Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Leopard's Firewall Criticized

R

rpp3po

macrumors regular
Original poster
Aug 16, 2003
171
0
Germany
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is setup to block ALL traffic. No kidding, Leopard does. Though, there is no proof of concept exploit, yet, that's a totally unneccessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.
Click to expand...
 
Article Link
https://www.macrumors.com/2007/10/30/leopards-firewall-criticized/
Warbrain

Warbrain

macrumors 603
Jun 28, 2004
5,702
293
Chicago, IL
rpp3po said:
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is setup to block ALL traffic. No kidding, Leopard does. Though, there is no proof of concept exploit, yet, that's a totally unneccessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
Click to expand...

It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.
 
vansouza

vansouza

macrumors 68000
Mar 28, 2006
1,735
3
West Plains, MO USA Earth
The sky is falling...

rpp3po said:
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is setup to block ALL traffic. No kidding, Leopard does. Though, there is no proof of concept exploit, yet, that's a totally unneccessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
Click to expand...

Thank God for hardware firewalls.
 
flyinmac

flyinmac

macrumors 68040
Sep 2, 2006
3,579
2,465
United States
flopticalcube said:
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right. :rolleyes:
Click to expand...

I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
 
flopticalcube

flopticalcube

macrumors G4
Sep 7, 2006
10,456
186
In the velcro closure of America's Hat
flyinmac said:
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
Click to expand...

That should be more than adequate.
 
Sun Baked

Sun Baked

macrumors G5
May 19, 2002
14,937
157
Anybody turn on the advanced settings, use stealth, then look at the logs awhile latter. :(

Edit: I miss the dead SPI enabled router.
 
flyinmac

flyinmac

macrumors 68040
Sep 2, 2006
3,579
2,465
United States
Sun Baked said:
Anybody turn on the advanced settings, use stealth, then look at the logs awhile latter. :(

Edit: I miss the dead SPI enabled router.
Click to expand...

From reading the article, I couldn't tell.

SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.
 
motulist

motulist

macrumors 601
Dec 2, 2003
4,234
611
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
 
W

weaverra

macrumors 6502
Sep 27, 2006
250
2
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???
 
flyinmac

flyinmac

macrumors 68040
Sep 2, 2006
3,579
2,465
United States
iJawn108 said:
turn of Universal Plug n' play
Click to expand...

Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

And, I just went back through my settings, and all looks good there.

So, hopefully Leopard won't open the door on me.

Daiden said:
Well this is somewhat disappointing.
Click to expand...

Yes. If this is true, then Leopard will definitely be a let-down there.

weaverra said:
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???
Click to expand...


Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
 
Sun Baked

Sun Baked

macrumors G5
May 19, 2002
14,937
157
weaverra said:
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?
Click to expand...

He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.
 
W

weaverra

macrumors 6502
Sep 27, 2006
250
2
flyinmac said:
Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
Click to expand...

Leopard (10.5) I'm no security expert but from what I gathered something should have showed up according to their claim.

00:19 is when I allowed all incoming connections


Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
 
Sun Baked

Sun Baked

macrumors G5
May 19, 2002
14,937
157
flyinmac said:
Hesitant to read between the lines... What is your belief based on your observations?
Click to expand...

They said Apple allows every process started by the user into the execptions list ... even if you run a trojan.

Almost sounded like they stayed there til you restarted.

Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.
 
Detektiv-Pinky

Detektiv-Pinky

macrumors 6502a
Feb 25, 2006
848
192
Berlin, Germany
Peace said:
This guy/site doesn't understand the Leopard firewall..
Click to expand...

This is entirely possible. However, I honestly think that the apple firewall is not an easily usable and confidence inspiring product. And it is turned 'OFF' by default!:eek:

I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programms it allows incoming connection', that is not something I want my firewall to do.

So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you like to share it with us.
 
B

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
flyinmac said:
I have a Linksys Router with a Hardware Firewall in it.
Click to expand...

This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom