This is FUD! The article isn't completely inaccurate because it leaves out some important facts... the truth is quite a bit less terrible. I did some of my own tests and found that the firewall isn't horrible. It needs some minor patching, but that's all. Read:
1)
The tester first set up a fake trojan server to test incoming connections. He found that he could connect to it when using the selective access setting ("Set access for specific services and applications"). I did my own tests and came to a similar but perfectly acceptable conclusion.
Verdict: WRONG!
I can explain to you what is going on because it's quite simple. OSX knows what programs are listening for incoming connections at any given time (try the command 'netstat -l'). When you turn on this "selective" setting, you are giving OSX permission to decide on some sensible defaults for allowing external access. When the setting is first enabled, the OS looks at what servers are currently listening for connections and allows them to continue listening. Clearly the purpose of this setting is to not cut off any applications that were already in the process of communicating, while preventing any new applications (legitimate or otherwise) from being accessed externally.
Despite the criticism, this feature *does* make sense. Had the reviewer started up his fake trojan after choosing selective access, he would have been presented with a popup asking whether to allow or deny access to the program. Apple is trying to allow users to secure their computers with minimal frustration and impact on their computing. Additionally, there is a little warning under the button that says it basically allows the OS to determine what is right.
2)
NTP and NetBIOS. Access to these services doesn't seem to be logged properly and can't be restricted via the GUI. This is the real bug, and it needs to be fixed. Although I couldn't get NTP working externally (my ISP might block it?), it's definitely not working properly.
Here is a Perl server that I used to test the firewall:
Test externally with:
Code:
use strict;
use warnings;
use IO::Socket::INET;

# Listen on TCP port 7778; whatever a client sends is printed line by line
my $sock = IO::Socket::INET->new(
    LocalPort => '7778',
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "Could not create socket: $!\n";

while (1) {
    my $in = $sock->accept();   # block until something connects
    while (<$in>) {
        chomp;                  # strip the client's newline before printing
        print "$_\n";
    }
    close($in);
}

and type stuff:
Code:
telnet your.ip 7778
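The same test in Python, as an added example that is not part of Jahz's post: a listener equivalent to the Perl server, a `send_line` that plays the `telnet your.ip 7778` role, and a `probe` that tells apart the three things a connection attempt can do (handshake completes, RST comes back, or nothing answers). Everything below runs on loopback; to repeat the external test from the post you would run the listener on the Mac and call `probe("your.ip", 7778)` from another machine. The host names, the `0` (OS-assigned) port and the "hello firewall" line are placeholders chosen for this example.

```python
"""Firewall reachability probe (added example, not code from the original post)."""
import socket
import threading
import time


def start_listener(host="127.0.0.1", port=0):
    """Start a TCP listener like the Perl server in the post.
    port=0 lets the OS pick a free port. Returns (server_socket, bound_port,
    received_lines); received_lines is appended to by the accept thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)              # lets the accept loop notice a closed listener
    received = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(4096)
                except OSError:
                    data = b""
            if data:
                received.append(data.decode(errors="replace").rstrip("\r\n"))

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], received


def probe(host, port, timeout=2.0):
    """Classify what connect() to host:port does.
    'open'     -> handshake completed: a listener is reachable through the firewall
    'refused'  -> RST came back: nothing is listening, or the firewall rejects
    'filtered' -> no answer within timeout: packets are being silently dropped"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def send_line(host, port, line, timeout=2.0):
    """Play the `telnet your.ip 7778` role: connect and send one line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode() + b"\n")


def unused_port():
    """Find a port nothing listens on: bind to 0, read it back, close it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test():
    """Run the whole exchange on loopback.
    Returns (verdict for the listener, lines the listener saw,
             verdict for a port with no listener)."""
    srv, port, received = start_listener()
    try:
        verdict = probe("127.0.0.1", port)
        send_line("127.0.0.1", port, "hello firewall")
        deadline = time.time() + 3.0
        while not received and time.time() < deadline:
            time.sleep(0.05)
        return verdict, list(received), probe("127.0.0.1", unused_port())
    finally:
        srv.close()


if __name__ == "__main__":
    print(self_test())
```

The distinction `probe` draws is the one worth recording when you repeat the test from outside: "refused" means the SYN reached the host and was answered with a RST, while "filtered" means something between you and the listener dropped it. Only "open" proves that the firewall let the connection through.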
Thanks, Jahz, for this explanation. I also would not go so far as to claim that the article as such is incorrect. Maybe some of their conclusions are, and some maybe not.
You have given a reasonable explanation of what might be behind the 'automatic' decisions made by the OS. I would agree that this might be sensible if the default setting for the FW were 'ON'. It is, however, 'OFF' by default, and who knows what programs might be running when a user finally gets around to turning it on. By this time it basically gives the 'OK' for anything that is running, which I think is not such a good idea.
On another note, most people here think that a FW is primarily about defense against viruses. This is not the case. It is important to understand the multitude of threats that your machine is exposed to on the network, and it would most likely be worms, deliberate hacking attempts (manual and automatic), Denial-of-Service attempts, Trojans and Spyware that a FW can block. Nothing about viruses here.
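To see what an "allow whatever is already listening" snapshot would grandfather in at the moment the firewall is switched on, here is an added example (mine, not code from the thread, and not an inspection of Apple's firewall): it parses `netstat -an` output in the BSD/macOS column layout and reports the sockets that are bound on a non-loopback address. The sample output is constructed for the example; the rule it applies is the behaviour Jahz describes, including TCP sockets in LISTEN state and any bound UDP socket (netstat shows no state for UDP). The example goes slightly beyond the thread by also including the ESTABLISHED and loopback-only entries that such a snapshot should ignore.

```python
"""Which listeners would a 'keep what is already listening' snapshot allow?
Added example; the netstat text below is constructed, not captured."""

# Constructed sample of `netstat -an` in the BSD/macOS layout. Ports are
# joined to the address with a dot, and UDP lines carry no (state) column.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.7778                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.1.2.3.443           ESTABLISHED
udp4       0      0  *.123                  *.*
udp4       0      0  *.137                  *.*
udp4       0      0  127.0.0.1.49200        *.*
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def split_local(addr):
    """'*.7778' -> ('*', 7778); '127.0.0.1.631' -> ('127.0.0.1', 631).
    rsplit on the last dot also copes with IPv6 text such as 'fe80::1%lo0.123'."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)


def listening_sockets(netstat_text):
    """Return the sockets that are waiting for incoming traffic."""
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                       # header lines and anything else
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue                       # ESTABLISHED etc. are not listeners
        host, port = split_local(local)
        sockets.append({
            "proto": proto,
            "host": host,
            "port": port,
            # '*' (all interfaces) or a LAN address can be reached from outside
            "external": host not in LOOPBACK,
        })
    return sockets


def grandfathered(netstat_text):
    """(proto, port) pairs an enable-time snapshot would let through from
    outside, i.e. the list a user should read before clicking the button."""
    return sorted(
        (s["proto"][:3], s["port"])
        for s in listening_sockets(netstat_text)
        if s["external"]
    )


if __name__ == "__main__":
    for proto, port in grandfathered(SAMPLE_NETSTAT):
        print(f"{proto}/{port} would be allowed by the snapshot")
```

On a real machine, pipe the output of `netstat -an` into `listening_sockets` instead of the sample text; anything that appears in `grandfathered` is what the user is silently approving by enabling selective access after those programs have started.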