Gibson Research's tests are very reliable - the "full" port scan hits ports 0-1055 sequentially and gives specific results on each. You can also specifically choose to scan any ports beyond that range (though I don't have the time or real concern to hit all 64K ports!)

I just completed all tests--on a public network--on both 10.5 through Camino and XP through Firefox and have a full stealth posture on each. Much better than my old native Win98 Frankenputer.

On a side (but semi-related) note, I am also now seeing a bunch of other PC's & Macs (at least a dozen different ones so far) out there in the sidebar. Most of the Macs are offering up Screen Sharing. I'm pretty sure they're all on the same network as I am in the hotel, but it's still a little unnerving. ALL of my sharing is now off, to be turned on only as needed. Just a little too much like walking around with my fly unzipped...

I would have taken the chance to try to screw around with the person's screen and told them that they really should turn it off.

It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

I have to say that is an insane number to get. Since starting to use a PC back with Windows 95 I can count on one hand the number of viruses I have gotten. One of them was just plain stupidity on my part and I installed a trojan; the other was MSBlaster off a fresh reformat that I had walked away from for a while on my college campus network, which makes it very easy to pick it up. Both my fault.
Now I have seen my AV software log a few, but it was off files sent to me by someone else or that I downloaded in a risky area. It really only takes very minor proactive protection to stop everything.

Now if you leave a computer unprotected, viruses seem to multiply very quickly (that could explain your 1-5 a day: you had some viruses that you never knew about). Someone in the dorms whose computer I spent the better part of a few hours cleaning up had no AV software, and we got Symantec Corp. Ed. installed and then ran it. I believe it removed 150+ viruses off the computer. They multiply because they start leaving you open to other viruses that will get themselves installed. Got to love how they breed.
This virus scan was followed by a spyware scan, and that removed well over 1k worth of crap. His computer worked night and day difference.

As for the random virus that caused it to be brought to my attention and caused me to have to start working on it, it is a good laugh. It was something that was making him print all sorts of random crap. All those poor thieves out there taking stuff from this computer ended because of a printing virus.
 
I turned my firewall on. Now where is the firewall for my AirPort Extreme Base Station (802.11g)? I can't seem to find it in the new AirPort Admin Utility.
 
I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING.

Same here. I've been using Windows since 3.1, and I've also had ONE virus. It was a DOS virus that added an echo statement to autoexec.bat.

Windows doesn't get viruses unless you download and run a program that has a virus in it. It's just common sense - don't click on things that say "free screensaver - best program ever 100% free click here!"
 
There ought to be a few people out there that are proficient with Unix. Some of you must be familiar with ipfw (Apple's firewall). Can someone post some suggested settings for ipfw? A tutorial for us who want to build the best firewall protection possible?
 
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.

I agree. Tiger's firewall was excellent. Easy to use and could easily be changed to open and close any or all ports. In Leopard they moved it and made it more confusing and more complicated than it needed to be. I couldn't even open my firewall logs. I'd click the button and nothing would happen. I think it may be time to get one of the old computers from storage and build myself a hardware firewall.
 
Can anyone explain to a noob what decent Network settings would be for a MacBook that joins a variety of wired / wireless networks, for a reasonable level of security?
 
I'm sorry, I guess I'm a little confused right now, because it seems everything was "automatic" in Tiger before I upgraded to Leopard.

As a college student using a new MBP via ethernet, what should I do in terms of changing settings to set up the firewall and ensure security? Under "Firewall" under System Preferences, I changed it to "block all incoming connections", and under "Advanced", clicked "Enable Stealth Mode"; "Enable Firewall Logging" was already selected. Is this good enough? I made these changes just by glancing at a few of the posts scattered throughout. Sorry if I sound paranoid, but I'm kind of concerned...
 
I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.


I've had a PC for 7 years and I've NEVER gotten a virus on it (had to clear spyware off before, though) and I've had broadband for over 3 years now and internet access from day 1. I guess it matters WHAT you download. And I've never used IE on it on any kind of regular basis (went from Netscape to Mozilla to Firefox for my regular browser).

It's kind of hard to get a virus on a Mac when there really aren't any out there to get.... Still, you'd think Apple would improve their firewall from Tiger, not make it worse. I can't even put Tiger on this Mac (dual 553 G4) without buying an accelerator card so I guess it'll stay Tiger and be used mostly for Internet browsing and downloading. Hopefully the new Macbook will at least have the newer Santa Rosa integrated graphics so I can get my first Intel Mac (waiting on MacPro to update graphics cards before I consider one for a desktop; I hate the new iMacs so no show there...possibly a MacMini for now if it gets better graphics too, though. I don't need bleeding edge, just the ability to run current games at a reasonable rate. I need the laptop for LogicPro8 music production and pinball game development under WinXP or Vista).
 
I am sure you could recount every one if it was a Mac, Shucks. :rolleyes:
Someone maliciously posted that old iChat trojan on MacRumors.

So 1 trojan to say maybe 1-2 Windows junk?

I think we can all say we have ancient Windows experience. No need to compare. :rolleyes:
 
This is regarding the new(er) AirPort Extreme Base Station (802.11n/gigabit):

Still, if all other routers are set as stealth, why isn't Apple's? I asked Jai Chulani, the senior product manager for the Airport Extreme, why this router doesn't have a feature found on almost all its competitors' products. Chulani argued it's not that important for a router to operate in stealth mode, and then made a very Applesque point:

"We decided it doesn't add enough value. We're not going to add something just because the other guy is doing it."

http://blogs.chron.com/techblog/archives/2007/05/just_how_important_is_it_to_be_stealthy_on_th.html

...

[Steve Gibson] also made the point that, while Apple may not provide a stealth mode for its routers, its Mac OS X operating system includes the feature in its built-in firewall. In the System Preferences, click on Sharing, the Firewall button, then Advanced.

Apparently, our AirPort routers will fail GRC's Shields Up stealth tests. However, enabling stealth mode in Mac OS X's software firewall sort of makes up for it.
 
The new Leopard firewall SUCKS. I want the good old fashioned "allow this port, block that port" firewall that Tiger had.


And, for most people, your basic router works as a firewall by design. Your computer is on a private network; it cannot be directly accessed from the outside world without port forwarding or DMZ. Let's say there's an attack that exploits a service running on port 12345. So an attacker tries to connect to your IP at port 12345, and unless you have that port forwarded, or you DMZed your computer, your router has no idea what to do with that packet and drops it. So that's why you don't do DMZ, and only forward when you need to.

I had the Tiger firewall enabled just for that extra layer of security (although really isn't needed since I'm behind a router) but I disabled the Leopard firewall. I'm not going to mess with that piece of junk.
 
I'm curious, but aren't almost all the options except for Bluetooth sharing turned off by default in Leopard? It is (at least) on mine...

I have to agree, I'm in my dorm right now (do we have firewalls, or am I in "the wild"?), and it's really awkward and unsettling to see a bunch of people's computers right in my Finder. I'll be honest, I don't like this one bit.
 
Just because you see them, doesn't mean they can see you. They have some type of sharing turned on. I wouldn't worry about it too much. If your firewall is on, and sharing is off, you should be fine.
 
Yep, they dorked this up.

Although knowing what each port number did seemed like needless esoteric knowledge, the descriptions were usually good enough to figure out what it did. The new system removes all the old information and becomes more opaque.
Do I want iTunes to allow incoming connections? Or not? It's not easy for the user to know and you can't make granular decisions because it appears to be based entirely on the applications.
 
Easy way to solve that:

Simple Mode and Advanced Mode.

Simple Mode would be the app-based thing like Leopard has now, Advanced Mode would be pre-Leopard firewall.
 
That's funny, I was just thinking the same thing. The advanced section should give more options for allow/disallow. Sometimes knowing that the iChat port is blocked by the firewall is helpful.
 
From the firewall help topic... (it's obvious that the firewall is utilizing the new trust abilities that code signing allows to simplify management of the firewall by the average user)

Setting firewall access for services and applications
Mac OS X includes a firewall: a security measure that protects your computer when you’re connected to a network or the Internet. If you turn on a sharing service, such as file sharing, Mac OS X opens a specific port in the firewall for the service to communicate through. When you open the Firewall pane of Security preferences, any sharing services turned on in Sharing preferences, such as File Sharing or Remote Apple Events, appear in the list.

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access.

IMPORTANT: Some programs have access through the firewall although they don’t appear in the list. These might include system applications, services, and processes (for example, those running as “root”). They can also include digitally signed programs that are opened automatically by other programs. You might be able to block these programs’ access through the firewall by adding them to the list.

To add an application to the list, select “Set access for specific services and applications” in the Firewall pane of Security preferences, click Add (+) at the bottom of the list, and then select what you want to add. After the program is added, click its up and down arrows to allow or block connections through the firewall.

Blocking a program’s access through the firewall could affect the performance of other applications and services you use.
 
I always love when I see these I've run Windows since before Windows existed and I never got a virus. Congratulations. Let me share a short story.

I did a fresh install, silly me I left the cable connection in, I go to start downloading the security packs and Internet Explorer (which accesses the Windows Update) stays open for a bit then closes. This happens repeatedly. I'm confused. This is a fresh install, I think to myself, whiskey tango foxtrot? So I install Norton and it finds a worm but it can't get rid of it. It has to restart the computer to fix it. I say, to hell with that, unplug the machine from the net, do a new fresh install and then Norton afterward. Plug back in to download the updates, Norton catches the worm before it can install.

So I got infected without visiting anywhere. I'm sure there are others who have similar experiences. Please don't clog a good thread with your blame the user nonsense. Sorry for going off topic.
 
You need to take into account internet background radiation.

An unprotected and non-updated Windows installation will just pick who knows what up.
 
Of course the media is gonna have a hay day with this, but I think it's gonna be funny when it comes out it's not as they say it is. I find it interesting how these other researchers and analyst like to base their comments on what a security magazine says having not even tried it themselves. I'm calling bull on this whole claim. There probably is a reason :apple: hasn't contacted them for help. :D
 
Not being able to set specific ports for programs is irritating me to no end. Not only that, I can't turn the damn firewall off so I can use a third party one.....
 
So it's very apparent we all agree that the Leopard firewall sucks. Instead of beating a dead horse....may I suggest we not encourage the problem and for those of us running our computers constantly in Admin, take an extra step and do all your day to day computing as a "Standard User" mode.

I read that piece of advice on MacWorld.com once and have been doing it every since. I run in Standard User, then I do maintenance tasks in Admin....then for random people I don't really trust, or people I know that are going to download a lot, I have the Guest Account option enabled.

That way when the unthinkable happens and OS X has a security flaw like this...we're all prepared.

If you wanna get really stringent you could also change your Keychain login...
 
Actually, although I'm a BIG fan of Netgear routers, I would consider them to be consumer- or at best SOHO-grade machines. :eek: But if by "consumer grade" you mean NAT-only routers, and there we are in pretty good agreement. NAT provides some protection, but a stateful packet inspection (SPI) router that actually examines each packet to determine whether it is solicited or unsolicited is a major step up in security. The problem, however, is that there is no standard implementation for "SPI," every vendor implements his own algorithms, which means that not all SPI routers are created equal. Presumably, what you pay for when you move from Netgear equipment to SMB equipment to enterprise-class gear is more sophisticated and robust algorithms, but few of us really have the competence to assess this, so at the end of the day you must trust that your vendor has done a good job. Hey, you have to trust somebody!

You're certainly correct if the hacker is specifically targeting YOU, but for most of us as private citizens, the real threat comes from "script kiddies" and hackers looking for random vulnerable machines on the internet to host zombies, spambots, etc. In this scenario, securing your home network is like securing your car--you can't make it impervious to the most determined attacker or thief, but you can harden it to the point where the most likely attackers will simply move on to a softer target. If you're running a decent SPI firewall and haven't done anything stupid to the firewall configuration, and you're running WPA or WPA2 wireless security with a strong key, as a home user you're going to be fine. If you are Microsoft, on the other hand, you'll need far more sophisticated protection as people certainly will be targeting you specifically, all the time!

Although I run Macs exclusively at home, at work I manage Cisco firewall appliances and Symantec enterprise software firewalls for a Windows network. I know a little bit about this stuff :) and would like to say that you, VideoFreek, have the best handle on this topic so far.

NAT is merely a good start. To the guy who only runs a NAT hard-wired router: if that's all you have between you and the Internet, WPA2 is tougher to get around than NAT so you may as well cut the cord already and enjoy some freedom.

Software firewalls are in fact very useful. Once you have your outside interface stealthing or blocking inbound activity, and SPI (Stateful Packet Inspection) is running, unless you want to block all programs from using all ports outbound through the inside interface (good luck using the Internet), what else but a software firewall will decide who/what can initiate requests? :D

What am I talking about - this is a Mac forum. We don't have to worry about this crap.
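One way to picture the NAT/SPI behaviour the router post and the two posts above describe: inbound packets pass only if they answer a flow the inside host started or hit a port the user deliberately forwarded, and everything else is either dropped silently ("stealth", which is what Shields UP looks for) or actively rejected. This is an added illustration, not code from the thread or from any router; the hosts, ports and the probe classification are constructed.

```python
# Added example (not from the thread): a toy stateful packet filter modelling
# the NAT/SPI router behaviour the posts describe. Inbound packets are passed
# only if they answer a flow the inside host initiated, or hit an explicitly
# forwarded port; anything unsolicited is dropped silently ("stealth") or
# actively rejected. All hosts and ports below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN


class StatefulFilter:
    def __init__(self, inside_host, forwarded_ports=(), stealth=True):
        self.inside = inside_host
        self.forwarded = set(forwarded_ports)   # port forwards / DMZ-style holes
        self.stealth = stealth
        self.flows = set()                      # flows the inside host initiated

    def handle(self, p):
        """Return 'allow', 'drop' (silent) or 'reject' (RST/unreachable sent)."""
        if p.direction == "out" and p.src == self.inside:
            # Remember the flow so that its reply is recognised as solicited.
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "allow"
        if p.direction == "in" and p.dst == self.inside:
            if (p.proto, p.src, p.sport, p.dst, p.dport) in self.flows:
                return "allow"                  # reply to something we asked for
            if p.dport in self.forwarded:
                return "allow"                  # the user opened this port on purpose
            # Unsolicited: a stealthed box says nothing, a non-stealthed one answers.
            return "drop" if self.stealth else "reject"
        return "drop"                           # anything else is dropped


def probe_report(fw, prober="203.0.113.5", ports=(22, 80, 12345)):
    """Classify each port the way a Shields UP-style probe would see it:
    'stealth' (no answer at all), 'closed' (answered with a rejection) or
    'open' (the filter passes the packet to the inside host)."""
    labels = {"drop": "stealth", "reject": "closed", "allow": "open"}
    return {port: labels[fw.handle(Packet("tcp", prober, 40000, fw.inside, port, "in"))]
            for port in ports}


if __name__ == "__main__":
    fw = StatefulFilter("192.168.1.10", forwarded_ports={22})
    # The inside host opens a web connection; the server's reply is solicited.
    print(fw.handle(Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80, "out")))
    print(fw.handle(Packet("tcp", "198.51.100.7", 80, "192.168.1.10", 51000, "in")))
    print(probe_report(fw))
```

The forwarded port shows up as "open" to the outside regardless of stealth mode, which is why the router post recommends forwarding only what you actually need.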
 
Well apparently ipfw isn't being used. I've set the GUI firewall to deny everything except a few programs. But here is the output for ipfw

Code:
> sudo ipfw list
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any

Not sure why/where the icmp restriction came from.
 