10.6 Stealth mode on, system profiler disagrees

[KyleAwesome]

So just out of curiosity I was messing around in system profiler tonight and happened on the firewall tab. Never really took a look to see what it said until tonight. I have stealth mode enabled, and have ever since I installed SL but the profiler seems to think otherwise?



Any ideas as to why?

 

[Morod]

No idea, but mine is the same as yours. I have stealth enabled, but System Profiler says not.
It may be time to check it out at grc.com.

 

[KyleAwesome]

anyone else experiencing the same "issue"?

 

[PeteB]

Same for me as well.

 

[Keeval]

It is showing the same for me - Firewall Stealthed, but not in System Profiler.
I just did a Shields Up check on www.grc.com and got a perfect Stealth score so it looks like it's system profiler that is wrong.

 

[PeteB]

It is showing the same for me - Firewall Stealthed, but not in System Profiler.
I just did a Shields Up check on www.grc.com and got a perfect Stealth score so it looks like it's system profiler that is wrong.

That's odd. GCR correctly says that my ports are in stealth mode, however, it's reporting that my computer is responding to pings. Surely if my firewall is in "stealth" mode, it shouldn't be responding to any ICMP ping requests?

 

[Keeval]

That's odd. GCR correctly says that my ports are in stealth mode, however, it's reporting that my computer is responding to pings. Surely if my firewall is in "stealth" mode, it shouldn't be responding to any ICMP ping requests?

I shouldn't think so... as you say odd.
Do you have any equipment between your machine and the internet that might be responding?

I have a router/firewall/wifi/DSL base that the iMac is plugged into and that might be screening out the ICMP packets for me though. Not really sure how to confirm it though as if I bypass it I can't get on the internet!

 

[PeteB]

I shouldn't think so... as you say odd.
Do you have any equipment between your machine and the internet that might be responding?

I have a router/firewall/wifi/DSL base that the iMac is plugged into and that might be screening out the ICMP packets for me though. Not really sure how to confirm it though as if I bypass it I can't get on the internet!

It might be my router that's responding. I have no other wireless devices on at the moment apart from my MacBook.

 

[RandomKamikaze]

Note the following from GRC when using a NAT router to test ShieldsUP!

Checking a NAT Router's WAN Security

Residential broadband "NAT" routers which allow many computers to share a single Internet connection are becoming quite popular. We love them for the security they provide to the machines placed behind them since any NAT router functions as a natural and excellent hardware firewall.

However, the Internet or "WAN" (Wide Area Network) side connection of many NAT routers and DSL gateways is not as secure as it should be. Many routers ship with web, ftp, or Telnet management ports wide open! And many are still configured with their well-known default administrative passwords. Although the router may be protecting the machines behind it, it might not be protecting itself without your deliberate closing of remote "WAN" administration ports.

ShieldsUP! automatically tests your NAT router's WAN-side security because the router's WAN IP is the single public IP that connects your internal private network to the public Internet. When a test is initiated by any system behind a NAT router, we are testing the public-side security of the router itself and not the security of the individual machines which are located behind and protected by the router.

So you aren't really testing your computer, but rather your NAT router. If you wanna test your computer, you're going to need to put it directly on to the Internet.

And staying on topic, I have the same as well, but my laptop is indeed hidden on networks and no-one can connect to it

 

[PeteB]

So you aren't really testing your computer, but rather your NAT router. If you wanna test your computer, you're going to need to put it directly on to the Internet.

As far as I understand it, GCR is testing a combination of router and computer. Both have the capability of enabling firewalls.

What I don't understand as yet is whether the 10.6 firewall is functioning in full stealth mode, or whether other people simply have their router set up to deny ping requests.

Regardless, my system appears to be perfectly safe (according to GCR).

 

[Keeval]

I just attempted to ping my iMac from my MacBook Pro which is on the same internal network - and nothing.. no response from it. I also tried to telnet to it -nothing either.

Looks like it's fine. Can you try something similar?

Edit: If you can connect to your router - you might be able to ping your machine from it.

 

[RandomKamikaze]

As far as I understand it, GCR is testing a combination of router and computer. Both have the capability of enabling firewalls.

I think the only one that tests your computer is the File Sharing test which checks for the local Internet Service running. The other seem to be either blind or router based checks. The full port scan would appear to terminate on the router. The only reason it would get to your computer is if you have port forwarding enabled, or a crappy firewall.

What I don't understand as yet is whether the 10.6 firewall is functioning in full stealth mode, or whether other people simply have their router set up to deny ping requests.

Regardless, my system appears to be perfectly safe (according to GCR).

The easiest way is to stick it on a network, such as your own, and then get another computer, and then try and hack your own computer.

 

[PeteB]

Looks like the firewall is working fine then. Since my router was supplied and configured by my TV/Internet provider, I won't mess with it. Overt much doubt that it's a serious security risk if my Internet devices themselves are locked down.

 

[netnothing]

Same thing here.....System Profiler shows it off, but it's on.

Don't know about anyone else, but with Stealth mode on, I'm getting all kinds of Notice messages in Console like this:

Sep 4 19:11:11 Firewall[79]: Stealth Mode connection attempt to UDP 192.168.2.6:53652 from 68.87.73.242:53

Any stealth mode attempts should be logged in the appfirewall.log.

BTW.....that address is my Comcast DNS server for some reason sending UDP requests....no idea why!

-Kevin

 

[broken-chaos]

Stealth mode is working properly. It seems to be only a System Profiler bug.

Ping attempt:

Lightning:~ broken_chaos$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- localhost ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

Console log:

2009-09-05 03:55:00	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:01	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:02	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:03	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

 

[KyleAwesome]

Stealth mode is working properly. It seems to be only a System Profiler bug.

Ping attempt:

Lightning:~ broken_chaos$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- localhost ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

Console log:

2009-09-05 03:55:00	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:01	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:02	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
2009-09-05 03:55:03	Firewall[57]	 33300 Deny ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0

I've also confirmed this after trying some pen testing and running GFI languard, that in fact system profiler is misreporting the firewall state...