I have a feeling this might have to do with the "Back to my Mac" functionality that was enabled on .Mac. Turning it off now since it's just as easy to tunnel Shared Screens (VNC) through an SSH tunnel.

Interesting. Since the weekend, I've had the firewall turned on with connections limited to specific applications (Remote Login, Screen Sharing, and Apple File Sharing). I'm behind a Linksys WRV54G with only web sharing being passed to my desktop on a WAP-enabled wireless network.

Yet, my firewall logs show the following:

Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6

The fact that these are even being logged is a bit odd since these are totally random IP addresses...

Not to mention the fact that I've had a steady stream of non-stop SSH login attempts from a few determined parties. All the better reason to tweak your SSH server's settings for better security (pubkey auth only, explicitly deny PasswordAuth, using AllowUsers and DenyUsers, etc.)
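As an added example (not the poster's own code): the Leopard application-firewall "Allow" lines quoted above can be parsed to list which applications accepted connections from public addresses, which is the check a defender would want before deciding whether the VNC exposure was intended. The sample log below reuses the lines from the post plus two constructed lines (one private-address hit and one unrelated message) to show that those are ignored.

```python
import ipaddress
import re
from collections import defaultdict

# Shape of the Leopard Firewall "Allow" lines quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Firewall\[\d+\]: "
    r"Allow (?P<app>\S+) connecting from (?P<ip>[\d.]+):(?P<port>\d+) "
    r"uid = (?P<uid>\d+) proto=(?P<proto>\d+)$"
)


def parse_allow_lines(lines):
    """Yield one dict per parsable 'Allow' line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def external_connections(lines):
    """Count allowed inbound connections per application and remote address,
    keeping only peers outside private, loopback and link-local ranges."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_allow_lines(lines):
        addr = ipaddress.ip_address(rec["ip"])
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue  # LAN or local traffic is not what we are worried about
        counts[rec["app"]][rec["ip"]] += 1
    return {app: dict(peers) for app, peers in counts.items()}


def summarize(lines):
    """Return (app, remote_ip, hits) tuples, busiest peer first."""
    rows = [(app, ip, n)
            for app, peers in external_connections(lines).items()
            for ip, n in peers.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


# Sample log: the ten lines from the post, plus two constructed lines
# (a private-address connection and an unrelated message) that must be ignored.
SAMPLE_LOG = """\
Oct 29 03:24:48 MacBook Firewall[53]: Allow AppleVNCServer connecting from 66.7.212.29:3665 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32922 uid = 0 proto=6
Oct 29 03:58:36 MacBook Firewall[53]: Allow AppleVNCServer connecting from 70.49.174.70:32916 uid = 0 proto=6
Oct 30 04:21:35 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4289 uid = 0 proto=6
Oct 30 04:21:36 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4291 uid = 0 proto=6
Oct 30 04:21:38 MacBook Firewall[47]: Allow AppleVNCServer connecting from 81.202.69.250:4311 uid = 0 proto=6
Oct 31 03:47:34 MacBook Firewall[47]: Allow AppleVNCServer connecting from 222.216.28.172:3095 uid = 0 proto=6
Oct 31 09:00:00 MacBook Firewall[47]: Allow AppleVNCServer connecting from 192.168.1.20:51234 uid = 0 proto=6
Oct 31 09:00:01 MacBook Firewall[47]: Stealth Mode connection attempt to TCP 192.168.1.5:22 from 192.168.1.20:51235
""".splitlines()

if __name__ == "__main__":
    for app, ip, n in summarize(SAMPLE_LOG):
        print(f"{app:16} {ip:16} {n} accepted connection(s)")
```

Run it against /var/log/appfirewall.log (the file the post's lines come from on 10.5) to get the same summary for your own machine.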
 
I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS.

I don't think anybody is defending Apple here...I'm just personally surprised that such a widely tested system would have such a fundamental flaw in it.

Thousands of developers tested this software for months, and having a missing firewall should have been pretty obvious to somebody. And if Apple tweaked the firewall settings right before they pressed the GM disc...then they are really stupid.

Until we get confirmation from some other authorities, I think we need to take any news like this skeptically. (Unknown site outs security flaws without explicitly showing how to recreate their results? Yawn...I'll pass.)
 
MAC firewall Leopard

Hi,

I support WinDoze machines for a living in an EDU environment and you better believe that viruses and malware are a real problem... even with a pro-level hardware firewall on our network we still have problems.

I have yet to learn the ins and outs of the Leopard firewall as I just installed it last night... but within the first 45 mins I turned the firewall on and set it to reject all incoming and Stealth. I am also behind a LinkSys WRTG54s router/wireless but I have the wireless turned off and my MacPro is hardwired to it.

Apple has enough time to improve Leopard security for the attacks that are sure to come:eek:... I think Leopard is a good start:D
 
Worry not. I wouldn't put too much thought on it. In my humble opinion, this is a typical FUD case article.

Anyone concerned about security that relies on software-only for security protection deserves a smack in the head.

Even if you are behind your good'ol "Linksys" router, "firewalled" et al, the chances of your Mac being hacked are rather slim, now, enable this "insecure" firewall on your Mac and I bet the chances will be even slimmer.

Here's a hint, get yourself a nice and secure router with firewall option (around $50.00-ish), configure the firewall for your security needs (unpingeable, close ports for idiotic broadcast services, etc), disable your "insecure" Mac firewall and live happy..

-- sb

I guess you don't leave your house with your Mac... laptops are mobile. I hook up to customer networks/WIFI sites numerous times a week. I would rather not rely on others for my protection. ... not to mention Leopard update had the firewall off. If I had not been here reading, I probably would have thought it was still on.
 
Another secret feature revealed

LOL,

Another one of Leopard's secret features revealed.

The elusive Firewall

Don't bogart that port my friend
 
Originally Posted by Rodimus Prime:
"I might want to point out this thread shows a lot of problems with mac users.

If someone brings up something Apple screwed up on, they bash it and refuse to believe it could be true. This attitude will cause them to get hurt when someone finally makes something that takes advantage of a hole in the OS."

And why do you always presume the opposite? The article is FUD, we are correct in assessing as such; the firewall works for crap sakes; even in the off position I report out as safely hidden. What else do we need to do?
 
My Mac passed all the shields up tests. I'm on 10.5. So, just because the Leopard firewall isn't as informative as the Tiger firewall doesn't mean it's not working.
 
I passed Symantec's security check feature on their website with Leopard's firewall enabled

I've run their test several times in the past. I've passed each time.

The interesting thing, is that it always says I've passed, and then says it recommends Norton Internet Security as a "Fix".

It always suggests a "Fix" or "Solution" even if there is no problem.

I've always found it humorous that they actually propose to fix the problem I have of a functioning and secure firewall.

Apparently I need a Norton product to fix the problem of it doing its job.

"Hey, it's working, I know how to fix this. Install our program and the problem is gone. Oh, wait, you want security, oh, sorry" :D
 
I just thought it was interesting cuz if what these criticisms are saying is true then you'd think that Norton would be trying to capitalize on it and sell some software. It's not like they haven't tried to capitalize on it before if my memory serves me well....but on false alarms about that Mac virus that finally popped up:eek:

I think MDN just published an article where Intego issued a statement about this Trojan horse that apparently is going around porn sites posing as a video codec for QuickTime. Capitalizes on the fact you need an admin password to install such things to gain root access. Anyways..... they're using it to try to sell software.

When my Mac starts behaving like a Windows machine, maybe I'll buy into their sales pitch. So far though, the native security in OS X has done me just fine. Although I will concede that perhaps a hardware-based firewall isn't a half bad idea...
 
With the Leopard firewall set at the Apple default, I visited the Gibson site and tested my iMac. The result was that the ports, not one of them, showed a result of even existing, but closed. They just presented a black hole of no response. I use a Netgear wireless router with its firewall protection on: Now for the question. How is that not sufficient protection. I am not the pentagon, or the Bank of America or anything else that would be tempting to anyone.

I think much has been made about nothing. Get back to work!

Can it be that there is a serious flaw in your reasoning here?

With your setting you are testing the Firewall features of your Netgear router and not the Leopard Firewall.
Turn off the Firewall and any NAT in your Netgear router and then repeat those tests.
 
Apple tells you that 'normally the OS is choosing for which programs it allows incoming connections'; that is not something I want my firewall to do.

Why not? This is the real issue here. Can anyone answer this?

What Apple did was to put in some automation so that typical users would not do something stupid in the name of "Security". From reading all these posts I think Apple did the right thing. Users seem to not even understand what firewalls do.

Here is what they did that caused the "hole": When a user turns on a service like, say, "FTP", the firewall ports associated with FTP (20 and 21 from memory) are unblocked automatically. Why is this bad? If you wanted the FTP server, what good is it if you block the associated ports? Your server would be useless. Same goes for SSH and 100 other services; I can't see any reason to run the service behind a closed firewall.

Now things get a lot different if the firewall is running inside its own box, because in this case there could be any number of computers going through the router. Then it WOULD make sense to run an FTP server on an office machine and close the ports on the hardware router box so everyone in the office can get to the FTP server but no one on the Internet could.

But you would never want to block the ports on the machine running the server.

Next question: Why would we EVER need a software firewall on a Mac? Seriously. Is there a scenario where it helps? Let's go back to FTP. Let's say I have a Mac directly connected to the Internet with no firewall. Someone finds my computer and tries to open a connection on port 21. What will happen? Nothing, because I'm not running FTP and not listening on 21. So whether I block 21 or not I get the same result, nothing. So why block it?

Firewalls make the most sense in a larger organization where we don't know if some idiot is running a misconfigured FTP server on his PC, so we add a firewall which makes that impossible.
 
I'm sure Symantec will attempt to capitalize on it if the claims are proven true.

It's only been a couple of days. So, I expect it will take a bit longer for an absolute answer to prevail.

The one Virus I have gotten on a Mac was discovered by Norton Antivirus though.

It was back in 1998 or 1999. I was running OS 8.1 or 8.5 (not sure at the moment - been a long time). I had wrongly assumed I was safe because I was using a Mac and not Windows (although I had other Windows computers around).

And, it was not until I decided to buy Norton Antivirus and installed it that I discovered the virus. I don't recall what it was called, but it was easily removed and taken care of.

I was quite surprised because I had never even used the machine on the Internet (it was a stand alone system). It was just for messing around. So, the only thing ever installed on it came from trusted publishers on CD-ROM (usually retail purchases).

Eventually, I tracked down the source. It was a CD that came with Mac Addict magazine. It came with a demo of Tomb Raider. Turns out that Tomb Raider was carrying a virus. It was a Mac OS virus. It was not simply a Windows virus residing on the system.

Mac Addict confirmed it to be true. They sent out an apology to their subscribers, and printed a statement in the next issue of their magazine.

They promised a replacement disk (which was virus free), but despite asking for it, I never did receive the replacement CD.

That is my one experience with a Mac Virus. I'm sure someday someone will care enough to write another one.
 
A lot of this doesn't pass the sniff test; that's such an egregious flaw that no one noticed seems incredible.

On the other hand, the firewall being turned off by default is bad; why in heaven's name would that be a good thing as a default?
 
Why would I do that?

I want and need the protection of my hardware; I want and need the protection that Leopard provides. I would not dare be on the net/www without my hardware protection. I just meant I am done with this, I feel safe with the hardware and software protection that I have in place; it is totally sufficient that probes report that nothing is here to report on. I did set the firewall to block all incoming connections. I will just have to see if that diminishes my performance any.

I did not mean to be rude to anyone; I just think that the article that started this all is to be held in suspicion as it is a MS house. Sorry if I offended anyone. The crowd reminds me, this Halloween, of the mob chasing the monster Frankenstein; I am just not convinced the monster is real.
 
Hi Chris,

Why do I think it is bad to have this automatism in the firewall?
Quite simple. Maybe because I distrust automatisms? Just because some program is started that listens on a port, the OS decides the FW should get a rule that lets traffic through?
Think of a rootkit or backdoor on your computer. You download some shiny freeware from some website, install it, and anybody out there can now connect to your Mac - scary!
I would at least expect to get some confirmation message from the FW asking me ('Are you OK with the fact that your computer is now reachable for everyone on the Internet?')

Regarding your second question: You are right. The best thing for security would be not to have any programs listening for connections at all - end of story! However, sometimes this is just not convenient or feasible. A firewall is useful here to control who can connect to your computer. On a public server (e.g. FTP) it makes no sense to have a FW. On your private computer you are usually not offering a service to everyone, but to a small circle of trusted users/sites. Here a firewall gives you control over who these trusted few might be.

So in short: If there were no services listening for connections on your Mac (which is not the case on an out-of-the-box system) you would need no firewall. Since this is not the case, I want a system that is deterministic and can be trusted not to make arbitrary choices.

Maybe this clarifies the issue a little.
 
I am most certainly not offended. I only want to point out that there are situations (such as taking your MacBook on the road) where your sole line of defense is the inbuilt defenses of the OS, with no fancy HW router/firewall to help you.

This is what had been tested and has failed the test.
You are quite right to take this extra precaution in your set-up. But please do not talk as if there is no issue here with what has been implemented by Leopard. It might be no issue for your particular set-up, but this is not the general case for everybody.
 
Bogus/PR stunt

I can not believe MacRumors posted a reference to this company and this "test". It was completely flawed and bogus test just to get PR. Haven't we learned from the Airport wireless fiasco? MacRumors should remove this article from their front page and quit spreading garbage.

Please read the following:


Setting firewall access for services and applications
Mac OS X includes a firewall: a security measure that protects your computer when you’re connected to a network or the Internet. If you turn on a sharing service, such as file sharing, Mac OS X opens a specific port in the firewall for the service to communicate through. When you open the Firewall pane of Security preferences, any sharing services turned on in Sharing preferences, such as File Sharing or Remote Apple Events, appear in the list.

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access.

IMPORTANT: Some programs have access through the firewall although they don’t appear in the list. These might include system applications, services, and processes (for example, those running as “root”). They can also include digitally signed programs that are opened automatically by other programs. You might be able to block these programs’ access through the firewall by adding them to the list.

To add an application to the list, select “Set access for specific services and applications” in the Firewall pane of Security preferences, click Add (+) at the bottom of the list, and then select what you want to add. After the program is added, click its up and down arrows to allow or block connections through the firewall.

Blocking a program’s access through the firewall could affect the performance of other applications and services you use.
 
Proving exactly what?

Edit:

Similar to the Microsoft favourite 'It is not a bug - it is a feature!"?
 
There's obviously something wrong with the "Block all incoming connections" setting:

TCP scan with firewall turned off:
Code:
sepp@deesli:~$ sudo nmap -sS 192.168.2.250

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:16 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
88/tcp  open  kerberos-sec
548/tcp open  afpovertcp

After blocking everything:
Code:
sepp@deesli:~$ sudo nmap -sS 192.168.2.250

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:20 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh
88/tcp  open     kerberos-sec
548/tcp filtered afpovertcp

And indeed, port 88 is still completely open:
Code:
sepp@deesli:~$ telnet 192.168.2.250 88
Trying 192.168.2.250...
Connected to 192.168.2.250.
Escape character is '^]'.

Same for UDP stuff, for example ntp can still be accessed even if all incoming connections are supposedly blocked:
Code:
sepp@deesli:~$ sudo /usr/sbin/ntpdate -d 192.168.2.250
31 Oct 23:33:23 ntpdate[1959]: ntpdate 4.2.4p3@1.1502-o Mon Aug 13 16:20:20 UTC 2007 (1)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
receive(192.168.2.250)
transmit(192.168.2.250)
192.168.2.250: Server dropped: strata too high
server 192.168.2.250, port 123
stratum 16, precision -20, leap 11, trust 000
refid [192.168.2.250], delay 0.02582, dispersion 0.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
originate timestamp: cad3812e.1b99ef55  Wed, Oct 31 2007 23:33:18.107
transmit timestamp:  cad38133.678476f2  Wed, Oct 31 2007 23:33:23.404
filter delay:  0.02594  0.02582  0.02582  0.02582 
         0.00000  0.00000  0.00000  0.00000 
filter offset: -5.29667 -5.29670 -5.29670 -5.29670
         0.000000 0.000000 0.000000 0.000000
delay 0.02582, dispersion 0.00000
offset -5.296705

31 Oct 23:33:23 ntpdate[1959]: no server suitable for synchronization found
but should look like this: (using a real firewall: sudo ipfw add 100 deny all from any to any 123 in)
Code:
sepp@deesli:~$ sudo /usr/sbin/ntpdate -d 192.168.2.250
31 Oct 23:34:12 ntpdate[1960]: ntpdate 4.2.4p3@1.1502-o Mon Aug 13 16:20:20 UTC 2007 (1)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
transmit(192.168.2.250)
192.168.2.250: Server dropped: no data
server 192.168.2.250, port 123
stratum 0, precision 0, leap 00, trust 000
refid [192.168.2.250], delay 0.00000, dispersion 64.00000
...
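As an added example (not the poster's own code): the before/after nmap runs above can be compared mechanically, which turns the post's observation about port 88 into a repeatable check. With an effective "Block all incoming connections" every port that was open before should report as filtered afterwards; anything still open is what the post is complaining about. The two scan outputs below are copied from the post; the parser assumes nmap's normal text table (PORT STATE SERVICE).

```python
import re

# One row of nmap's port table, e.g. "88/tcp  open     kerberos-sec".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_nmap_ports(output):
    """Return {'22/tcp': ('open', 'ssh'), ...} from nmap's normal text output."""
    ports = {}
    for line in output.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[f"{m['port']}/{m['proto']}"] = (m["state"], m["service"])
    return ports


def still_reachable(before, after):
    """Ports that were open with the firewall off and are STILL open after
    'Block all incoming connections'. An effective deny-all policy would
    leave this list empty; every such port should have become 'filtered'."""
    b = parse_nmap_ports(before)
    a = parse_nmap_ports(after)
    return sorted(
        p for p, (state, _) in b.items()
        if state == "open" and a.get(p, ("closed", ""))[0] == "open"
    )


def now_filtered(before, after):
    """Ports the firewall setting actually took care of (open -> filtered)."""
    b = parse_nmap_ports(before)
    a = parse_nmap_ports(after)
    return sorted(
        p for p, (state, _) in b.items()
        if state == "open" and a.get(p, ("closed", ""))[0] == "filtered"
    )


# Scan output copied from the post: firewall off, then "Block all incoming".
BEFORE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:16 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
88/tcp  open  kerberos-sec
548/tcp open  afpovertcp
"""

AFTER = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-31 23:20 CET
Interesting ports on 192.168.2.250:
Not shown: 1694 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh
88/tcp  open     kerberos-sec
548/tcp filtered afpovertcp
"""

if __name__ == "__main__":
    print("blocked as expected:", now_filtered(BEFORE, AFTER))
    print("still reachable   :", still_reachable(BEFORE, AFTER))
```

The same comparison works on a UDP scan (nmap -sU) to confirm the ntp case the post shows with ntpdate.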
 
Yeah...I'll run a trial download of an anti-virus program every once in a while just to make sure stuff like that doesn't happen.
 