Firewall access

Discussion in 'Mac Basics and Help' started by Peter Franks, Jun 26, 2011.

  1. Peter Franks macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #1
    Bit confused as after a search and conflicting views...someone on here told me not to worry about putting the Firewall on, and yet plenty of others scream you should never turn it off. So what's the deal with it, and if it's as necessary as it was on Windows why isn't it on by default on the MBP? Apparently it is with the MBA. And also which settings are best to use? Block all, Auto, or stealth? I have no idea why or for what incoming connections are, so why would I need it to be off?
     
  2. simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #2
    Your router probably has a Firewall, if not (which is hardly the case) you can just turn on the Mac OS X Firewall. My Mac OS X Firewall is turned off, as my router (AirPort Extreme Base Station) has a firewall built into it.

    Mac Security Suggestions from
    Mac Virus/Malware Info by GGJstudios
    There are currently no viruses for Mac OS X in public circulation, only a handful of trojans and other malware, which have to be installed manually via entering the administrator password.
    The only anti-virus you need to protect your Mac is education and common sense.
     
  3. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #3
    And it's bad to double up? I just read turn on and put in stealth... but they don't say why? I think when you come from Windows and don't use an AV, you just figure it's odd that they say don't worry about it?
    But, when could it interfere if it's on, and is it worth using stealth or could that cause problems too?
     
  4. maflynn Moderator

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    Not really, my router has a firewall, and I have OSX's enabled.

    Check out Gibson's ShieldsUp to test your vulnerabilities
     
  5. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #5
    You know that will just make me paranoid, when I see the results :cool:
    What about this Stealth mode, making the computer almost invisible on the Internet, so hackers will be less likely to attack?
     
  6. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #6
    There's no reason not to turn the firewall on. Do it.
    You do want stealth mode. If you click the ? icon in the lower right corner of the firewall screen, it will explain the various settings. You could select “Allow only essential services” and run with that mode until you have any connection issues. If there are specific apps you want to restrict or allow access for, use the “Set access for specific services and applications.”
     
  7. Rowf macrumors regular

    Joined:
    Feb 7, 2011
    #7
    The ShieldsUp test is worth doing if you are interested in how secure your firewall is.
    If you get a good result (which, if you have set your firewall to block all incoming connections and stealth mode, is pretty likely) you will feel more at ease with your security.
    If there is a problem look into it further on the site or ask the question posting up the results, I'm sure that someone here will be able to help.
    As above, your results will more than likely be fine and you will learn a fair bit about firewalls from the site.
    Just be aware that there are some rather dramatic choices of wording on the site if you choose to read further.
     
  8. munkery macrumors 68020

    Joined:
    Dec 18, 2006
    #8
    Mac OS X is firewalled by default via sandboxing implemented on mandatorily exposed services.

    Scanning a Mac without a firewall using NMAP provides less information than scanning Windows with a firewall.

    Enabling one or both of the auxiliary firewalls adds extra layers of protection. Stealth mode has its benefits but it can also create issues, such as connection instability.

    Check out the links in my sig for more Mac security information.
     
  9. Rowf macrumors regular

    Joined:
    Feb 7, 2011
    #9
    "Scanning a Mac without a firewall using NMAP provides less information than scanning Windows with a firewall."

    Why? If it's too long to explain here a link will be fine.

    "Enabling one or both of the auxiliary firewalls adds extra layers of protection."

    By this, do you mean the router firewall and OS X firewall?

    Thanks.
     
  10. munkery, Jun 26, 2011
    Last edited: Jul 6, 2011

    munkery macrumors 68020

    Joined:
    Dec 18, 2006
    #10
    In Mac OS X, remotely accessible server side services that are turned off by default are pointed at localhost so that no information is given to NMAP regarding whether the port is being filtered or not despite a firewall not being enabled.

    Also, fewer services are enabled by default. Those services that are exposed are protected by default via the TrustedBSD MAC framework.

    NMAP often cannot distinguish a machine running a specific version of OS X in its default state from a machine running any other version of Apple OS (any OS X or iOS) as well as some variants of BSD and Linux.

    NMAP can distinguish whether or not a machine is running Windows and what version of Windows it is running. It can also determine whether or not ports are only closed or being filtered. In many cases, it can provide usernames for accounts on the machine.

    OS X uses the TrustedBSD MAC framework to provide a default measure of protection similar to a firewall.

    Beyond that, OS X has two conventional firewalls. A packet filter, called IPFW, that is capable of stateful packet inspection but is only running the most open ruleset by default so that it is fundamentally disabled. And, a socket filter (application firewall), accessible via the security preference pane, that is disabled by default.
     
  11. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #11
    Thanks guys, I know I've probably got this totally wrong, but why would I want to allow any incoming connections, or are there things online that need that access, emails, some sites etc.? But if I don't use Skype, Messenger and FaceTime etc., am guessing stealth won't hurt, unless as you say if there are connection problems, I'll know where it comes from?
     
  12. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #12
    Without incoming connections, you could never receive emails, view websites, etc.

    Really, you should learn to relax and enjoy your Mac. You don't have to worry about malware and security like you did with Windows. You don't have to run 3rd party apps to "clean" or "maintain" your Mac. Just use it and enjoy the freedom of not having to "fiddle" with it to keep it running well. Surf the web, exchange emails, chat, listen to music, edit photos, watch movies, play games.... use your Mac for what you want. It will take care of itself, as long as you don't do anything out-of-the-way foolish.
     
