This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

I agree that it is nonsense, but you are adding to it.

To start with, there are devices which are dedicated firewall appliances that run a dedicated firewall OS on them. Many of these devices actually perform the screening in the hardware via programmable asics. Ok, it's still "software" running on dedicated chips, but the traffic is not handled by the operating system and is not inspected by the general processor.

These same firewall appliances will sometimes include more than just ethernet interfaces. Sometimes they have DSL, Cable or T1/T3 and wireless interfaces. Make no mistake, though, they are a firewall first, and a router second. In fact, they make pretty poor routers, but excellent firewalls. These would be like the Cisco PIX, Juniper Netscreen or the SonicWall firewalls. There may be more, but these are the ones I'm more familiar with.

For residential use, these are probably overkill, although I do use a Netscreen at home. Using any broadband router with NAT enabled is going to secure you from MOST incoming connection attempts. The exception would be if you have port forwarding or UPnP enabled.

Sorry, I just couldn't let this one go.

-jt2
 
Same for UDP stuff, for example ntp can still be accessed even if all incoming connections are supposedly blocked:

It's interesting that you mention ntp, but not netbios. The leofud page claims that ntp does indeed work, but not the more dangerous netbios as the original article is asserting.
 
and yet another biased report from the BBC about Apple

http://news.bbc.co.uk/1/hi/technology/7071017.stm

Yes and no...

Read to the end of the article. Money quote:
Mikko Hypponen, chief research officer at F-Secure, said: "Year after year, Macs continue to have these potential security problems.

"However, in practice they just don't seem to become real-world problems," he added. "The old wisdom still stands: if you want to avoid viruses and worms, get a Mac."
 
It's interesting that you mention ntp, but not netbios. The leofud page claims that ntp does indeed work, but not the more dangerous netbios as the original article is asserting.

I don't find that very interesting considering I don't have a netbios port open...

However, I did also test mDNSResponder/Bonjour with "Block all...": (port 5353 UDP)
Code:
sepp@deesli:~$ avahi-resolve -a 192.168.2.250
192.168.2.250	Quad.local

should be: (sudo ipfw add 101 deny ip from any to any 5353 in)
Code:
sepp@deesli:~$ avahi-resolve -a 192.168.2.250
Failed to resolve address '192.168.2.250': Timeout reached
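To put that single ipfw rule into context, here is an added example (not code from this thread, from Apple, or from any of the posters) of a minimal Tiger-style stateful ipfw ruleset that does what the Leopard UI label promises: unsolicited inbound TCP and UDP are dropped no matter which uid owns the listening socket, while replies to the Mac's own outbound traffic still pass. The rule numbers, the choice to log, and the helper names `ipfw_rules`, `ipfw_rule_count` and `ipfw_apply` are this example's own; it assumes a Mac OS X release that still ships ipfw (10.5 does) and needs root to load the rules.

```shell
#!/bin/sh
# Added example (not from the thread or Apple): a stateful ipfw ruleset for
# Mac OS X 10.5 that blocks unsolicited inbound traffic for every process,
# root-owned listeners included. Rule numbers are this example's own choice.
#
# 100-120  loopback traffic allowed, loopback-spoofed packets dropped
# 200-220  stateful core: replies to our own outbound TCP/UDP are let back in
# 230      ICMP needed for unreachable/PMTU/traceroute; echo requests (type 8)
#          are deliberately not listed, so the host does not answer pings
# 240      DHCP lease replies can arrive as broadcasts the dynamic rules
#          cannot match, so they get an explicit allow
# 300-320  everything else unsolicited is dropped and logged; 300 mirrors the
#          Bonjour (mDNS, 5353/udp) test from the post above

# Print the ruleset without touching the kernel, so it can be reviewed first.
ipfw_rules() {
cat <<'EOF'
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any in
add 200 check-state
add 210 allow tcp from me to any out setup keep-state
add 220 allow udp from me to any out keep-state
add 230 allow icmp from any to any icmptypes 0,3,11
add 240 allow udp from any 67 to any 68 in
add 300 deny log udp from any to any 5353 in
add 310 deny log tcp from any to any in setup
add 320 deny log udp from any to any in
EOF
}

# Number of rules the ruleset adds (sanity check against `ipfw list` afterwards).
ipfw_rule_count() {
    ipfw_rules | grep -c '^add '
}

# Load the ruleset. OS X's built-in default rule 65535 is "allow ip from any
# to any", so everything we want dropped must be denied explicitly before it.
ipfw_apply() {
    sudo ipfw -q flush
    ipfw_rules | while IFS= read -r rule; do
        # Word splitting is intended: "add 100 allow ..." becomes ipfw's arguments.
        sudo ipfw -q $rule
    done
    sudo sysctl -w net.inet.ip.fw.verbose=1 >/dev/null   # make "deny log" rules log
    sudo ipfw list
}

if [ "${1:-}" = apply ]; then
    ipfw_apply
else
    ipfw_rules
fi
```

Run it with no argument to review the rules, with `apply` to load them. Because ipfw sits in the IP stack, the application firewall's per-uid behaviour cannot override an ipfw deny, which is the point; a GUI such as WaterRoof, mentioned later in the thread, manages the same rules. The rules do not survive a reboot on their own, so a startup item or launchd job is needed to reload them.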
 
Yes and no...

Read to the end of the article. Money quote:

Exactly, end of the article, a couple of lines.

A bit of research on their part would have shown that the interpretation of the test results was flawed.
 
Thank God for hardware firewalls.

Yea, the other firewall can protect you, assuming you are not on the road with your laptop, in which case all you have is a lame firewall with a built-in false sense of security.

I heard about this about 3 days ago and was not a happy camper.
 
OK, it seems that everything that runs as root is not blocked.

Code:
bash-3.2$ ./listen.pl 2000
uid 501. Listening on port 2000...
-- --
sepp@deesli:~$ telnet 192.168.2.250 2000
Trying 192.168.2.250...
telnet: Unable to connect to remote host: Connection timed out

whereas:
Code:
bash-3.2$ sudo ./listen.pl 2000
uid 0. Listening on port 2000...
-- --
sepp@deesli:~$ telnet 192.168.2.250 2000
Trying 192.168.2.250...
Connected to 192.168.2.250.
Escape character is '^]'.

So, at least there is a pattern, but it's just wrong to call this "Block all incoming connections".
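To make the pattern in that post checkable on any Mac, here is an added example (not code from the thread) that lists the listening sockets owned by root, i.e. exactly the ones the post shows "Block all incoming connections" letting through. It parses the output of `lsof -nP -i`; the sample lines embedded below are constructed for the example rather than captured from a real host, and the names `root_listeners` and `live_root_listeners` are the example's own.

```shell
#!/bin/sh
# Added example: find listening sockets owned by root from lsof output.
# Per the post above, Leopard's "Block all incoming connections" does not
# apply to root-owned listeners, so these are the ports still reachable.

# Constructed sample of `lsof -nP -i` output (not captured from a real host).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   14u  IPv4 0x01   0t0  TCP *:22 (LISTEN)
ntpd        145 root    8u  IPv4 0x02   0t0  UDP *:123
mDNSRespo   123 _mdns   7u  IPv4 0x03   0t0  UDP *:5353
listen.pl  2001 sepp    3u  IPv4 0x04   0t0  TCP *:2000 (LISTEN)
listen.pl  2002 root    3u  IPv4 0x05   0t0  TCP *:2000 (LISTEN)
Safari     3012 sepp   20u  IPv4 0x06   0t0  TCP 192.168.2.250:49152->17.0.0.1:443 (ESTABLISHED)
ntpd        145 root    9u  IPv4 0x07   0t0  UDP 192.168.2.250:123->192.168.2.1:123'

# Read lsof -nP -i output on stdin; print "PROTO PORT PID COMMAND" for every
# socket that is owned by root and waiting for unsolicited traffic: TCP in
# LISTEN, or UDP bound without a peer (no "->" in the NAME column).
# Assumes lsof's default column layout; a COMMAND containing spaces would
# shift the columns, so in that case use `lsof -F` instead.
root_listeners() {
    awk 'NR > 1 && $3 == "root" &&
         (($8 == "TCP" && $10 == "(LISTEN)") || ($8 == "UDP" && $9 !~ /->/)) {
             n = split($9, p, ":")        # last ":" field is the port, IPv6 too
             printf "%s %s %s %s\n", $8, p[n], $2, $1
         }' | LC_ALL=C sort -u
}

# Same check against the running system. lsof itself needs root to see
# sockets belonging to other users, hence sudo.
live_root_listeners() {
    sudo lsof -nP -i | root_listeners
}

if [ "${1:-}" = live ]; then
    live_root_listeners
else
    printf '%s\n' "$SAMPLE_LSOF" | root_listeners
fi
```

On the sample, the sepp-owned `listen.pl` and the Bonjour responder are filtered out and the root-owned sshd launcher, ntpd and the root `listen.pl` remain; those three ports are what a scan from another host would find reachable with the Leopard firewall set to "Block all incoming connections", and what an ipfw rule would have to cover instead.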
 
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.

Most NAT firewalls (Linksys for example) are sufficient for 99% of the cases; they stop all but extremely dedicated hackers.

However, a firewall's main function is to block a connection attempt on a specific port. Any port you open is subject to attack. Even if the firewall is perfect and, let's say, you open port 80 (www) for people to use your web server, the web server itself can come under attack, and the application being run by your web server / application server (example: Tomcat) can come under attack. The main purpose of a firewall is to protect you at the network level; if your web server has a flaw or your application has a flaw, you are still dead meat.

Don't open any inbound ports (from the internet to your computer or network) and you should be OK 99% of the time.

However, with this flaw, your chances are closer to 60%.
 
As ever, there's a lot of "apology" for this clear mistake on Apple's part... Whilst the article has some flaws, anybody with the opinion that it has no substance is either blinkered or ignorant. It's true that there are mitigating factors which may reduce the real exposure to attacks, but it's hardly good practice. If a comparable setup was deployed by MS, the media would probably make an even bigger deal about it (and the fan-boys would be s******ing in their corners).

What makes it worse is that Apple could almost certainly have avoided much of this. There's a packet firewall installed with Leopard by default (ipfw). This has proved adequate for previous versions of OS X (and many other operating systems). However, it's set to allow all ingoing and outgoing traffic, presumably so it works more effectively with Apple's new application layer firewall. They have chosen to "dumb down" the security of OS X, at the expense of making the OS less secure by default. To make matters worse, the application firewall does not behave as you would expect from the UI and allows root services to access the internet unchecked (and without any notification to the user). Whilst it may have had techy jargon (port numbers etc.) and been less user friendly, Tiger's setup was clearly superior.

If they felt an application firewall would be easier for users to configure, it should have (and could have) been implemented in such a way that it worked hand in hand with ipfw or incorporated both levels of functionality, i.e. when you authorised an application, it suggests opening an appropriate port on the IP firewall and by default everything else is blocked.

This halfway house is both deceiving to casual users and frustrating for people with more understanding of the implications. Personally, I can't see any use for the application firewall, it does not meet my needs and I don't see the point of managing two sets of rules (one of which may have "vague" behaviour). I have installed waterroof and will continue to configure access to services through ipfw. However, I know that I will be in a minority (as will the script-kiddies...).

Maybe nobody will take the opportunity to give Apple a bloody nose, but I would have thought that pressure is mounting for the first successful worm/virus. Arrogance like this just makes it more likely.

J
 
There are 2 ways of looking at this. You either block by default, or you know what services you are running. Apple chose the second approach.

If you aren't running services, a firewall is a waste of time. It isn't going to protect you from the 2 dozen known holes in Firefox, and it isn't going to make a secure service insecure.

Agreed, I recall hearing what you said with similar things with firewalls and Linux...

Sorry to sound stupid, but where is the Universal Plug N Play setting ?

I have absolutely no clue how to turn that off... personally I see a use for it on both Vista and OSX, as long as the machines that use it are secure.
 
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it? :)

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple! :mad:

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
My understanding is that a router is an inherently unhackable device (because it's too stupid to be taken over), and that if you stealth it, e.g., turn off pings, close ports, etc., it will easily pass the test Steve Gibson has set up, and you're in pretty good shape.

Whether this can be called a "firewall" or not my feeble brain's forgotten, if someone wants to clarify.
 
My Mac passed all the shields up tests. I'm on 10.5. So, just because the Leopard firewall isn't as informative as the Tiger firewall doesn't mean it's not working.
Actually, it does. If nobody understands what's going on, nobody can trust it. Everything I'm reading here indicates that I'm far from alone in not having a clue about how this Firewall actually works. People have quoted the help text twice, and I've read it about a dozen times myself, and it still isn't clear. Apple has always been bad at documentation, but here's a place where it would be really useful.

To the best of my understanding, "allow all incoming connections" should essentially turn the firewall off. "Block all incoming connections" should actually say "block all unsolicited connections", because I think it will still allow responses to outgoing requests (i.e. Safari). That last option is a freaking mess. I don't get how it works or what it does. Every time I open an app, Leopard asks me if I want to allow it to receive incoming connections, but why would it ask me that about Excel? I think it just asks as a matter of form, unless Excel is really requesting a port connection. I can choose between "always allow", which scares the bejeezus out of me, or "deny and affect performance", which isn't inviting in regards to an app I just launched for a reason.

Then there's that whole caveat about how Leopard may let all kinds of other stuff talk out the ports without user intervention (system processes, processes launched by other processes-- all the kinds of stuff you'd actually want to know about because you didn't explicitly launch the process yourself). I can't quite tell if that note applies only to the selection list or if it's a general warning about all the operating modes.

I have the feeling that Apple came up with a reasonably user friendly system here-- tying access to applications and services, which people understand, rather than port ranges and protocols, which people don't. The problem is I can't figure out what it's doing and simply can't trust it.

For completeness, I should mention that I'm not behind a router-- I've relied on the Tiger firewall as the only defense between me and my ISP. Logs indicate port scans and mostly ssh attacks, but no indication that anyone's been successful yet. I only run the services I'm interested in using, so I'd punch them through a router anyway.
Next question: Why would we EVER need a software firewall on a Mac? Seriously. Is there a scenario where it helps? Let's go back to FTP. Let's say I have a Mac directly connected to the Internet with no firewall. Someone finds my computer and tries to open a connection on port 21. What will happen? Nothing, because I'm not running FTP and not listening on 21. So if I block 21 or not I get the same result, nothing. So why block it?

Firewalls make the most sense in a larger organization where we don't know if some idiot is running a misconfigured FTP server on his PC, so we add a firewall which makes that impossible.
Firewalls do allow local services to send requests and receive responses. They just don't allow unsolicited incoming requests. There is still value in having it running.
 
Shields Up

My understanding is that a router is an inherently unhackable device (because it's too stupid to be taken over), and that if you stealth it, e.g., turn off pings, close ports, etc., it will easily pass the test Steve Gibson has set up, and you're in pretty good shape.

Whether this can be called a "firewall" or not my feeble brain's forgotten, if someone wants to clarify.

I just ran the test, I am behind a Netgear wireless router/firewall device, and with the Leopard firewall enabled and disabled, I got the same results at the Gibson site. Passed with flying colors. Totally and completely. I offer this for what ever it may or may not be worth; I am just trying to learn.
 
I have a certain feeling that the happy times of 'nobody cares to attack my Mac' are over.

I give you just 2 reasons:

  1. Market-share in the private domain is well over 10% now (see latest figures of rising OSX popularity)

  2. For the typical phisher and cyber-attacker the Mac crowd is actually a much juicier target than the 16-year old hardcore Windows gamer: reasonably well off, totally trusting Apple and their OS

Just look into the mindset of a phisher who tries to steal your password for online-banking: Would he rather get it from the Dell user or from somebody who queues for a nice and shiny iMac as soon as they hit the store.

I only hope that Apple can react as fast as these attacks are rising, see:

http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
 
I did a fresh install, silly me I left the cable connection in...

I've had a similar experience. I've never had a windows virus or worm (probably due to how little I've used it) but I have had a linux box owned. I put a fresh install of RedHat 6.2 on several years ago. This was pre-broadband for me (and this box WAS my firewall) so I got the modem working, and started downloading the updates right away before doing any hardening. It was late so I just went to sleep for the night. I figured the modem would finish the download and hang up after an hour of inactivity. Well, that was long enough for an NFS exploit in RH62 to get my freshly-installed box owned over freaking dialup! Woke up to a rootkit :)

It's not just MS... other vendors have been equally guilty of having too many services turned on out-of-the-box. It seems Apple is guilty of that to some degree now. Just because there's not an exploit for it on release day doesn't mean one won't come out before the OS is totally end-of-lifed. Turn everything off by default!!!
 
A software firewall is not as good at stopping inbound but much better at stopping outbound traffic. This is the reason why it is a good idea to run both. One handles inbound better the other handles outbound better.

That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.
 
On the other hand, the firewall being turned off by default is bad---why on heaven's name would that be a good thing as a default?

Because then things work out of the box. A firewall only becomes an issue when you need to limit access to your services - if you're not running services, there's no need for it.
 
It really can't. Packets aren't executable.

Well, if you've got a braindead operating system which ignores the NIC's report of how large the packet physically is, but rather bases its buffer size solely on the EtherType/Length field of the packet header and just keeps on pulling in bytes until there aren't any more bytes to get, then I suppose it conceivably could become the victim of a buffer overflow attack.

But that would require a severely braindead OS, and such an attack could not propagate to you in the first place unless the hacker is originating the attack on a computer that's a member of the same subnetwork as your computer.
 
That's pretty nonsensical. If your machine is running spyware, the first thing it will do is mess with a local firewall.


minus the fact that very little spyware will target the local firewall. Most will not even try to touch it. On top of that, a lot of the firewall software makes it very difficult for another piece of software to have any effect on changing something. Now, if the spyware is installed before the firewall, then yes, it can do something about it.
 
well....

I'm sorry, but if you are using a firewall built into your computer, I think you've got enough problems.

My Netgear router works just fine.
 
I'm sorry, but if you are using a firewall built into your computer, I think you've got enough problems.

Or you do a lot of computing outside your home and office.

A lot of people's WORK makes them do this. I'd say you do have problems if you can't get out of the office to do your job....
 
I'm sorry, but if you are using a firewall built into your computer, I think you've got enough problems.

My Netgear router works just fine.
That's a meaningless statement. If someone is using a wireless connection in a starbucks, having a firewall on his or her laptop is a good thing and not a problem.

Having a router is fine, but it's certainly not the security holy grail. You could have a router with wifi, and if you don't secure that wifi network, or if it is using WEP, then you have a very insecure network.
 