Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Detektiv-Pinky

macrumors 6502a
Feb 25, 2006
839
171
Berlin, Germany
This is FUD! The article isn't completely inaccurate because it leaves out some important facts... the truth is quite a bit less terrible. I did some of my own tests and found that the firewall isn't horrible. It needs some minor patching, but thats all. Read:

1)
The tester first set up a fake trojan server to test incoming connections. He found that he could connect to it when using the selective access setting ("Set access for specific services and applications"). I did my own tests and came to a similar but perfectly acceptable conclusion.



Verdict: WRONG!

I can explain what is going on you because it's quite simple. OSX knows what programs are listening for incoming connections at any given time (try command 'netstat -l'). When you turn on this "selective" setting, you are giving OSX permission to decide on some sensible defaults for allowing external access. When the setting is first enabled, the OS looks at what servers are currently listening for connections and allows them to continue listening. Clearly the purpose of this setting is to not cut off any applications that were already in the process of communicating, while preventing any new applications (legitimate or otherwise) from being access externally.

Despite the criticism, this feature *does* make sense. Had the reviewer started up his fake trojan after choosing selective access, he would have been presented with a popup asking whether to allow or deny access to the program. Apple is trying to allow users to secure their computers with minimal frustration and impact on their computing. Additionally there is a little warning under the button that says it basically allows the OS to determine what is right.

2)
NTP and NetBIOS. Access to these services doesn't seem to be logged properly and can't be restricted via the GUI. This is the real bug, and it needs to be fixed. Although I couldn't get NTP working externally (my isp might block it?), it's definitely not working properly.

Here is a perl server that I used to test the firewall:
Code:
use IO::Socket::INET;

my $sock = new IO::Socket::INET(
  LocalPort => '7778', Proto => 'tcp', Listen => 1, Reuse => 1,
) or die "Could not crbate socket: $!\n";
  
while (1) {
  my $in = $sock->accept();
  while (<$in>) { print "$_\n"; }
  close($in);
}
Test externally with
Code:
telnet your.ip 7778
and type stuff

Thank's Jahz, for this explanation. I, also, would not go as far as to claim that the article as such is incorrect. Maybe some of their conclusions are, and some maybe not.

You have given a reasonable explantion what might be behind the 'automatic' decisions made by the OS. I would agree that this might be sensible if the default setting for the FW would be 'ON'. It is however, 'OFF' by default and who knows what programms might be running when a user finally gets around to turn it on. By this time it basically gives the 'OK' for anything that is running, which I think is not such a good idea.

On another note, most people here think that a FW is primarily about defense against viruses. This is not the case. It is important to understand the multitude of threads that your machine is exposed on the network and it would most likely be Worms, deliberate hacking attempts (manual and automatic), Denial-of-Service attempts, Trojans and Spyware that a FW can block. Nothing about viruses here.
 

Evangelion

macrumors 68040
Jan 10, 2005
3,322
42
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day.

Well, quite often that hardware-firewall IS OpenBSD's software-firewall :). so there's no difference there, only difference is that there's a dedicated piece of hardware for the firewall, as opposed to something that does several things, one of which is firewall.
 

rpp3po

macrumors regular
Original poster
Aug 16, 2003
171
0
Germany
Evidence that Heise's analysis may be bluntly false

I am the OP of the link to Heise. I'm afraid to tell you that I think there have surfaced sufficient indications that the Heise story may be false. Read this!
 

aLoC

macrumors 6502a
Nov 10, 2006
726
0
It's just so suspicious when things like this happen. Writing a firewall config file is not that hard. Hobbyists can do it let alone pros at Apple. So it just makes you wonder whether the NSA asked them to leave some holes.

I mean, I know there's the saying "don't attribute to mailce what can be explained by stupidity" (paraphrasing), but you can only stretch that so far before incredulity takes over.
 

rasputnik

macrumors newbie
Sep 3, 2004
12
0
Without an effective firewall, anyone with time and skill can get into your computer and browse around.

That's untrue. You'd need to be offering browsing services in order for them to be exploited.

This kind of thinking is very common and is the main reason the article linked to is nonsense. 'no firewall by default? Oh noes!".

For example, Ubuntu Linux also runs no firewall by default. Because it has no services enabled this is a total non-issue.
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
Shrug. I'll take my OpenBSD "software" firewall over a commercial vendor's "hardware," weak web interface-driven firewall any day. Especially in the way that too many people install them - on the same wire as a wireless router with default passwords (and even default network name).

But hey, they've got a hardware firewall...

Nobody's shipping a product that's close to secure when installed by clueless admins, which is most end users. I submit that anything that defaults to a single well-known password and exposes direct control via an insecure network channel (like the web interfaces) can at best be considered "potentially secure," and all of the consumer grade "hardware" firewalls I've seen fall into this category. Remember, the overwhelming majority of intruders go after the low-hanging fruit.

Amen.
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
I am the OP of the link to Heise. I'm afraid to tell you that I think there have surfaced sufficient indications that the Heise story may be false. Read this!

This article has a point, there may be some amount of FUD at work here.

Still, Leopard's firewall should have been enabled by default. All the more since Apple targets also non-technical-savvy users.
 

rasputnik

macrumors newbie
Sep 3, 2004
12
0
This article has a point, there may be some amount of FUD at work here.

