotten. One of them was just plain stupidity on my part and I installed a trojan; the other was MSBlaster off a fresh reformat that I had walked off from for a while on my college campus network, which makes it very easy to pick it up. Both my fault.
Now I have seen my AV software log a few, but it was off files sent to me by someone else or I downloaded in a risky area. It really only takes very minor proactive protection to stop everything.

Now if you leave a computer unprotected viruses seem to multiply very quickly (that could explain your 1-5 a day: you had some viruses that you never knew about). Someone in the dorms whose computer I spent the better part of a few hours cleaning up had no AV software, and we got Symantec corp ed. installed and then ran it. I believe it removed 150+ viruses off the computer. They multiply because they start leaving you open to other viruses that will get themselves installed. Got to love how they breed.
This virus scan was followed by a spyware scan, and that removed well over 1k worth of crap. His computer was a night and day difference.

As for the random virus that caused it to be brought to my attention and caused me to have to start working on it, it is a good laugh. It was something that was making him print all sorts of random crap. All those poor thieves out there taking stuff from this computer ended because of a printing virus.

jaw04005
Oct 30, 2007, 10:56 PM
I turned my firewall on. Now where is the firewall for my AirPort Extreme Base Station (802.11g)? I can't seem to find it in the new AirPort Admin Utility.

seanneko
Oct 30, 2007, 10:58 PM
I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING.

Same here. I've been using Windows since 3.1, and I've also had ONE virus. It was a DOS virus that added an echo statement to autoexec.bat.

Windows doesn't get viruses unless you download and run a program that has a virus in it. It's just common sense - don't click on things that say "free screensaver - best program ever 100% free click here!"

brownbird
Oct 30, 2007, 11:01 PM
There ought to be a few people out there that are proficient with Unix. Some of you must be familiar with ipfw (Apple's firewall). Can someone post some suggested settings for ipfw? A tutorial for us who want to build the best firewall protection possible?

CANEHDN
Oct 30, 2007, 11:01 PM
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.

I agree. Tiger's firewall was excellent. Easy to use and could easily be changed to open and close any or all ports. In Leopard they moved it and made it more confusing and more complicated than it needed to be. I couldn't even open my firewall logs. I'd click the button and nothing would happen. I think it may be time to get one of the old computers from storage and build myself a hardware firewall.

eme jota ce
Oct 30, 2007, 11:07 PM
Can anyone explain to a noob what decent Network settings would be for a MacBook that joins a variety of wired / wireless networks for a reasonable level of security?

MagnusVonMagnum
Oct 30, 2007, 11:11 PM
I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.


I've had a PC for 7 years and I've NEVER gotten a virus on it (had to clear spyware off before, though) and I've had broadband for over 3 years now and internet access from day 1. I guess it matters WHAT you download. And I've never used IE on it on any kind of regular basis (went from Netscape to Mozilla to Firefox for my regular browser).

It's kind of hard to get a virus on a Mac when there really aren't any out there to get.... Still, you'd think Apple would improve their firewall from Tiger, not make it worse. I can't even put Tiger on this Mac (dual 553 G4) without buying an accelerator card so I guess it'll stay Tiger and be used mostly for Internet browsing and downloading. Hopefully the new Macbook will at least have the newer Santa Rosa integrated graphics so I can get my first Intel Mac (waiting on MacPro to update graphics cards before I consider one for a desktop; I hate the new iMacs so no show there...possibly a MacMini for now if it gets better graphics too, though. I don't need bleeding edge, just the ability to run current games at a reasonable rate. I need the laptop for LogicPro8 music production and pinball game development under WinXP or Vista).

diehldun
Oct 30, 2007, 11:11 PM
I'm sorry, I guess I'm a little confused right now, because it seems everything was "automatic" in Tiger before I upgraded to Leopard.

As a college student using a new MBP via ethernet, what should I do in terms of changing settings to set up the firewall and ensure security? Under "Firewall" under System Preferences, I changed it to "block all incoming connections", and under "Advanced", clicked "Enable Stealth Mode"; "Enable Firewall Logging" was already selected. Is this good enough? I made these changes just by glancing at a few of the posts scattered throughout. Sorry if I sound paranoid, but I'm kind of concerned...

SMM
Oct 30, 2007, 11:11 PM
Shucks, all that I can bring to the table for my Windows experience is MS-DOS 5.0 and Windows 3.1. :rolleyes:

I may have gotten one virus but my memory isn't what it used to be.

I am sure you could recount every one if it was a Mac, Shucks. :rolleyes:

Eidorian
Oct 30, 2007, 11:12 PM
I am sure you could recount every one if it was a Mac, Shucks. :rolleyes:

Someone maliciously posted that old iChat trojan on MacRumors.

So 1 trojan to say maybe 1-2 Windows junk?

I think we can all say we have ancient Windows experience. No need to compare. :rolleyes:

jaw04005
Oct 30, 2007, 11:17 PM
This is regarding the new(er) AirPort Extreme Base Station (802.11n/gigabit):

Still, if all other routers are set as stealth, why isn't Apple's? I asked Jai Chulani, the senior product manager for the Airport Extreme, why this router doesn't have a feature found on almost all its competitors' products. Chulani argued it's not that important for a router to operate in stealth mode, and then made a very Applesque point:

"We decided it doesn't add enough value. We're not going to add something just because the other guy is doing it."

http://blogs.chron.com/techblog/archives/2007/05/just_how_important_is_it_to_be_stealthy_on_th.html

...

[Steve Gibson] also made the point that, while Apple may not provide a stealth mode for its routers, its Mac OS X operating system includes the feature in its built-in firewall. In the System Preferences, click on Sharing, the Firewall button, then Advanced.

Apparently, our AirPort routers will fail GRC's Shields Up stealth tests. However, enabling stealth mode in Mac OS X's software firewall sort of makes up for it.

yg17
Oct 30, 2007, 11:19 PM
The new Leopard firewall SUCKS. I want the good old fashioned "allow this port, block that port" firewall that Tiger had.


And, for most people, your basic router works as a firewall by design. Your computer is on a private network; it cannot be directly accessed from the outside world without port forwarding or DMZ. Let's say there's an attack that exploits a service running on port 12345. So an attacker tries to connect to your IP at port 12345, and unless you have that port forwarded, or you DMZed your computer, your router has no idea what to do with that packet and drops it. So that's why you don't do DMZ, and only forward when you need to.

I had the Tiger firewall enabled just for that extra layer of security (although really isn't needed since I'm behind a router) but I disabled the Leopard firewall. I'm not going to mess with that piece of junk.

diehldun
Oct 30, 2007, 11:20 PM
On a side (but semi-related) note, I am also now seeing a bunch of other PC's & Macs (at least a dozen different ones so far) out there in the sidebar. Most of the Macs are offering up Screen Sharing. I'm pretty sure they're all on the same network as I am in the hotel, but it's still a little unnerving. ALL of my sharing is now off, to be turned on only as needed. Just a little too much like walking around with my fly unzipped...


I'm curious, but aren't almost all the options except for Bluetooth sharing turned off by default in Leopard? It is (at least) on mine...

I have to agree, I'm in my dorm right now (do we have firewalls, or am I in "the wild"?), and it's really awkward and unsettling to see a bunch of people's computers right in my Finder. I'll be honest, I don't like this one bit.

jaw04005
Oct 30, 2007, 11:24 PM
I have to agree, I'm in my dorm right now (do we have firewalls, or am I in "the wild"?), and it's really awkward and unsettling to see a bunch of people's computers right in my Finder. I'll be honest, I don't like this one bit.

Just because you see them, doesn't mean they can see you. They have some type of sharing turned on. I wouldn't worry about it too much. If your firewall is on, and sharing is off, you should be fine.

hulugu
Oct 30, 2007, 11:26 PM
The new Leopard firewall SUCKS. I want the good old fashioned "allow this port, block that port" firewall that Tiger had.


And, for most people, your basic router works as a firewall by design. Your computer is on a private network; it cannot be directly accessed from the outside world without port forwarding or DMZ. Let's say there's an attack that exploits a service running on port 12345. So an attacker tries to connect to your IP at port 12345, and unless you have that port forwarded, or you DMZed your computer, your router has no idea what to do with that packet and drops it. So that's why you don't do DMZ, and only forward when you need to.

I had the Tiger firewall enabled just for that extra layer of security (although really isn't needed since I'm behind a router) but I disabled the Leopard firewall. I'm not going to mess with that piece of junk.

Yep, they dorked this up.

Although knowing what each port number did seemed like needless esoteric knowledge, the descriptions were usually good enough to figure out what it did. The new system removes all the old information and becomes more opaque.
Do I want iTunes to allow incoming connections? Or not? It's not easy for the user to know and you can't make granular decisions because it appears to be based entirely on the applications.

yg17
Oct 30, 2007, 11:32 PM
Yep, they dorked this up.

Although knowing what each port number did seemed like needless esoteric knowledge, the descriptions were usually good enough to figure out what it did. The new system removes all the old information and becomes more opaque.
Do I want iTunes to allow incoming connections? Or not? It's not easy for the user to know and you can't make granular decisions because it appears to be based entirely on the applications.


Easy way to solve that:

Simple Mode and Advanced Mode.

Simple Mode would be the app-based thing like Leopard has now, Advanced Mode would be pre-Leopard firewall.

hulugu
Oct 30, 2007, 11:33 PM
Easy way to solve that:

Simple Mode and Advanced Mode.

Simple Mode would be the app-based thing like Leopard has now, Advanced Mode would be pre-Leopard firewall.

That's funny, I was just thinking the same thing. The advanced section should give more options for allow/disallow. Sometimes knowing that the iChat port is blocked by the firewall is helpful.

shawnce
Oct 30, 2007, 11:49 PM
From the firewall help topic... (it's obvious that the firewall is utilizing the new trust abilities that code signing allows to simplify management of the firewall by the average user)

Setting firewall access for services and applications
Mac OS X includes a firewall: a security measure that protects your computer when you’re connected to a network or the Internet. If you turn on a sharing service, such as file sharing, Mac OS X opens a specific port in the firewall for the service to communicate through. When you open the Firewall pane of Security preferences, any sharing services turned on in Sharing preferences, such as File Sharing or Remote Apple Events, appear in the list.

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access.

IMPORTANT: Some programs have access through the firewall although they don’t appear in the list. These might include system applications, services, and processes (for example, those running as “root”). They can also include digitally signed programs that are opened automatically by other programs. You might be able to block these programs’ access through the firewall by adding them to the list.

To add an application to the list, select “Set access for specific services and applications” in the Firewall pane of Security preferences, click Add (+) at the bottom of the list, and then select what you want to add. After the program is added, click its up and down arrows to allow or block connections through the firewall.

Blocking a program’s access through the firewall could affect the performance of other applications and services you use.

rockosmodurnlif
Oct 30, 2007, 11:53 PM
I always love when I see these I've run Windows since before Windows existed and I never got a virus. Congratulations. Let me share a short story.

I did a fresh install, silly me I left the cable connection in, I go to start downloading the security packs and Internet Explorer (which accesses the Windows Update) stays open for a bit then closes. This happens repeatedly. I'm confused. This is a fresh install, I think to myself, whiskey tango foxtrot? So I install Norton and it finds a worm but it can't get rid of it. It has to restart the computer to fix it. I say, to hell with that, unplug the machine from the net, do a new fresh install and then Norton afterward. Plug back in to download the updates, Norton catches the worm before it can install.

So I got infected without visiting anywhere. I'm sure there are others who have similar experiences. Please don't clog a good thread with your blame the user nonsense. Sorry for going off topic.

Eidorian
Oct 30, 2007, 11:56 PM
I always love when I see these I've run Windows since before Windows existed and I never got a virus. Congratulations. Let me share a short story.

I did a fresh install, silly me I left the cable connection in, I go to start downloading the security packs and Internet Explorer (which accesses the Windows Update) stays open for a bit then closes. This happens repeatedly. I'm confused. This is a fresh install, I think to myself, whiskey tango foxtrot? So I install Norton and it finds a worm but it can't get rid of it. It has to restart the computer to fix it. I say, to hell with that, unplug the machine from the net, do a new fresh install and then Norton afterward. Plug back in to download the updates, Norton catches the worm before it can install.

So I got infected without visiting anywhere. I'm sure there are others who have similar experiences. Please don't clog a good thread with your blame the user nonsense. Sorry for going off topic.

You need to take into account internet background radiation.

An unprotected and non-updated Windows installation will just pick who knows what up.

weaverra
Oct 31, 2007, 12:07 AM
Of course the media is gonna have a heyday with this, but I think it's gonna be funny when it comes out it's not as they say it is. I find it interesting how these other researchers and analysts like to base their comments on what a security magazine says, having not even tried it themselves. I'm calling bull on this whole claim. There probably is a reason :apple: hasn't contacted them for help. :D

sulhaq
Oct 31, 2007, 12:08 AM
Not being able to set specific ports for programs is irritating me to no end. Not only that, I can't turn the damn firewall off so I can use a third party one.....

breal8406
Oct 31, 2007, 12:10 AM
So it's very apparent we all agree that the Leopard firewall sucks. Instead of beating a dead horse....may I suggest we not encourage the problem and for those of us running our computers constantly in Admin, take an extra step and do all your day to day computing as a "Standard User" mode.

I read that piece of advice on MacWorld.com once and have been doing it ever since. I run in Standard User, then I do maintenance tasks in Admin....then for random people I don't really trust, or people I know that are going to download a lot, I have the Guest Account option enabled.

That way when the unthinkable happens and OS X has a security flaw like this...we're all prepared.

If you wanna get really stringent you could also change your Keychain login...

Dwight Schrute
Oct 31, 2007, 12:16 AM
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :o But if by "consumer grade" you mean NAT-only routers, and there we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI," every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car--you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection as people certainly will be targeting you specifically, all the time!

Although I run Macs exclusively at home, at work I manage Cisco firewall appliances and Symantec enterprise software firewalls for a Windows network. I know a little bit about this stuff :) and would like to say that you, VideoFreek, have the best handle on this topic so far.

NAT is merely a good start. To the guy who only runs a NAT hard-wired router: if that's all you have between you and the Internet, WPA2 is tougher to get around than NAT so you may as well cut the cord already and enjoy some freedom.

Software firewalls are in fact very useful. Once you have your outside interface stealthing or blocking inbound activity, and SPI (Stateful Packet Inspection) is running, unless you want to block all programs from using all ports outbound through the inside interface (good luck using the Internet), what else but a software firewall will decide who/what can initiate requests? :D

What am I talking about - this is a Mac forum. We don't have to worry about this crap.

mmccaskill
Oct 31, 2007, 12:18 AM
Well apparently ipfw isn't being used. I've set the GUI firewall to deny everything except a few programs. But here is the output for ipfw


> sudo ipfw list
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any


Not sure why/where the icmp restriction came from

yetanotherdave
Oct 31, 2007, 12:19 AM
I always love when I see these: "I've run Windows since before Windows existed and I never got a virus." Congratulations. Let me share a short story.

I did a fresh install, silly me I left the cable connection in, I go to start downloading the security packs and Internet Explorer (which accesses the Windows Update) stays open for a bit then closes. This happens repeatedly. I'm confused. This is a fresh install, I think to myself, whiskey tango foxtrot? So I install Norton and it finds a worm but it can't get rid of it. It has to restart the computer to fix it. I say, to hell with that, unplug the machine from the net, do a new fresh install and then Norton afterward. Plug back in to download the updates, Norton catches the worm before it can install.

So I got infected without visiting anywhere. I'm sure there are others who have similar experiences. Please don't clog a good thread with your blame the user nonsense. Sorry for going off topic.

I had the exact same thing happen. It was the final tipping point for me. I spent a good 12 hours installing Windows that day; I then installed Linux in 20 minutes, including patches.
I wiped Windows after that, never ran it since.

yg17
Oct 31, 2007, 12:52 AM
A big problem with software firewalls is there's a lot that can go wrong and you'd never know. It could crash. A configuration file could get messed up and it wouldn't be doing what it's supposed to. The firewall itself may have an exploit that can let an attacker remotely turn off the firewall and gain full access. The advantage of using NAT is that, by design, it acts as a firewall. If it crashes, you'll know because you won't be able to access the internet and you can reboot it, replace it, whatever. I suppose an attacker can get in if you have remote management enabled, so that's why it should be disabled and you should have a really good password, to reduce the chance of anything like that happening. Even for people who have 1 computer and no need for wireless, I'd still recommend a cheap router; even if they don't need it for routing purposes, it still provides a huge security increase for little money. Very cost effective for home users.


As far as the issue of blocking outgoing traffic from applications, I have never found a use for it. If you do, then I suppose a software firewall (or some expensive layer 7 hardware firewall appliance if you have thousands of dollars to blow :D) is the only way to do that. But the few times I tried something like that (ZoneAlarm/Little Snitch, etc), I've found it a huge annoyance. But that's all personal preference.

For me, I just have a router...no software firewall. The only port I need to forward is my BitTorrent port, and I use UPnP in Transmission, so it's only forwarded when Transmission is open (Yeah, I know UPnP has its own security issues, but I use a Mac, what do I need to worry about? :D) No attacks yet and I don't think I'll ever get anything, it's a pretty good, secure setup for a home user.

Westside guy
Oct 31, 2007, 01:10 AM
Don't have Leopard yet, so don't know what firewall is running. OS X seemed to be the only BSD using ipfw (as my BSD friends liked to point out); so maybe Leopard's moved to packetfilter (pf)?

If indeed the report is accurate, and you can reach a service (that shouldn't even be running) through the firewall by default - that's not good. That's almost exactly the sort of thing that bit XP multiple times back in the bad old days.

I will say that people posting that their Airport's "hardware firewall" sucks likely don't have a good grasp on the technical details. NAT is NAT is NAT, no matter who makes the router. NAT's not a firewall at all; but unless there's a flaw in that particular NAT implementation, it's pretty darn good protection unless you're actively doing something to defeat it (e.g. putting gaming machines in the DMZ; port forwarding through to an internal server, etc.). Private address space packets are simply not routable over the internet. Also, if you know how to use nmap, you know "stealth mode" is overrated.

It has always bugged me, though, that OS X doesn't have the firewall on by default. You could have it turned on with bonjour's ports open, or something to that effect, without losing much "ease of use".

andy721
Oct 31, 2007, 01:13 AM
It wouldn't affect us anyway; the majority of us are on hardware firewalls and routers. :mad:


Because if it is something serious, it would affect some people.

trakais
Oct 31, 2007, 01:42 AM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

Finally someone said it :)

adrianm
Oct 31, 2007, 01:42 AM
I assumed that 10.5 would respect the overall settings of 10.4 after upgrading, but it did not.

Firewall was set to allow all incoming after upgrade.

That's a bit disappointing, but fortunately, I'm only exposed to other machines on my local network, not the interweb as my router blocks all incoming traffic.

trakais
Oct 31, 2007, 01:46 AM
This is regarding the new(er) AirPort Extreme Base Station (802.11n/gigabit):

Still, if all other routers are set as stealth, why isn't Apple's? I asked Jai Chulani, the senior product manager for the Airport Extreme, why this router doesn't have a feature found on almost all its competitors' products. Chulani argued it's not that important for a router to operate in stealth mode, and then made a very Applesque point:

"We decided it doesn't add enough value. We're not going to add something just because the other guy is doing it."

http://blogs.chron.com/techblog/archives/2007/05/just_how_important_is_it_to_be_stealthy_on_th.html

...

[Steve Gibson] also made the point that, while Apple may not provide a stealth mode for its routers, its Mac OS X operating system includes the feature in its built-in firewall. In the System Preferences, click on Sharing, the Firewall button, then Advanced.

Apparently, our AirPort routers will fail GRC's Shields Up stealth tests. However, enabling stealth mode in Mac OS X's software firewall sort of makes up for it.

Do you even know what this stealth mode is, what it does and how it works? This stealth word is just marketing BS and I totally agree with Chulani's response.

If you have an Airport Base Station, you are already behind NAT, which will make you 99% secure (I guess you are not the Pentagon, which gets hack attacks every day) unless you forward some obscure ports apart from the needed 80, 443 etc., which is exactly what your stealth mode would achieve. NAT will only forward the configured ports, and the rest would not work.

mrfrosty
Oct 31, 2007, 01:48 AM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

Actually pretty much all firewalls also route by design / function. They just base their decisions on additional parameters, so it's pretty unfair to criticize someone for using the phrase "dedicated firewall" in the context of a router. How many of the appliances you say are dedicated offer VPN functionality? Pretty much all of them, I think.

mrfrosty
Oct 31, 2007, 01:55 AM
I had the exact same thing happen. It was the final tipping point for me. I spent a good 12 hours installing Windows that day; I then installed Linux in 20 minutes, including patches.
I wiped Windows after that, never ran it since.

I switched to Macs about 4 years ago; I have seen my colleagues do exactly the same things. The average time to infection on our internal network at work was around 17 seconds at the time (it is a very big global network). That said, it's foolish to build Windows machines in an environment where they can be exposed to infection and yet unprotected because the build hasn't finished. IMHO

Jahz
Oct 31, 2007, 02:07 AM
This is FUD! The article isn't completely inaccurate because it leaves out some important facts... the truth is quite a bit less terrible. I did some of my own tests and found that the firewall isn't horrible. It needs some minor patching, but that's all. Read:

1)
The tester first set up a fake trojan server to test incoming connections. He found that he could connect to it when using the selective access setting ("Set access for specific services and applications"). I did my own tests and came to a similar but perfectly acceptable conclusion.

"Only Apple can explain what precisely is going on here."

Verdict: WRONG!

I can explain what is going on to you because it's quite simple. OSX knows what programs are listening for incoming connections at any given time (try command 'netstat -l'). When you turn on this "selective" setting, you are giving OSX permission to decide on some sensible defaults for allowing external access. When the setting is first enabled, the OS looks at what servers are currently listening for connections and allows them to continue listening. Clearly the purpose of this setting is to not cut off any applications that were already in the process of communicating, while preventing any new applications (legitimate or otherwise) from being accessed externally.

Despite the criticism, this feature *does* make sense. Had the reviewer started up his fake trojan after choosing selective access, he would have been presented with a popup asking whether to allow or deny access to the program. Apple is trying to allow users to secure their computers with minimal frustration and impact on their computing. Additionally there is a little warning under the button that says it basically allows the OS to determine what is right.

2)
NTP and NetBIOS. Access to these services doesn't seem to be logged properly and can't be restricted via the GUI. This is the real bug, and it needs to be fixed. Although I couldn't get NTP working externally (my ISP might block it?), it's definitely not working properly.

Here is a perl server that I used to test the firewall:

use strict;
use warnings;
use IO::Socket::INET;

# Listen on TCP 7778 so a connection from outside shows whether the
# firewall actually lets it through.
my $sock = IO::Socket::INET->new(
    LocalPort => 7778, Proto => 'tcp', Listen => 1, Reuse => 1,
) or die "Could not create socket: $!\n";

while (1) {
    my $in = $sock->accept() or next;         # retry if accept() was interrupted
    while (<$in>) { chomp; print "$_\n"; }   # echo each line the client sends
    close($in);
}

Test externally with telnet your.ip 7778 and type stuff

ksgant
Oct 31, 2007, 02:26 AM
The Leopard firewall also will break World of Warcraft.

You can read about this bug here at the WoW forums (http://forums.worldofwarcraft.com/thread.html?topicId=2647255853&sid=1&pageNo=2).

In short, one of the Blizzard support team wrote:

" I was able to reproduce one instance of this problem internally. When I put the WoW game executable (application) in the Firewall config dialog where you can "set access for specific services and applications", the OS changes something about the application contents and then the signature check at login fails because the bits have changed.

The OS has added a new file "CodeResources" into the application bundle, and also made some change to the executable itself, causing the checksum to no longer match what the server expects.

My advice until we get this sorted out would be, don't mess with the Leopard firewall and do not put any of our applications on the special treatment list that the firewall panel provides.

Additional info: if you have no backup copy of the WoW executable, you will probably need to reinstall to get it running again. Once you get to that point I would make a backup copy of the WoW application using Duplicate or (dare I say it) Time Machine, so this issue can be resolved quickly should it come up again."

Jahz
Oct 31, 2007, 02:36 AM
Also, if you know how to use nmap, you know "stealth mode" is overrated.

Negative.

NMAP will not be able to scan your computer if you block all connections AND use stealth mode. What stealth mode does is prevent your computer from responding properly to requests. Normally when requests come into a computer and are filtered by the firewall, your computer sends a "Connection Refused" message back to the sender. With stealth mode enabled, your computer will remain silent after the firewall blocks the packets.

Therefore with stealth mode enabled, your computer is invisible to basically any internet scans. It can still be found in the arp table of your local LAN router, but past the first switch it will be invisible. An internet scanner couldn't tell whether your computer is on or off.

koobcamuk
Oct 31, 2007, 02:39 AM
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?

Good Q.

Furthermore - does anyone else think that system prefs in 10.5 are a little... dumbed down? I really feel like it's XP and windows control panel ish.

hulugu
Oct 31, 2007, 02:42 AM
I switched to Macs about 4 years ago; I have seen my colleagues do exactly the same things. The average time to infection on our internal network at work was around 17 seconds at the time (it is a very big global network). That said, it's foolish to build Windows machines in an environment where they can be exposed to infection and yet unprotected because the build hasn't finished. IMHO

I agree, although I did try it once to see what would happen and I was just amazed how fast something evil found my install. I keep all my Windows systems behind a good router, but every once in a while one of my clients manages to download a rootkit or some other horror.

boz0
Oct 31, 2007, 02:45 AM
A hardware firewall is a dedicated piece of hardware used as a firewall. Yes it uses software, but it's a hardware firewall. I use a dedicated machine as a hardware firewall running IPCOP. It's a dedicated hardware firewall.

So, let's see, if I run a dedicated Linux box running Netfilter, it's a hardware firewall, but if I suddenly decide I want to use that box as well as a media player or to do some kind of office work, it's no longer a hardware firewall?

The only reason people started talking about hardware firewalls is stupid vendors pretending their products were different.

This is in contrast to a software firewall, as in Zone Alarm, which runs as a service on a personal computer.

There's certainly a huge difference between the kind of "applicative" firewalling done by ZoneAlarm and the like, and robust solutions like Ipf and Netfilter. However, you could argue that both categories can be run as services on a personal computer (notwithstanding the fact that one sits above the system and one is really hooked into the kernel's IP stack).

Anyway, I was just making a point for non-security literate users, a description which obviously doesn't fit you :)

boz0
Oct 31, 2007, 02:51 AM
I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.

And the two main measures that will save a Windows PC (I mean, beyond replacing the OS by Linux or a *BSD and unplugging the network cable) :

- don't click on something if you don't trust the source
- don't use IE and Outlook

flyinmac
Oct 31, 2007, 02:58 AM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

And


Finally someone said it :)



I think that's basically splitting hairs.

Obviously, software (in a generic term), or perhaps more appropriately referred to as a "Computer Program" in this context, has to be used to process rules and determine what should happen.

In the case of a router with a firewall, you essentially have a hardware appliance that is programmed to respond to events in a specific fashion. Those of us from the early days of computing will distinguish hardware / firmware from software based on a simple criterion. Hardware / Firmware was used to refer to a physical product or code that was embedded into a physical product such as an EPROM / ROM chip (which more recently would equate to a Flash ROM).

Software was a term reserved for a program or code that resided on "soft" media such as a floppy disk (or any disk media at the time).

Firm=Hardware / Chip or code contained in said firm item.

Soft=Floppy / media that was generally a disk.

Of course, for those whose entry point into computers didn't originate in the 70's, perhaps software could be looked at as any form of computer code. But, that is not the origin of the meaning.

But, the term "Hardware Firewall" is generally used to distinguish a Firewall device / appliance from a program running on a PC (or computer).

It's pretty clear and obvious what is meant.

Those that like to nitpick, will obviously flock to picking where picking isn't necessary. At least it makes them feel like big tough men (or is that nerds who need an ego boost?).

I would imagine that most would see the simple term of hardware firewall and associate it appropriately with a product that is dedicated to that purpose.

And, likewise, a person of reasonable intelligence would also associate software firewalls with programs that run directly on their computer.

Those would be appropriate and reasonable associations. And, are simple terms to convey an idea without extended and unnecessary descriptions.

It would be far more useful to discuss the topic at hand than to debate whether a given term meets with your literal interpretation. As such, the given terms do fit with the origins of the terms as they originated back before most here were out of their diapers.

boz0
Oct 31, 2007, 02:59 AM
Basically, this means the ports are firewalled, and not only that, but OS X isn't giving *any* info about those ports at all. The fact that it says "open" is just a guess as far as nmap is concerned. It doesn't know.

Yup. Since nmap gets no reply at all, it assumes that either the port is open (and since UDP is a connectionless protocol, unless you send precisely the right message for the application that might be sitting behind that port, you won't get any kind of answer), or that it's silently (or "stealthily", as Leopard puts it) filtered by a firewall.

However, there's a reason nmap identified these ports and not others as open/filtered: after all, all other UDP ports on the scanned host are likely closed, which means they wouldn't answer either. The thing is, there are tricks for making the system answer with an "ICMP unreachable" packet when addressing a closed UDP port, which allows nmap to rule these out.

Evangelion
Oct 31, 2007, 03:03 AM
*shrug* I never bothered to waste time with OS X's firewall. Mine is turned off, and I use my router's firewall instead, and that seems to do a good job at protecting my network.

That said, I still don't understand how Apple could make a basic error like this. It's pretty simple really: default it to "On", default it to block everything. Then open those ports that you really need, no more, no less. That is the correct way to secure the system. If it defaults to off, that is a huge hole. If it defaults to open everything after you enable it, that is a huge hole.

flyinmac
Oct 31, 2007, 03:04 AM
So, let's see, if I run a dedicated Linux box running Netfilter, it's a hardware firewall, but if I suddenly decide I want to use that box as well as a media player or to do some kind of office work, it's no longer a hardware firewall?

The only reason people started talking about hardware firewalls is stupid vendors pretending their products were different.



They are different. The term is derived from the origins of their terms in the computer industry. Read the previous post regarding such.

Either way, they are different. "hardware firewalls" are dedicated appliances designed for a specific purpose.

A computer could serve the same purpose. But, it is not a product explicitly designed for and limited to that purpose.

Your argument would equate to insisting that a tape deck and a computer are the same thing since they can both play music.

Of course, the tape deck is specifically designed and limited to that purpose.

The computer can serve that purpose by using a program, but it is also not limited to that purpose or explicitly designed for that purpose.

Evangelion
Oct 31, 2007, 03:08 AM
If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.

Do you believe that since Leopard is UNIX, you don't need a firewall? Even the most secure OSes out there (think OpenBSD and the like) have a firewall, and the firewall is one of the reasons they are so secure. Saying stuff like "Since Leopard is UNIX, I don't need a firewall" is like saying "my house is so hard to break in to that I don't need to lock my doors"...

boz0
Oct 31, 2007, 03:13 AM
I think that's basically splitting hairs.

Fair enough :)

Still ...
And, likewise, a person of reasonable intelligence would also associate software firewalls with programs that run directly on their computer.

Those would be appropriate and reasonable associations. And, are simple terms to convey an idea without extended and unnecessary descriptions.


They might be reasonable, only ... well, they're not. They're not because the real distinction is between what I would call "traditional" firewalls, which work on TCP/IP resources, and "application" firewalls (precisely those that have been called "software firewalls"), which try to work at the application level by allowing or disallowing access (incoming and outgoing) to applications.

The point is not, and has never been, whether the firewall sits on its own box or not. So, while the term "software firewall" can be understood (as in, the stuff I'm firewalling is software, instead of TCP/IP packets), a "hardware firewall" doesn't mean anything.

It would be far more useful to discuss the topic at hand than to debate whether a given term meets with your literal interpretation.

Ah, but it is closely related to the topic at hand: Leopard provides an interface that, to the user, looks like an "application" (or software, if you insist) firewall. Part of the question we're trying to address here is really: to which category of firewall does Leopard's belong? Is it simply creating some kind of ruleset for ipfw (the "traditional" firewall), or are there other mechanisms behind the scenes?

This is why I thought, and still think, the difference had to be made. But I promise I'll stop nitpicking :D

Evangelion
Oct 31, 2007, 03:14 AM
No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

I dual-boot my MBP between XP and OS X. I have no virus protection on XP. None. I also have no firewall installed on XP. And no problems. No viruses, no crap.

lol

boz0
Oct 31, 2007, 03:16 AM
> sudo ipfw list
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any


Not sure why/where icmp restriction came from

ICMP type 8 packets are echo requests, more commonly known as "ping". So basically, your system is refusing to answer a ping.

Guess Steve Jobs doesn't like pong.
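
As an added illustration for this thread (not Apple's or ipfw's code, and not from any poster here), the Python below models how ipfw walks a rule list like mmccaskill's, first match wins, and what the remote sender observes: a "deny" is the silent outcome Jahz calls stealth mode, while an allowed packet to a port nobody listens on draws the RST or ICMP port-unreachable that boz0 describes nmap relying on. The host address 192.0.2.10, the scanner 198.51.100.7, the listening-port set and the extra rule 00100 are constructed assumptions.

```python
"""Toy model of ipfw first-match rule evaluation, added to illustrate this
thread (not Apple's or ipfw's code).  It parses the subset of `ipfw list`
syntax seen in the thread; addresses, extra rule and packets are constructed."""
import ipaddress

ME = ipaddress.ip_address("192.0.2.10")  # constructed: this host's own address


def parse_rule(line):
    """Parse one `ipfw list` line.  Supported subset of the ipfw grammar:
    <num> <action> <proto> from <addr> to <addr> [<port>] [in|out] [icmptypes n[,n]]"""
    tok = line.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    rule = {"number": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": tok[4], "dst": tok[6], "dport": None, "direction": None,
            "icmptypes": frozenset()}
    rest = tok[7:]
    i = 0
    while i < len(rest):
        t = rest[i]
        if t.isdigit():                  # a port given after the destination
            rule["dport"] = int(t)
        elif t in ("in", "out"):
            rule["direction"] = t
        elif t == "icmptypes":
            i += 1
            rule["icmptypes"] = frozenset(int(x) for x in rest[i].split(","))
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
        i += 1
    return rule


def packet(proto, src, dst, direction, dport=None, icmptype=None):
    """A constructed packet summary; only the fields the rules look at."""
    return {"proto": proto, "src": src, "dst": dst, "direction": direction,
            "dport": dport, "icmptype": icmptype}


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return ipaddress.ip_address(addr) == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt["dport"])
            and rule["direction"] in (None, pkt["direction"])
            and (not rule["icmptypes"] or pkt["icmptype"] in rule["icmptypes"]))


def observed(action, pkt, listening):
    """What the sender sees.  'deny' drops silently (the stealth outcome a
    scanner reports as filtered).  An allowed packet reaches the stack, which
    answers RST (TCP) or ICMP port-unreachable (UDP) when nothing listens."""
    if action == "deny":
        return "silence"
    if pkt["proto"] == "icmp":
        return "echo-reply" if pkt["icmptype"] == 8 else "silence"
    if (pkt["proto"], pkt["dport"]) in listening:
        return "service-answers"
    return "tcp-rst" if pkt["proto"] == "tcp" else "icmp-port-unreachable"


def evaluate(rules, pkt, listening):
    """ipfw walks the list in rule-number order; the first match decides."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule_matches(rule, pkt):
            return rule["number"], rule["action"], observed(rule["action"], pkt, listening)
    raise RuntimeError("no rule matched; real ipfw always ends with rule 65535")


# The two rules exactly as mmccaskill's `sudo ipfw list` output shows them.
THREAD_RULES = [parse_rule("33300 deny icmp from any to me in icmptypes 8"),
                parse_rule("65535 allow ip from any to any")]
# Constructed: the kind of entry a working "block incoming" setting would have
# to add for the Perl test server on 7778.  Not something Leopard wrote.
HARDENED_RULES = [parse_rule("00100 deny tcp from any to me 7778 in")] + THREAD_RULES
LISTENING = {("tcp", 7778)}       # Jahz's Perl server; nothing else listens


def demo():
    scanner = "198.51.100.7"      # constructed remote host
    ping = packet("icmp", scanner, str(ME), "in", icmptype=8)
    probe = packet("tcp", scanner, str(ME), "in", dport=7778)
    closed = packet("tcp", scanner, str(ME), "in", dport=2222)
    udp = packet("udp", scanner, str(ME), "in", dport=5353)
    return {"ping/thread": evaluate(THREAD_RULES, ping, LISTENING),
            "7778/thread": evaluate(THREAD_RULES, probe, LISTENING),
            "2222/thread": evaluate(THREAD_RULES, closed, LISTENING),
            "udp5353/thread": evaluate(THREAD_RULES, udp, LISTENING),
            "7778/hardened": evaluate(HARDENED_RULES, probe, LISTENING)}


if __name__ == "__main__":
    for name, (num, act, seen) in demo().items():
        print(f"{name:15} rule {num:5} {act:5} -> sender sees {seen}")
```

With the two rules from the listing, only the ping is dropped; the TCP 7778 probe falls through to rule 65535 and reaches the Perl server, which is the point of mmccaskill's post.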

Babasyzygy
Oct 31, 2007, 03:19 AM
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day. Especially in the way that too many people install them - on the same wire as a wireless router with default passwords (and even default network name).

But hey, they've got a hardware firewall...

Nobody's shipping a product that's close to secure when installed by clueless admins, which is most end users. I submit that anything that defaults to a single well-known password and exposes direct control via an insecure network channel (like the web interfaces) can at best be considered "potentially secure," and all of the consumer grade "hardware" firewalls I've seen fall into this category. Remember, the overwhelming majority of intruders go after the low-hanging fruit.

Detektiv-Pinky
Oct 31, 2007, 03:21 AM
This is FUD! The article isn't completely inaccurate because it leaves out some important facts... the truth is quite a bit less terrible. I did some of my own tests and found that the firewall isn't horrible. It needs some minor patching, but that's all. Read:

1)
The tester first set up a fake trojan server to test incoming connections. He found that he could connect to it when using the selective access setting ("Set access for specific services and applications"). I did my own tests and came to a similar but perfectly acceptable conclusion.



Verdict: WRONG!

I can explain what is going on to you because it's quite simple. OSX knows what programs are listening for incoming connections at any given time (try command 'netstat -l'). When you turn on this "selective" setting, you are giving OSX permission to decide on some sensible defaults for allowing external access. When the setting is first enabled, the OS looks at what servers are currently listening for connections and allows them to continue listening. Clearly the purpose of this setting is to not cut off any applications that were already in the process of communicating, while preventing any new applications (legitimate or otherwise) from being accessed externally.

Despite the criticism, this feature *does* make sense. Had the reviewer started up his fake trojan after choosing selective access, he would have been presented with a popup asking whether to allow or deny access to the program. Apple is trying to allow users to secure their computers with minimal frustration and impact on their computing. Additionally there is a little warning under the button that says it basically allows the OS to determine what is right.

2)
NTP and NetBIOS. Access to these services doesn't seem to be logged properly and can't be restricted via the GUI. This is the real bug, and it needs to be fixed. Although I couldn't get NTP working externally (my ISP might block it?), it's definitely not working properly.

Here is a perl server that I used to test the firewall:

use strict;
use warnings;
use IO::Socket::INET;

# Listen on TCP 7778 so a connection from outside shows whether the
# firewall actually lets it through.
my $sock = IO::Socket::INET->new(
    LocalPort => 7778, Proto => 'tcp', Listen => 1, Reuse => 1,
) or die "Could not create socket: $!\n";

while (1) {
    my $in = $sock->accept() or next;         # retry if accept() was interrupted
    while (<$in>) { chomp; print "$_\n"; }   # echo each line the client sends
    close($in);
}

Test externally with telnet your.ip 7778 and type stuff

Thanks, Jahz, for this explanation. I, also, would not go as far as to claim that the article as such is incorrect. Maybe some of their conclusions are, and some maybe not.

You have given a reasonable explanation of what might be behind the 'automatic' decisions made by the OS. I would agree that this might be sensible if the default setting for the FW were 'ON'. It is, however, 'OFF' by default and who knows what programs might be running when a user finally gets around to turning it on. By this time it basically gives the 'OK' for anything that is running, which I think is not such a good idea.

On another note, most people here think that a FW is primarily about defense against viruses. This is not the case. It is important to understand the multitude of threats that your machine is exposed to on the network, and it would most likely be worms, deliberate hacking attempts (manual and automatic), Denial-of-Service attempts, Trojans and spyware that a FW can block. Nothing about viruses here.

Evangelion
Oct 31, 2007, 03:45 AM
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day.

Well, quite often that hardware firewall IS OpenBSD's software firewall :). So there's no difference there; the only difference is that there's a dedicated piece of hardware for the firewall, as opposed to something that does several things, one of which is the firewall.

aLoC
Oct 31, 2007, 03:52 AM
It's just so suspicious when things like this happen. Writing a firewall config file is not that hard. Hobbyists can do it let alone pros at Apple. So it just makes you wonder whether the NSA asked them to leave some holes.

I mean, I know there's the saying "don't attribute to malice what can be explained by stupidity" (paraphrasing), but you can only stretch that so far before incredulity takes over.

rpp3po
Oct 31, 2007, 03:52 AM
I am the OP of the link to Heise. I'm afraid to tell you that I think there have surfaced sufficient indications that the Heise story may be false. Read this (http://leofud.blogspot.com)!

rasputnik
Oct 31, 2007, 04:07 AM
Without an effective firewall, anyone with time and skill can get into your computer and browse around.


That's untrue. You'd need to be offering browsing services in order for them to be exploited.

This kind of thinking is very common and is the main reason the article linked to is nonsense. 'No firewall by default? Oh noes!'

For example, Ubuntu Linux also runs no firewall by default. Because it has no services enabled this is a total non-issue.

rasputnik
Oct 31, 2007, 04:10 AM
It would be a pretty wimpy hacker that would just say well, it says the doors closed, I'm done.

Can you explain how a 'super' hacker is going to connect to a closed port?

No, didn't think so.

rasputnik
Oct 31, 2007, 04:13 AM
Does anyone use software firewalls anymore?

Anyone who roams between networks and has any sense :)

boz0
Oct 31, 2007, 04:17 AM
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day. Especially in the way that too many people install them - on the same wire as a wireless router with default passwords (and even default network name).

But hey, they've got a hardware firewall...

Nobody's shipping a product that's close to secure when installed by clueless admins, which is most end users. I submit that anything that defaults to a single well-known password and exposes direct control via an insecure network channel (like the web interfaces) can at best be considered "potentially secure," and all of the consumer grade "hardware" firewalls I've seen fall into this category. Remember, the overwhelming majority of intruders go after the low-hanging fruit.

Amen.

boz0
Oct 31, 2007, 04:21 AM
I am the OP of the link to Heise. I'm afraid to tell you that I think there have surfaced sufficient indications that the Heise story may be false. Read this (http://leofud.blogspot.com)!

This article has a point, there may be some amount of FUD at work here.

Still, Leopard's firewall should have been enabled by default. All the more since Apple targets also non-technical-savvy users.

rasputnik
Oct 31, 2007, 04:24 AM
This article has a point, there may be some amount of FUD at work here.

Still, Leopard's firewall should have been enabled by default. All the more since Apple targets also non-technical-savvy users.

There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.

boz0
Oct 31, 2007, 04:37 AM
There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

Which is, IMO, a bad idea in general, and goes contrary to Apple's policy of "works by default".

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.

Definitely true, though there's something to say for not appearing on every script-kiddie's port scan.

rasputnik
Oct 31, 2007, 04:44 AM
(Apple chose to know what services you're running and not block by default)

Which is, IMO, a bad idea in general, and goes contrary to Apple's policy of "works by default".

But 'block by default' only 'works by default' if you know what services you're running :)

boz0
Oct 31, 2007, 04:55 AM
But 'block by default' only 'works by default' if you know what services you're running :)

No, no, they should block *everything*, regardless of the active services.

Besides, not doing so is illogical, as Leopard asks the user to explicitly declare which services they want to share. So, as long as the user hasn't decided to share a service, all ports should be firewalled.

Orge
Oct 31, 2007, 05:18 AM
By the look of it, the original report definitely has some holes in it - specifically, for the "block all incoming connections" results. However, this is still a poor show from Apple. I think there are 4 main issues here:

1. Shipping the firewall in a default state off.
2. Disabling the firewall settings even if you're upgrading from a configuration where it was originally on.
3. Potentially, leaving default services open with no clear indication in the firewall settings - in application mode.
4. Making it harder for savvy users to specify the exact configuration they would like to implement.

I appreciate that they have made some of these changes in an attempt to improve security for all users. However, I don't understand why they have shipped it with a default state of off. Additionally, it would have been better if there was an "advanced" dialogue which allowed explicit configurations and explained what the firewall was doing. It looks as if this may have changed from the earlier Leopard builds' FW GUI from Nov '06 (http://static.flickr.com/118/297927440_25a52d7a3a_o.jpg)?

Many people run behind "reasonable" hardware firewalls whilst at home. However, in addition to redundancy, the proliferation of wi-fi and Apple's success in the portable market mean that the software firewall is an important feature for OS X. I appreciate that Macs are less of a target for malicious attacks and viruses, but leaving the door open like this is like an invitation...

For those interested in improving the security of their Macs, you may want to have a look at configuring ipfw. There are a number of GUIs - WaterRoof seems to work ok on Leopard.

J

boz0
Oct 31, 2007, 05:38 AM
For those interested in improving the security of their Macs, you may want to have a look at configuring ipfw. There are a number of GUIs - WaterRoof seems to work ok on Leopard.


We'll have to check how the Leopard firewall settings in system preferences interact with active ipfw rules, and to make sure that starting a new service doesn't automatically open a hole in ipfw.

Beyond that, I can only recommend this excellent introduction to ipfw, called Exploring the MacOS X Firewall (http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html), including a step-by-step tutorial to set up ipfw.

Orge
Oct 31, 2007, 05:49 AM
We'll have to check how the Leopard firewall settings in system preferences interact with active ipfw rules, and to make sure that starting a new service doesn't automatically open a hole in ipfw.


Having checked, it doesn't appear that new rules are being added to ipfw... I imagine this is part of the reason that ipfw is initially set to allow all. Apple have effectively dumped it completely in favour of an application-level firewall. A better solution, albeit more complicated to develop, would have integrated these two components.

J

Evangelion
Oct 31, 2007, 06:06 AM
But 'block by default' only 'works by default' if you know what services you're running :)

Well, there are two ways to go about this: "block by default" or "allow by default". In either case, you need to know what services you are using. In the first case, you need to know them so you can actually make them work by opening the ports they need. In the latter case you need to know them so you can close the unneeded ports in order to secure your system.

Of the two, I would rather choose the former.

twoodcc
Oct 31, 2007, 06:08 AM
I'm sure there'll be a fix out for this shortly.

aLoC
Oct 31, 2007, 06:13 AM
Can you explain how a 'super' hacker is going to connect to a closed port?

No, didn't think so.

How super? Even if there is no service running on a port, code still runs when a packet arrives. It is the OS code which inspects the packet to determine its destination port and whether there is a service to redirect it to or not. A maliciously crafted packet could compromise this program and get it to start running the packet payload.

But then the same could be said of a firewall program I suppose. It doesn't make you fundamentally safer. There is still the fact that anyone on the Internet can cause code to run on your computer just by firing some comms your way.

mrpdn
Oct 31, 2007, 06:20 AM
I get the impression that the guy who wrote the original firewall review article was intentionally looking for a way to make the firewall look bad. I'm pretty OS agnostic, and am convinced that you can have a decent on-host firewall for any OS, and that you can also misconfigure it to offer little protection. Following are my test results, performed using nmap on the same LAN as a Macbook running OS X 10.5. The Macbook had no sharing of any kind enabled, but was using many SMB shares and other network applications.

http://padilla.net/osx-10.5_firewall_test

kakiser56
Oct 31, 2007, 06:36 AM
There is a good discussion on Slashdot about this: http://it.slashdot.org/article.pl?sid=07/10/30/188214

which may explain the issue. It appears to be a question of poor UI wording.
I'll let more knowledgeable people than me decide.

aliquis-
Oct 31, 2007, 06:39 AM
Can one use (I)PF with OS X?

Washac
Oct 31, 2007, 07:24 AM
turn off Universal Plug n' Play

Sorry to sound stupid, but where is the Universal Plug N Play setting ?

gnasher729
Oct 31, 2007, 07:26 AM
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is setup to block ALL traffic. No kidding, Leopard does. Though, there is no proof of concept exploit, yet, that's a totally unneccessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

If you want to stop all incoming traffic, there is a very simple solution. Unplug the network cable and/or turn WiFi off.

boz0
Oct 31, 2007, 07:50 AM
If you want to stop all incoming traffic, there is a very simple solution. Unplug the network cable and/or turn WiFi off.

What if I want to stop all unwanted incoming traffic and still use my laptop, both at home where I can comfortably sit behind my perimeter firewall, and on the road, using various hotspots?

Mr.damien
Oct 31, 2007, 08:05 AM
Software firewalls are basically useless anyway.

Firewall IS a software dude. Your sentence means nothing. :rolleyes:

What you call a hardware firewall is only a hardware box dedicated for running the firewall SOFTWARE.

MikeTheC
Oct 31, 2007, 08:23 AM
I can't speak to Leopard (since I don't run it and probably won't for some time), but I've really never had any complaints about Tiger's firewall.

Of course, I'm also sitting behind a DD-WRT-based router, so I'm not that worried.

legacyb4
Oct 31, 2007, 08:37 AM
Interesting. Since the weekend, I've had the firewall turned on with connections limited to specific applications (Remote Login, Screen Sharing, and Apple File Sharing). I'm behind a Linksys WRV54G with only web sharing being passed to my desktop on a WAP-enabled wireless network.

Yet, my firewall logs show the following:

Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6

The fact that these are even being logged is a bit odd since these are totally random IP addresses...

Not to mention the fact that I've had a steady stream of non-stop SSH login attempts from a few determined parties. All the more reason to tweak your SSH server's settings for better security (pubkey auth only, explicitly deny PasswordAuth, using AllowUsers and DenyUsers, etc.)

cohibadad
Oct 31, 2007, 09:20 AM
Seems rather unbelievable to fail "every" test. I tend to assume such articles are FUD until confirmed. FWIW I haven't used a firewall for years and I have both Windows and Macs. I am behind a NAT router. I am tempted to take a Mac and place it into the DMZ totally unprotected and see what happens. I doubt anything will but I could be surprised. I had a PC bare naked to the internet once. It was practically taken over with the strangest window advertising.

kingtj
Oct 31, 2007, 09:39 AM
Someone there suggested that this "security test" was completely flawed, because it appeared they tested whether these ports were "open" or "closed" from terminal prompts on the SAME MACHINE!

If that's true, that proves NOTHING. Even if you tell a firewall to deny all access to services, you're talking about denying them from over your ethernet connection. It wouldn't necessarily deny them from the localhost address on the same box.


Seems rather unbelievable to fail "every" test. I tend to assume such articles are FUD until confirmed. FWIW I haven't used a firewall for years and I have both Windows and Macs. I am behind a NAT router. I am tempted to take a Mac and place it into the DMZ totally unprotected and see what happens. I doubt anything will but I could be surprised. I had a PC bare naked to the internet once. It was practically taken over with the strangest window advertising.

hayesk
Oct 31, 2007, 10:06 AM
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.

The firewall in the AEBS works just fine. It's not the be-all and end-all of firewalls, nor was it intended to be. It's meant to be a simple incoming port-based firewall, which it does just fine.

hayesk
Oct 31, 2007, 10:14 AM
How super? Even if there is no service running on a port, code still runs when a packet arrives. It is the OS code which inspects the packet to determine its destination port and whether there is a service to redirect it to or not. A maliciously crafted packet could compromise this program and get it to start running the packet payload.

Could? Well, if that code is poorly written - but is that the case? There is a belief portrayed by the media that a skilled hacker can get into anything, which is simply not true. If there is a flaw in the code that routes network packets, then yes, but I haven't seen evidence of that in MacOS X.

jaw04005
Oct 31, 2007, 10:17 AM
Do you even know what this stealth mode is, what it does and how it works? this stealth word is just marketing BS and I totally agree with Chulani's response.

If you have an Airport Base Station, you are already behind NAT, which will make you 99% secure (I guess you are not the pentagon which gets hack attacks every day) unless you forward some obscure ports apart from the needed 80, 443 etc. which is exactly what your stealth mode would achieve. NAT will only forward the configured ports, and the rest would not work.

I understand that if your router is functioning properly, and you don't have unnecessary ports open—you're achieving the same protection as stealth mode. However, I do think the option to have a router not respond to certain outside requests is a good idea, and a feature that should be included in a $179 wireless router. There is something to it or Apple wouldn't have purposely built it in to Mac OS X's firewall. And yes, I do realize this is contrary to how the Internet is supposed to work—but I'm no web server.

0racle
Oct 31, 2007, 10:26 AM
Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.
Non Sequitur. Being or not being UNIX means nothing. The UNIX brand is not a seal of infallibility.

The more daemon processes that are listening for incoming connections, the larger the target you present. A firewall is supposed to lower your profile to prevent outside users from hitting those open ports. If this review is correct, the Leopard firewall is doing a poor job of it.

Because of development times, Leopard is running some versions of OSS that have many well known remotely exploitable bugs in them. If indeed the firewall is not preventing access to them, then being UNIX is not, and never, going to save you.

The short of it is simply this: UNIX is not a security brand.

tuartboy
Oct 31, 2007, 10:27 AM
I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?

Are you directly connected to your cable/DSL/FIOS modem or is it being routed? These days, 99.9% of the time there is a NAT router built in to your modem and that external IP is what Shields Up is testing, not your computer. To test your machine you would need to hook up directly to the internet or DMZ your machine, neither of which is a good idea.

Here are some important points for those newer to networking:

1) There is no such thing as a hardware firewall. A standalone firewall, yes, but all firewalls run firewalling software.
2) A NAT router is a firewall.
3) NAT routers default to allowing any outbound traffic on any port, but only inbound traffic that was solicited by an outbound connection.
4) If you are behind a NAT router (most are) you are protected from any unsolicited network attacks UNLESS:
   - You have any open ports you have explicitly set up
   - You have a DMZ'd machine (hope not)
   - You have UPnP on and an active service has opened a port (or the router didn't close it)
   - Your router stinks
5) A compromised system on your network means game over for that computer and potentially any other system on your network not protected by a software firewall. (This is why a bad Leopard firewall is a big deal.)
6) Once malware is on a system you can never be totally sure it is ever 100% OK until a complete OS wipe and reinstall.
7) An open port is only useful to a bad guy if there is an exploitable service listening to it. Historically, OS X has been very good about this and Windows has been poor.
8) Nothing will save you from a social engineering attack on OS X or Windows. (InSta1l ThIs for freE PRON!!!1)

Hope that helps to allay some fears.
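An added example, not from tuartboy's post or from any router vendor's firmware: a toy Python model of the connection tracking behind points 3 and 4 above, which also shows why point 5 holds. The WAN address, LAN addresses, ports and the sequential port-allocation scheme are constructed assumptions; real routers keep richer state (timeouts, TCP flags), but the allow/drop decisions they make follow this shape.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    """Toy model of a consumer NAT router's connection tracking (an assumption of
    this example): outbound flows are always allowed and recorded; an inbound
    packet is delivered only if it matches a recorded flow, an explicit port
    forward (which is also what a UPnP port mapping creates), or a DMZ host."""

    def __init__(self, wan_ip, lan_prefix="192.168.1.", dmz_host=None):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.dmz_host = dmz_host
        self.forwards = {}        # (proto, wan_port) -> (lan_host, lan_port)
        self.flows = {}           # (proto, wan_port) -> (lan_host, lan_port, remote, rport)
        self._next_wan_port = 40000

    def forward_port(self, proto, wan_port, lan_host, lan_port):
        """Explicit port forward; a UPnP 'AddPortMapping' from a LAN program ends up here too."""
        self.forwards[(proto, wan_port)] = (lan_host, lan_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the WAN address and remember the flow."""
        wan_port = self._next_wan_port
        self._next_wan_port += 1
        self.flows[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> WAN address. Returns (decision, packet delivered to the LAN or None)."""
        flow = self.flows.get((pkt.proto, pkt.dport))
        if flow and flow[2:] == (pkt.src, pkt.sport):
            lan_host, lan_port = flow[:2]             # solicited: a reply to our own connection
            return "reply", Packet(pkt.src, pkt.sport, lan_host, lan_port, pkt.proto)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd:                                       # point 4, first two bullets
            return "forwarded", Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.proto)
        if self.dmz_host:                             # DMZ: every unsolicited packet gets in
            return "dmz", Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport, pkt.proto)
        return "dropped", None                        # unsolicited, nothing mapped: dropped

    def lan_to_lan(self, pkt):
        """Traffic between two LAN hosts never crosses the router, so NAT state and
        port forwards play no part; only a firewall on the target host can filter it
        (point 5)."""
        if pkt.src.startswith(self.lan_prefix) and pkt.dst.startswith(self.lan_prefix):
            return "not_filtered_by_nat", pkt
        raise ValueError("not a LAN-to-LAN packet")


def demo():
    """Walk through the cases in the list above; returns the decisions in order."""
    r = NatRouter("198.51.100.7")                                    # constructed WAN address
    out = r.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 80))  # Mac browses a web site
    results = [
        r.inbound(Packet("203.0.113.5", 80, r.wan_ip, out.sport))[0],    # the web reply: solicited
        r.inbound(Packet("203.0.113.9", 4444, r.wan_ip, 22))[0],         # unsolicited SSH probe
    ]
    r.forward_port("tcp", 5900, "192.168.1.10", 5900)                    # explicit / UPnP opening
    results.append(r.inbound(Packet("203.0.113.9", 4444, r.wan_ip, 5900))[0])
    results.append(r.lan_to_lan(Packet("192.168.1.20", 6000, "192.168.1.10", 445))[0])
    r.dmz_host = "192.168.1.10"                                          # DMZ'd machine
    results.append(r.inbound(Packet("203.0.113.9", 4444, r.wan_ip, 22))[0])
    return results
```

The last two cases are the ones the thread keeps circling back to: a packet from another machine on the same LAN is never seen by the NAT box at all, and a DMZ host gets every unsolicited packet the Internet sends, so in both situations the only filter left is the one on the Mac itself.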

tuartboy
Oct 31, 2007, 10:29 AM
Non Sequitur. Being or not being UNIX means nothing. The UNIX brand is not a seal of infallibility.

The more daemon processes that are listening for incoming connections, the larger the target you present. A firewall is supposed to lower your profile to prevent outside users from hitting those open ports. If this review is correct, the Leopard firewall is doing a poor job of it.

Because of development times, Leopard is running some versions of OSS that have many well known remotely exploitable bugs in them. If indeed the firewall is not preventing access to them, then being UNIX is not, and never, going to save you.

The short of it is simply this: UNIX is not a security brand.

Agreed. My previous post didn't make this point at all, but it's very true.

OS X is not infallible. Especially running older packages.

ccroo
Oct 31, 2007, 11:10 AM
Is the firewall "on" when you choose "Set access for specific services and applications?"

In Tiger you could choose a similar option and indicate which apps get past the firewall -- you could even assign them a specific port. A list gets populated in the Leopard firewall panel too, but it includes apps you blocked as well as the apps you've opened a port for. Are apps missing from this list not blocked until you add them as blocked? Confusing to me and not very confidence inspiring.

Raoul

Samuca
Oct 31, 2007, 11:24 AM
Why am I showing the following activities in my log?

This thread made me check my firewall in 10.5 and to check the log. I connect via an airport express (firewall 1) connected to a voip router (firewall 2). But I have logged the following messages:

Oct 30 23:36:55 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50625 from 12.129.xxx.xx:80
Oct 30 23:36:56 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x.:50626 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50627 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50628 from12.129.xxx.xx:80
Oct 30 23:36:58 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50630 from 12.129.xxx.xx:80
Oct 30 23:37:01 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to UDP 10.0.x.x:52392 from 10.0.x.x:53
Oct 30 23:37:17 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50647 from 206.191.xxx.x:80
Oct 30 23:37:47: --- last message repeated 2 times ---
Oct 30 23:57:42 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50871 from 64.154.xx.x:80

Shouldn't I not be able to see these attempts on my 10.5 firewall log? Or is this a sign that my airport and voip router are not effective? Thanks for your thoughts.:)
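An added example, not from either poster: a small Python parser for the two kinds of Leopard Firewall log lines quoted in this thread (legacyb4's "Allow AppleVNCServer connecting from ..." entries and the "Stealth Mode connection attempt" entries above). It flags allowed inbound connections from non-private addresses for review, and separates stealth entries whose source port is a service the Mac would have contacted itself (80, 443, 53) aimed at a high local port, which are most plausibly late packets from the Mac's own outbound web and DNS connections, from everything else. The reply-port set and the one extra probe line (203.0.113.9, a documentation address) are constructed assumptions; the other sample lines are the ones posted in the thread, masked octets included.

```python
import re
from collections import Counter

# Two line shapes from the Leopard application firewall log as quoted in this thread.
# Posters masked some octets with "x", so address fields accept letters as well.
_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Firewall\[\d+\]: "
ALLOW_RE = re.compile(
    _PREFIX + r"(?P<action>Allow|Deny) (?P<app>\S+) connecting from "
    r"(?P<src>[\w.]+):(?P<sport>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$")
STEALTH_RE = re.compile(
    _PREFIX + r"Stealth Mode connection attempt to (?P<l4>TCP|UDP) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) from ?(?P<src>[\w.]+):(?P<sport>\d+)$")

# Source ports from which a straggler packet is expected after one of the Mac's own
# outbound connections (web and DNS replies). Assumption used by the heuristic.
REPLY_PORTS = {80, 443, 53}

# Sample input: legacyb4's and Samuca's lines as posted, plus one constructed probe line.
SAMPLE_LOG = """
Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6
Oct 30 23:36:55 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50625 from 12.129.xxx.xx:80
Oct 30 23:36:56 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x.:50626 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50627 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50628 from12.129.xxx.xx:80
Oct 30 23:36:58 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50630 from 12.129.xxx.xx:80
Oct 30 23:37:01 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to UDP 10.0.x.x:52392 from 10.0.x.x:53
Oct 30 23:37:17 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50647 from 206.191.xxx.x:80
Oct 30 23:37:47: --- last message repeated 2 times ---
Oct 30 23:57:42 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50871 from 64.154.xx.x:80
Oct 31 01:02:03 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:22 from 203.0.113.9:51234
"""


def is_private(addr):
    """RFC 1918 / loopback check that tolerates masked octets such as 10.0.x.x."""
    octets = addr.split(".")
    if not octets[0].isdigit():
        return False
    first = int(octets[0])
    if first in (10, 127):
        return True
    if first == 192 and octets[1:2] == ["168"]:
        return True
    if first == 172 and len(octets) > 1 and octets[1].isdigit() and 16 <= int(octets[1]) <= 31:
        return True
    return False


def parse_line(line):
    """Return a dict describing one log line, or None for lines not modelled here
    (syslog 'last message repeated' markers, unrelated entries)."""
    m = ALLOW_RE.match(line)
    if m:
        d = m.groupdict()
        src = d["src"].rstrip(".")
        if d["action"] != "Allow":
            cat = "denied"
        elif is_private(src):
            cat = "allowed_from_lan"
        else:
            cat = "allowed_from_public"      # the entries worth a second look
        return {"kind": "app", "app": d["app"], "src": src, "sport": int(d["sport"]),
                "uid": int(d["uid"]), "category": cat}
    m = STEALTH_RE.match(line)
    if m:
        d = m.groupdict()
        src, dport, sport = d["src"].rstrip("."), int(d["dport"]), int(d["sport"])
        # A packet from a well-known service port to one of our ephemeral ports is most
        # likely a straggler from a connection we opened (e.g. a web server's FIN arriving
        # after the browser closed the socket); anything else is treated as unsolicited.
        cat = "likely_late_reply" if sport in REPLY_PORTS and dport >= 1024 else "unsolicited_probe"
        return {"kind": "stealth", "l4": d["l4"], "dst": d["dst"].rstrip("."),
                "dport": dport, "src": src, "sport": sport, "category": cat}
    return None


def parse_log(text):
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]


def summarize(text):
    """Counter of categories; 'allowed_from_public' is the bucket to review when,
    as in the thread, nothing should be reachable from the Internet."""
    return Counter(e["category"] for e in parse_log(text))


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:22s} {n}")
```

Run against the lines above, every one of legacyb4's entries lands in "allowed_from_public" (the addresses are not RFC 1918 space, which is what makes them worth chasing back to the router's port-forward or Back to My Mac settings), while all of Samuca's entries land in "likely_late_reply": each arrives from port 80 or 53 to a high local port, so the perimeter routers are not letting probes through, the Mac is just logging tail-end packets of its own connections.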

Mitch1984
Oct 31, 2007, 11:35 AM
Thing is, Mac users have never said that the OS is more secure because of the technology; they mean it's more secure because no one bothers to hack it. I always read or get people touting that Mac isn't any more secure. I think people have misunderstood.

glennyboiwpg
Oct 31, 2007, 11:43 AM
So I don't get it.

Wasn't Leopard in public beta (testing) mode for the last... forever?


Didn't anyone point this out? How did something as public as firewall configuration/performance get missed?

hmmfe
Oct 31, 2007, 11:47 AM
Are you directly connected to your cable/DSL/FIOS modem or is it being routed? These days, 99.9% of the time there is a NAT router built in to your modem and that external IP is what Shields Up is testing, not your computer. To test your machine you would need to hook up directly to the internet or DMZ your machine, neither of which is a good idea.

Here are some important points for those newer to networking:

1) There is no such thing as a hardware firewall. A standalone firewall, yes, but all firewalls run firewalling software.
2) A NAT router is a firewall


All firewalls run on hardware too, so I guess there is no such thing as software firewalls either? You need both hardware and software to make a firewall device work. This is not the critical distinction and is really just semantics. There are host-based firewalls, network-based firewalls and gateway firewalls. All of the above run software and run on hardware. In the business, hardware firewalls specifically refer to security appliances that use ASICs rather than general purpose CPUs to process packets. Yes, you still need software to make everything work but the processing is done in hardware (this is similar to the hardware/software RAID distinction).

A NAT router provides some protection but it is not a firewall even though some people use it as such. It is similar to using saran wrap instead of a condom. Yes, it does provide some protection but saran wrap is still not a condom.

Rodimus Prime
Oct 31, 2007, 11:55 AM
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

As it has been pointed out, a lot of the attacks that hit Windows are targeting non-updated computers, and a lot of people (Mac users included) do not keep up to date. If you noticed, M$ quit saying what the security threat was in their updates beyond being very general about it, because people were using that information to figure out how to exploit it on people who fail to stay updated.

compuguy1088
Oct 31, 2007, 12:12 PM
The router I'm using is a Wired Router. I don't allow wireless in the house. So, the router has no wireless capabilities.

But, it does have a firewall built-in. Basically, it is supposed to filter all incoming and outgoing communications. It appears to be pretty thorough. I've configured all the settings, and such and used various online scanners, and none of them have reported a weakness.

Hopefully, it is good. It's one of those things where you never know how good something is until it fails.

The link is rather long, so here's a tinyURL to the page with information on the router / Firewall I'm using:

http://tinyurl.com/25shvh

It definitely has more firewall features to configure than the OS X firewall. So, it seems pretty thorough. Hopefully it is as secure as it seems.

I have the same router as well....it seems to be pretty secure....though I do not use the OSX firewall, nor did I use it with Tiger. I don't share any folders anyway.

speedbird
Oct 31, 2007, 12:22 PM
Well this is somewhat disappointing.

Worry not. I wouldn't put too much thought into it. In my humble opinion, this is a typical FUD (http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt) case article.

Anyone concerned about security that relies on software-only for security protection deserves a smack in the head.

Even if you are behind your good'ol "Linksys" router, "firewalled" et al, the chances of your Mac being hacked are rather slim, now, enable this "insecure" firewall on your Mac and I bet the chances will be even slimmer.

Here's a hint, get yourself a nice and secure router with firewall option (around $50.00-ish), configure the firewall for your security needs (unpingeable, close ports for idiotic broadcast services, etc), disable your "insecure" Mac firewall and live happy..

-- sb

vansouza
Oct 31, 2007, 12:41 PM
With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that the ports, not one of them, showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on. Now for the question: how is that not sufficient protection? I am not the Pentagon, or the Bank of America, or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!

savar
Oct 31, 2007, 12:52 PM
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.

That's a weird thing to say: "where you go online is much more crucial to security than running some stupid firewall."

If you have exposed ports, it doesn't matter "where you go" (whatever that even means)...people will come find you.

If your router can capture logs, turn that feature on and take a look at it sometime. There are thousands of people all around the world who have computers scanning the net (which in IPv4 is still pretty small, about 4bn addresses) for open ports. You will see your own computer receiving literally hundreds or thousands of probes every day. Those probes are usually bad (or perhaps just mischievous) people trying to see what services you have exposed on your computer, and once they find out you're running those services they run the battery of attacks that exploit that service. The tools to do so are actually shockingly powerful. They can potentially fingerprint what kind of OS/hardware you're running, then automatically run all of the potential cracks against that OS/hardware combination that are known to exist.

Rodimus Prime
Oct 31, 2007, 12:53 PM
With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that the ports, not one of them, showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on: Now for the question. How is that not sufficient protection. I am not the pentagon, or the Bank of America or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!

The problem with just a hardware firewall like the Netgear is that it is great for stopping inbound traffic but worthless at stopping outbound traffic.

A software firewall is not as good at stopping inbound but much better at stopping outbound traffic. This is the reason why it is a good idea to run both. One handles inbound better the other handles outbound better.

weaverra
Oct 31, 2007, 12:57 PM
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

As it has been pointed out, a lot of the attacks that hit Windows are targeting non-updated computers, and a lot of people (Mac users included) do not keep up to date. If you noticed, M$ quit saying what the security threat was in their updates beyond being very general about it, because people were using that information to figure out how to exploit it on people who fail to stay updated.
The point is that this Heise Security was guessing at the risk if there ever was any. They obviously need to do some more research before they reach a conclusion. What I find funny is that all the Mac vulnerabilities have alleged security risk which means they are not sure and most likely it's nothing anyway.

baummer
Oct 31, 2007, 01:02 PM
To test which ports are open, use the network utility found in the utilities folder.

katorga
Oct 31, 2007, 01:12 PM
I have my mac set to stealth, deny incoming connections and no services enabled. I ran some of the tests in the article and could not match his results. Nmap returns no open ports. But, if the firewall allows any application to open ports and start listening, it will be very easy to drive-by-download a trojan or RAT that starts a listener.

That said, the firewall was DISABLED by default. That is BAD.

The firewall is not running ipfw.

The running process appears to be /usr/libexec/ApplicationFirewall/socketfilterfw

I have no clue how to handle rules with this; if they can be manually tweaked; and what happens if I run ipfw.

legacyb4
Oct 31, 2007, 01:19 PM
I have a feeling this might have to do with the "Back to my Mac" functionality that was enabled on .Mac. Turning it off now since it's just as easy to tunnel Shared Screens (VNC) through an SSH tunnel.

Interesting. Since the weekend, I've had the firewall turned on with connections limited to specific applications (Remote Login, Screen Sharing, and Apple File Sharing). I'm behind a Linksys WRV54G with only web sharing being passed to my desktop on a WAP-enabled wireless network.

Yet, my firewall logs show the following:

Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6

The fact that these are even being logged is a bit odd since these are totally random IP addresses...

Not to mention the fact that I've had a steady stream of non-stop SSH login attempts from a few determined parties. All the better reason to tweak your SSH server's settings for better security (pubkey auth only, explicitly deny PasswordAuth, using the AllowUsers and DenyUsers, etc.)
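
An added example (not code from the post or from Apple): a small Python parser for the firewall log format quoted above that flags accepted connections whose source lies outside the networks that should be able to reach a machine sitting behind a NAT router, and tallies them per program and uid. The sample log lines are constructed from that format using documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

# Format of the Leopard application firewall's log lines as quoted in the post above.
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) Firewall\[(?P<fwpid>\d+)\]: "
    r"(?P<action>Allow|Deny) (?P<program>\S+) connecting from "
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$"
)

# IP protocol numbers as they appear in the "proto=" field.
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": f"{d['month']} {d['day']} {d['time']}",
        "host": d["host"],
        "action": d["action"],
        "program": d["program"],
        "src_ip": d["src_ip"],
        "src_port": int(d["src_port"]),
        "uid": int(d["uid"]),
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
    }


def unexpected_allows(lines, expected_source_networks):
    """Allowed inbound connections whose source is outside the networks that
    should be able to reach the host at all (here: the home LAN behind NAT).
    Denied connections are ignored; only what got through is of interest."""
    nets = [ipaddress.ip_network(n) for n in expected_source_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Allow":
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        if not any(src in net for net in nets):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged connections per (program, uid) so a root-owned service
    accepting connections from the Internet stands out immediately."""
    return Counter((h["program"], h["uid"]) for h in hits)


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 198.51.100.17:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 203.0.113.9:32916 uid = 0 proto=6
Oct 29 04:02:10 MacBook Firewall[53]: Allow AppleVNCServer connecting from 192.168.1.20:51234 uid = 0 proto=6
Oct 29 04:05:41 MacBook Firewall[53]: Deny sshd connecting from 203.0.113.9:40111 uid = 0 proto=6
Oct 29 04:06:02 MacBook Firewall[53]: Allow iTunes connecting from 192.168.1.31:49210 uid = 501 proto=6
kernel: unrelated line that is not a firewall record
"""

if __name__ == "__main__":
    hits = unexpected_allows(SAMPLE_LOG.splitlines(), ["192.168.1.0/24"])
    for h in hits:
        print(f"{h['timestamp']} {h['program']} (uid {h['uid']}) accepted "
              f"{h['proto']} from {h['src_ip']}:{h['src_port']}")
    for (prog, uid), n in summarize(hits).items():
        print(f"{prog} uid={uid}: {n} connection(s) from outside the LAN")
```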

rpp3po
Oct 31, 2007, 01:21 PM
Everything has been said about this story. Just read http://leofud.blogspot.com.

bogman12
Oct 31, 2007, 01:26 PM
AWESOME! Thanks.. more reason not to get Leopard

savar
Oct 31, 2007, 01:26 PM
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

I don't think anybody is defending Apple here...I'm just personally surprised that such a widely tested system would have such a fundamental flaw in it.

Thousands of developers tested this software for months, and having a missing firewall should have been pretty obvious to somebody. And if Apple tweaked the firewall settings right before they pressed the GM disc...then they are really stupid.

Until we get confirmation from some other authorities, I think we need to take any news like this skeptically. (Unknown site outs security flaws without explicitly showing how to recreate their results? Yawn...I'll pass.)

hassiman
Oct 31, 2007, 01:28 PM
Hi,

I support WinDoze machines for a living in an EDU environment and you better believe that viruses and malware are a real problem... even with a pro level hardware firewall on our network we still have problems.

I have yet to learn the ins and outs of the Leopard firewall as I just installed it last night... but within the first 45 minutes I turned the firewall on and set it to reject all incoming and Stealth. I am also behind a LinkSys WRTG54s router/wireless but I have the wireless turned off and my MacPro is hardwired to it.

Apple has enough time to improve Leopard security for the attacks that are sure to come:eek:... I think Leopard is a good start:D

astewart
Oct 31, 2007, 01:49 PM
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.

Doesn't Little Snitch only block outgoing traffic from one's computer? Not incoming?

vansouza
Oct 31, 2007, 01:56 PM
AWESOME! Thanks.. more reason not to get Leopard

Did you read it carefully?

hagjohn
Oct 31, 2007, 01:56 PM
Worry not. I wouldn't put too much thought on it. In my humble opinion, this is a typical FUD (http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt) case article.

Anyone concerned about security that relies on software-only for security protection deserves a smack in the head.

Even if you are behind your good ol' "Linksys" router, "firewalled" et al, the chances of your Mac being hacked are rather slim; now, enable this "insecure" firewall on your Mac and I bet the chances will be even slimmer.

Here's a hint: get yourself a nice and secure router with firewall option (around $50.00-ish), configure the firewall for your security needs (unpingable, close ports for idiotic broadcast services, etc), disable your "insecure" Mac firewall and live happy..

-- sb

I guess you don't leave your house with your Mac... laptops are mobile. I hook up to customer networks/WIFI sites numerous times a week. I would rather not rely on others for my protection. ... not to mention Leopard update had the firewall off. If I had not been here reading, I probably would have thought it was still on.

paja
Oct 31, 2007, 02:07 PM
LOL,

Another one of Leopard's secret features revealed.

The elusive Firewall

Don't bogart that port my friend

vansouza
Oct 31, 2007, 02:28 PM
Originally Posted by Rodimus Prime View Post
"I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS."

And why do you always presume the opposite? The article is FUD, we are correct in assessing as such; the firewall works for crap sakes; even in the off position I report out as safely hidden. What else do we need to do?

brownbird
Oct 31, 2007, 02:38 PM
My Mac passed all the shields up tests. I'm on 10.5. So, just because the Leopard firewall isn't as informative as the Tiger firewall doesn't mean it's not working.

breal8406
Oct 31, 2007, 02:41 PM
I passed Symantec's security check feature on their website with Leopard's firewall enabled

flyinmac
Oct 31, 2007, 02:49 PM
I passed Symantec's security check feature on their website with Leopard's firewall enabled

I've run their test several times in the past. I've passed each time.

The interesting thing, is that it always says I've passed, and then says it recommends Norton Internet Security as a "Fix".

It always suggests a "Fix" or "Solution" even if there is no problem.

I've always found it humorous that they actually propose to fix the problem I have of a functioning and secure firewall.

Apparently I need a Norton product to fix the problem of it doing its job.

"Hey, it's working, I know how to fix this. Install our program and the problem is gone. Oh, wait, you want security, oh, sorry" :D

breal8406
Oct 31, 2007, 03:05 PM
I've run their test several times in the past. I've passed each time.

The interesting thing, is that it always says I've passed, and then says it recommends Norton Internet Security as a "Fix".

It always suggests a "Fix" or "Solution" even if there is no problem.

I've always found it humorous that they actually propose to fix the problem I have of a functioning and secure firewall.

Apparently I need a Norton product to fix the problem of it doing its job.

"Hey, it's working, I know how to fix this. Install our program and the problem is gone. Oh, wait, you want security, oh, sorry" :D

I just thought it was interesting cuz if what these criticisms are saying is true then you'd think that Norton would be trying to capitalize on it and sell some software. It's not like they haven't tried to capitalize on it before if my memory serves me well....but on false alarms about that Mac virus that finally popped up:eek:

I think MDN just published an article where Intego issued a statement about this Trojan horse that apparently is going around porn sites posing as a video codec for QuickTime. Capitalizes on the fact you need an admin password to install such things to gain root access. Anyways..... they're using it to try to sell software.

When my Mac starts behaving like a Windows machine, maybe I'll buy into their sales pitch. So far though, the native security in OS X has done me just fine. Although I will concede that perhaps a hardware-based firewall isn't a half bad idea...

Detektiv-Pinky
Oct 31, 2007, 03:16 PM
With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that not one of the ports showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on. Now for the question: how is that not sufficient protection? I am not the Pentagon, or the Bank of America, or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!

Can it be that there is a serious flaw in your reasoning here?

With your setting you are testing the Firewall features of your Netgear router and not the Leopard Firewall.
Turn off the Firewall and any NAT in your Netgear router and then repeat those tests.

ChrisA
Oct 31, 2007, 03:32 PM
Apple tells you that 'normally the OS is choosing for which programs it allows incoming connections'; that is not something I want my firewall to do.

Why not? This is the real issue here. Can anyone answer this?

What Apple did was to put in some automation so that typical users would not do something stupid in the name of "Security". From reading all these posts I think Apple did the right thing. Users seem to not even understand what firewalls do.

Here is what they did that caused the "hole": When a user turns on a service like say "FTP" the firewall ports associated with FTP (20 and 21 from memory) are unblocked automatically. Why is this bad? If you wanted the FTP server what good is it if you block the associated ports? Your server would be useless. Same goes for SSH and 100 other services, I can't see any reason to run the service behind a closed firewall.

Now things get a lot different if the firewall is running inside its own box, because in this case there could be any number of computers going through the router. Then it WOULD make sense to run an FTP server on an office machine and close the ports on the hardware router box so everyone in the office can get to the FTP server but no one on the Internet could.

But you would never want to block the ports on the machine running the server.

Next question: Why would we EVER need a software firewall on a Mac? Seriously. Is there a scenario where it helps? Let's go back to FTP. Let's say I have a Mac directly connected to the Internet with no firewall. Someone finds my computer and tries to open a connection on port 21. What will happen? Nothing, because I'm not running FTP and not listening on 21. So if I block 21 or not I get the same result, nothing. So why block it?

Firewalls make the most sense in a larger organization where we don't know if some idiot is running a misconfigured FTP server on his PC, so we add a firewall which makes that impossible.

flyinmac
Oct 31, 2007, 03:33 PM
I just thought it was interesting cuz if what these criticisms are saying is true then you'd think that Norton would be trying to capitalize on it and sell some software. It's not like they haven't tried to capitalize on it before if my memory serves me well....but on false alarms about that Mac virus that finally popped up:eek:

I think MDN just published an article where Intego issued a statement about this Trojan horse that apparently is going around porn sites posing as a video codec for QuickTime. Capitalizes on the fact you need an admin password to install such things to gain root access. Anyways..... they're using it to try to sell software.

When my Mac starts behaving like a Windows machine, maybe I'll buy into their sales pitch. So far though, the native security in OS X has done me just fine. Although I will concede that perhaps a hardware-based firewall isn't a half bad idea...

I'm sure Symantec will attempt to capitalize on it if the claims are proven true.

It's only been a couple of days. So, I expect it will take a bit longer for an absolute answer to prevail.

The one Virus I have gotten on a Mac was discovered by Norton Antivirus though.

It was back in 1998 or 1999. I was running OS 8.1 or 8.5 (not sure at the moment - been a long time). I had wrongly assumed I was safe because I was using a Mac and not Windows (although I had other Windows computers around).

And, it was not until I decided to buy Norton Antivirus and installed it that I discovered the virus. I don't recall what it was called, but it was easily removed and taken care of.

I was quite surprised because I had never even used the machine on the Internet (it was a stand alone system). It was just for messing around. So, the only thing ever installed on it came from trusted publishers on CD-ROM (usually retail purchases).

Eventually, I tracked down the source. It was a CD that came with Mac Addict magazine. It came with a demo of Tomb Raider. Turns out that Tomb Raider was carrying a virus. It was a Mac OS virus. It was not simply a Windows virus residing on the system.

Mac Addict confirmed it to be true. They sent out an apology to their subscribers, and printed a statement in the next issue of their magazine.

They promised a replacement disk (which was virus free), but despite asking for it, I never did receive the replacement CD.

That is my one experience with a Mac Virus. I'm sure someday someone will care enough to write another one.

gwangung
Oct 31, 2007, 03:39 PM
A lot of this doesn't pass the sniff test; that such an egregious flaw went unnoticed seems incredible.

On the other hand, the firewall being turned off by default is bad---why on heaven's name would that be a good thing as a default?

vansouza
Oct 31, 2007, 03:40 PM
Can it be that there is a serious flaw in your reasoning here?

With your setting you are testing the Firewall features of your Netgear router and not the Leopard Firewall.
Turn off the Firewall and any NAT in your Netgear router and then repeat those tests.

I want and need the protection of my hardware; I want and need the protection that Leopard provides. I would not dare be on the net/www without my hardware protection. I just meant I am done with this, I feel safe with the hardware and software protection that I have in place; it is totally sufficient that probes report that nothing is here to report on. I did set the firewall to block all incoming connections. I will just have to see if that diminishes my performance any.

I did not mean to be rude to anyone; I just think that the article that started this all is to be held in suspicion as it is a MS house. Sorry if I offended anyone. The crowd reminds me, this Halloween, of the mob chasing the monster Frankenstein; I am just not convinced the monster is real.

Detektiv-Pinky
Oct 31, 2007, 03:53 PM
Why not? This is the real issue here. Can anyone answer this?

What Apple did was to put in some automation so that typical users would not do something stupid in the name of "Security". From reading all these posts I think Apple did the right thing. Users seem to not even understand what firewalls do.

Here is what they did that caused the "hole": When a user turns on a service like say "FTP" the firewall ports associated with FTP (20 and 21 from memory) are unblocked automatically. Why is this bad? If you wanted the FTP server what good is it if you block the associated ports? Your server would be useless. Same goes for SSH and 100 other services, I can't see any reason to run the service behind a closed firewall.

Now things get a lot different if the firewall is running inside its own box, because in this case there could be any number of computers going through the router. Then it WOULD make sense to run an FTP server on an office machine and close the ports on the hardware router box so everyone in the office can get to the FTP server but no one on the Internet could.

But you would never want to block the ports on the machine running the server.

Next question: Why would we EVER need a software firewall on a Mac? Seriously. Is there a scenario where it helps? Let's go back to FTP. Let's say I have a Mac directly connected to the Internet with no firewall. Someone finds my computer and tries to open a connection on port 21. What will happen? Nothing, because I'm not running FTP and not listening on 21. So if I block 21 or not I get the same result, nothing. So why block it?

Firewalls make the most sense in a larger organization where we don't know if some idiot is running a misconfigured FTP server on his PC, so we add a firewall which makes that impossible.

Hi Chris,

why do I think it is bad to have this automatism in the firewall?
Quite simple. Maybe because I distrust automatisms? Just because some program is started that listens on a port, the OS decides the FW should get a rule that lets traffic through?
Think of a rootkit or backdoor in your computer. You download some shiny freeware from some website, install it and anybody out there can now connect to your Mac - scary!
I would at least expect to get some confirmation message from the FW asking me ('Are you OK with the fact that your computer is now reachable for everyone on the Internet?')

Regarding your second question: You are right. The best thing for security would be not to have any programs listening for connections at all - End of Story! However, sometimes this is just not convenient or feasible. A firewall is useful here to control who can connect to your computer. On a public server (e.g. FTP) it makes no sense to have a FW. On your private computer you are usually not offering a service to everyone, but to a small circle of trusted users/sites. Here a firewall gives you control over who this trusted few might be.

So in short: If there were no services listening for connections on your Mac (which is not the case on an out of the box system) you would need no firewall. Since this is not the case I want a system that is deterministic and can be trusted to not make arbitrary choices.

Maybe this clarifies the issue a little.

Detektiv-Pinky
Oct 31, 2007, 03:58 PM
I want and need the protection of my hardware; I want and need the protection that Leopard provides. I would not dare be on the net/www without my hardware protection. I just meant I am done with this, I feel safe with the hardware and software protection that I have in place; it is totally sufficient that probes report that nothing is here to report on. I did set the firewall to block all incoming connections. I will just have to see if that diminishes my performance any.

I did not mean to be rude to anyone; I just think that the article that started this all is to be held in suspicion as it is a MS house. Sorry if I offended anyone. The crowd reminds me, this Halloween, of the mob chasing the monster Frankenstein; I am just not convinced the monster is real.

I am most certainly not offended. I only want to point out that there are situations (such as taking your Macbook on the road) where your sole line of defense is the inbuilt defenses of the OS and no fancy HW router/firewall to help you.

This is what had been tested and has failed the test.
You are quite right to take this extra precaution in your set-up. But please do not talk as if there is no issue here with what has been implemented by Leopard. It might be no issue for your particular set-up, but this is not the general case for everybody.

hexor
Oct 31, 2007, 04:05 PM
I can not believe MacRumors posted a reference to this company and this "test". It was a completely flawed and bogus test just to get PR. Haven't we learned from the Airport wireless fiasco? MacRumors should remove this article from their front page and quit spreading garbage.

Please read the following:


Setting firewall access for services and applications
Mac OS X includes a firewall: a security measure that protects your computer when you’re connected to a network or the Internet. If you turn on a sharing service, such as file sharing, Mac OS X opens a specific port in the firewall for the service to communicate through. When you open the Firewall pane of Security preferences, any sharing services turned on in Sharing preferences, such as File Sharing or Remote Apple Events, appear in the list.

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access.

IMPORTANT: Some programs have access through the firewall although they don’t appear in the list. These might include system applications, services, and processes (for example, those running as “root”). They can also include digitally signed programs that are opened automatically by other programs. You might be able to block these programs’ access through the firewall by adding them to the list.

To add an application to the list, select “Set access for specific services and applications” in the Firewall pane of Security preferences, click Add (+) at the bottom of the list, and then select what you want to add. After the program is added, click its up and down arrows to allow or block connections through the firewall.

Blocking a program’s access through the firewall could affect the performance of other applications and services you use.

Detektiv-Pinky
Oct 31, 2007, 04:08 PM
I can not believe MacRumors posted a reference to this company and this "test". It was a completely flawed and bogus test just to get PR. Haven't we learned from the Airport wireless fiasco? MacRumors should remove this article from their front page and quit spreading garbage.

Please read the following:


Setting firewall access for services and applications
Mac OS X includes a firewall: a security measure that protects your computer when you’re connected to a network or the Internet. If you turn on a sharing service, such as file sharing, Mac OS X opens a specific port in the firewall for the service to communicate through. When you open the Firewall pane of Security preferences, any sharing services turned on in Sharing preferences, such as File Sharing or Remote Apple Events, appear in the list.

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access.

IMPORTANT: Some programs have access through the firewall although they don’t appear in the list. These might include system applications, services, and processes (for example, those running as “root”). They can also include digitally signed programs that are opened automatically by other programs. You might be able to block these programs’ access through the firewall by adding them to the list.

To add an application to the list, select “Set access for specific services and applications” in the Firewall pane of Security preferences, click Add (+) at the bottom of the list, and then select what you want to add. After the program is added, click its up and down arrows to allow or block connections through the firewall.

Blocking a program’s access through the firewall could affect the performance of other applications and services you use.

Proving exactly what?

Edit:
Similar to the Microsoft favourite 'It is not a bug - it is a feature!'?

123
Oct 31, 2007, 06:08 PM
There's obviously something wrong with the "Block all incoming connections" setting:

TCP scan with firewall turned off:

sepp@deesli:~$ sudo nmap -sS 192.168.2.250

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:16 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
548/tcp open afpovertcp


After blocking everything:

sepp@deesli:~$ sudo nmap -sS 192.168.2.250

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:20 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
88/tcp open kerberos-sec
548/tcp filtered afpovertcp


And indeed, port 88 is still completely open:

sepp@deesli:~$ telnet 192.168.2.250 88
Trying 192.168.2.250...
Connected to 192.168.2.250.
Escape character is '^]'.


Same for UDP stuff, for example ntp can still be accessed even if all incoming connections are supposedly blocked:

sepp@deesli:~$ sudo /usr/sbin/ntpdate -d 192.168.2.250
31 Oct 23:33:23 ntpdate[1959]: ntpdate 4.2.4p3@1.1502-o Mon Aug 13 16:20:20 UTC 2007 (1)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
192.168.2.250: Server dropped: strata too high
server 192.168.2.250, port 123
stratum 16, precision -20, leap 11, trust 000
refid [192.168.2.250], delay 0.02582, dispersion 0.00000
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 7:28:16.000
originate timestamp: cad3812e.1b99ef55 Wed, Oct 31 2007 23:33:18.107
transmit timestamp: cad38133.678476f2 Wed, Oct 31 2007 23:33:23.404
filter delay: 0.02594 0.02582 0.02582 0.02582
0.00000 0.00000 0.00000 0.00000
filter offset: -5.29667 -5.29670 -5.29670 -5.29670
0.000000 0.000000 0.000000 0.000000
delay 0.02582, dispersion 0.00000
offset -5.296705

31 Oct 23:33:23 ntpdate[1959]: no server suitable for synchronization found


but should look like this: (using a real firewall: sudo ipfw add 100 deny all from any to any 123 in)

sepp@deesli:~$ sudo /usr/sbin/ntpdate -d 192.168.2.250
31 Oct 23:34:12 ntpdate[1960]: ntpdate 4.2.4p3@1.1502-o Mon Aug 13 16:20:20 UTC 2007 (1)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
192.168.2.250: Server dropped: no data
server 192.168.2.250, port 123
stratum 0, precision 0, leap 00, trust 000
refid [192.168.2.250], delay 0.00000, dispersion 64.00000
...
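
The before/after comparison in the post above done programmatically, as an added example (not the poster's script): it parses Nmap's normal text output for both scans, reports which open ports the "Block all incoming connections" setting actually covered and which are still reachable, and audits the per-application mode against the set of ports you meant to allow. The scan text is constructed to mirror the two scans quoted above.

```python
import re

# One row of Nmap's port table, e.g. "22/tcp open ssh" or "123/udp open|filtered ntp".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap(text):
    """Map (port, proto) -> (state, service) from Nmap's normal text output.
    Header and summary lines do not match the pattern and are skipped."""
    results = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            results[(int(m["port"]), m["proto"])] = (m["state"], m["service"])
    return results


def policy_leaks(before, after):
    """Ports open with the firewall off that still report 'open' after
    'Block all incoming connections' was enabled. A correct block policy
    should leave none of these; each one is a service the block does not cover."""
    return {
        key: service
        for key, (state, service) in before.items()
        if state == "open" and after.get(key, ("closed", service))[0] == "open"
    }


def now_filtered(before, after):
    """Ports the block policy did take effect on (open -> filtered)."""
    return {
        key: service
        for key, (state, service) in before.items()
        if state == "open" and after.get(key, ("closed", service))[0] == "filtered"
    }


def unexpected_open(scan, allowed_ports):
    """For the per-application mode: open ports that are not in the set of
    ports you deliberately allowed (e.g. 22 for Remote Login, 548 for File
    Sharing). Anything else is reachable without your say-so."""
    return {
        key: service
        for key, (state, service) in scan.items()
        if state == "open" and key[0] not in allowed_ports
    }


# Constructed sample output mirroring the two scans quoted in the post above.
SCAN_FIREWALL_OFF = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:16 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
548/tcp open afpovertcp
"""

SCAN_BLOCK_ALL = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:20 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
88/tcp open kerberos-sec
548/tcp filtered afpovertcp
"""

if __name__ == "__main__":
    before = parse_nmap(SCAN_FIREWALL_OFF)
    after = parse_nmap(SCAN_BLOCK_ALL)
    for (port, proto), service in sorted(now_filtered(before, after).items()):
        print(f"{port}/{proto} ({service}): blocked as expected")
    for (port, proto), service in sorted(policy_leaks(before, after).items()):
        print(f"{port}/{proto} ({service}): STILL OPEN under 'Block all incoming connections'")
    for (port, proto), service in sorted(unexpected_open(after, {22, 548}).items()):
        print(f"{port}/{proto} ({service}): open but not in the allowed set")
```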

breal8406
Oct 31, 2007, 06:08 PM
I'm sure Symantec will attempt to capitalize on it if the claims are proven true.

It's only been a couple of days. So, I expect it will take a bit longer for an absolute answer to prevail.

The one Virus I have gotten on a Mac was discovered by Norton Antivirus though.

It was back in 1998 or 1999. I was running OS 8.1 or 8.5 (not sure at the moment - been a long time). I had wrongly assumed I was safe because I was using a Mac and not Windows (although I had other Windows computers around).

And, it was not until I decided to buy Norton Antivirus and installed it that I discovered the virus. I don't recall what it was called, but it was easily removed and taken care of.

I was quite surprised because I had never even used the machine on the Internet (it was a stand alone system). It was just for messing around. So, the only thing ever installed on it came from trusted publishers on CD-ROM (usually retail purchases).

Eventually, I tracked down the source. It was a CD that came with Mac Addict magazine. It came with a demo of Tomb Raider. Turns out that Tomb Raider was carrying a virus. It was a Mac OS virus. It was not simply a Windows virus residing on the system.

Mac Addict confirmed it to be true. They sent out an apology to their subscribers, and printed a statement in the next issue of their magazine.

They promised a replacement disk (which was virus free), but despite asking for it, I never did receive the replacement CD.

That is my one experience with a Mac Virus. I'm sure someday someone will care enough to write another one.

Yeah...I'll run a trial download of an anti-virus program every once in a while just to make sure stuff like that doesn't happen.

jt2ga65
Oct 31, 2007, 06:17 PM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

I agree that it is nonsense, but you are adding to it.

To start with, there are devices which are dedicated firewall appliances that run a dedicated firewall OS on them. Many of these devices actually perform the screening in the hardware via programmable ASICs. Ok, it's still "software" running on dedicated chips, but the traffic is not handled by the operating system and is not inspected by the general processor.

These same firewall appliances will sometimes include more than just ethernet interfaces. Sometimes they have DSL, Cable or T1/T3 and wireless interfaces. Make no mistake, though, they are a firewall first, and a router second. In fact, they make pretty poor routers, but excellent firewalls. These would be like the Cisco PIX, Juniper Netscreen or the SonicWall firewalls. There may be more, but these are the ones I'm more familiar with.

For residential use, these are probably overkill, although I do use a Netscreen at home. Using any broadband router with NAT enabled is going to secure you from MOST incoming connection attempts. The exception would be if you have port forwarding or UPnP enabled.

Sorry, I just couldn't let this one go.

-jt2

rpp3po
Oct 31, 2007, 06:25 PM
Same for UDP stuff, for example ntp can still be accessed even if all incoming connections are supposedly blocked:

It's interesting that you mention ntp, but not netbios. The leofud page claims that ntp does indeed work, but not the more dangerous netbios as the original article is asserting.

dunc85
Oct 31, 2007, 06:47 PM
and yet another biased report from the BBC about Apple

http://news.bbc.co.uk/1/hi/technology/7071017.stm

cal6n
Oct 31, 2007, 06:53 PM
and yet another biased report from the BBC about Apple

http://news.bbc.co.uk/1/hi/technology/7071017.stm

Yes and no...

Read to the end of the article. Money quote: Mikko Hypponen, chief research officer at F-Secure, said: "Year after year, Macs continue to have these potential security problems.

"However, in practice they just don't seem to become real-world problems," he added. "The old wisdom still stands: if you want to avoid viruses and worms, get a Mac."

123
Oct 31, 2007, 07:08 PM
It's interesting that you mention ntp, but not netbios. The leofud page claims that ntp does indeed work, but not the more dangerous netbios as the original article is asserting.

I don't find that very interesting considering I don't have a netbios port open...

However, I did also test mDNSResponder/Bonjour with "Block all...": (port 5353 UDP)

sepp@deesli:~$ avahi-resolve -a 192.168.2.250
192.168.2.250 Quad.local


should be: (sudo ipfw add 101 deny ip from any to any 5353 in)

sepp@deesli:~$ avahi-resolve -a 192.168.2.250
Failed to resolve address '192.168.2.250': Timeout reached

dunc85
Oct 31, 2007, 07:08 PM
Yes and no...

Read to the end of the article. Money quote:

Exactly, end of the article, a couple of lines.

A bit of research on their part would have shown that the interpretation of the test results was flawed.

EagerDragon
Oct 31, 2007, 07:34 PM
Thank God for hardware firewalls.

Yea the other firewall can protect you, assuming you are not on the road with your laptop, in which case all you have is a lame firewall with a built-in false sense of security.

I heard about this about 3 days ago and was not a happy camper.

123
Oct 31, 2007, 07:38 PM
OK, it seems that everything that runs as root is not blocked.


bash-3.2$ ./listen.pl 2000
uid 501. Listening on port 2000...
-- --
sepp@deesli:~$ telnet 192.168.2.250 2000
Trying 192.168.2.250...
telnet: Unable to connect to remote host: Connection timed out


whereas:

bash-3.2$ sudo ./listen.pl 2000
uid 0. Listening on port 2000...
-- --
sepp@deesli:~$ telnet 192.168.2.250 2000
Trying 192.168.2.250...
Connected to 192.168.2.250.
Escape character is '^]'.


So, at least there is a pattern, but it's just wrong to call this "Block all incoming connections".

EagerDragon
Oct 31, 2007, 07:41 PM
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.

Most NAT firewalls (Linksys, for example) are sufficient for 99% of the cases; they stop all but extremely dedicated hackers.

However, a firewall's main function is to block a connection attempt on a specific port. Any port you open is subject to attack. Even if the firewall is perfect and, let's say, you open port 80 (www) for people to use your web server, the web server itself can come under attack, and the application being run by your web server / application server (example: Tomcat) can come under attack. The main purpose of a firewall is to protect you at the network level; if your web server has a flaw or your application has a flaw, you are still dead meat.

Don't open any inbound ports (from the internet to your computer or network) and you should be OK 99% of the time.

However, with this flaw, your chances are closer to 60%.

Orge
Oct 31, 2007, 09:56 PM
As ever, there's a lot of "apology" for this clear mistake on Apple's part... Whilst the article has some flaws, anybody with the opinion that it has no substance is either blinkered or ignorant. It's true that there are mitigating factors which may reduce the real exposure to attacks, but it's hardly good practice. If a comparable setup was deployed by MS, the media would probably make an even bigger deal about it (and the fan-boys would be s******ing in their corners).

What makes it worse is that Apple could almost certainly have avoided much of this. There's a packet firewall installed with Leopard by default (ipfw). This has proved adequate for previous versions of OS X (and many other operating systems). However, it's set to allow all incoming and outgoing traffic - presumably so it works more effectively with Apple's new application layer firewall. They have chosen to "dumb down" the security of OS X, at the expense of making the OS less secure by default. To make matters worse, the application firewall does not behave as you would expect from the UI and allows root services to access the internet unchecked (and without any notification to the user). Whilst it may have had techy jargon (port numbers etc.) and been less user friendly, Tiger's setup was clearly superior.

If they felt an application firewall would be easier for users to configure, it should have (and could have) been implemented in such a way that it worked hand in hand with ipfw or incorporates both levels of functionality - i.e. when you authorised an application, it suggests opening an appropriate port on the IP firewall and by default everything else is blocked.

This halfway house is both deceiving to casual users and frustrating for people with more understanding of the implications. Personally, I can't see any use for the application firewall, it does not meet my needs and I don't see the point of managing two sets of rules (one of which may have "vague" behaviour). I have installed waterroof and will continue to configure access to services through ipfw. However, I know that I will be in a minority (as will the script-kiddies...).

Maybe nobody will take the opportunity to give Apple a bloody nose, but I would have thought that pressure is mounting for the first successful worm/virus. Arrogance like this just makes it more likely.

J

compuguy1088
Oct 31, 2007, 10:40 PM
There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.

Agreed, I recall hearing what you said with similar things with firewalls and Linux...

Sorry to sound stupid, but where is the Universal Plug N Play setting?

I have absolutely no clue how to turn that off... personally I see a use for it on both Vista and OS X, as long as the machines that use it are secure.

bigpics
Nov 1, 2007, 12:03 AM
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

My understanding is that a router is an inherently unhackable device (because it's too stupid to be taken over), and that if you stealth it, e.g., turn off pings, close ports, etc., it will easily pass the test Steve Gibson has set up (https://www.grc.com/x/ne.dll?bh0bkyd2), and you're in pretty good shape.

Whether this can be called a "firewall" or not my feeble brain's forgotten, if someone wants to clarify.

Analog Kid
Nov 1, 2007, 02:42 AM
My Mac passed all the shields up tests. I'm on 10.5. So, just because the Leopard firewall isn't as informative as the Tiger firewall doesn't mean it's not working.
Actually, it does. If nobody understands what's going on, nobody can trust it. Everything I'm reading here indicates that I'm far from alone in not having a clue about how this Firewall actually works. People have quoted the help text twice, and I've read it about a dozen times myself, and it still isn't clear. Apple has always been bad at documentation, but here's a place where it would be really useful.

To the best of my understanding, "allow all incoming connections" should essentially turn the firewall off. "Block all incoming connections" should actually say "block all unsolicited connections", because I think it will still allow responses to outgoing requests (i.e. Safari). That last option is a freaking mess. I don't get how it works or what it does. Every time I open an app, Leopard asks me if I want to allow it to receive incoming connections, but why would it ask me that about Excel? I think it just asks as a matter of form, unless Excel is really requesting a port connection. I can choose between "always allow", which scares the bejeezus out of me, or "deny and affect performance", which isn't inviting in regard to an app I just launched for a reason.

Then there's that whole caveat about how Leopard may let all kinds of other stuff talk out the ports without user intervention (system processes, processes launched by other processes-- all the kinds of stuff you'd actually want to know about because you didn't explicitly launch the process yourself). I can't quite tell if that note applies only to the selection list or if it's a general warning about all the operating modes.

I have the feeling that Apple came up with a reasonably user friendly system here-- tying access to applications and services, which people understand, rather than port ranges and protocols, which people don't. The problem is I can't figure out what it's doing and simply can't trust it.

For completeness, I should mention that I'm not behind a router-- I've relied on the Tiger firewall as the only defense between me and my ISP. Logs indicate port scans and mostly ssh attacks, but no indication that anyone's been successful yet. I only run the services I'm interested in using, so I'd punch them through a router anyway.

Next question: Why would we EVER need a software firewall on a Mac? Seriously. Is there a scenario where it helps? Let's go back to FTP. Let's say I have a Mac directly connected to the Internet with no firewall. Someone finds my computer and tries to open a connection on Port 21. What will happen? Nothing, because I'm not running FTP and not listening on 21. So whether I block 21 or not, I get the same result: nothing. So why block it?

Firewalls make the most sense in a larger organization where we don't know if some idiot is running a misconfigured FTP server on his PC, so we add a firewall which makes that impossible.
Firewalls do allow local services to send requests and receive responses. They just don't allow unsolicited incoming requests. There is still value in having it running.

vansouza
Nov 1, 2007, 02:55 AM
My understanding is that a router is an inherently unhackable device (because it's too stupid to be taken over), and that if you stealth it, e.g., turn off pings, close ports, etc., it will easily pass the test Steve Gibson has set up (https://www.grc.com/x/ne.dll?bh0bkyd2), and you're in pretty good shape.

Whether this can be called a "firewall" or not my feeble brain's forgotten, if someone wants to clarify.

I just ran the test, I am behind a Netgear wireless router/firewall device, and with the Leopard firewall enabled and disabled, I got the same results at the Gibson site. Passed with flying colors. Totally and completely. I offer this for what ever it may or may not be worth; I am just trying to learn.

Detektiv-Pinky
Nov 1, 2007, 04:46 AM
I have a certain feeling that the happy times of 'nobody cares to attack my Mac' are over.

I give you just 2 reasons:


Market-share in the private domain is well over 10% now (see latest figures of rising OSX popularity)


For the typical phisher and cyber-attacker the Mac crowd is actually a much juicier target than the 16-year old hardcore Windows gamer: reasonably well off, totally trusting Apple and their OS


Just look into the mindset of a phisher who tries to steal your password for online banking: Would he rather get it from the Dell user or from somebody who queues for a nice and shiny iMac as soon as they hit the store?

I only hope that Apple can react as fast as these attacks are rising, see:

http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html

dnedved
Nov 1, 2007, 05:09 AM
I did a fresh install, silly me I left the cable connection in...

I've had a similar experience. I've never had a windows virus or worm (probably due to how little I've used it) but I have had a linux box owned. I put a fresh install of RedHat 6.2 on several years ago. This was pre-broadband for me (and this box WAS my firewall) so I got the modem working, and started downloading the updates right away before doing any hardening. It was late so I just went to sleep for the night. I figured the modem would finish the download and hang up after an hour of inactivity. Well, that was long enough for an NFS exploit in RH62 to get my freshly-installed box owned over freaking dialup! Woke up to a rootkit :)

It's not just MS... other vendors have been equally guilty of having too many services turned on out-of-the-box. It seems Apple is guilty of that to some degree now. Just because there's not an exploit for it on release day doesn't mean one won't come out before the OS is totally end-of-lifed. Turn everything off by default!!!

rasputnik
Nov 1, 2007, 05:19 AM
A maliciously crafted packet could compromise this program and get it to start running the packet payload.


It really can't. Packets aren't executable.

rasputnik
Nov 1, 2007, 05:23 AM
A software firewall is not as good at stopping inbound but much better at stopping outbound traffic. This is the reason why it is a good idea to run both. One handles inbound better; the other handles outbound better.

That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.

rasputnik
Nov 1, 2007, 06:14 AM
Sorry to sound stupid, but where is the Universal Plug N Play setting ?

I think he means on the router. Macs use Zeroconf rather than UPnP.

rasputnik
Nov 1, 2007, 06:23 AM
On the other hand, the firewall being turned off by default is bad---why on heaven's name would that be a good thing as a default?

Because then things work out of the box. A firewall only becomes an issue when you need to limit access to your services - if you're not running services, there's no need for it.

goosnarrggh
Nov 1, 2007, 07:26 AM
It really can't. Packets aren't executable.

Well, if you've got a braindead operating system which ignores the NIC's report of how large the packet physically is, but rather bases its buffer size solely on the EtherType/Length field of the packet header and just keeps on pulling in bytes until there aren't any more bytes to get, then I suppose it conceivably could become the victim of a buffer overflow attack.

But that would require a severely braindead OS, and such an attack could not propagate to you in the first place unless the hacker is originating the attack on a computer that's a member of the same subnetwork as your computer.

Rodimus Prime
Nov 1, 2007, 08:59 AM
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.


Minus the fact that very little spyware will target the local firewall. Most will not even try to touch it. On top of that, a lot of the firewall software makes it very difficult for another piece of software to have any effect on changing something. Now, if the spyware is installed before the firewall, then yes, it can do something about it.

lorductape
Nov 1, 2007, 09:11 AM
I'm sorry, but if you are using a firewall built into your computer I think you've got enough problems.

my netgear router works just fine.

gwangung
Nov 1, 2007, 10:05 AM
I'm sorry, but if you are using a firewall built into your computer I think you've got enough problems.

Or you do a lot of computing outside your home and office.

A lot of people's WORK makes them do this. I'd say you do have problems if you can't get out of the office to do your job....

pgwalsh
Nov 1, 2007, 10:13 AM
I'm sorry, but if you are using a firewall built into your computer I think you've got enough problems.

my netgear router works just fine.
That's a meaningless statement. If someone is using a wireless connection in a starbucks, having a firewall on his or her laptop is a good thing and not a problem.

Having a router is fine, but it's certainly not the security holy grail. You could have a router with wifi, and if you don't secure that wifi network, or if it is using WEP, then you have a very insecure network.

johnny-salieris
Nov 1, 2007, 11:34 AM
I don't yet have Leopard, but the default configuration in Tiger (10.4.10) is still fundamentally broken. If someone uses the configuration tool from Preferences and explicitly denies everything (allow nothing), also blocks UDP traffic and enables 'stealth' mode, this is what he ends up with:

02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any

20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in

(Some lines snipped)

As you see, certain UDP services are still allowed. This is nothing, however. The ridiculous part is in the following two rules:

02065 allow tcp from any to any frag
30520 allow udp from any to any in frag

What these rules do is allow EVERY fragmented packet. So, effectively, what we have here is a severely bad implementation of the firewall configuration tool that undermines ALL other rules. No matter what the user blocks, these two rules allow complete unrestricted access to every service running on the machine as if THE FIREWALL NEVER EXISTED AT ALL. Using tools such as fragrouter, the attack process becomes extremely easy and the firewall is completely bypassed.

I read somewhere that the reason Apple did this is because of some faulty routers that fragmented packets, but it doesn't really matter. The only way to fix this is to stop using the graphical configuration tool in Preferences and ONLY use the command line to manually input the ipfw rules you want. Every time you use the graphical config tool, the above rules are restored.

Apple needs to understand that security is not a collection of shiny new 'features' that appeal to people impressed by catchy words but a _CHAIN_ that is as strong as its _WEAKEST_ link. They really need to focus on this, as the danger is clearly there (the mDNSResponder exploit comes to mind).

Also, they need to fix their graphical config tool and have it output sane rules, but also make it more powerful and give users the choice of advanced firewall configuration without resorting to the command line.

bigpics
Nov 1, 2007, 11:39 AM
Most NAT firewalls (Linksys, for example) are sufficient for 99% of the cases; they stop all but extremely dedicated hackers.

However, a firewall's main function is to block a connection attempt on a specific port. Any port you open is subject to attack. Even if the firewall is perfect and, let's say, you open port 80 (www) for people to use your web server, the web server itself can come under attack, and the application being run by your web server / application server (example: Tomcat) can come under attack. The main purpose of a firewall is to protect you at the network level; if your web server has a flaw or your application has a flaw, you are still dead meat.

Don't open any inbound ports (from the internet to your computer or network) and you should be OK 99% of the time.

However, with this flaw, your chances are closer to 60%.

OK, lots of very erudite (and other) discussion here, and I've read endless articles on security over the years, retaining some of the less technical, but I have a simple, naive question:

If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

And after writing and posting this, I immediately came across a new MacWorld article (http://www.macworld.com/news/2007/11/01/myspacehack/index.php) about hackers entering through an established MySpace session connection, which isn't exactly what I was talking about above, but is certainly related.

johnny-salieris
Nov 1, 2007, 11:42 AM
OK, lots of very erudite (and other) discussion here, and I've read endless articles on security over the years, retaining some of the less technical, but I have a simple, naive question:

If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

Usually they don't. Your browser makes the request (e.g. AJAX via XMLHttpRequest) and there is client-to-server communication (and not the reverse).

aLoC
Nov 1, 2007, 11:57 AM
If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

It all comes down to who establishes the connection. When you lock down the firewall, you cancel the ability of outsiders to establish a connection to your computer. But it's still ok for you to establish a connection out to them, and once established, data can flow both ways, even inwards.
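
The rule list johnny-salieris posted above and aLoC's point about who establishes the connection both come down to how ipfw walks its rules in order, first match wins. Here is an added example (a toy evaluator of my own, not Apple's ipfw and not code from the thread) that replays constructed packets through that exact rule list. It shows an unsolicited SYN being denied by 12190 while the reply to an outgoing connection passes, either at 02060 (established) or through the dynamic state that 30510's keep-state created; it also shows the same SYN, sent as a non-first fragment, passing at 02065 before any deny is reached, and a small audit that flags rules of that shape. The addresses 203.0.113.5 and 203.0.113.53, the port numbers and the explicit 65535 line are assumptions, and only the subset of ipfw syntax that occurs in the quoted rules is modelled.

```python
import re
from collections import namedtuple
ME = "192.168.2.250"  # the Mac under test, as in the thread

# Rules quoted above (the poster snipped some lines) plus 65535, ipfw's implicit default rule.
TIGER_RULES = """\
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
65535 deny ip from any to any
"""
RULE_RE = re.compile(  # only the ipfw syntax that occurs above is understood
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?:dst-port\s+)?(?P<dport>\d+))?"
    r"(?P<opts>(?:\s+(?:in|out|established|frag|keep-state))*)$")
Rule = namedtuple("Rule", "num action proto src sport dst dport direction established frag keep_state")
# established: TCP ACK set (existing connection); frag: non-first IP fragment (no transport header)
Packet = namedtuple("Packet", "proto direction src sport dst dport established frag",
                    defaults=(False, False))


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        g, opts = m.group, m.group("opts").split()
        rules.append(Rule(int(g("num")), g("action"), g("proto"), g("src"),
                          int(g("sport")) if g("sport") else None, g("dst"),
                          int(g("dport")) if g("dport") else None,
                          next((o for o in ("in", "out") if o in opts), None),
                          "established" in opts, "frag" in opts, "keep-state" in opts))
    return sorted(rules, key=lambda r: r.num)


def _static_match(r, p):
    host_ok = lambda pat, addr: pat == "any" or addr == (ME if pat == "me" else pat)
    if (r.proto not in ("ip", p.proto) or (r.direction and r.direction != p.direction)
            or not (host_ok(r.src, p.src) and host_ok(r.dst, p.dst)) or (r.frag and not p.frag)):
        return False
    if p.frag:  # no transport header, so only rules without ports or TCP flags can match
        return r.sport is None and r.dport is None and not r.established
    return (r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and (not r.established or p.established))


def evaluate(rules, p, dynamic):
    """First match wins. A keep-state match records the flow in `dynamic`; that table is
    checked at the first keep-state rule reached, whatever the packet's direction, which
    is how the reply to an outgoing query gets back in."""
    flow, back = (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)
    checked = False
    for r in rules:
        if r.keep_state and not checked:
            checked = True
            if not p.frag and flow in dynamic:
                return ("allow", r.num, "dynamic state")
        if _static_match(r, p):
            if r.keep_state and r.action == "allow":
                dynamic.update((flow, back))
            return (r.action, r.num, "static")
    return ("deny", 0, "no rule matched")


def audit_frag_bypass(rules):
    """Unrestricted 'allow ... frag' rules, each with the later deny rules it shadows."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.frag and (r.src, r.dst, r.sport, r.dport) == ("any", "any", None, None):
            shadowed = [d.num for d in rules[i + 1:] if d.action == "deny" and d.proto in ("ip", r.proto)
                        and (None in (d.direction, r.direction) or d.direction == r.direction)]
            findings.append((r.num, shadowed))
    return findings


def demo():
    rules, dynamic = parse_rules(TIGER_RULES), set()
    attacker, resolver = "203.0.113.5", "203.0.113.53"  # constructed addresses
    packets = [  # evaluated in this order, so the DNS reply sees the state its query created
        ("unsolicited_ssh_syn", Packet("tcp", "in", attacker, 60957, ME, 22)),
        ("ssh_syn_as_fragment", Packet("tcp", "in", attacker, 60957, ME, 22, frag=True)),
        ("reply_to_my_http", Packet("tcp", "in", attacker, 80, ME, 52000, established=True)),
        ("my_dns_query", Packet("udp", "out", ME, 50000, resolver, 53)),
        ("dns_reply", Packet("udp", "in", resolver, 53, ME, 50000)),
        ("unsolicited_udp", Packet("udp", "in", attacker, 40001, ME, 40000)),
        ("udp_as_fragment", Packet("udp", "in", attacker, 40001, ME, 40000, frag=True)),
        ("mdns_query", Packet("udp", "in", attacker, 5353, ME, 5353)),
    ]
    return {name: evaluate(rules, p, dynamic) for name, p in packets}
```

Two things fall out of running demo(): the mDNS query is accepted at 20322 even in this "allow nothing" configuration, which matches what 123 saw with avahi-resolve earlier in the thread, and audit_frag_bypass() reports 02065 shadowing 12190 and 30520 shadowing 35000 (plus the default rule in both cases), which is the bypass johnny-salieris describes. The model deliberately treats a non-first fragment as having no ports or flags to match on, since that is exactly why a port- or flag-qualified rule cannot stop it.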

bigpics
Nov 1, 2007, 12:27 PM
It all comes down to who establishes the connection. When you lock down the firewall, you cancel the ability of outsiders to establish a connection to your computer. But it's still ok for you to establish a connection out to them, and once established, data can flow both ways, even inwards.

Thanks to you and Johnny Salieris for your concise and understandable clarifications.

Here's an excerpt of another new article about how, when you log into a compromised site, you can easily download a Trojan (designed to attack Macs), and if using Safari, the download will proceed automatically along with the porn you wanted to watch if you give permission to "update Quicktime." Proving, I guess, there is no "firewall" for user behavior.....

November 01, 2007 (Computerworld (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044998&source=rss_topic123)) -- A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego of Austin, Tex. and later confirmed by Sunbelt Software, McAfee Inc., and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.

Detektiv-Pinky
Nov 1, 2007, 02:01 PM
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.

This is exactly the reason why you should NEVER do your regular work and web surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.

Detektiv-Pinky
Nov 1, 2007, 02:01 PM
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.

This is exactly the reason why you should NEVER do your regular work and web surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.

Edit:
Hhm, somehow I managed to post this twice. Anyhow, it is probably important enough to be read and remembered properly.

johnnybluejeans
Nov 1, 2007, 06:00 PM
AWESOME! Thanks... more reason not to get Leopard

What were the other reasons? Or are you just being a troll? My money is on troll.

mooncaine
Nov 2, 2007, 10:16 AM
Uh oh, is that ... [sniff]... Windows I smell?

coffey7
Nov 3, 2007, 09:13 PM
I still love little snitch.

killerrobot
Nov 3, 2007, 10:17 PM
Can anyone explain how Leopard's firewall actually differs from Tiger's?
Are there any clear back-steps?
I just recently installed Tiger on a new iMac and its firewall was inactive at first as well. The user has to enable it and set the ports to stealth etc.
It seems to me that whenever a new OS comes out (be it Windows or OS X) there is someone screaming bloody murder about its built-in firewall.

DavidCar
Nov 3, 2007, 10:22 PM
Maybe someone has mentioned this, but I find I have to have the whole firewall off to do a video iChat. If I had the firewall set to block, but iChat is allowed, I can't get a video or screen sharing iChat to work.

aquajet
Nov 4, 2007, 10:54 AM
This is exactly the reason why you should NEVER do your regular work and web surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.

This is a good point. I've always configured my user account as a standard user account. It includes all my docs, music, pics etc. And then I have a separate admin account. If I need to install a program or otherwise need admin privileges, I can simply enter the name and password of my admin account within my daily standard user account. I generally never have to actually log into the admin account.

Just another small thing everyone can do to significantly increase security.

Analog Kid
Nov 4, 2007, 06:59 PM
I still love little snitch.
I'm not finding Little Snitch to be all that stable on Leopard yet... The new features (seeing what apps are contacting where in real time) are pretty slick though.

greenpflyer
Nov 4, 2007, 09:47 PM
I'm worried about that thing. I have never used a Mac computer and was planning on buying one really soon until now. So I wanted some info to convince me to still go Mac. Is it still safe to use a Mac computer, and how do I avoid this trojan? The phishing thing, a similar site, makes me feel uncomfortable. Yes, I have gone to porn sites on my XPS m170, soon to be a 2-year-old computer, and seen the "download the codec" thing. As far as I remember I never clicked to download; I would click the back button several times quickly to avoid seeing it again. It is my fault on that part. That's why I'm looking for a computer, namely a Mac. I set one of my goals to avoid looking at porn sites. The new experience of a Mac computer might haunt me with Leopard's criticized firewall and this trojan. So I don't want to waste my money on a new computer if it is going to get dirty and infected. Let me know about the security of Mac computers. Sorry for being a newb. Thank you.

greenpflyer
Nov 4, 2007, 09:50 PM
Also, is there a suggestion that I should wait for a better MacBook in January? I don't want the pricey MacBook Pro, so omit that. I was planning on buying the new MacBook (black) by this coming Friday so I can play with it when I get home from college for Thanksgiving. Any suggestions for problems with Leopard and time to buy a MacBook would be helpful. Thank you.

cohibadad
Nov 4, 2007, 11:00 PM
Standard accounts are for newbs and children

jk standard accounts are safer if you are afraid you will repeatedly click porn things and enter your admin info into the boxes. Here is a little run down on the differences between account types for anyone interested http://www.macusersforum.com/index.php?showtopic=16966&mode=threaded

sblasl
Nov 4, 2007, 11:36 PM
You probably would be best served by doing a search or looking in the MacBook & MacBook Pro forums. Here is a thread that might help you with your decision.

http://forums.macrumors.com/showthread.php?t=379594

Also, is there a suggesting that I should wait for a better macbook in january? I don't want the pricey macbook pro so omit that. I was planning on buying the new macbook (black) by this coming friday so I can play with it when I get home from college for Thanksgiving. Any suggestions for problems with leopard and time to buy macbook would be helpful. Thank you.

boz0
Nov 5, 2007, 02:46 AM
To start with, there are devices which are dedicated firewall appliances that run a dedicated firewall OS on them. Many of these devices actually perform the screening in the hardware via programmable asics. Ok, it's still "software" running on dedicated chips, but the traffic is not handled by the operating system and is not inspected by the general processor.

Could you give a few examples? Last I checked (which, admittedly, is quite some time ago), no commercial firewall appliances were doing filtering at the ASIC level (I guess this would simply be because reprogramming the ASIC each time you wanted to change a rule isn't efficient).

EDIT: I was wrong on that count. Some companies appear to use ASICs to insert firewall rules in their routing components, like Juniper and Fortinet. I haven't found anything beyond commercial buzzwords, though, so I'm not sure exactly what they do. Still, it seems to me they remain a minority, for high-end firewalls.

The fact that they run a dedicated OS or not doesn't seem relevant, and neither would the fact that the OS is some tweaked version of Linux or *BSD, or rather some completely closed and dedicated solution like Nokia's IPSO for Checkpoint firewalls.

My real point is: yes, there are different kinds of firewalls. But the real difference is between Application Level Firewalls (a la ZoneAlarm), which try to identify the application itself, whether for incoming or outgoing connections, and the more traditional IP stack-based firewalls, whatever extensions, protocol helpers and the like they may use.

Why make the difference here instead of between "software" and "hardware" firewalls? Because you can have an IP-based firewall on your desktop: this is exactly what ipfw does on your Mac OS box. Using ipfw on your desktop or laptop, then using it to build a dedicated firewall on a dedicated server at the edge of your network, does not magically change the nature of ipfw from a "software" to a "hardware" firewall.

ben24ben
Nov 6, 2007, 07:54 PM
It's unbelievable. Mr. Schmidt, the author of the heise security articles, now describes the new Leopard firewall with these words:

"The background to all this is that, in contrast to Tiger, the firewall in Leopard no longer operates at the packet level but rather it works with applications, to which it permits or denies specific network activities. In order to unambiguously identify applications, Apple uses code signatures, something which has also been introduced for the first time in Leopard. Certain applications signed by Apple are automatically permitted to communicate with the network past the firewall without showing that in the user interface -- even if the firewall is set to "Block all incoming connections".

By contrast, if an application which does not have a valid signature opens a network port, the firewall swings into action. In the "Block all incoming connections" state, it blocks incoming connections to unsigned services and records this with entries such as:

Deny evilserver connecting from 10.10.22.75:60957 uid = 0 proto=6

In restricted mode, simply trying to start a service brings up a window asking the user for permission. The user can then allow or forbid this. The system records this choice and enters it into the firewall's exceptions list. To achieve this, Apple furnishes unsigned programs with a digital signature in the process. If changes are made to the program subsequently, the permission is withdrawn."

http://www.heise-security.co.uk/news/98492

In his first articles, Mr. Schmidt didn't know anything about code signatures and an application-based firewall. Maybe it would be better for all if Mr. Schmidt first studied the new Apple OS security design before he wrote his articles. It's only FUD.
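
For anyone who wants to pull those firewall verdicts out of the log and group them rather than read them one line at a time, here is an added example (my own code, not from heise or Apple) that parses entries of the shape quoted above and counts them by verdict, application, uid and protocol, also listing the applications the firewall saw listening as uid 0, since root-owned listeners are what the tests earlier in the thread were comparing. The first log line is the one quoted from the article; the other three are constructed in the same shape, and the field layout beyond what that single line shows is an assumption.

```python
import re
from collections import Counter

# First line quoted from the heise follow-up above; the rest are constructed in the
# same shape for this example (the real log may interleave other message kinds).
ALF_LOG = """\
Deny evilserver connecting from 10.10.22.75:60957 uid = 0 proto=6
Deny evilserver connecting from 10.10.22.75:60958 uid = 0 proto=6
Deny evilserver connecting from 10.10.22.75:60959 uid = 0 proto=17
Deny listen.pl connecting from 192.168.2.1:51000 uid = 501 proto=6
"""

LINE_RE = re.compile(
    r"^(?P<verdict>[A-Z][a-z]+)\s+(?P<app>\S+)\s+connecting from\s+"
    r"(?P<ip>[\d.]+):(?P<port>\d+)\s+uid = (?P<uid>\d+)\s+proto=(?P<proto>\d+)$")
PROTO = {6: "tcp", 17: "udp"}  # IANA protocol numbers, as the log prints them


def parse_alf_log(text):
    """One dict per line that matches the quoted shape; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "verdict": m["verdict"], "app": m["app"], "ip": m["ip"],
                "port": int(m["port"]), "uid": int(m["uid"]),
                "proto": PROTO.get(int(m["proto"]), m["proto"]),
            })
    return records


def summarise(records):
    """Counts per (verdict, app, uid, proto), plus the apps seen listening as uid 0."""
    counts = Counter((r["verdict"], r["app"], r["uid"], r["proto"]) for r in records)
    root_apps = sorted({r["app"] for r in records if r["uid"] == 0})
    return counts, root_apps


if __name__ == "__main__":
    counts, root_apps = summarise(parse_alf_log(ALF_LOG))
    for key, n in counts.most_common():
        print(n, *key)
    print("listening as root:", root_apps)
```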

aLoC
Nov 7, 2007, 05:52 AM
Apple has posted this explanation of the Leopard firewall now.
http://docs.info.apple.com/article.html?artnum=306938

Clearly it is application-centric.

IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

Did they even make a list of common usage scenarios in the design phase, or did they just get carried away with the wonders of application-centricity?

flyinmac
Nov 7, 2007, 02:22 PM
Apple has posted this explanation of the Leopard firewall now.
http://docs.info.apple.com/article.html?artnum=306938

Clearly it is application-centric.

IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

Did they even make a list of common usage scenarios in the design phase, or did they just get carried away with the wonders of application-centricity?


Yep, I just read their new article on the Apple site.

Glad I have the firewall built-in to my router. This new Leopard one seems a bit simple and more for those who assume they are already mostly safe anyway.

It's probably good enough for those who know little, and don't think anyone would try to get into their system. But, for those who are concerned about security, this seems to be a major step backwards.

Why is Microsoft improving in security, and Apple is trying to go backwards. Are we in Bizarro land now?


If it were my primary firewall, I would feel very open and exposed.

boz0
Nov 8, 2007, 02:18 AM
IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

That's true for home users, and that's even more true when you intend to use your laptop on the road.

Ah, well, at least they're confirming that ipfw *does* override the Application Level Firewall rules.

knweiss
Mar 1, 2008, 10:33 AM
I'm new to Mac. I bought a Mac Pro two weeks ago and today I've looked into Apple's Firewall for the first time because I was debugging a network problem in my LAN.

After reading Apple's article About the Application Firewall (http://docs.info.apple.com/article.html?artnum=306938) I really can't believe that they released a firewall with such a flawed security concept. In my opinion the key problem is that they seem to think that their users *only* want to be protected from malicious 3rd-party software.

However, they completely ignore the fact that we also need protection from flaws (e.g. buffer overruns) in Apple's *own* (system) software! Digitally signing a program and thereby allowing all incoming traffic just because it's from Apple and they think it's flawless is a ridiculous security concept!

Also, not showing all the digitally signed applications (which are allowed to receive traffic!) in the Firewall security preferences is simply *misleading*. I bet most users would be upset if they saw the entire list.

Finally, disabling the firewall by default? What were they thinking? "Apple Leopard - Insecure by default" maybe?
I'm not impressed!

intoxicated662
Mar 2, 2008, 12:39 PM
yeah that is a risk everyone is taking now but it's being talked about more as they are releasing new products. also, just because it is harder to have problems and viruses, etc. on an apple than on a windows pc doesn't make it right for them to leave it open and vulnerable like that. disabling the firewall? gotta be kidding me..