Leopard's Firewall Criticized

rpp3po

macrumors regular
Original poster
Aug 16, 2003
172
0
Germany
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though, there is no proof-of-concept exploit, yet, that's a totally unnecessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.
 

Warbrain

macrumors 603
Jun 28, 2004
5,699
292
Chicago, IL
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though, there is no proof-of-concept exploit, yet, that's a totally unnecessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.
 

vansouza

macrumors 68000
Mar 28, 2006
1,736
3
West Plains, MO USA Earth
The sky is falling...

You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though, there is no proof-of-concept exploit, yet, that's a totally unnecessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
Thank God for hardware firewalls.
 

flyinmac

macrumors 68040
Sep 2, 2006
3,577
2,452
United States
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right. :rolleyes:
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
 

flopticalcube

macrumors G4
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
That should be more than adequate.
 

Sun Baked

macrumors G5
May 19, 2002
14,874
57
Anybody turn on the advanced settings, use stealth, then look at the logs a while later. :(

Edit: I miss the dead SPI enabled router.
 

flyinmac

macrumors 68040
Sep 2, 2006
3,577
2,452
United States
Anybody turn on the advanced settings, use stealth, then look at the logs a while later. :(

Edit: I miss the dead SPI enabled router.
From reading the article, I couldn't tell.

SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.
 

motulist

macrumors 601
Dec 2, 2003
4,082
346
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
 

flyinmac

macrumors 68040
Sep 2, 2006
3,577
2,452
United States
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
It sounds to me like they are saying that 10.5 is worse. But, I could be wrong.
 

weaverra

macrumors 6502
Sep 27, 2006
250
2
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???
 

flyinmac

macrumors 68040
Sep 2, 2006
3,577
2,452
United States
turn off Universal Plug n' Play
Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

And, I just went back through my settings, and all looks good there.

So, hopefully Leopard won't open the door on me.

Well this is somewhat disappointing.
Yes. If this is true, then Leopard will definitely be a let-down there.

Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
 

Sun Baked

macrumors G5
May 19, 2002
14,874
57
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?
He harped on NetBIOS, then said that came from the Samba package.

I looked and have Bonjour and the time server open.
 

weaverra

macrumors 6502
Sep 27, 2006
250
2
Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
Leopard (10.5). I'm no security expert, but from what I gathered something should have shown up according to their claim.

00:19 is when I allowed all incoming connections


Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
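
Firewall log lines like the ones in the post above can be tallied to show which processes were denied, which were allowed to listen on every interface, and which probes hit stealth mode. This is an added example, not part of the original thread: the sample lines are constructed in the same format with documentation addresses and a hypothetical host name, and `summarize` and the `TCP` alternative in the stealth pattern are assumptions.

```python
import re
from collections import Counter

# Patterns follow the Firewall[...] line shapes quoted in the post above.
EVENT = re.compile(
    r"Firewall\[\d+\]: (?P<verdict>Allow|Deny) (?P<proc>\S+) "
    r"(?P<action>connecting|listening) from (?P<endpoint>\S+) "
    r"uid = (?P<uid>\d+) proto=(?P<proto>\d+)"
)
# Only UDP appears in the thread; accepting TCP here is an assumption.
STEALTH = re.compile(
    r"Firewall\[\d+\]: Stealth Mode connection attempt to "
    r"(?P<l4>TCP|UDP) (?P<dst>\S+) from (?P<src>\S+)"
)
WILDCARD = {"0.0.0.0", "::"}  # listener bound to every interface

# Constructed sample (hypothetical host name, documentation addresses).
SAMPLE_LOG = """\
Oct 30 00:16:56 examplehost Firewall[40]: Deny smbd connecting from 192.0.2.10:49202 uid = 0 proto=6
Oct 30 00:16:57 examplehost Firewall[40]: Deny smbd connecting from 192.0.2.10:49203 uid = 0 proto=6
Oct 30 00:19:06 examplehost Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 examplehost Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 examplehost Firewall[40]: Stealth Mode connection attempt to UDP 192.0.2.20:49429 from 198.51.100.7:53
Oct 30 00:21:19 examplehost kernel[0]: unrelated line
"""

def summarize(lines):
    """Tally denies per (process, source), wildcard listeners, stealth probes."""
    denied, exposed, stealth, unparsed = Counter(), set(), [], 0
    for line in lines:
        if m := EVENT.search(line):
            # rpartition keeps the IPv6 "::" intact when splitting ":::631"
            host, _, port = m["endpoint"].rpartition(":")
            if m["verdict"] == "Deny":
                denied[(m["proc"], host)] += 1
            elif m["action"] == "listening" and host in WILDCARD:
                exposed.add((m["proc"], port))
        elif m := STEALTH.search(line):
            stealth.append((m["l4"], m["dst"], m["src"]))
        elif "Firewall[" in line:
            unparsed += 1  # format drift: surface it instead of hiding it
    return {"denied": dict(denied), "exposed": exposed,
            "stealth": stealth, "unparsed": unparsed}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```
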
 

Sun Baked

macrumors G5
May 19, 2002
14,874
57
Hesitant to read between the lines... What is your belief based on your observations?
They said Apple allows every process started by the user into the exceptions list ... even if you run a trojan.

Almost sounded like they stayed there til you restarted.

Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.
 

Detektiv-Pinky

macrumors 6502a
Feb 25, 2006
809
141
Berlin, Germany
This guy/site doesn't understand the Leopard firewall..
This is entirely possible. However, I honestly think that the Apple firewall is not an easily usable and confidence-inspiring product. And it is turned 'OFF' by default! :eek:

I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programs it allows incoming connections', that is not something I want my firewall to do.

So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you'd like to share it with us.
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
I have a Linksys Router with a Hardware Firewall in it.
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
 