Leopard's Firewall Criticized

Discussion in 'MacRumors.com News Discussion' started by rpp3po, Oct 29, 2007.

  1. macrumors regular

    Joined:
    Aug 16, 2003
    Location:
    Germany
    #1
    You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw even a freshman CS student wouldn't be allowed to turn in.

    From the article (German heise magazine):

     
  2. macrumors 603

    Warbrain

    Joined:
    Jun 28, 2004
    Location:
    Chicago, IL
    #2
    It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.
     
  3. macrumors 68000

    vansouza

    Joined:
    Mar 28, 2006
    Location:
    West Plains, MO USA Earth
    #3
    The sky is falling...

    Thank God for hardware firewalls.
     
  4. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #4
    I wonder what degree of hardware firewall you would need to compensate.

    Would a standard router with NAT work?

    Or, would you actually need a router with a specific firewall to compensate?
     
  5. macrumors G4

    flopticalcube

    Joined:
    Sep 7, 2006
    Location:
    In the velcro closure of America's Hat
    #5
    I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right. :rolleyes:
     
  6. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #6
    I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

    It's a BEFSX41 Labeled as a Broadband Firewall Router.

    I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
     
  7. macrumors G4

    flopticalcube

    Joined:
    Sep 7, 2006
    Location:
    In the velcro closure of America's Hat
    #7
    That should be more than adequate.
     
  8. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #8
    I sure hope so :confused:
     
  9. macrumors G5

    Sun Baked

    Joined:
    May 19, 2002
    #9
    Anybody turn on the advanced settings, use stealth, then look at the logs a while later? :(

    Edit: I miss the dead SPI enabled router.
     
  10. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #10
    From reading the article, I couldn't tell.

    SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.
     
  11. macrumors 65816

    iJawn108

    Joined:
    Apr 15, 2006
    #11
    Turn off Universal Plug n' Play.
     
  12. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #12
    I believe I did do that. I spent hours comparing the settings with descriptions of what they did on the Internet. Hopefully I got everything.
     
  13. macrumors 68040

    motulist

    Joined:
    Dec 2, 2003
    #13
    Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
     
  14. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #14
    It sounds to me like they are saying that 10.5 is worse. But, I could be wrong.
     
  15. macrumors 6502a

    Daiden

    Joined:
    Feb 25, 2007
    Location:
    Chicago, IL
    #15
    Well this is somewhat disappointing.
     
  16. macrumors regular

    Joined:
    Sep 27, 2006
    #16
    Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

    Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???
     
  17. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #17
    Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

    I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

    And, I just went back through my settings, and all looks good there.

    So, hopefully Leopard won't open the door on me.

    Yes. If this is true, then Leopard will definitely be a let-down there.


    Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
     
  18. macrumors G5

    Sun Baked

    Joined:
    May 19, 2002
    #18
    He harped on netbios, then said that came from the Samba package.

    I looked and have Bonjour and the time server open.
     
  19. macrumors 68000

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    Somewhere out there
    #19

    Hesitant to read between the lines... What is your belief based on your observations?
     
  20. macrumors regular

    Joined:
    Sep 27, 2006
    #20
    Leopard (10.5). I'm no security expert, but from what I gathered, something should have shown up according to their claim.

    00:19 is when I allowed all incoming connections


    Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
    Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
    Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
    Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
    Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
    Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
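
An added example (not part of the post above, and not Apple's tooling): a small Python parser for the `Firewall[pid]` log format shown in post #20. It tallies verdicts per process, lists services allowed to listen, and collapses repeated denies into distinct sources. The sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the post's log format (host and addresses are made up).
SAMPLE = """\
Oct 30 00:16:56 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49202 uid = 0 proto=6
Oct 30 00:16:56 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49203 uid = 0 proto=6
Oct 30 00:16:56 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49204 uid = 0 proto=6
Oct 30 00:16:57 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49202 uid = 0 proto=6
Oct 30 00:16:57 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49204 uid = 0 proto=6
Oct 30 00:16:57 mbp Firewall[40]: Deny smbd connecting from 192.168.1.20:49203 uid = 0 proto=6
Oct 30 00:19:06 mbp Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 mbp Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 mbp Firewall[40]: Stealth Mode connection attempt to UDP 192.168.1.10:49429 from 203.0.113.7:53
"""

VERDICT = re.compile(
    r"Firewall\[\d+\]: (?P<action>Deny|Allow) (?P<proc>\S+) "
    r"(?P<verb>connecting|listening) from (?P<addr>\S+):(?P<port>\d+) "
    r"uid = (?P<uid>\d+) proto=(?P<proto>\d+)")
STEALTH = re.compile(
    r"Firewall\[\d+\]: Stealth Mode connection attempt to (?P<proto>\w+) "
    r"(?P<dst>\S+):(?P<dport>\d+) from (?P<src>\S+)")

def parse(text):
    """Turn log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        if m := VERDICT.search(line):
            # 'port' is the local port for "listening", the peer's for "connecting".
            events.append({"kind": m["action"].lower(), "proc": m["proc"],
                           "verb": m["verb"], "addr": m["addr"],
                           "port": int(m["port"]), "uid": int(m["uid"])})
        elif m := STEALTH.search(line):
            events.append({"kind": "stealth", "proto": m["proto"],
                           "src": m["src"], "dport": int(m["dport"])})
    return events

def summarize(events):
    counts = Counter((e["kind"], e.get("proc", "-")) for e in events)
    # Services the firewall let bind: these are what a remote scan can reach.
    exposed = sorted({(e["proc"], e["port"]) for e in events
                      if e["kind"] == "allow" and e["verb"] == "listening"})
    # Distinct peers behind the denies; few peers with many lines means retries.
    denied = sorted({(e["addr"], e["port"]) for e in events if e["kind"] == "deny"})
    return counts, exposed, denied
```

Call `summarize(parse(text))` on the log text; the patterns also accept the masked addresses (`192.168.x.xxx`) used in the post.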
     
  21. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #21
    This guy/site doesn't understand the Leopard firewall..
     
  22. macrumors G5

    Sun Baked

    Joined:
    May 19, 2002
    #22
    They said Apple allows every process started by the user into the exceptions list ... even if you run a trojan.

    Almost sounded like they stayed there til you restarted.

    Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.
     
  23. macrumors 6502a

    Detektiv-Pinky

    Joined:
    Feb 25, 2006
    Location:
    Berlin, Germany
    #23
    This is entirely possible. However, I honestly think that the Apple firewall is not an easily usable and confidence-inspiring product. And it is turned 'OFF' by default!:eek:

    I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programs it allows incoming connections'; that is not something I want my firewall to do.

    So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you like to share it with us.
     
  24. macrumors regular

    Joined:
    May 21, 2007
    Location:
    /dev/null
    #24
    This is nonsense.

    To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

    Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

    That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

    However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
     
  25. macrumors 6502a

    joelovesapple

    Joined:
    Sep 25, 2006
    Location:
    UK
    #25
    Thanks for the info. I'll be keeping my eye out for a software update to combat this problem. :)
     
