OSX Firewall configurations are broken in Tiger as well

I don't yet have Leopard, but the default configuration in Tiger (10.4.10)
is still fundamentally broken. If someone uses the configuration tool
from Preferences and explicitly denies everything (allow nothing), also
blocks UDP traffic and enables 'stealth' mode, this is what he ends up with:

02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any

20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in

(Some lines snipped)

As you see, certain UDP services are still allowed. This is nothing, however.
The ridiculous part is in the following two rules:

02065 allow tcp from any to any frag
30520 allow udp from any to any in frag

What these rules do is allow EVERY fragmented packet. So, effectively
what we have here is a severely bad implementation of the firewall configuration
tool that undermines ALL other rules. No matter what the user blocks,
these two rules allow complete unrestricted access to every service running
on the machine as if THE FIREWALL NEVER EXISTED AT ALL.
Using tools such as fragrouter, the attack process becomes extremely easy
and the firewall is completely bypassed.

I read somewhere that the reason Apple did this is because of some faulty
routers that fragmented packets but it doesn't really matter. The only way
to fix this is to stop using the graphical configuration tool in preferences
and ONLY use the command line to input manually the ipfw rules you want.
Every time you use the graphical config tool, the above rules are restored.

Apple needs to understand that security is not a collection of shiny new 'features' that appeal to people impressed by catchy words but a _CHAIN_
that is as strong as its _WEAKEST_ link. They really need to focus on this,
as the danger is clearly there (the mDNSResponder exploit comes to mind).

Also, they need to fix their graphical config tool and have it output sane
rules but also make it more powerful and give users the choice of advanced
firewall configuration without resorting to the command line.
 
Stealthed to whom

Most NAT firewalls (Linksys for example) are sufficient for 99% of the cases; they stop all but extremely dedicated hackers.

However, a firewall's main function is to block a connection attempt on a specific port. Any port you open is subject to attack. Even if the firewall is perfect and, let's say, you open port 80 (www) for people to use your web server, the web server itself can come under attack, and the application being run by your web server / application server (for example Tomcat) can come under attack. The main purpose of a firewall is to protect you at the network level; if your web server has a flaw or your application has a flaw, you are still dead meat.

Don't open any inbound ports (from the internet to your computer or network) and you should be OK 99% of the time.

However with this flaw, your chances are closer to 60%.
OK, lots of very erudite (and other) discussion here, and I've read endless articles on security over the years, retaining some of the less technical, but I have a simple, naive question:

If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

And after writing and posting this, I immediately came across a new MacWorld article about hackers entering through an established MySpace session connection, which isn't exactly what I was talking about above, but is certainly related.
 
OK, lots of very erudite (and other) discussion here, and I've read endless articles on security over the years, retaining some of the less technical, but I have a simple, naive question:

If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

Usually they don't. Your browser makes the request (e.g. AJAX via XMLHttpRequest) and there is client-to-server communication (and not the reverse).
 
If you close all your ports, turn off ping, etc., how do sites with web 2.0 features and programs like iTunes get into your computer to automatically update part or all of the page content, download new podcasts, etc? And what keeps malicious agents from doing the same thing?

It all comes down to who establishes the connection. When you lock down the firewall, you cancel the ability of outsiders to establish a connection to your computer. But it's still ok for you to establish a connection out to them, and once established, data can flow both ways, even inwards.
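The rule listing from the opening post and the point above about who establishes the connection can both be replayed offline. What follows is an added example, not code from the thread, from Apple or from ipfw itself: a small Python evaluator that models a subset of ipfw semantics (first matching rule wins, `established` = TCP with ACK set, `frag` = non-first fragment, `keep-state` = dynamic entry for either direction) and runs the quoted Tiger rules against constructed packets. The address 192.0.2.10 standing in for `me`, the remote hosts 198.51.100.7 and 198.51.100.53, and the default-deny fallthrough are assumptions of the example. It shows the two `frag` rules admitting fragments that the deny rules would otherwise stop, and how the `keep-state` rule lets the reply to an outbound DNS query back in while an unsolicited packet to the same port is denied; `fragment_bypass_rules` is the audit check to run over a listing.

```python
# Added example (not from the thread, Apple, or ipfw): first-match evaluator
# for a subset of ipfw rule syntax, replaying the quoted Tiger rule set
# against constructed packets. All addresses below are made up.
from collections import namedtuple

MY_ADDR = "192.0.2.10"  # constructed: the address ipfw's 'me' stands for here

RULE_LISTING = """\
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any
"""

# frag: non-first IP fragment; ack: TCP ACK/RST set (ipfw 'established')
Packet = namedtuple("Packet", "proto src sport dst dport direction frag ack",
                    defaults=(False, False))

def parse_rule(line: str) -> dict:
    tok = line.split()
    r = {"number": int(tok[0]), "action": tok[1], "proto": tok[2],
         "sport": None, "dport": None, "opts": set()}
    i = tok.index("from") + 1
    r["src"], i = tok[i], i + 1
    if tok[i].isdigit():                 # 'from any 67': a source port
        r["sport"], i = int(tok[i]), i + 1
    r["dst"], i = tok[i + 1], i + 2      # skip 'to'
    while i < len(tok):                  # remaining tokens are options
        if tok[i] == "dst-port":
            r["dport"], i = int(tok[i + 1]), i + 2
        else:
            r["opts"].add(tok[i]); i += 1
    return r

def parse_rules(text: str) -> list:
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r["number"])

def addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or addr == (MY_ADDR if spec == "me" else spec)

def matches(r: dict, p: Packet) -> bool:
    if r["proto"] not in ("ip", p.proto):
        return False
    if not (addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)):
        return False
    if p.frag and (r["sport"] is not None or r["dport"] is not None):
        return False  # a non-first fragment has no transport header to match
    if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
        return False
    o = r["opts"]
    if ("in" in o and p.direction != "in") or ("out" in o and p.direction != "out"):
        return False
    return not (("established" in o and not p.ack) or ("frag" in o and not p.frag))

def evaluate(rules: list, p: Packet, state: set) -> tuple:
    """First matching rule wins; returns (action, rule number)."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
    for r in rules:
        if "keep-state" in r["opts"] and (key in state or reverse in state):
            return ("allow", r["number"])  # dynamic entry covers the reply too
        if matches(r, p):
            if "keep-state" in r["opts"] and r["action"] == "allow":
                state.add(key)
            return (r["action"], r["number"])
    return ("deny", None)  # assumed default policy for this example

def fragment_bypass_rules(rules: list) -> list:
    """Audit check: 'allow ... frag' rules matching any source and any
    destination, which let fragmented packets past every later deny."""
    return [r["number"] for r in rules
            if r["action"] == "allow" and "frag" in r["opts"]
            and r["src"] == "any" and r["dst"] == "any"
            and r["sport"] is None and r["dport"] is None]

def run_demo() -> dict:
    rules, state = parse_rules(RULE_LISTING), set()
    peer, resolver = "198.51.100.7", "198.51.100.53"  # constructed remote hosts
    cases = {  # evaluated in order, so the state table carries over
        "inbound tcp 22": Packet("tcp", peer, 40000, MY_ADDR, 22, "in"),
        "inbound tcp 22 frag": Packet("tcp", peer, 40000, MY_ADDR, 22, "in", frag=True),
        "inbound udp 22 frag": Packet("udp", peer, 40000, MY_ADDR, 22, "in", frag=True),
        "outbound dns query": Packet("udp", MY_ADDR, 51000, resolver, 53, "out"),
        "dns reply": Packet("udp", resolver, 53, MY_ADDR, 51000, "in"),
        "unsolicited udp 51000": Packet("udp", peer, 53, MY_ADDR, 51000, "in"),
        "outbound http": Packet("tcp", MY_ADDR, 52000, peer, 80, "out"),
        "http reply (ACK)": Packet("tcp", peer, 80, MY_ADDR, 52000, "in", ack=True),
    }
    return {name: evaluate(rules, p, state) for name, p in cases.items()}
```

Running `run_demo()` gives the inbound TCP packet to port 22 a deny from rule 12190, but the same packet flagged as a fragment an allow from rule 02065, and an inbound UDP fragment an allow from 30520; the DNS reply is admitted by the dynamic entry that 30510 installed for the outbound query, while the unsolicited packet to the same port falls through to 35000. The evaluator is deliberately a simplification of ipfw (no `check-state`, no port ranges, no address masks); its purpose is to make the ordering argument visible, not to replace testing on the real stack.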
 
It all comes down to who establishes the connection. When you lock down the firewall, you cancel the ability of outsiders to establish a connection to your computer. But it's still ok for you to establish a connection out to them, and once established, data can flow both ways, even inwards.
Thanks to you and Johhny Salieris for your concise and understandable clarifications.

Here's an excerpt of another new article about how, when you log into a compromised site, you can easily download a Trojan (designed to attack Macs), and if using Safari, the download will proceed automatically along with the porn you wanted to watch if you give permission to "update Quicktime." Proving, I guess, there is no "firewall" for user behavior.....

November 01, 2007 (Computerworld) -- A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego of Austin, Tex. and later confirmed by Sunbelt Software, McAfee Inc., and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.
 
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.

This is exactly the reason why you should NEVER do your regular work and Web-surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.
 
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.

This is exactly the reason why you should NEVER do your regular work and Web-surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.

Edit:
Hmm, somehow I managed to post this twice. Anyhow, it is probably important enough to be read and remembered properly.
 
Can anyone explain how Leopard's firewall actually differs from Tiger's?
Are there any clear back-steps?
I just recently installed Tiger on a new iMac and its firewall was inactive at first as well. The user has to enable it and set the ports to stealth etc.
It seems to me that whenever a new OS comes out (be it Windows or OSX) there is someone screaming bloody murder about its built-in firewall.
 
Maybe someone has mentioned this, but I find I have to have the whole firewall off to do a video iChat. If I had the firewall set to block, but iChat is allowed, I can't get a video or screen sharing iChat to work.
 
This is exactly the reason why you should NEVER do your regular work and Web-surfing from an administrative account on your system.
Have a non-administrative account on your machine and USE it to do your surfing. This way it would be pretty hard for any malicious piece of code to install itself without you knowing it.

This is a good point. I've always configured my user account as a standard user account. It includes all my docs, music, pics etc. And then I have a separate admin account. If I need to install a program or otherwise need admin privileges, I can simply enter the name and password of my admin account within my daily standard user account. I generally never have to actually log into the admin account.

Just another small thing everyone can do to significantly increase security.
 
I'm worried about that thing. I have never used a Mac computer and was planning on buying one really soon until now. So I wanted some info to convince me to still go Mac. Is it still safe to use a Mac computer, and how do I avoid this trojan? The phishing thing, a similar site, makes me feel uncomfortable. Yes, I have gone to porn sites on my XPS m170, soon to be a 2 year old computer, and seen the "download the codec" thing. As far as I remember I never clicked to download; I would click the back button several times quickly to avoid seeing it again. It is my fault on that part. That's why I'm looking for a computer, namely a Mac. I set one of my goals to avoid looking at porn sites. The new experience with a Mac computer might haunt me with Leopard's criticized firewall and this trojan. So I don't want to waste my money on a new computer if it is going to get dirty and infected. Let me know about the security of Mac computers. Sorry for being a newb. Thank you.
 
Also, is there a suggestion that I should wait for a better MacBook in January? I don't want the pricey MacBook Pro, so omit that. I was planning on buying the new MacBook (black) by this coming Friday so I can play with it when I get home from college for Thanksgiving. Any suggestions about problems with Leopard and the time to buy a MacBook would be helpful. Thank you.
 
You probably would be best served by doing a search or looking in the MacBook & MacBook Pro forums. Here is a thread that might help you with your decision.

https://forums.macrumors.com/threads/379594/

Also, is there a suggestion that I should wait for a better MacBook in January? I don't want the pricey MacBook Pro, so omit that. I was planning on buying the new MacBook (black) by this coming Friday so I can play with it when I get home from college for Thanksgiving. Any suggestions about problems with Leopard and the time to buy a MacBook would be helpful. Thank you.
 
To start with, there are devices which are dedicated firewall appliances that run a dedicated firewall OS on them. Many of these devices actually perform the screening in the hardware via programmable ASICs. OK, it's still "software" running on dedicated chips, but the traffic is not handled by the operating system and is not inspected by the general processor.

Could you give a few examples. Last I checked (which, admittedly, is quite some time ago), no commercial firewall appliances were doing filtering at the ASIC level (I guess this would simply be because reprogramming the ASIC each time you wanted to change a rule isn't efficient).

EDIT : I was wrong on that count. Some companies appear to use ASICs to insert firewall rules in their routing components, like Juniper and Fortinet. I haven't found anything beyond commercial buzzwords, though, so I'm not sure exactly what they do. Still, it seems to me they remain a minority, for high-end firewalls.

The fact that they run a dedicated OS or not doesn't seem relevant, and neither would the fact that the OS is some tweaked version of Linux or *BSD, or rather some completely closed and dedicated solution like Nokia's IPSO for Checkpoint firewalls.

My real point is : yes, there are different kinds of firewalls. But the real difference is between Application Level Firewalls (a la ZoneAlarm), which try to identify the application itself, whether for incoming or outgoing connections, and the more traditional IP stack-based firewalls, whatever extensions, protocol helpers and the like they may use.

Why make the difference here instead of between "software" and "hardware" firewalls? Because you can have an IP-based firewall on your desktop : this is exactly what ipfw does on your MacOS box. Using ipfw on your desktop or laptop, then using it to build a dedicated firewall on a dedicated server at the edge of your network does not magically change the nature of ipfw from a "software" to a "hardware" firewall.
 
It's unbelievable. Mr. Schmidt, the author of the heise security articles, now describes the new Leopard firewall with these words:

"The background to all this is that, in contrast to Tiger, the firewall in Leopard no longer operates at the packet level but rather it works with applications, to which it permits or denies specific network activities. In order to unambiguously identify applications, Apple uses code signatures, something which has also been introduced for the first time in Leopard. Certain applications signed by Apple are automatically permitted to communicate with the network past the firewall without showing that in the user interface -- even if the firewall is set to "Block all incoming connections".

By contrast, if an application which does not have a valid signature opens a network port, the firewall swings into action. In the "Block all incoming connections" state, it blocks incoming connections to unsigned services and records this with entries such as:

Deny evilserver connecting from 10.10.22.75:60957 uid = 0 proto=6

In restricted mode, simply trying to start a service brings up a window asking the user for permission. The user can then allow or forbid this. The system records this choice and enters it into the firewall's exceptions list. To achieve this, Apple furnishes unsigned programs with a digital signature in the process. If changes are made to the program subsequently, the permission is withdrawn."

http://www.heise-security.co.uk/news/98492

In his first articles, Mr. Schmidt didn't know anything about code signatures or an application-based firewall. Maybe it would be better for all if Mr. Schmidt first studied the new Apple OS security design before he wrote his articles. It's only FUD.
 
Apple has posted this explanation of the Leopard firewall now.
http://docs.info.apple.com/article.html?artnum=306938

Clearly it is application-centric.

IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

Did they even make a list of common usage scenarios in the design phase, or did they just get carried away with the wonders of application-centricity?
 
Apple has posted this explanation of the Leopard firewall now.
http://docs.info.apple.com/article.html?artnum=306938

Clearly it is application-centric.

IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

Did they even make a list of common usage scenarios in the design phase, or did they just get carried away with the wonders of application-centricity?


Yep, I just read their new article on the Apple site.

Glad I have the firewall built-in to my router. This new Leopard one seems a bit simple and more for those who assume they are already mostly safe anyway.

It's probably good enough for those who know little, and don't think anyone would try to get into their system. But, for those who are concerned about security, this seems to be a major step backwards.

Why is Microsoft improving in security, and Apple is trying to go backwards. Are we in Bizarro land now?


If it were my primary firewall, I would feel very open and exposed.
 
IMO the most common scenario for a home user is to want to stealth all ports on their computer to make themselves invisible to attackers. Unfortunately this new firewall doesn't allow for that.

That's true for home users, and that's even more true when you intend to use your laptop on the road.

Ah, well, at least they're confirming that ipfw *does* override the Application Level Firewall rules.
 
I'm new to Mac. I bought a Mac Pro two weeks ago and today I've looked into Apple's Firewall for the first time because I was debugging a network problem in my LAN.

After reading Apple's article "About the Application Firewall" I really can't believe that they released a firewall with such a flawed security concept. In my opinion the key problem is that they seem to think that their users *only* want to be protected from malicious 3rd-party software.

However, they completely ignore the fact that we also need protection from flaws (e.g. buffer overruns) in Apple's *own* (system) software! Digitally signing a program and thereby allowing all incoming traffic just because it's from Apple and they think it's flawless is a ridiculous security concept!

Also, not showing all the digitally signed applications (which are allowed to receive traffic!) in the Firewall security preferences is simply *misleading*. I bet most users would be upset if they saw the entire list.

Finally, disabling the firewall by default? What were they thinking? "Apple Leopard - Insecure by default" maybe?
I'm not impressed!
 
yeah that is a risk everyone is taking now but it's being talked about more as they are releasing new products. also, just because it is harder to have problems and viruses, etc. on an Apple than on a Windows PC doesn't make it right for them to leave it open and vulnerable like that. disabling the firewall? gotta be kidding me..
 