I always love it when I see these: "I've run Windows since before Windows existed and I never got a virus." Congratulations. Let me share a short story.

I did a fresh install, silly me I left the cable connection in, I go to start downloading the security packs and Internet Explorer (which accesses the Windows Update) stays open for a bit then closes. This happens repeatedly. I'm confused. This is a fresh install, I think to myself, whiskey tango foxtrot? So I install Norton and it finds a worm but it can't get rid of it. It has to restart the computer to fix it. I say, to hell with that, unplug the machine from the net, do a new fresh install and then Norton afterward. Plug back in to download the updates, Norton catches the worm before it can install.

So I got infected without visiting anywhere. I'm sure there are others who have similar experiences. Please don't clog a good thread with your blame the user nonsense. Sorry for going off topic.

I had the exact same thing happen. It was the final tipping point for me, I spent a good 12 hours installing Windows that day, I then installed Linux in 20 minutes, including patches.
I wiped windows after that, never ran it since.
 
A big problem with software firewalls is there's a lot that can go wrong and you'd never know. It could crash. A configuration file could get messed up and it wouldn't be doing what it's supposed to. The firewall itself may have an exploit that can let an attacker remotely turn off the firewall and gain full access. The advantage of using NAT is that by design, it acts as a firewall. If it crashes, you'll know because you won't be able to access the internet and you can reboot it, replace it, whatever. I suppose an attacker can get in if you have remote management enabled, so that's why it should be disabled and you should have a really good password, to reduce the chance of anything like that happening. Even for people who have 1 computer and no need for wireless, I'd still recommend a cheap router, even if they don't need it for routing purposes, it still provides a huge security increase for little money. Very cost effective for home users.


As far as the issue of blocking outgoing traffic from applications, I have never found a use for it. If you do, then I suppose a software firewall (or some expensive layer 7 hardware firewall appliance if you have thousands of dollars to blow :D) is the only way to do that. But the few times I tried something like that (ZoneAlarm/Little Snitch, etc), I've found it a huge annoyance. But that's all personal preference.

For me, I just have a router...no software firewall. The only port I need to forward is my BitTorrent port, and I use UPnP in Transmission, so it's only forwarded when Transmission is open (Yeah, I know UPnP has its own security issues, but I use a Mac, what do I need to worry about? :D) No attacks yet and I don't think I'll ever get anything, it's a pretty good, secure setup for a home user.
 
Don't have Leopard yet, so don't know what firewall is running. OS X seemed to be the only BSD using ipfw (as my BSD friends liked to point out); so maybe Leopard's moved to packetfilter (pf)?

If indeed the report is accurate, and you can reach a service (that shouldn't even be running) through the firewall by default - that's not good. That's almost exactly the sort of thing that bit XP multiple times back in the bad old days.

I will say that people posting that their Airport's "hardware firewall" sucks likely don't have a good grasp on the technical details. NAT is NAT is NAT, no matter who makes the router. NAT's not a firewall at all; but unless there's a flaw in that particular NAT implementation, it's pretty darn good protection unless you're actively doing something to defeat it (e.g. putting gaming machines in the DMZ; port forwarding through to an internal server, etc.). Private address space packets are simply not routable over the internet. Also, if you know how to use nmap, you know "stealth mode" is overrated.

It has always bugged me, though, that OS X doesn't have the firewall on by default. You could have it turned on with bonjour's ports open, or something to that effect, without losing much "ease of use".
 
why post this?

It wouldn't affect us anyway, the majority of us are on hardware firewalls and routers. :mad:


Because if it is something serious, it would affect some people.
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

Finally someone said it :)
 
Off by default even after upgrading from Tiger with it on.

I assumed that 10.5 would respect the overall settings of 10.4 after upgrading, but it did not.

Firewall was set to allow all incoming after upgrade.

That's a bit disappointing, but fortunately, I'm only exposed to other machines on my local network, not the interweb as my router blocks all incoming traffic.
 
This is regarding the new(er) AirPort Extreme Base Station (802.11n/gigabit):

Still, if all other routers are set as stealth, why isn't Apple's? I asked Jai Chulani, the senior product manager for the Airport Extreme, why this router doesn't have a feature found on almost all its competitors' products. Chulani argued it's not that important for a router to operate in stealth mode, and then made a very Applesque point:

"We decided it doesn't add enough value. We're not going to add something just because the other guy is doing it."

http://blogs.chron.com/techblog/archives/2007/05/just_how_important_is_it_to_be_stealthy_on_th.html

...

[Steve Gibson] also made the point that, while Apple may not provide a stealth mode for its routers, its Mac OS X operating system includes the feature in its built-in firewall. In the System Preferences, click on Sharing, the Firewall button, then Advanced.

Apparently, our AirPort routers will fail GRC's Shields Up stealth tests. However, enabling stealth mode in Mac OS X's software firewall sort of makes up for it.

Do you even know what this stealth mode is, what it does and how it works? This stealth word is just marketing BS and I totally agree with Chulani's response.

If you have an Airport Base Station, you are already behind NAT, which will make you 99% secure (I guess you are not the pentagon which gets hack attacks every day) unless you forward some obscure ports apart from the needed 80, 443 etc. which is exactly what your stealth mode would achieve. NAT will only forward the configured ports, and the rest would not work.
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

Actually pretty much all firewalls also route by design / function. They just base their decisions on additional parameters, so it's pretty unfair to criticize someone for using the phrase "dedicated firewall" in the context of a router. How many of the appliances you say are dedicated offer VPN functionality? Pretty much all of them, I think.
 
I had the exact same thing happen. It was the final tipping point for me, I spent a good 12 hours installing Windows that day, I then installed Linux in 20 minutes, including patches.
I wiped windows after that, never ran it since.

I switched to Macs about 4 years ago; I have seen my colleagues do exactly the same things. The average time to infection on our internal network at work was around 17 seconds at the time (it is a very big global network). That said, it's foolish to build Windows machines in an environment where they can be exposed to infection and yet unprotected because the build hasn't finished. IMHO
 
A little exaggerated...

This is FUD! The article isn't completely inaccurate because it leaves out some important facts... the truth is quite a bit less terrible. I did some of my own tests and found that the firewall isn't horrible. It needs some minor patching, but that's all. Read:

1)
The tester first set up a fake trojan server to test incoming connections. He found that he could connect to it when using the selective access setting ("Set access for specific services and applications"). I did my own tests and came to a similar but perfectly acceptable conclusion.

"Only Apple can explain what precisely is going on here."

Verdict: WRONG!

I can explain to you what is going on, because it's quite simple. OSX knows what programs are listening for incoming connections at any given time (try command 'netstat -l'). When you turn on this "selective" setting, you are giving OSX permission to decide on some sensible defaults for allowing external access. When the setting is first enabled, the OS looks at what servers are currently listening for connections and allows them to continue listening. Clearly the purpose of this setting is to not cut off any applications that were already in the process of communicating, while preventing any new applications (legitimate or otherwise) from being accessed externally.

Despite the criticism, this feature *does* make sense. Had the reviewer started up his fake trojan after choosing selective access, he would have been presented with a popup asking whether to allow or deny access to the program. Apple is trying to allow users to secure their computers with minimal frustration and impact on their computing. Additionally there is a little warning under the button that says it basically allows the OS to determine what is right.

2)
NTP and NetBIOS. Access to these services doesn't seem to be logged properly and can't be restricted via the GUI. This is the real bug, and it needs to be fixed. Although I couldn't get NTP working externally (my isp might block it?), it's definitely not working properly.

Here is a Perl server that I used to test the firewall:
Code:
use strict;
use warnings;
use IO::Socket::INET;

# Listen on TCP port 7778 and print every line a client sends.
my $sock = IO::Socket::INET->new(
  LocalPort => '7778', Proto => 'tcp', Listen => 1, Reuse => 1,
) or die "Could not create socket: $!\n";

while (1) {
  my $in = $sock->accept() or next;   # accept() returns undef on error
  while (<$in>) { chomp; print "$_\n"; }
  close($in);
}
Test externally with
Code:
telnet your.ip 7778
and type stuff
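The "selective access" behaviour described in point 1 is driven by whatever is listening at the moment the setting is enabled, so it helps to see exactly which sockets that would be. The following is an added example, not code from the post above: it parses BSD/macOS-style `netstat -an` output (and the Linux `host:port` variant) into a list of listeners and flags those bound to a wildcard or non-loopback address, i.e. the ones a firewall would actually be deciding about. The `netstat` lines below are constructed sample data, not a capture from anyone's machine; port 7778 stands in for the Perl test server from the post.

```python
"""List listening sockets from `netstat -an` output and flag network-reachable ones.

Added example (not from the forum post). On macOS/BSD, netstat prints the
local address as HOST.PORT with '*' meaning 'any address'; Linux prints
HOST:PORT. Both forms are handled. TCP sockets count only in LISTEN state;
UDP sockets have no state, so every bound UDP socket is a potential listener.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, macOS/BSD layout (not captured from a real host).
SAMPLE_MACOS = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.7778                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      192.168.1.1.443        ESTABLISHED
udp4       0      0  *.123                  *.*
udp4       0      0  *.137                  *.*
udp4       0      0  127.0.0.1.49321        *.*
"""

# Constructed sample, Linux layout, to show the same parser covers it.
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Listener:
    proto: str  # e.g. "tcp4", "udp6", "tcp"
    host: str   # bound address; '*' or 0.0.0.0 / :: mean any address
    port: int

    @property
    def reachable_from_network(self) -> bool:
        """True unless the socket is bound to a loopback address only."""
        return self.host not in LOOPBACK


def _split_host_port(addr: str) -> Optional[Tuple[str, int]]:
    """Split 'HOST.PORT' (BSD) or 'HOST:PORT' (Linux); None if no numeric port."""
    for sep in (":", "."):
        host, found, port = addr.rpartition(sep)
        if found and port.isdigit():
            return host, int(port)
    return None


def parse_listeners(text: str) -> List[Listener]:
    found: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers and blank lines
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established/closing TCP sockets are not servers
        hp = _split_host_port(local)
        if hp is not None:
            found.append(Listener(proto, hp[0], hp[1]))
    return found


def network_exposed(text: str) -> List[Listener]:
    """Listeners a host-based firewall would have to allow or block."""
    return [l for l in parse_listeners(text) if l.reachable_from_network]


if __name__ == "__main__":
    for l in network_exposed(SAMPLE_MACOS):
        print(f"{l.proto:5} {l.host}:{l.port} reachable from the network")
```

Run it against real output with `netstat -an | python3 this_script.py`-style piping by replacing the sample text with `sys.stdin.read()`; the point is that anything in the "reachable" list at the moment the selective setting is switched on is what the OS grandfathers in.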
 
The Leopard firewall also will break World of Warcraft.

You can read about this bug here at the WoW forums.

In short, one of the Blizzard support team wrote:

" I was able to reproduce one instance of this problem internally. When I put the WoW game executable (application) in the Firewall config dialog where you can "set access for specific services and applications", the OS changes something about the application contents and then the signature check at login fails because the bits have changed.

The OS has added a new file "CodeResources" into the application bundle, and also made some change to the executable itself, causing the checksum to no longer match what the server expects.

My advice until we get this sorted out would be, don't mess with the Leopard firewall and do not put any of our applications on the special treatment list that the firewall panel provides.

Additional info: if you have no backup copy of the WoW executable, you will probably need to reinstall to get it running again. Once you get to that point I would make a backup copy of the WoW application using Duplicate or (dare I say it) Time Machine, so this issue can be resolved quickly should it come up again."
 
gah, shut up about this already...

Also, if you know how to use nmap, you know "stealth mode" is overrated.

Negative.

NMAP will not be able to scan your computer if you block all connections AND use stealth mode. What stealth mode does is prevent your computer from responding properly to requests. Normally when requests come into a computer and are filtered by the firewall, your computer sends a "Connection Refused" message back to the sender. With stealth mode enabled, your computer will remain silent after blocking packets from the firewall.

Therefore with stealth mode enabled, your computer is invisible to basically any internet scans. It can still be found in the arp table of your local lan router, but past the first switch it will be invisible. An internet scanner couldn't tell whether your computer is on or off.
 
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?

Good Q.

Furthermore - does anyone else think that system prefs in 10.5 are a little... dumbed down? I really feel like it's XP and windows control panel ish.
 
I switched to Macs about 4 years ago; I have seen my colleagues do exactly the same things. The average time to infection on our internal network at work was around 17 seconds at the time (it is a very big global network). That said, it's foolish to build Windows machines in an environment where they can be exposed to infection and yet unprotected because the build hasn't finished. IMHO

I agree, although I did try it once to see what would happen and I was just amazed how fast something evil found my install. I keep all my Windows systems behind a good router, but every once in a while one of my clients manages to download a rootkit or some other horror.
 
A hardware firewall is a dedicated piece of hardware used as a firewall. Yes it uses software, but it's a hardware firewall. I use a dedicated machine as a hardware firewall running IPCOP. It's a dedicated hardware firewall.

So, let's see, if I run a dedicated Linux box running Netfilter, it's a hardware firewall, but if I suddenly decide I want to use that box as well as a media player or to do some kind of office work, it's no longer a hardware firewall?

The only reason people started talking about hardware firewalls is stupid vendors pretending their products were different.

This is in contrast to a software firewall, as in Zone Alarm, which runs as a service on a personal computer.

There's certainly a huge difference between the kind of "applicative" firewalling done by ZoneAlarm and the like, and robust solutions like Ipf and Netfilter. However, you could argue that both categories can be run as services on a personal computer (notwithstanding the fact that one sits above the system and one is really hooked into the kernel's IP stack).

Anyway, I was just making a point for non-security literate users, a description which obviously doesn't fit you :)
 
I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.

And the two main measures that will save a Windows PC (I mean, beyond replacing the OS by Linux or a *BSD and unplugging the network cable):

- don't click on something if you don't trust the source
- don't use IE and Outlook
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!

And


Finally someone said it :)



I think that's basically splitting hairs.

Obviously, software (in a generic term), or perhaps more appropriately referred to as a "Computer Program" in this context, has to be used to process rules and determine what should happen.

In the case of a router with a firewall, you essentially have a hardware appliance that is programmed to respond to events in a specific fashion. Those of us from the early days of computing will distinguish hardware / firmware from software based on a simple criterion. Hardware / Firmware was used to refer to physical product or code that was embedded into a physical product such as an EPROM / ROM chip (which more recently would equate to a Flash ROM).

Software was a term reserved for a program or code that resided on "soft" media such as a floppy disk (or any disk media at the time).

Firm=Hardware / Chip or code contained in said firm item.

Soft=Floppy / media that was generally a disk.

Of course, for those whose entry point into computers didn't originate in the 70's, perhaps software could be looked at as any form of computer code. But, that is not the origin of the meaning.

But, the term "Hardware Firewall" is generally used to distinguish a Firewall device / appliance from a program running on a PC (or computer).

It's pretty clear and obvious what is meant.

Those that like to nitpick, will obviously flock to picking where picking isn't necessary. At least it makes them feel like big tough men (or is that nerds who need an ego boost?).

I would imagine that most would see the simple term of hardware firewall and associate it appropriately with a product that is dedicated to that purpose.

And, likewise, a person of reasonable intelligence would also associate software firewalls with programs that run directly on their computer.

Those would be appropriate and reasonable associations. And, are simple terms to convey an idea without extended and unnecessary descriptions.

It would be far more useful to discuss the topic at hand than to debate whether a given term meets with your literal interpretation. As such, the given terms do fit with the origins of the terms as they originated back before most here were out of their diapers.
 
Basically, this means the ports are firewalled, and not only that, but OS X isn't giving *any* info about those ports at all. The fact that it says "open" is just a guess as far as nmap is concerned. It doesn't know.

Yup. Since nmap gets no reply at all, it assumes that either the port is open (and since UDP is a connectionless protocol, unless you send precisely the right message for the application that might be sitting behind that port, you won't get any kind of answer), or that it's silently (or "stealthily", as Leopard puts it) filtered by a firewall.

However, there's a reason nmap identified these ports and not others as open/filtered: after all, all other UDP ports on the scanned host are likely closed, which means they wouldn't answer either. The thing is, there are tricks for making the system answer with an "ICMP unreachable" packet when addressing a closed UDP port, which allows nmap to rule these out.
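The two posts above (the "Connection Refused" versus silence explanation of stealth mode, and the UDP open|filtered discussion) come down to how a host answers a single probe. The block below is an added example, not code from either poster: it classifies a TCP or UDP probe result the way nmap names it (RST means closed, ICMP port unreachable means closed, silence means filtered for TCP and open|filtered for UDP), and `loopback_demo()` exercises the closed and open cases on the machine's own loopback interface, which is where you would verify your own firewall's behaviour before pointing it at a host from the outside. The `interpret_*` functions and the one-second `TIMEOUT` are this example's own choices.

```python
"""Classify how a port answers a probe: the distinction behind "stealth mode".

Added example, not from the thread. A normal host answers a probe to a
closed TCP port with RST (the client sees 'connection refused') and a probe
to a closed UDP port with ICMP port unreachable. A firewall in stealth mode
drops the packet silently, so the probe just times out: that is reported as
'filtered' for TCP and 'open|filtered' for UDP, because silence is also what
an open UDP service that does not recognise the payload would produce.
"""
import socket

TIMEOUT = 1.0  # seconds of silence before a port is called filtered (assumed)

_SILENCE = (socket.timeout, TimeoutError)


def interpret_tcp(exc) -> str:
    """Map the outcome of connect() (None or the exception) to nmap state names."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # host replied with RST
    if isinstance(exc, _SILENCE):
        return "filtered"      # no reply at all: dropped (stealth) or lost
    return "error"


def interpret_udp(exc) -> str:
    """Same mapping for a UDP send/recv; silence is ambiguous for UDP."""
    if exc is None:
        return "open"          # the application actually answered
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # ICMP port unreachable came back
    if isinstance(exc, _SILENCE):
        return "open|filtered"  # open service ignoring us, or a silent drop
    return "error"


def probe_tcp(host: str, port: int, timeout: float = TIMEOUT) -> str:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return interpret_tcp(None)
    except (ConnectionRefusedError, *_SILENCE) as e:
        return interpret_tcp(e)


def probe_udp(host: str, port: int, timeout: float = TIMEOUT, payload: bytes = b"\x00") -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # a connected UDP socket is told about ICMP errors
        try:
            s.send(payload)
            s.recv(512)
            return interpret_udp(None)
        except (ConnectionRefusedError, *_SILENCE) as e:
            return interpret_udp(e)


def loopback_demo() -> dict:
    """Show the answers a non-stealth host gives, using 127.0.0.1 only."""
    results = {}
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    results["tcp open"] = probe_tcp("127.0.0.1", port)
    lst.close()
    results["tcp closed"] = probe_tcp("127.0.0.1", port)   # RST -> refused

    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind(("127.0.0.1", 0))
    uport = u.getsockname()[1]
    # A bound UDP socket that never answers looks exactly like a stealth drop.
    results["udp bound"] = probe_udp("127.0.0.1", uport, timeout=0.3)
    u.close()
    results["udp closed"] = probe_udp("127.0.0.1", uport)  # ICMP unreachable
    return results


if __name__ == "__main__":
    for label, state in loopback_demo().items():
        print(f"{label:11} -> {state}")
```

With stealth mode on, the "tcp closed" and "udp closed" answers from the outside would turn into "filtered" and "open|filtered" respectively, which is the whole effect of the setting: it removes the RST and ICMP replies, nothing more.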
 
*shrug* I never bothered to waste time with OS X's firewall. Mine is turned off, and I use my router's firewall instead, and that seems to do a good job at protecting my network.

That said, I still don't understand how Apple could make a basic error like this. It's pretty simple really: Default it to "On", default it to block everything. Then open those ports that you really need, no more, no less. That is the correct way to secure the system. If it defaults to off, that is a huge hole. If it defaults to open everything after you enable it, that is a huge hole.
 
So, let's see, if I run a dedicated Linux box running Netfilter, it's a hardware firewall, but if I suddenly decide I want to use that box as well as a media player or to do some kind of office work, it's no longer a hardware firewall?

The only reason people started talking about hardware firewalls is stupid vendors pretending their products were different.


They are different. The term is derived from the origins of their terms in the computer industry. Read the previous post regarding such.

Either way, they are different. "hardware firewalls" are dedicated appliances designed for a specific purpose.

A computer could serve the same purpose. But, it is not a product explicitly designed for and limited to that purpose.

Your argument would equate to insisting that a tape deck and a computer are the same thing since they can both play music.

Of course, the tape deck is specifically designed and limited to that purpose.

The computer can serve that purpose by using a program, but it is also not limited to that purpose or explicitly designed for that purpose.
 
If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.

Do you believe that since Leopard is UNIX, you don't need a firewall? Even the most secure OS'es out there (think OpenBSD and the like) have a firewall, and the firewall is one of the reasons they are so secure. Saying stuff like "Since Leopard is UNIX, I don't need firewall" is like saying "my house is so hard to break in to, that I don't need to lock my doors"...
 
I think that's basically splitting hairs.

Fair enough :)

Still ...
And, likewise, a person of reasonable intelligence would also associate software firewalls with programs that run directly on their computer.

Those would be appropriate and reasonable associations. And, are simple terms to convey an idea without extended and unnecessary descriptions.

They might be reasonable, only ... well, they're not. They're not because the real distinction is between what I would call "traditional" firewalls, which work on TCP/IP resources, and "application" firewalls (precisely those that have been called "software firewalls"), which try to work at the application level by allowing or disallowing access (incoming and outgoing) to applications.

The point is not, and has never been, whether the firewall sits on its own box or not. So, while the term "software firewall" can be understood (as in, the stuff I'm firewalling is software, instead of TCP/IP packets), a "hardware firewall" doesn't mean anything.

It would be far more useful to discuss the topic at hand than to debate whether a given term meets with your literal interpretation.

Ah, but it is closely related to the topic at hand: Leopard provides an interface that, to the user, looks like an "application" (or software, if you insist) firewall. Part of the question we're trying to address here is really: to which category of firewall does Leopard's belong? Is it simply creating some kind of ruleset for ipfw (the "traditional" firewall), or are there other mechanisms behind the scenes?

This is why I thought, and still think, the difference had to be made. But I promise I'll stop nitpicking :D
 
No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

I dual-boot my MBP between XP and OS X. I have no virus protection on XP. None. I also have no firewall installed on XP. And no problems. No viruses, no crap.

lol
 
Code:
> sudo ipfw list
33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any

Not sure why/where the ICMP restriction came from.

ICMP type 8 packets are echo requests, more commonly known as "ping". So basically, your system is refusing to answer a ping.

Guess Steve Jobs doesn't like pong.
 
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day. Especially in the way that too many people install them - on the same wire as a wireless router with default passwords (and even default network name).

But hey, they've got a hardware firewall...

Nobody's shipping a product that's close to secure when installed by clueless admins, which is most end users. I submit that anything that defaults to a single well-known password and exposes direct control via an insecure network channel (like the web interfaces) can at best be considered "potentially secure," and all of the consumer grade "hardware" firewalls I've seen fall into this category. Remember, the overwhelming majority of intruders go after the low-hanging fruit.
 