Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???
This new firewall in Leopard is disappointing. I liked Tiger's much much better.
Glad I'm behind a router...
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof of concept exploit yet, that's a totally unnecessary design flaw, one even a freshman CS student wouldn't be allowed to turn in.
From the article (German heise magazine):
I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?
This is nonsense.
To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.
Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it?
That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple!
However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.
Well, it's obvious that you don't, but some do give a fig. I am trying to understand the concern and passion of the OP, because I don't share it. Not for lack of passion or concern, but because, like you said, you exercise some care about the sites you visit, and after all Leopard is UNIX.
If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.
I did this with "allow all incoming" enabled and still passed with all green.
Same here. I tested every setting with "allow all incoming" and everything passed. Only when I set a specific port to test, one that is open for bittorrent, did it find anything.
I would have concerns about the accuracy of that test then.
A person trying to get through a firewall is going to be checking for specific ports. They're not just going to say "show me what's open".
Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better.
BTW, I'd think if someone were trying to get through, they wouldn't be looking for specific ports but looking for any open port.
A consumer grade software firewall may as well be no firewall.
> If you want a serious low cost (no kidding, compared to PIX, Checkpoint, etc.) firewall... get a Netgear FWG-114P firewall/wireless router ...
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines.
> A consumer grade software firewall may as well be no firewall.
But if by "consumer grade" you mean NAT-only routers, then we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI"; every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!
> It would be a pretty wimpy hacker that would just say well, it says the door's closed, I'm done.
You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car: you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection as people certainly will be targeting you specifically, all the time!
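The "solicited or unsolicited" decision described in the post above, as an added example that is not from the thread and not any vendor's actual SPI algorithm: a toy connection table that admits inbound packets only when an inside host started the flow. The `Packet` class, `StatefulFilter` and all addresses are constructed for the illustration.

```python
# Added example: a minimal stateful packet filter. Real routers track far more
# (sequence numbers, UDP pseudo-flows, timeouts); this shows only the core idea.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN, "R" RST


class StatefulFilter:
    """Remember flows the LAN side opened; admit only replies to those flows."""

    def __init__(self) -> None:
        # Entries are (inside ip, inside port, outside ip, outside port).
        self.table = set()

    def outbound(self, p: Packet) -> str:
        # Traffic leaving the LAN is allowed; a bare SYN creates connection state.
        if "S" in p.flags and "A" not in p.flags:
            self.table.add((p.src, p.sport, p.dst, p.dport))
        return "allow"

    def inbound(self, p: Packet) -> str:
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.table:
            # Nobody inside asked for this packet: an unsolicited probe or
            # connection attempt, which is exactly what SPI drops.
            return "drop"
        # A reply to a flow we recorded. Forget the flow once the remote side
        # finishes (FIN) or aborts (RST) so later stray packets are unsolicited.
        if "F" in p.flags or "R" in p.flags:
            self.table.discard(key)
        return "allow"


if __name__ == "__main__":
    fw = StatefulFilter()
    lan, web = "192.168.1.10", "203.0.113.5"  # constructed sample addresses
    fw.outbound(Packet(lan, 50000, web, 80, "S"))
    print(fw.inbound(Packet(web, 80, lan, 50000, "SA")))      # allow: solicited
    print(fw.inbound(Packet("198.51.100.7", 40000, lan, 445, "S")))  # drop
```

Note that a NAT-only router with a port forward in place passes the unsolicited SYN straight to the inside host; the state table is what makes the difference the post describes.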
> This is nonsense.
> To begin with, there's no such thing as a "hardware firewall".
A hardware firewall is a dedicated piece of hardware used as a firewall. Yes it uses software, but it's a hardware firewall. I use a dedicated machine as a hardware firewall running IPCOP. It's a dedicated hardware firewall. This is in contrast to a software firewall, as in Zone Alarm, which runs as a service on a personal computer.
> Who knows how accurate it is, but when you see the "all ports closed, you are stealth" it makes you feel better.
Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.
> The issue for me is that I have had several instances where firewall software has detected deliberate attempts to enter the system (although that was before I had a firewall router). So, it does appear that they do attempt from time to time to enter private systems.
Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time, as little as 15 minutes! See, for example, this. The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random, initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.
> Stealth just means that port 113 does not respond to pings. However this doesn't mean that outbound ports are closed. So technically not all ports are closed.
Stealth, as relentlessly pounded into us by Steve Gibson, involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports, which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested: detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.
> Absolutely, all the time. The latest estimates I've read indicate that an unprotected, unpatched Windows machine connected to the internet will be compromised in an astonishingly short time, as little as 15 minutes! See, for example, this. The thing to understand, however, is that these "attacks" you see in your firewall log are almost certainly random, initiated by automated scanning routines downloaded from the internet by teenagers with too much free time on their hands and used to look for vulnerable machines to screw with. Or, spammers and phishers looking for easy targets. That is why, in home network security, a little protection goes a long way.
That's true. You don't want to be naked on the net.
> Stealth, as relentlessly pounded into us by Steve Gibson, involves much more than port 113. It means that there is no evidence whatsoever that a computer even exists at a given IP address. This is not the same as closed ports, which respond that they are "closed," and thus betray the existence of a computer. Although I'm with Gibson on this (invisibility is better), this viewpoint is not uncontested: detractors argue that stealthing machines is not compliant with Internet design and actually generates more nuisance traffic than a simple "closed" response.
You're right, but I believe Tiger just closed port 113 in stealth mode. Port 113 is the identification port and what's normally used to identify a machine.
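The open / closed / stealth distinction argued over in the posts above, as an added example that is not from the thread: a single TCP probe against your own host, classified by what comes back. A "closed" port answers with a TCP RST (the connection is refused, so the host has revealed itself), while "stealth" means nothing came back before the timeout, which is what a firewall in block/stealth mode produces. It probes loopback listeners it constructs itself; `probe_port`, `start_listener` and `free_closed_port` are names I chose.

```python
# Added example: classify one TCP port probe the way the "stealth" test pages do.
#   open    -> handshake completed, a service is listening
#   closed  -> TCP RST received: no service, but the host betrayed its existence
#   stealth -> no reply at all before the timeout (firewall silently dropped it)
import socket


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"           # the host answered with RST
    except socket.timeout:
        return "stealth"          # silence: the packet was dropped
    except OSError as e:
        return f"error: {e.strerror}"  # e.g. no route to host
    finally:
        s.close()


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed sample service: a listening socket on an OS-chosen free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port with nothing listening: bind, read the number, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = start_listener()
    print("listener   :", probe_port("127.0.0.1", srv.getsockname()[1]))  # open
    print("unused port:", probe_port("127.0.0.1", free_closed_port()))    # closed
    srv.close()
```

Loopback is never filtered, so the "stealth" branch only shows up when you probe a machine whose firewall drops unsolicited SYNs (nmap reports the same outcome as "filtered").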