Software firewalls are basically useless anyway.

A firewall IS software, dude. Your sentence means nothing. :rolleyes:

What you call a hardware firewall is only a hardware box dedicated for running the firewall SOFTWARE.
 
Interesting. Since the weekend, I've had the firewall turned on with connections limited to specific applications (Remote Login, Screen Sharing, and Apple File Sharing). I'm behind a Linksys WRV54G with only web sharing being passed to my desktop on a WAP-enabled wireless network.

Yet, my firewall logs show the following:

Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6

The fact that these are even being logged is a bit odd since these are totally random IP addresses...

Not to mention the fact that I've had a steady stream of non-stop SSH login attempts from a few determined parties. All the better reason to tweak your SSH server's settings for better security (pubkey auth only, explicitly deny PasswordAuth, using AllowUsers and DenyUsers, etc.)
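The sshd settings the post above recommends are easy to get subtly wrong (a commented-out line still means the compiled-in default, a `Match` block only applies to its own users, and sshd honours the first occurrence of a keyword). The following is an added example written for this thread, not code from OpenSSH or Apple: it parses an sshd_config text and reports which of those settings are missing or weak. The two config texts are constructed here; what "hardened" means (the `CHECKS` table) is this example's assumption, and the real file lives at `/etc/sshd_config` on 10.5 or `/etc/ssh/sshd_config` on later systems.

```python
"""Audit an sshd_config for the hardening the post recommends: public-key
auth only, password auth denied, logins limited with AllowUsers.

Added example for this thread, not code from OpenSSH or Apple. The two
config texts below are constructed."""

import re


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the top-level directives.

    sshd applies the FIRST occurrence of a keyword and ignores later
    duplicates, so setdefault() reproduces that. Parsing stops at the first
    Match block: its directives only apply to the users/hosts it names."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out line is not a setting
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


# (keyword, acceptable values, why) -- this table is the example's assumption
CHECKS = [
    ("passwordauthentication", ("no",),
     "password logins are what the brute-force attempts in the log are after"),
    ("challengeresponseauthentication", ("no",),
     "keyboard-interactive via PAM can still prompt for a password otherwise"),
    ("pubkeyauthentication", ("yes",),
     "key-based login must stay enabled or nobody gets in"),
    ("permitrootlogin", ("no", "prohibit-password", "without-password"),
     "root should come in through a named account, not directly"),
]


def audit(text):
    """Return a list of human-readable findings; empty means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    for key, wanted, why in CHECKS:
        actual = s.get(key, "<unset: compiled-in default>")
        if actual.lower() not in wanted:
            findings.append(f"{key}: is '{actual}', want one of {wanted} ({why})")
    if not s.get("allowusers") and not s.get("allowgroups"):
        findings.append("allowusers/allowgroups: not set, every local account may try to log in")
    return findings


# Constructed: looks locked down at a glance, but the password setting is
# commented out (default applies) and the 'no' lives inside a Match block
# that only covers one user.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
Match User guest
    PasswordAuthentication no
"""

# Constructed: the settings the post recommends, at top level.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers raoul admin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On a live host, `sshd -T` prints the effective top-level configuration in the same `keyword value` form, so its output can be fed straight into `audit()` instead of the raw file.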
 
Seems rather unbelievable to fail "every" test. I tend to assume such articles are FUD until confirmed. FWIW I haven't used a firewall for years and I have both Windows and Macs. I am behind a NAT router. I am tempted to take a Mac and place it into the DMZ totally unprotected and see what happens. I doubt anything will but I could be surprised. I had a PC bare naked to the internet once. It was practically taken over with the strangest window advertising.
 
This was already discussed on Slashdot....

Someone there suggested that this "security test" was completely flawed, because it appeared they tested whether these ports were "open" or "closed" from terminal prompts on the SAME MACHINE!

If that's true, that proves NOTHING. Even if you tell a firewall to deny all access to services, you're talking about denying them from over your ethernet connection. It wouldn't necessarily deny them from the localhost address on the same box.


 
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.

The firewall in the AEBS works just fine. It's not the be all and end all of firewalls, nor was it intended to be. It's meant to be a simply incoming port based firewall, which it does just fine.
 
How super? Even if there is no service running on a port, code still runs when a packet arrives. It is the OS code which inspects the packet to determine its destination port and whether there is a service to redirect it to or not. A maliciously crafted packet could compromise this program and get it to start running the packet payload.

Could? Well, if that code is poorly written - but is that the case? There is a belief portrayed by the media that a skilled hacker can get into anything, which is simply not true. If there is a flaw in the code that routes network packets, then yes, but I haven't seen evidence of that in MacOS X.
 
Do you even know what this stealth mode is, what it does and how it works? This "stealth" word is just marketing BS and I totally agree with Chulani's response.

If you have an Airport Base Station, you are already behind NAT, which will make you 99% secure (I guess you are not the pentagon which gets hack attacks every day) unless you forward some obscure ports apart from the needed 80, 443 etc. which is exactly what your stealth mode would achieve. NAT will only forward the configured ports, and the rest would not work.

I understand that if your router is functioning properly, and you don't have unnecessary ports open, you're achieving the same protection as stealth mode. However, I do think the option to have a router not respond to certain outside requests is a good idea, and a feature that should be included in a $179 wireless router. There is something to it or Apple wouldn't have purposely built it in to Mac OS X's firewall. And yes, I do realize this is contrary to how the Internet is supposed to work, but I'm no web server.
 
Leopard is UNIX.

If someone can explain why, given Leopard is UNIX based, I need to be concerned about leaving my firewall off, I would very much like to learn.
Non Sequitur. Being or not being UNIX means nothing. The UNIX brand is not a seal of infallibility.

The more daemon processes that are listening for incoming connections, the larger the target you present. A firewall is supposed to lower your profile to prevent outside users from hitting those open ports. If this review is correct, the Leopard firewall is doing a poor job of it.

Because of development times, Leopard is running some versions of OSS that have many well known remotely exploitable bugs in them. If indeed the firewall is not preventing access to them, then being UNIX is not, and never, going to save you.

The short of it is simply this: UNIX is not a security brand.
 
I just visited www.grc.com and tested Leopard and I passed all tests; is there a UNIX specific site we can visit to test our Macs?

Are you directly connected to your cable/DSL/FIOS modem or is it being routed? These days, 99.9% of the time there is a NAT router built in to your modem and that external IP is what Shields Up is testing, not your computer. To test your machine you would need to hook up directly to the internet or DMZ your machine, neither of which is a good idea.

Here are some important points for those newer to networking:
  • There is no such thing as a hardware firewall. A standalone firewall, yes, but all firewalls run firewalling software.
  • A NAT router is a firewall
  • NAT routers default to allowing any outbound traffic on any port, but only inbound traffic that was solicited by an outbound connection.
  • If you are behind a NAT router (most are) you are protected from any unsolicited network attacks UNLESS:
    - You have any open ports you have explicitly set up
    - You have a DMZ'd machine (hope not)
    - You have UPnP on and an active service has opened a port (or the router didn't close it)
    - Your router stinks
  • A compromised system on your network means game over for that computer and potentially any other system on your network not protected by a software firewall (This is why a bad Leopard firewall is a big deal)
  • Once malware is on a system you can never be totally sure it is ever 100% OK until a complete OS wipe and reinstall.
  • An open port is only useful to a bad guy if there is an exploitable service listening to it. Historically, OS X has been very good about this and Windows has been poor.
  • Nothing will save you from a social engineering attack on OS X or Windows. (InSta1l ThIs for freE PRON!!!1)

Hope that helps to allay some fears.
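To make the "unsolicited inbound is dropped UNLESS ..." rule in the list above concrete, here is an added example written for this thread (not any router vendor's firmware): a toy NAT router that allocates a mapping for every outbound flow and forwards an inbound packet only when it answers such a mapping, hits an explicit port forward (which is also what a UPnP request creates), or the router has a DMZ host. Addresses come from the RFC 5737 documentation ranges and the packets are constructed; the WAN address `WAN_IP` and the port-allocation scheme are assumptions.

```python
"""Toy model of the default NAT router policy summarised in the list above.

Added example for this thread, not a vendor's firmware. Addresses are from
the RFC 5737 documentation ranges and every packet is constructed."""

from dataclasses import dataclass

WAN_IP = "203.0.113.10"   # assumed public address of the router


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, dmz_host=None):
        self.forwards = {}        # (proto, wan_port) -> (lan_ip, lan_port): rules you set up, or UPnP did
        self.dmz_host = dmz_host  # if set, every unmatched inbound packet is sent here
        self.mappings = {}        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self._next_wan_port = 40000

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def remove_forward(self, proto, wan_port):
        self.forwards.pop((proto, wan_port), None)

    def outbound(self, pkt):
        """LAN -> WAN: always allowed; allocate (or reuse) a WAN port for the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.mappings:
            self.mappings[key] = self._next_wan_port
            self._next_wan_port += 1
        return Packet(pkt.proto, WAN_IP, self.mappings[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: returns (reason, lan_destination or None)."""
        # 1. reply to a flow a LAN host started
        for (proto, lan_ip, lan_port, rip, rport), wan_port in self.mappings.items():
            if (proto, rip, rport, wan_port) == (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port):
                return "solicited", (lan_ip, lan_port)
        # 2. explicit port forward (manual or UPnP)
        if (pkt.proto, pkt.dst_port) in self.forwards:
            return "forwarded", self.forwards[(pkt.proto, pkt.dst_port)]
        # 3. DMZ host receives everything else, on any port
        if self.dmz_host is not None:
            return "dmz", (self.dmz_host, pkt.dst_port)
        return "dropped", None


def scenario():
    """Walk through the cases in the list; returns the router's decision for each."""
    out = {}
    r = NatRouter()
    laptop, web, scanner = "10.0.1.5", "198.51.100.7", "192.0.2.99"
    # laptop fetches a web page; the server's reply matches the mapping
    egress = r.outbound(Packet("tcp", laptop, 50625, web, 80))
    out["reply"] = r.inbound(Packet("tcp", web, 80, WAN_IP, egress.src_port))
    # a scanner tries VNC (5900) on the public address: nothing matches
    out["scan_default"] = r.inbound(Packet("tcp", scanner, 3665, WAN_IP, 5900))
    # an explicit forward, or one a UPnP-capable app requested, opens it
    r.add_forward("tcp", 5900, laptop, 5900)
    out["scan_forwarded"] = r.inbound(Packet("tcp", scanner, 3665, WAN_IP, 5900))
    # the forward is removed (the "router didn't close it" case is when this never happens)
    r.remove_forward("tcp", 5900)
    out["scan_after_close"] = r.inbound(Packet("tcp", scanner, 3666, WAN_IP, 5900))
    # a DMZ'd machine gets everything the router cannot otherwise place
    out["scan_dmz"] = NatRouter(dmz_host=laptop).inbound(Packet("tcp", scanner, 3667, WAN_IP, 22))
    return out


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:18} {decision}")
```

Note what never passes through `inbound()`: traffic between two LAN hosts, and anything a LAN host sends out. That is the gap the list's "compromised system on your network" bullet points at, and it is the part only a host firewall can cover.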
 
Non Sequitur. Being or not being UNIX means nothing. The UNIX brand is not a seal of infallibility.

The more daemon processes that are listening for incoming connections, the larger the target you present. A firewall is supposed to lower your profile to prevent outside users from hitting those open ports. If this review is correct, the Leopard firewall is doing a poor job of it.

Because of development times, Leopard is running some versions of OSS that have many well known remotely exploitable bugs in them. If indeed the firewall is not preventing access to them, then being UNIX is not, and never, going to save you.

The short of it is simply this: UNIX is not a security brand.

Agreed. My previous post didn't make this point at all, but it's very true.

OS X is not infallible. Especially running older packages.
 
Question from a non-techie

Is the firewall "on" when you choose "Set access for specific services and applications?"

In Tiger you could choose a similar option and indicate which apps get past the firewall -- you could even assign them a specific port. A list gets populated in the Leopard firewall panel too, but it includes apps you blocked as well as the apps you've opened a port for. Are apps missing from this list not blocked until you add them as blocked? Confusing to me and not very confidence inspiring.

Raoul
 
If the airport and router have firewalls, then...

Why am I showing the following activities in my log?

This thread made me check my firewall in 10.5 and to check the log. I connect via an airport express (firewall 1) connected to a voip router (firewall 2). But I have logged the following messages:

Oct 30 23:36:55 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50625 from 12.129.xxx.xx:80
Oct 30 23:36:56 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50626 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50627 from 12.129.xxx.xx:80
Oct 30 23:36:57 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50628 from 12.129.xxx.xx:80
Oct 30 23:36:58 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50630 from 12.129.xxx.xx:80
Oct 30 23:37:01 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to UDP 10.0.x.x:52392 from 10.0.x.x:53
Oct 30 23:37:17 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50647 from 206.191.xxx.x:80
Oct 30 23:37:47: --- last message repeated 2 times ---
Oct 30 23:57:42 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50871 from 64.154.xx.x:80

Shouldn't I not be able to see these attempts on my 10.5 firewall log? Or is this a sign that my airport and voip router are not effective? Thanks for your thoughts.:)
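The two kinds of log entry quoted in this thread (the `Allow AppleVNCServer connecting from ...` lines earlier and the `Stealth Mode connection attempt ...` lines just above) call for different reactions, and the difference is visible in the ports. The following is an added example written for this thread, not Apple's tooling: it parses both message shapes and sorts them with two heuristics stated in the comments. A stealth entry whose source is a server port (80, 443, 53) and whose destination is one of this Mac's own ephemeral ports is consistent with a late reply to a connection the Mac itself opened, which a filter that does not track connection state then reports as unsolicited; an `Allow` entry for a remote-access daemon from a non-private address means the connection actually reached that service and is worth checking against what the router forwards. `SAMPLE_LOG` is copied from the posts, masked addresses included, plus one constructed probe line; the port sets are this example's assumptions.

```python
"""Triage entries from the Leopard application firewall log.

Added example for this thread, not Apple's tooling. The rules are
heuristics (see comments). SAMPLE_LOG is copied from the posts in this
thread, with masked addresses left as posted, plus one constructed line."""

import re

ALLOW = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Firewall\[\d+\]: "
    r"Allow (?P<app>\S+) connecting from (?P<src>[\w.]+):(?P<sport>\d+) "
    r"uid = (?P<uid>\d+) proto=(?P<proto>\d+)$")
STEALTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Firewall\[\d+\]: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) from\s*(?P<src>[\w.]+):(?P<sport>\d+)$")

SERVER_PORTS = {80, 443, 53}   # assumption: services this Mac talks to outbound
EPHEMERAL_LOW = 49152          # first port macOS hands out to outbound sockets


def is_private(ip):
    """RFC 1918 / loopback check that tolerates masked octets such as 10.0.x.x."""
    octets = ip.split(".")
    if len(octets) < 2 or not octets[0].isdigit():
        return False
    a = int(octets[0])
    b = int(octets[1]) if octets[1].isdigit() else -1
    return a in (10, 127) or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def classify(line):
    """Return (kind, explanation) for one log line."""
    m = ALLOW.match(line)
    if m:
        if is_private(m["src"]):
            return "lan_allowed", f"{m['app']} accepted a LAN connection from {m['src']}"
        # Allow means the packet was handed to the service: for a remote-access
        # daemon that deserves a look at the router's forwarding rules.
        return "review", (f"{m['app']} accepted a connection from Internet host "
                          f"{m['src']}:{m['sport']} (proto {m['proto']})")
    m = STEALTH.match(line)
    if m:
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport in SERVER_PORTS and dport >= EPHEMERAL_LOW:
            # Server port -> our ephemeral port: shape of a late FIN/RST,
            # retransmit or DNS answer arriving after our socket closed.
            kind = "lan_late_reply" if is_private(m["src"]) else "late_reply"
            return kind, f"{m['proto']} {m['src']}:{sport} -> :{dport}, likely reply to our own outbound traffic"
        return "probe", f"{m['proto']} {m['src']}:{sport} -> :{dport}, unsolicited"
    return "other", line


def triage(lines):
    """Classify every non-empty line; returns (results, counts per kind)."""
    results = [classify(l) for l in lines if l.strip()]
    counts = {}
    for kind, _ in results:
        counts[kind] = counts.get(kind, 0) + 1
    return results, counts


SAMPLE_LOG = """\
Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 23:36:55 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50625 from 12.129.xxx.xx:80
Oct 30 23:36:56 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:50626 from 12.129.xxx.xx:80
Oct 30 23:37:01 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to UDP 10.0.x.x:52392 from 10.0.x.x:53
Oct 30 23:37:47: --- last message repeated 2 times ---
Oct 31 01:02:03 Macintosh-2 Firewall[65]: Stealth Mode connection attempt to TCP 10.0.x.x:22 from 222.216.28.172:3095
""".splitlines()   # last line is constructed: an SSH probe from an ephemeral source port

if __name__ == "__main__":
    results, counts = triage(SAMPLE_LOG)
    for kind, why in results:
        print(f"{kind:15} {why}")
    print(counts)
```

Run against a real `/var/log/appfirewall.log`, the `review` bucket is the one to read first; `late_reply` entries are the expected noise of running a non-stateful filter behind a stateful router, and a steady run of `probe` entries against one port is the scanning the thread describes.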
 
Thing is, Mac users have never said that the OS is more secure because of the technology; they mean it's more secure because no one bothers to hack it. I always read or get people touting that Mac isn't any more secure. I think people have misunderstood.
 
Messages to testers: WTF?

So I don't get it.

wasn't leopard in public beta (testing) mode for the last... forever?


Didn't anyone point this out? How did something as public as firewall configuration/performance get missed?
 
Are you directly connected to your cable/DSL/FIOS modem or is it being routed? These days, 99.9% of the time there is a NAT router built in to your modem and that external IP is what Shields Up is testing, not your computer. To test your machine you would need to hook up directly to the internet or DMZ your machine, neither of which is a good idea.

Here are some important points for those newer to networking:

1) There is no such thing as a hardware firewall. A standalone firewall, yes, but all firewalls run firewalling software.
2) A NAT router is a firewall

All firewalls run on hardware too, so I guess there is no such thing as software firewalls either? You need both hardware and software to make a firewall device work. This is not the critical distinction and is really just semantics. There are host-based firewalls, network-based firewalls and gateway firewalls. All of the above run software and run on hardware. In the business, hardware firewalls specifically refer to security appliances that use ASICs rather than general purpose CPUs to process packets. Yes, you still need software to make everything work but the processing is done in hardware (this is similar to the hardware/software RAID distinction).

A NAT router provides some protection but it is not a firewall even though some people use it as such. It is similar to using saran wrap instead of a condom. Yes, it does provide some protection but saran wrap is still not a condom.
 
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

As it has been pointed out, a lot of the attacks that hit Windows are targeting non-updated computers, and a lot of people (Mac users included) do not keep up to date. If you noticed, M$ quit saying what the security threat was in their updates beyond being very general about it, because people were using that information to figure out how to exploit it on people who fail to stay updated.
 
The router I'm using is a Wired Router. I don't allow wireless in the house. So, the router has no wireless capabilities.

But, it does have a firewall built-in. Basically, it is supposed to filter all incoming and outgoing communications. It appears to be pretty thorough. I've configured all the settings, and such and used various online scanners, and none of them have reported a weakness.

Hopefully, it is good. It's one of those things where you never know how good something is until it fails.

The link is rather long, so here's a tinyURL to the page with information on the router / Firewall I'm using:

http://tinyurl.com/25shvh

It definitely has more firewall features to configure than the OS X firewall. So, it seems pretty thorough. Hopefully it is as secure as it seems.

I have the same router as well....it seems to be pretty secure....though I do not use the OSX firewall, nor did I use it with Tiger. I don't share any folders anyway.
 
Well this is somewhat disappointing.

Worry not. I wouldn't put too much thought on it, In my humble opinion, this is a typical FUD case article.

Anyone concerned about security that relies on software-only for security protection deserves a smack in the head.

Even if you are behind your good ol' "Linksys" router, "firewalled" et al, the chances of your Mac being hacked are rather slim. Now, enable this "insecure" firewall on your Mac and I bet the chances will be even slimmer.

Here's a hint, get yourself a nice and secure router with firewall option (around $50.00-ish), configure the firewall for your security needs (unpingeable, close ports for idiotic broadcast services, etc), disable your "insecure" Mac firewall and live happy..

-- sb
 
Repeating my question

With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that the ports, not one of them, showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on: Now for the question. How is that not sufficient protection. I am not the pentagon, or the Bank of America or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!
 
Who gives a ****? I've run with no firewall and several different specific services exposed to the world through a NAT router for the last 4 years on both Windows and Apple machines and have never had a single problem with a worm, virus, or other exploit. Being careful about where you go online is much more crucial to security than running some stupid firewall.

That's a weird thing to say: "where you go online is much more crucial to security than running some stupid firewall."

If you have exposed ports, it doesn't matter "where you go" (whatever that even means)...people will come find you.

If your router can capture logs, turn that feature on and take a look at it sometime. There are thousands of people all around the world who have computers scanning the net (which in IPv4 is still pretty small, about 4bn addresses) for open ports. You will see your own computer receiving literally hundreds or thousands of probes every day. Those probes are usually bad (or perhaps just mischievous) people trying to see what services you have exposed on your computer, and once they find out you're running those services they run the battery of attacks that exploit that service. The tools to do so are actually shockingly powerful. They can potentially fingerprint what kind of OS/hardware you're running, then automatically run all of the potential cracks against that OS/hardware combination that are known to exist.
 
With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that the ports, not one of them, showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on: Now for the question. How is that not sufficient protection. I am not the pentagon, or the Bank of America or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!

The problem with just a hardware firewall like the Netgear is that it's great for stopping inbound traffic but it's worthless at stopping outbound traffic.

A software firewall is not as good at stopping inbound but much better at stopping outbound traffic. This is the reason why it is a good idea to run both. One handles inbound better, the other handles outbound better.
 
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

As it has been pointed out, a lot of the attacks that hit Windows are targeting non-updated computers, and a lot of people (Mac users included) do not keep up to date. If you noticed, M$ quit saying what the security threat was in their updates beyond being very general about it, because people were using that information to figure out how to exploit it on people who fail to stay updated.
The point is that this Heise Security was guessing at the risk if there ever was any. They obviously need to do some more research before they reach a conclusion. What I find funny is that all the Mac vulnerabilities have alleged security risk which means they are not sure and most likely it's nothing anyway.
 
Quick testing

I have my mac set to stealth, deny incoming connections and no services enabled. I ran some of the tests in the article and could not match his results. Nmap returns no open ports. But, if the firewall allows any application to open ports and start listening, it will be very easy to drive-by-download a trojan or RAT that starts a listener.

That said, the firewall was DISABLED by default. That is BAD.

The firewall is not running ipfw.

The running process appears to be /usr/libexec/ApplicationFirewall/socketfilterfw

I have no clue how to handle rules with this; if they can be manually tweaked; and what happens if I run ipfw.
 