Old Oct 29, 2007, 11:12 PM   #1
rpp3po
macrumors regular
 
Join Date: Aug 2003
Location: Germany
Serious flaws discovered in Leopard's firewall

You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

Quote:
The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.
Old Oct 29, 2007, 11:19 PM   #2
Warbrain
macrumors 68040
 
Join Date: Jun 2004
Location: Chicago, IL
Quote:
Originally Posted by rpp3po View Post
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.
__________________
WARBRAIN
Twitter | Blog
MacBook, 2.1 GHz C2D, 4 GB RAM, 500 GB HDD
iPhone 3G 8 GB
Old Oct 29, 2007, 11:21 PM   #3
vansouza
macrumors Demi-God
 
Join Date: Mar 2006
Location: Las Vegas, Earth
The sky is falling...

Quote:
Originally Posted by rpp3po View Post
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
Thank God for hardware firewalls.
__________________
www.usheroes.us
You don't have a soul. You are a soul. You have a body. C. S. Lewis
Old Oct 29, 2007, 11:41 PM   #4
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by vansouza View Post
Thank God for hardware firewalls.
I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 29, 2007, 11:45 PM   #5
flopticalcube
macrumors 601
 
Join Date: Sep 2006
Quote:
Originally Posted by flyinmac View Post
I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.
Old Oct 29, 2007, 11:53 PM   #6
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by flopticalcube View Post
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 29, 2007, 11:55 PM   #7
flopticalcube
macrumors 601
 
Join Date: Sep 2006
Quote:
Originally Posted by flyinmac View Post
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
That should be more than adequate.
Old Oct 29, 2007, 11:58 PM   #8
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by flopticalcube View Post
That should be more than adequate.
I sure hope so
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 30, 2007, 12:03 AM   #9
Sun Baked
macrumors 603
 
Join Date: May 2002
Anybody turn on the advanced settings, use stealth, then look at the logs a while later?

Edit: I miss the dead SPI enabled router.
__________________
May you be plagued by images of Richard Simmons flouncing through your brain, and squat thrusting his way through all waking thoughts.
Old Oct 30, 2007, 12:09 AM   #10
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by Sun Baked View Post
Anybody turn on the advanced settings, use stealth, then look at the logs a while later?

Edit: I miss the dead SPI enabled router.
From reading the article, I couldn't tell.

SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 30, 2007, 12:15 AM   #11
iJawn108
macrumors 65816
 
Join Date: Apr 2006
Quote:
Originally Posted by flyinmac View Post
I sure hope so
turn off Universal Plug n' play
__________________
Black MacBook | Core Duo 2 GHz | 2 GB Ram | 320 GB HDD | OS X Snow Leopard 10.6 - iPod Touch | 16 GB
Camino
OpenSolaris
Old Oct 30, 2007, 12:18 AM   #12
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by iJawn108 View Post
turn off Universal Plug n' play
I believe I did do that. I spent hours comparing the settings with descriptions of what they did on the Internet. Hopefully I got everything.
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 30, 2007, 12:24 AM   #13
motulist
macrumors 68040
 
Join Date: Dec 2003
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
Old Oct 30, 2007, 12:28 AM   #14
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by motulist View Post
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
It sounds to me like they are saying that 10.5 is worse. But, I could be wrong.
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 30, 2007, 12:37 AM   #15
Daiden
macrumors 6502
 
Join Date: Feb 2007
Location: New York, NY
Well this is somewhat disappointing.
__________________
http://www.deliciousmacs.com
Old Oct 30, 2007, 01:01 AM   #16
weaverra
macrumors member
 
Join Date: Sep 2006
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Last edited by weaverra : Oct 30, 2007 at 01:17 AM.
Old Oct 30, 2007, 01:19 AM   #17
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by iJawn108 View Post
turn off Universal Plug n' play
Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

And, I just went back through my settings, and all looks good there.

So, hopefully Leopard won't open the door on me.

Quote:
Originally Posted by Daiden View Post
Well this is somewhat disappointing.
Yes. If this is true, then Leopard will definitely be a let-down there.

Quote:
Originally Posted by weaverra View Post
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion

Last edited by devilot : Oct 30, 2007 at 01:39 AM. Reason: Merged THREE posts; PLEASE use "Edit" and/or "Multi-Quote"
Old Oct 30, 2007, 01:21 AM   #18
Sun Baked
macrumors 603
 
Join Date: May 2002
Quote:
Originally Posted by weaverra View Post
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?
He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.
__________________
May you be plagued by images of Richard Simmons flouncing through your brain, and squat thrusting his way through all waking thoughts.
Old Oct 30, 2007, 01:25 AM   #19
flyinmac
macrumors 65816
 
Join Date: Sep 2006
Quote:
Originally Posted by Sun Baked View Post
He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.

Hesitant to read between the lines... What is your belief based on your observations?
__________________
Mac Pro 2.66 GHz Quad, 14 GB RAM, two 22-inch LCD widescreens, 3.6 terabytes hard drive space. 2 SuperDrives.
Mac OS X 10.5.x. Vista Ultimate. Fusion
Old Oct 30, 2007, 01:28 AM   #20
weaverra
macrumors member
 
Join Date: Sep 2006
Quote:
Originally Posted by flyinmac View Post
Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
Leopard (10.5). I'm no security expert, but from what I gathered something should have shown up according to their claim.

00:19 is when I allowed all incoming connections


Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
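Added example, not part of any post in this thread: a small Python parser for the Firewall[...] log format pasted in post #20. It separates the number of log lines from the number of distinct source endpoints behind them and records when each process was first and last seen. The sample lines, host name and addresses are constructed placeholders, and the regular expressions assume only the three line shapes visible in that post.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in post #20; the host name and
# addresses are placeholders from documentation ranges, not real data.
SAMPLE_LOG = """\
Oct 30 00:16:56 example-mac Firewall[40]: Deny smbd connecting from 192.0.2.10:49202 uid = 0 proto=6
Oct 30 00:16:56 example-mac Firewall[40]: Deny smbd connecting from 192.0.2.10:49203 uid = 0 proto=6
Oct 30 00:16:57 example-mac Firewall[40]: Deny smbd connecting from 192.0.2.10:49202 uid = 0 proto=6
Oct 30 00:16:57 example-mac Firewall[40]: Deny smbd connecting from 192.0.2.10:49203 uid = 0 proto=6
Oct 30 00:19:06 example-mac Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 example-mac Firewall[40]: Stealth Mode connection attempt to UDP 192.0.2.20:49429 from 198.51.100.7:53
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ Firewall\[\d+\]: "
# "Allow|Deny <process> connecting|listening from <endpoint> uid = N proto=N"
APP_RE = re.compile(
    PREFIX + r"(?P<action>Allow|Deny) (?P<proc>\S+) (?P<verb>connecting|listening) "
    r"from (?P<peer>\S+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$")
# "Stealth Mode connection attempt to TCP|UDP <local> from <remote>"
STEALTH_RE = re.compile(
    PREFIX + r"Stealth Mode connection attempt to (?P<l4>TCP|UDP) "
    r"(?P<dst>\S+) from (?P<peer>\S+)$")


def parse_line(line):
    """Return a dict for a Firewall log line, or None for anything else."""
    line = line.strip()
    m = APP_RE.match(line)
    if m:
        return m.groupdict()
    m = STEALTH_RE.match(line)
    if m:
        # Stealth entries name no process; give them their own bucket.
        return {**m.groupdict(), "action": "Stealth", "proc": None}
    return None


def summarize(text):
    """Group entries by (action, process): line count, distinct peers, time span."""
    stats = defaultdict(
        lambda: {"lines": 0, "peers": set(), "first": None, "last": None})
    for entry in filter(None, map(parse_line, text.splitlines())):
        s = stats[(entry["action"], entry["proc"])]
        s["lines"] += 1
        s["peers"].add(entry["peer"])  # repeated lines from one endpoint count once
        s["first"] = s["first"] or entry["ts"]
        s["last"] = entry["ts"]
    return dict(stats)


if __name__ == "__main__":
    for (action, proc), s in summarize(SAMPLE_LOG).items():
        print(f"{action:8} {proc or '-':8} lines={s['lines']:3} "
              f"distinct_peers={len(s['peers'])} {s['first']} .. {s['last']}")
```

Run against a saved copy of the real log, the summary shows at a glance which processes were denied, which were allowed, and at what time the first Allow entry appeared.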
Old Oct 30, 2007, 01:36 AM   #21
Peace
macrumors Demi-God
 
Join Date: Apr 2005
Location: On top of the Storm Peaks waiting for the Time-Lost Proto Drake
This guy/site doesn't understand the Leopard firewall..
Old Oct 30, 2007, 01:42 AM   #22
Sun Baked
macrumors 603
 
Join Date: May 2002
Quote:
Originally Posted by flyinmac View Post
Hesitant to read between the lines... What is your belief based on your observations?
They said Apple allows every process started by the user into the exceptions list ... even if you run a trojan.

Almost sounded like they stayed there til you restarted.

Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.
__________________
May you be plagued by images of Richard Simmons flouncing through your brain, and squat thrusting his way through all waking thoughts.
Old Oct 30, 2007, 04:41 AM   #23
Detektiv-Pinky
macrumors 6502a
 
Join Date: Feb 2006
Location: Berlin, Germany
Quote:
Originally Posted by Peace View Post
This guy/site doesn't understand the Leopard firewall..
This is entirely possible. However, I honestly think that the Apple firewall is not an easily usable and confidence-inspiring product. And it is turned 'OFF' by default!

I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programs it allows incoming connection'; that is not something I want my firewall to do.

So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you'd like to share it with us.
__________________
Anecdotal evidence is an oxymoron!
Old Oct 30, 2007, 06:15 AM   #24
boz0
macrumors regular
 
Join Date: May 2007
Location: /dev/null
Quote:
Originally Posted by flyinmac View Post
I have a Linksys Router with a Hardware Firewall in it.
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it?

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple!

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
Old Oct 30, 2007, 06:19 AM   #25
joelovesapple
macrumors 6502
 
Join Date: Sep 2006
Location: UK
Thanks for the info. I'll be keeping my eye out for a software update to combat this problem.
