Newbie Powerbook user with Firewall / Spyware questions

Discussion in 'Mac Apps and Mac App Store' started by florencevassy, Sep 30, 2004.

  1. florencevassy macrumors regular

    Joined:
    Jun 1, 2004
    Location:
    Princeton, NJ
    #1
    I am the proud owner of a new 15" PowerBook and I am very happy!

    I have a couple of questions. Is the OS X firewall enough security/protection or should I purchase another firewall program?

    Also, my PC-using friends have a lot of trouble with spyware. Should I try to use a spyware program?

    I know that Macs are safer than PCs, it is a much different (and nicer) world :) but I do a ton of surfing and download song samples a lot etc. and am generally paranoid and want to be extra careful. Also all of my friends are PC users (I feel bad for them) and I don’t want to accidentally send them anything that is harmful.

    Someone I spoke to at Apple’s technical support area suggested that I buy this program:
    http://www.allume.com/mac/cleanup/index.html but after some research I see it has received horrible reviews. :confused:

    Please advise, thanks a lot !! Flo
     
  2. Champale macrumors member

    Joined:
    Jul 23, 2004
    Location:
    Chicago, USA
    #2
    3%

    That's the nice thing about having a 3% share in the market (give or take a few.)

    There aren't a whole lot of viruses running around for Macs.

    I've been using Macs for the past fifteen years and have never had a problem with viruses.

    For me, I tend to go commando. For my PCs, I use protection!

    I suppose it's all about how safe you want to play it...
     
  3. yellow Moderator emeritus

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #3
    No viruses for Mac OS X (yet).
    No spyware for Mac OS X (yet).

    The built-in firewall (ipfw) is very good.
    The built-in GUI control for it (System Preferences -> Sharing prefpane -> Firewall tab) is VERY BAD.
    Invest in Brickhouse or Sunshield to control/config ipfw if you don't know anything about UNIX and command line (if you do, learn to use ipfw via the command line).
     
  4. yellow Moderator emeritus

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #4

    GUI = graphics user interface. Point and click with a mouse. Much easier for most people to navigate. Apple's point and click interface for the built-in firewall (ipfw) is completely worthless and should not be relied upon.

    ipfw is an IP FireWall built into the OS. It's quite configurable. It's pretty strong. Look over the man page on ipfw for more info: man ipfw

    If you are comfortable with the command line, and with UNIX, and the learning curve that inevitably comes with it, you can learn to control ipfw. This is my preferred method. However, if reading that man page above sets your head spinning, look into some 3rd party utilities that allow you to control/configure ipfw from a better interface. Utilities like SunShield or BrickHouse.
     
  5. andysmith macrumors 6502

    Joined:
    Sep 24, 2004
    Location:
    West Mids, UK
    #5
    You could use something like Little Snitch if you want to control outbound traffic of programs :)
     
  6. rueyeet macrumors 65816

    Joined:
    Jun 10, 2003
    Location:
    MD
    #6
    As a matter of curiosity, what can ipfw do via the command line that you can't do via the Apple-provided GUI? A blanket statement that "it's Bad" isn't much use if you don't say exactly WHY it's Bad.

    I'd kind of been under the impression that Apple ships the built-in firewall with only those ports that are really needed open, and all the GUI lets you do is open additional ports for specific purposes (like iTunes sharing) or close some of the major ones. Are more ports open than should be, as shipped? Or is it just that you personally like more explicit configurability?
     
  7. florencevassy thread starter macrumors regular

    Joined:
    Jun 1, 2004
    Location:
    Princeton, NJ
    #7
    Thanks for your responses!

    Thanks guys! This is a great group.
    I think I will try the Brickhouse program; I used UNIX years ago and I don't remember much of it.
     
  8. yellow Moderator emeritus

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #8
    Well, there's a lot to cover, so unless someone asks, I'll always just say "it's bad". But since you asked, here are the problems:

    I do want finer grained control in my firewall. It's just not there with the Apple GUI control. But that's a small point of contention.

    A larger point of contention is, there is NO WAY to turn on logging in the Apple control! What good is a firewall if you have no idea what is happening with it? Are you just going to press the "on" button and hope that it's doing a good job? How do you know if you're being targeted? How can you know who is touching which port? Logging is a very important part of a firewall and it's just not an option.

    And finally, the biggest problem of all..

    The Apple GUI control offers NO way to block specific IPs or ranges of IPs. It's all or nothing. This renders the firewall completely useless. It's about as effective as not running a firewall at all. Any service that is running and listening for external connections will show up through a port scan when the Mac is firewalled using the Apple-config, the same as it would if there was no firewall "running" (technically, ipfw is ALWAYS running, its default rule set is "allow all from any to any", but this is equivalent to it being "off"). You cannot specify, hey, I'll let my buddy Foo from so-and-so connect to my FTP server, but everyone else can keep the hell out.

    So, without being able to block IPs, nor have logging to know who is touching my box (no pun), Apple has rendered ipfw impotent. Its benefits are minuscule.


    Using ipfw from the command line (or BrickHouse/SunShield if you need/want GUI) allows for MUCH greater control.

    I deny most external ICMP requests, and log when they connect:

    Code:
    02003 deny log icmp from any to any in icmptype 8,10,13,15,17

    I have a blacklist of hosts that are naughty, and log when they try to connect:

    Code:
    # naughty host blacklist:
    00500 unreach host-unknown log ip from 216.42.81.141 to any in
    00501 unreach host-unknown log ip from 216.42.81.143 to any in
    00502 unreach host-unknown log ip from 211.0.0.0/8 to any in
    00503 unreach host-unknown log ip from 80.116.0.0/16 to any in
    00504 unreach host-unknown log ip from 207.103.247.50 to any in
    00505 unreach host-unknown log ip from 221.0.0.0/8 to any in
    00506 unreach host-unknown log ip from 220.0.0.0/8 to any in
    00507 unreach host-unknown log ip from 80.117.0.0/16 to any in
    00509 unreach host-unknown log ip from 210.0.0.0/8 to any in

    Unless I'm on vacation, I only allow ssh connections from a "trusted" source range of IPs, and I log all connections:

    Code:
    00935 allow log tcp from 152.16.0.0/16 to any 22 in

    I only allow DNS from "trusted" sources, limiting my exposure to DNS spoofing:

    Code:
    00920 allow udp from 209.x.x.x 53 to any in
    00921 allow udp from 209.x.x.x 53 to any in

    Etc, etc, etc,...

    No need to bore you anymore, I think you get the idea.
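
Added example, not part of any post in the thread and not ipfw's own code: a small Python model of first-match evaluation over four of the rules quoted in post #8, showing which rule decides an inbound packet and whether it is logged. It parses only the rule forms used here; rule 00936 and the sample packets are constructed assumptions.

```python
import ipaddress

# Rules 500, 502, 935 and 2003 are copied from post #8. Rule 936 is an assumed
# follow-up deny (not in the post); 65535 is the default rule the post
# describes as "allow all from any to any".
RULESET = """\
00500 unreach host-unknown log ip from 216.42.81.141 to any in
00502 unreach host-unknown log ip from 211.0.0.0/8 to any in
00935 allow log tcp from 152.16.0.0/16 to any 22 in
00936 deny log tcp from any to any 22 in
02003 deny log icmp from any to any in icmptype 8,10,13,15,17
65535 allow ip from any to any
"""

def parse_rule(line):
    """Parse the subset of rule syntax used in RULESET (not a full ipfw parser)."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "log": False,
            "dport": None, "icmptypes": None}
    i = 3 if tok[1] == "unreach" else 2      # skip the unreach code (host-unknown)
    if tok[i] == "log":
        rule["log"], i = True, i + 1
    rule["proto"], rule["src"] = tok[i], tok[i + 2]   # tok[i + 1] is "from"
    rest = tok[i + 5:]       # skip "to <dst>"; dst is "any" in every rule here
    if rest and rest[0].isdigit():
        rule["dport"] = int(rest[0])
    if "icmptype" in rest:
        types = rest[rest.index("icmptype") + 1]
        rule["icmptypes"] = {int(t) for t in types.split(",")}
    return rule

def src_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, pkt):
    """First matching rule wins, in rule-number order: (num, action, logged)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not src_matches(r["src"], pkt["src"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        if r["icmptypes"] is not None and pkt.get("icmptype") not in r["icmptypes"]:
            continue
        return r["num"], r["action"], r["log"]
    return None

RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed inbound packets; the last one falls through to default-allow.
    for pkt in ({"proto": "tcp", "src": "211.5.5.5", "dport": 22},
                {"proto": "tcp", "src": "198.51.100.7", "dport": 80}):
        print(pkt, "->", evaluate(RULES, pkt))
```

The port-80 packet reaches rule 65535 and is allowed without a log entry, which is the "equivalent to off" default the post describes.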
     
