OSX Firewall configurations are broken in Tiger as well
I don't yet have Leopard, but the default configuration in Tiger (10.4.10)
is still fundamentally broken. If someone uses the configuration tool
from preferences and explicitly denies everything (allow nothing), also
blocks UDP traffic and enables 'stealth' mode, this is what he ends up with:
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
(Some lines snipped)
As you see, certain UDP services are still allowed. This is nothing however.
The ridiculous part is in the following two rules:
02065 allow tcp from any to any frag
30520 allow udp from any to any in frag
What these rules do is allow EVERY fragmented packet. So, effectively,
what we have here is a severely bad implementation of the firewall
configuration tool that undermines ALL other rules. No matter what the user
blocks, these two rules allow complete unrestricted access to every service
running on the machine as if THE FIREWALL NEVER EXISTED AT ALL.
Using tools such as fragrouter, the attack process becomes extremely easy
and the firewall is completely bypassed.
I read somewhere that the reason Apple did this is because of some faulty
routers that fragmented packets but it doesn't really matter. The only way
to fix this is to stop using the graphical configuration tool in preferences
and ONLY use the command line to input manually the ipfw rules you want.
Every time you use the graphical config tool, the above rules are restored.
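To audit a box for this condition without reading the ruleset by hand, here is a small added checker (my code, not Apple's and not from the original post) that parses `ipfw list` output, flags the unrestricted fragment allow rules and the inbound UDP allows that survive "block UDP", and emits the ipfw delete commands for the fragment rules. The embedded listing is a constructed sample built from the rules quoted above.

```python
import re

# Constructed sample input: the rule listing quoted in the post, in the format
# `ipfw list` prints on Tiger after "allow nothing" + block UDP + stealth mode.
IPFW_LISTING = """\
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
"""
# number, action, proto, src [src-port], dst, remaining options
RULE_RE = re.compile(r"^(\d+)\s+(allow|deny)\s+(\S+)\s+from\s+(\S+)(?:\s+\d+)?\s+to\s+(\S+)\s*(.*)$")

def parse_rules(listing):
    """Parse `ipfw list` output; lines that are not rules are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, dst, opts = m.groups()
            rules.append({"num": int(num), "action": action, "proto": proto,
                          "src": src, "dst": dst, "opts": opts.split()})
    return rules

def frag_allow_rules(rules):
    """Numbers of 'allow ... frag' rules with no address restriction: they
    match fragments before the deny rules further down are consulted."""
    return [r["num"] for r in rules if r["action"] == "allow"
            and "frag" in r["opts"] and r["src"] == r["dst"] == "any"]

def udp_inbound_allows(rules):
    """Inbound UDP allow rules that survive the GUI's 'block UDP' setting."""
    return [r["num"] for r in rules if r["action"] == "allow"
            and r["proto"] == "udp" and "in" in r["opts"] and "frag" not in r["opts"]]

def remediation_commands(listing):
    """ipfw commands (run as root) that delete the fragment allow rules;
    re-run them after any use of the GUI tool, which restores the rules."""
    return ["ipfw delete %d" % n for n in frag_allow_rules(parse_rules(listing))]
```

On a live system feed it the real output of `sudo ipfw list` instead of the sample; any non-empty result from frag_allow_rules means the GUI-generated rules are back.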
Apple needs to understand that security is not a collection of shiny new
'features' that appeal to people impressed by catchy words but a _CHAIN_
that is as strong as its _WEAKEST_ link. They really need to focus on this,
as the danger is clearly there (the mDNSResponder exploit comes to mind).
Also, they need to fix their graphical config tool and have it output sane
rules, but also make it more powerful and give users the choice of advanced
firewall configuration without resorting to the command line.