Still, Leopard's firewall should have been enabled by default. All the more since Apple targets also non-technical-savvy users.

There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

Which is, IMO, a bad idea in general, and goes contrary to Apple's policy of "works by default".

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.

Definitely true, though there's something to say for not appearing on every script-kiddie's port scan.
 

rasputnik

macrumors newbie
Sep 3, 2004
12
0
(Apple chose to know what services you're running and not block by default)

Which is, IMO, a bad idea in general, and goes contrary to Apple's policy of "works by default".

But 'block by default' only 'works by default' if you know what services you're running :)
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
But 'block by default' only 'works by default' if you know what services you're running :)

No, no, they should block *everything*, regardless of the active services.

Besides, not doing so is illogical, as Leopard asks the user to explicitly declare which services they want to share. So, as long as the user hasn't decided to share a service, all ports should be firewalled.
 

Orge

macrumors member
Jun 27, 2004
66
0
By the look of it, the original report definitely has some holes in it - specifically, for the "block all incoming connections" results. However, this is still a poor show from Apple. I think there 4 are main issues here:

1. Shipping the firewall in a default state off.
2. Disabling the firewall settings even if you're upgrading from a configuration where it was originally on.
3. Potentially, leaving default services open with no clear indication in the firewall settings - in application mode.
4. Making it harder for savvy users to specify the exact configuration they would like to implement.

I appreciate that they have made some of these changes in an attempt to improve security for all users. However, I don't understand why they have shipped it with a default state of off?? Additionally, it would have been better if there was an "advanced" dialogue which allowed explicit configurations and explained what the firewall was doing. It looks as if this may have changed from earlier leopard builds FW Gui from Nov '06?

Many people run behind "reasonable" hardware firewall's whilst at home. However, in addition to redundancy, the proliferation of wi-fi and Apple's success in the portable market means that the software firewall is an important feature for OS X. I appreciate that mac's are less of a target for malicious attacks and virus's, but leaving the door open like this is like an invitation...

For those interested in improving the security of their mac's, you may want to have a look at configuring ipfw. There's a number of gui's - waterroof seems to work ok on leopard.

J
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
For those interested in improving the security of their mac's, you may want to have a look at configuring ipfw. There's a number of gui's - waterroof seems to work ok on leopard.

We'll have to check how the Leopard firewall settings in system preferences interact with active ipfw rules, and to make sure that starting a new service doesn't automatically open a hole in ipfw.

Beyond that, I can only recommend this excellent introduction to ipfw, called Exploring the MacOS X Firewall, including a step-by-step tutorial to set up ipfw.
 

Orge

macrumors member
Jun 27, 2004
66
0
We'll have to check how the Leopard firewall settings in system preferences interact with active ipfw rules, and to make sure that starting a new service doesn't automatically open a hole in ipfw.

Having checked, it doesn't appear that new rules are being added to ipfw... I imagine this is part of the reason that the ipfw is initially set to allow all. Apple have effectively dumped it completely in favour of an application level firewall. A better, albeit more complicated to develop, would have integrated these two components.

J
 

Evangelion

macrumors 68040
Jan 10, 2005
3,322
42
But 'block by default' only 'works by default' if you know what services you're running :)

Well, there are two ways to go about here: "block by default" or "allow by default". Either case, you need to know what services you are using. In the first case, you need to know them so you can actually make them work by opening the ports they need. In the latter case you need to know them so you can close the unneeded ports in order to secure your system.

Of the two, I would rather choose the former.
 

aLoC

macrumors 6502a
Nov 10, 2006
726
0
Can you explain how a 'super' hacker is going to connect to a closed port?

No, didn't think so.

How super? Even if there is no service running on a port, code still runs when a packet arrives. It is the OS code which inspects the packet to determine it's destination port and whether there is a service to redirect it to or not. A maliciously crafted packet could compromise this program and get it to start running the packet payload.

But then the same could be said of a firewall program I suppose. It doesn't make you fundamentally safer. There is still the fact that anyone on the Internet can cause code to run on your computer just by firing some comms your way.
 

mrpdn

macrumors newbie
Oct 31, 2007
2
0
OS X 10.5 firewall test results

I get the impression that the guy who wrote the original firewall review article was intentionally looking for a way to make the firewall look bad. I'm pretty OS agnostic, and am convinced that you can have a decent on-host firewall for any OS, and that you can also misconfigure it to offer little protection. Following are my test results, performed using nmap on the same LAN as a Macbook running OS X 10.5. The Macbook had no sharing of any kind enabled, but was using many SMB shares and other network applications.

http://padilla.net/osx-10.5_firewall_test
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,560
You wouldn't even believe Microsoft to be so stupid to expose open services (and even NetBIOS!!) to the internet when the firewall is setup to block ALL traffic. No kidding, Leopard does. Though, there is no proof of concept exploit, yet, that's a totally unneccessary design flaw, even a freshman CS student wouldn't be allowed to turn in.

If you want to stop all incoming traffic, there is a very simple solution. Unplug the network cable and/or turn WiFi off.
 

boz0

macrumors regular
May 21, 2007
166
1
/dev/null
If you want to stop all incoming traffic, there is a very simple solution. Unplug the network cable and/or turn WiFi off.

What if I want to stop all unwanted incoming traffic and still use my laptop, both at home where I can comfortably sit behind my perimeter firewall, and on the road, using various hotspots?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.