This new firewall in Leopard is disappointing. I liked Tiger's much much better.

Glad I'm behind a router...
 
Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Well, that sounds like the kind of behaviour you'd expect from a firewall, which is, in view of this thread, kinda reassuring :)

What protocols did you scan for? Only tcp, or did you try udp, icmp, others?
 
there is nothing wrong with the leopard firewall, even if the gui is a little poorly done..

`man ipfw`
 
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

How bizarre...I didn't want to believe it, but the article is pretty clear cut.

Just to be clear to the others here: if you're behind a NAT router (and you haven't done anything weird like forward ports or DMZ), then you're still safe from attacks from the outside.

But anybody on your network would be able to attack the services that are running -- which could be problematic if you were on a public wifi, e.g. That doesn't necessarily mean they could compromise those services or take control of your computer, but it should still be a concern to Apple to send out an update ASAP.

It seems that this was on a fresh install of Leopard. When I get home tonight I'll check out the settings on my MacBook -- I upgraded from Tiger to Leopard -- and see if it actually degraded my security.
 
Steve Gibson Research

You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?
 
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

The router I'm using is a Wired Router. I don't allow wireless in the house. So, the router has no wireless capabilities.

But, it does have a firewall built-in. Basically, it is supposed to filter all incoming and outgoing communications. It appears to be pretty thorough. I've configured all the settings, and such and used various online scanners, and none of them have reported a weakness.

Hopefully, it is good. It's one of those things where you never know how good something is until it fails.

The link is rather long, so here's a tinyURL to the page with information on the router / Firewall I'm using:

http://tinyurl.com/25shvh

It definitely has more firewall features to configure than the OS X firewall. So, it seems pretty thorough. Hopefully it is as secure as it seems.
 
I think that's the point, really.

Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.

Well it's obvious that you don't but some do give a fig. I am trying to understand the concern and passion of the OP; because I don't share it. Not for lack of passion or concern but because, like you said, exercise some care about the sites you visit and after all Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.
 
The Apple firewall comes with certain default settings, you can play with it as much as you like though and configure it to your hearts desire. Just type man ipfw in the Terminal for instructions or Google ipfw (IP Firewall).

If you're not happy, do something about it rather than waiting for Apple to fix it. If you can't be bothered to learn how to fix it or do it yourself, then you are obviously happy enough with it in its current form.
 
Well it's obvious that you don't but some do give a fig. I am trying to understand the concern and passion of the OP; because I don't share it. Not for lack of passion or concern but because, like you said, exercise some care about the sites you visit and after all Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.

The issue is not so much whether something can get in and infect your system.

Rather, the issue is whether someone with time on their hands can locate your system through the internet and start browsing around through information on your hard drive.

Without an effective firewall, anyone with time and skill can get into your computer and browse around.

I've had previous alerts that have come up (before I had a firewall router) that showed IP addresses and such of users who were out on the Internet trying to find a hole in my firewall to exploit and gain access (of course I was using a software firewall at the time that reported such attempts).

I would then track down the IP address of the offender, and send a note to their Service Provider (which obviously may have done nothing, but may have been taken seriously).

Either way, if you don't have a Firewall, then the websites are not the concern to me. It's the individuals trying to gain access and looking for whatever is on your computer (or using your computer to mask what they are doing and from where).

Edit: Just for information purposes, my firewall router does offer alerting and reporting services like other software routers do.
 
I did this with allowing all incoming allowed and still passed with all green.

Same here. I tested every setting with "allow all incoming" and everything passed. Only when I set a specific port to test, one that is open for bittorrent, did it find anything.
 
If you want a serious low cost (no kidding, compared to PIX, Checkpoint, etc.) firewall... get a Netgear FWG-114P firewall/wireless router (part of the blue metal Pro SoHo series, not the white/grey plastic boxes).

It's SPI, ICSA-certified, has user-definable implicit rules (can allow/deny both inbound and outbound) and user-definable filtering, logging, NAT, VPN, syslog forwarding, email alerts/event alerts, DoS attack mitigation, TCP/UDP flood protection, MAC address auth, WEP/WPA, etc. etc.

A consumer grade software firewall may as well be no firewall.
 
Same here. I tested every setting with "allow all incoming" and everything passed. Only when I set a specific port to test, one that is open for bittorrent, did it find anything.

I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".
 
I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".

Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better. :D

BTW, I'd think if someone were trying to get through, they wouldn't be looking for specific ports but looking for any open port.
 
Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better. :D

BTW, I'd think if someone were trying to get through, they wouldn't be looking for specific ports but looking for any open port.

A person who wants in, will obviously first scan for open ports. But, knowing that firewalls attempt to hide them, they would then try deliberately entering through ports that they expect will have weaker protection or through any port that they typically have success with.

They know that just because you don't immediately see them, that they are not actually gone.

It would be a pretty wimpy hacker that would just say well, it says the doors closed, I'm done.
 
A consumer grade software firewall may as well be no firewall.

You're joking, right? The Mac OS X firewall is in no way a consumer-grade firewall. It is a firewall used in a consumer-grade product, but that does not make it any more of a consumer solution. Sure, the default setup may not be great, but with proper configuration it is just as good as any other firewall out there.
 
If you want a serious low cost (no kidding, compared to PIX, Checkpoint, etc.) firewall... get a Netgear FWG-114P firewall/wireless router ... A consumer grade software firewall may as well be no firewall.
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :eek: But if by "consumer grade" you mean NAT-only routers, and there we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI," every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

It would be a pretty wimpy hacker that would just say well, it says the doors closed, I'm done.
You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car--you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection as people certainly will be targeting you specifically, all the time!
 
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :eek: But if by "consumer grade" you mean NAT-only routers, and there we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI," every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car--you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection as people certainly will be targeting you specifically, all the time!


I can agree with that.

The issue for me, is that I have had several instances where firewall software has detected deliberate attempts to enter the system (although that was before I had a firewall router). So, it does appear that they do attempt from time to time to enter private systems.
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall".
A hardware firewall is a dedicated piece of hardware used as a firewall. Yes it uses software, but it's a hardware firewall. I use a dedicated machine as a hardware firewall running IPCOP. It's a dedicated hardware firewall. This is in contrast to a software firewall, as in Zone Alarm, which runs as a service on a personal computer.

Who knows how accurate it is, but when you see the "all ports closed, you are stealth" if makes you feel better. :D
Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.
 
The issue for me, is that I have had several instances where firewall software has detected deliberate attempts to enter the system (although that was before I had a firewall router). So, it does appear that they do attempt from time to time to enter private systems.
Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time--as little as 15 minutes! See, for example, this. The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random--initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.
 
Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.
Stealth, as relentlessly pounded into us by Steve Gibson, involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports--which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested--detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.
 
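The "open" / "closed" / "stealth" distinction argued over in the last few posts is exactly what a TCP connect() scan sees. The following is an added example, not code from the thread or from Apple: it classifies a port as open (handshake completed), closed (the host answered with a RST, i.e. it "betrays the existence of a computer") or filtered (no answer at all, which is what grc.com reports as stealth). It only probes TCP, so it would not have answered the earlier question about UDP or ICMP, and the demo uses a loopback listener so that it runs without a network. The host "127.0.0.1" and the helper functions are assumptions of this example.

```python
import errno
import socket
from collections import Counter

# Added example (not from the original post). A plain connect() scan against one TCP port:
#   open     -> the three-way handshake completed (something is listening)
#   closed   -> the target replied with RST, which proves a host is there
#   filtered -> nothing came back before the timeout ("stealth" in grc.com terms)
def probe_tcp_port(host, port, timeout=1.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # No RST comes back from an unreachable host/network either, so a
        # remote scanner cannot tell that case from a dropping firewall.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def scan_tcp_ports(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def summarize(results):
    """What an outside scanner learns: any 'open' or 'closed' answer proves the
    host exists; only an all-'filtered' result is what the 'stealth' label means."""
    counts = Counter(results.values())
    return {
        "open": counts["open"],
        "closed": counts["closed"],
        "filtered": counts["filtered"],
        "host_visible": (counts["open"] + counts["closed"]) > 0,
    }


# Demo helpers (assumed, loopback only): one real listener and one port known to be closed.
def start_local_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    srv.listen(5)                # the handshake completes in-kernel; no accept() needed
    return srv, srv.getsockname()[1]


def find_closed_local_port():
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()                  # nothing listens there now, so connect() gets a RST
    return port


if __name__ == "__main__":
    listener, open_port = start_local_listener()
    closed_port = find_closed_local_port()
    try:
        results = scan_tcp_ports("127.0.0.1", [open_port, closed_port])
        for port, state in sorted(results.items()):
            print(f"127.0.0.1:{port} {state}")
        print(summarize(results))
    finally:
        listener.close()
```

Run it against a LAN host instead of loopback and you see the point made above: with "block all" in a firewall that silently drops packets you get only "filtered", while a firewall that rejects with RST reports "closed" for every port and thereby confirms that a machine is sitting at that address. Note that a timeout is not proof of a firewall; a host that is simply down produces the same result.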
Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time--as little as 15 minutes! See, for example, this. The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random--initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.
That's true. You don't want to be naked on the net.

I just looked at my IDS log and on Saturday I had 258 intrusion detections, but most were bad traffic. However, some were the following:

MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
http://www.snort.org/pub-bin/sigs.cgi?sid=2003

MS-SQL version overflow attempt
Priority: 3 Type: Misc activity
http://www.snort.org/pub-bin/sigs.cgi?sid=2050

(http_inspect) DOUBLE DECODING ATTACK

Name: (portscan) TCP Portsweep
Priority: n/a Type: n/a

Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
An attacker may attempt to determine live hosts in a network prior to launching an attack.

I get a ton of CyberKit, MySQL attacks and port sweeps. Google has even done several port sweeps. Nothing for me to worry about, but if you leave your machine open someone will find it.
 
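The alerts listed in the post above are Snort signatures (the sid links point at snort.org), and the CyberKit entry's own description says what matters: a ping sweep is reconnaissance that precedes an attack. The following is an added example, not code from the post or from the Snort project: it parses alerts in Snort's single-line "alert_fast" format, counts them by signature and by source address, and flags sources that tripped the portscan preprocessor and then came back with a rule alert. The sample log lines are constructed for this example (documentation-range addresses, invented timestamps) and are not the poster's log; the signature ids used (1:2003, 1:2050, 1:483, 122:3 for sfPortscan, 119:2 for http_inspect) match the names in the post but the revisions are assumed.

```python
import re
from collections import Counter

# Constructed sample in Snort "alert_fast" format (not the poster's log).
SAMPLE_ALERTS = """\
10/27-03:12:41.118203  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.168.1.10:1434
10/27-03:12:44.902117  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.168.1.10:1434
10/27-05:40:02.331900  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.10
10/27-05:40:09.004512  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.168.1.10
10/27-05:41:30.771004  [**] [1:2050:8] MS-SQL version overflow attempt [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:2377 -> 192.168.1.10:1434
10/27-11:02:55.600001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.44 -> 192.168.1.10
10/27-13:17:08.248800  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 203.0.113.5:51022 -> 192.168.1.10:80
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src -> dst" (endpoints carry a port only for TCP/UDP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

PORTSCAN_GID = 122  # generator id of Snort's sfPortscan preprocessor


def split_endpoint(endpoint):
    """'203.0.113.5:1434' -> ('203.0.113.5', 1434); a bare address -> (addr, None).
    IPv4 only: an IPv6 literal contains colons and would need bracket handling."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # blank or truncated line; a real tool would count these
        d = m.groupdict()
        src_ip, src_port = split_endpoint(d["src"])
        dst_ip, dst_port = split_endpoint(d["dst"])
        alerts.append({
            "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts


def count_by_signature(alerts):
    return Counter(a["msg"] for a in alerts)


def count_by_source(alerts):
    return Counter(a["src_ip"] for a in alerts)


def recon_then_attack(alerts):
    """Sources that produced a portscan alert and later tripped a rule alert:
    the 'determine live hosts prior to launching an attack' pattern.
    Assumes the log is chronological, which alert_fast output is."""
    scanned, flagged = set(), set()
    for a in alerts:
        if a["gid"] == PORTSCAN_GID:
            scanned.add(a["src_ip"])
        elif a["src_ip"] in scanned:
            flagged.add(a["src_ip"])
    return sorted(flagged)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for msg, n in count_by_signature(alerts).most_common():
        print(f"{n:3d}  {msg}")
    print("top sources:", count_by_source(alerts).most_common(3))
    print("scanned then attacked:", recon_then_attack(alerts))
```

On the sample, the worm propagation attempts from one address are the random background noise the thread describes, while 198.51.100.7 (ping, portsweep, then an MS-SQL overflow attempt) is the sequence worth a second look, even when the target service does not exist on the Mac.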
Stealth, as relentlessly pounded into us by Steve Gibson, involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports--which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested--detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.
You're right, but I believe Tiger just closed port 113 in stealth mode. Port 113 is the identification port and what's normally used to identify a machine.
 