  13. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #13
    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Am guessing this is standard blurb below

    The string of text above is known as your Internet connection's "reverse DNS." The end of the string is probably a domain name related to your ISP. This will be common to all customers of this ISP. But the beginning of the string uniquely identifies your Internet connection. The question is: Is the beginning of the string an "account ID" that is uniquely and permanently tied to you, or is it merely related to your current public IP address and thus subject to change?

    The concern is that any web site can easily retrieve this unique "machine name" (just as we have) whenever you visit. It may be used to uniquely identify you on the Internet. In that way it's like a "supercookie" over which you have no control. You can not disable, delete, or change it. Due to the rapid erosion of online privacy, and the diminishing respect for the sanctity of the user, we wanted to make you aware of this possibility. Note also that reverse DNS may disclose your geographic location.

    If the machine name shown above is only a version of the IP address, then there is less cause for concern because the name will change as, when, and if your Internet IP changes. But if the machine name is a fixed account ID assigned by your ISP, as is often the case, then it will follow you and not change when your IP address does change. It can be used to persistently identify you as long as you use this ISP.


    It told me it's running in stealth and can't be found on one of them, and I've not even turned stealth on yet?
     
  14. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #14
    See my last post. Don't worry about Ping replies. I suggest a new hobby, other than paranoia.
     
  15. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #15
    See, I didn't know that, I thought it's purely letting people in/share etc, and that viewing sites was all outgoing stuff. What do I know?

    Good advice, thanks

    Well it thought the machine was in 'stealth' and I'd not turned that on yet, so I'll leave it, in case the stealth mode asks me what I want to allow and then I call you in the middle of the night.
    Paranoia... It's what I do best :D
     
  16. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #16
    Turn on the firewall and enable stealth mode. You really don't need to do anything else.
     
  17. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #17
    Great, will do. Now!

    Thanks, now... tell me why my battery uses up 10% in the short time, barely 20 mins, after a full charge. :rolleyes:
     
  18. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #18
    I'm guessing you're being facetious, since we discussed battery issues in the first thread you posted in this forum. I posted the Battery FAQ in that thread, which answers your question.
     
  19. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #19
    Damn, you're good!

    Using credit cards and banking on this is a whole new experience, it's weird.

    Do I leave 'Automatically allow signed software to receive incoming connections...' ticked as well?
     
  20. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #20
    That's fine.
     
  21. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
  22. munkery macrumors 68020

    Joined:
    Dec 18, 2006
    #22
    The problem with stealth mode is that it is not stealthy at all.

    When an ICMP ping request does not reach a target, the host making the request receives a "host unreachable" reply.

    Enabling stealth mode to "block, drop, or ignore" the request causes no reply to be sent. When the "host unreachable" reply is not received, then the requester knows that a target is there but it is not replying.
     
  23. Peter Franks thread starter macrumors 65816

    Joined:
    Jun 9, 2011
    Location:
    London UK
    #23
    So what are you saying? You're just talking about hackers presumably, it's not relevant to people sending emails etc..?
     
  24. munkery, Jun 26, 2011
    Last edited: Jun 26, 2011

    munkery macrumors 68020

    Joined:
    Dec 18, 2006
    #24
    If you do not have any server side services running, enabling stealth is only going to make a hacker probing your system think that you are trying to hide the system because it has exposed services.

    Without any of the services turned on, it is better not to use stealth so that the individual probing your system knows that no services are enabled to attack.

    With any of these services turned on, using stealth often makes it more difficult to troubleshoot connections with the services and stealth does not effectively hide the system anyway.

    The typical user does not have these services enabled. It is not relevant to browsing the web, sending emails, etc.

    It seems much of your interest is related to your IP address and privacy issues. Your firewall and stealth mode have no impact on websites collecting this information. To prevent websites from receiving your real IP address or other means of ID, you need to use an anonymizing service, such as Tor, or a proxy. Even then your IP address may be leaked via plugins, such as Flash. Hiding this information is not worth the effort of doing so.
     
  25. Rowf macrumors regular

    Joined:
    Feb 7, 2011
    #25
    Probably the best piece of advice you could get at the moment.

    Let's take a look at where you've got to:

    Firewall turned on and stealthed.
    No need for antivirus, sorted right?
    No need for maintenance 'cos it does it itself.
    Battery calibrated so that's healthy and ticking along.
    A basic understanding of Disk Utility and partitions.
    Getting used to Word on a mac.
    Preview sussed.

    Don't misunderstand me, this post is meant to be funny, clever, sarcastic or any of those things, I'm just laying out where you've got to in the last week or so.
    Take GGJ's advice, chill down a little, let yourself digest what you've learned so far and feel confident with it.

    I like to follow the security threads because it interests me, has done ever since I've used computer systems, Windows, Linux or OS X, hence the question to Munkery, but in the meantime I'm concentrating on learning iPhoto and getting to grips with my digital camera (I've had it 2 yrs and still struggle with it :confused:) and, oddly, learning to play the penny whistle (wait 'til I stick that one up in a GarageBand thread :) I'll integrate it into my Mac use somewhere if I try hard enough)

    You've got the basics sorted so as GGJ is quite rightly saying, don't forget to enjoy your mac.
     
