
florencevassy

macrumors regular
Original poster
Jun 1, 2004
Princeton, NJ
I am the proud owner of a new 15" PowerBook and I am very happy!

I have a couple of questions. Is the OS X firewall enough security/protection, or should I purchase another firewall program?

Also, my PC using friends have a lot of trouble with spyware, should I try to use a spyware program?

I know that Macs are safer than PCs, it is a much different (and nicer) world :) but I do a ton of surfing and download song samples a lot etc. and am generally paranoid and want to be extra careful. Also all of my friends are PC users (I feel bad for them) and I don’t want to accidentally send them anything that is harmful.

Someone I spoke to at Apple’s technical support area suggested that I buy this program:
http://www.allume.com/mac/cleanup/index.html but after some research I see it has received horrible reviews. :confused:

Please advise, thanks a lot !! Flo
 
3%

That's the nice thing about having a 3% share in the market (give or take a few.)

There aren't a whole lot of viruses running around for Macs.

I've been using Macs for the past fifteen years and have never had a problem with viruses.

For me, I tend to go commando. For my PCs, I use protection!

I suppose it's all about how safe you want to play it...
 
No viruses for Mac OS X (yet).
No spyware for Mac OS X (yet).

The built-in firewall (ipfw) is very good.
The built-in GUI control for it (System Preferences -> Sharing prefpane -> Firewall tab) is VERY BAD.
Invest in Brickhouse or Sunshield to control/config ipfw if you don't know anything about UNIX and command line (if you do, learn to use ipfw via the command line).
 
flo via PM said:
Can you please explain?

Thanks a lot for your response, but what do you mean by GUI control?

I need to know UNIX (I used to know a little, it has been a while) to properly set the firewall? What is the ipfw?

Thanks a lot! Flo


GUI = graphics user interface. Point and click with a mouse. Much easier for most people to navigate. Apple's point and click interface for the built in firewall (ipfw) is completely worthless and should not be relied upon.

ipfw is an IP FireWall built into the OS. It's quite configurable. It's pretty strong. Look over the man page on ipfw for more info: man ipfw

If you are comfortable with the command line, and with UNIX, and the learning curve that inevitably comes with it, you can learn to control ipfw. This is my preferred method. However, if reading that man page above sets your head spinning, look into some 3rd party utilities that allow you to control/configure ipfw from a better interface. Utilities like SunShield or BrickHouse.
 
As a matter of curiosity, what can ipfw do via the command line that you can't do via the Apple-provided GUI? A blanket statement that "it's Bad" isn't much use if you don't say exactly WHY it's Bad.

I'd kind of been under the impression that Apple ships the built-in firewall with only those ports that are really needed open, and all the GUI lets you do is open additional ports for specific purposes (like iTunes sharing) or close some of the major ones. Are more ports open than should be, as shipped? Or is it just that you personally like more explicit configurability?
 
Thanks for your responses!

Thanks guys! This is a great group.
I think I will try the Brickhouse program, I used UNIX years ago and I don't remember much of it.
 
rueyeet said:
As a matter of curiosity, what can ipfw do via the command line that you can't do via the Apple-provided GUI? A blanket statement that "it's Bad" isn't much use if you don't say exactly WHY it's Bad.

Well, there's a lot to cover, so unless someone asks, I'll always just say "it's bad". But since you asked, here are the problems:

I do want finer grained control in my firewall. It's just not there with the Apple GUI control. But that's a small point of contention.

A larger point of contention is, there is NO WAY to turn on logging in the Apple control! What good is a firewall if you have no idea what is happening with it? Are you just going to press the "on" button and hope that it's doing a good job? How do you know if you're being targeted? How can you know who is touching which port? Logging is a very important part of a firewall and it's just not an option.

And finally, the biggest problem of all...

The Apple GUI control offers NO way to block specific IPs or ranges of IPs. It's all or nothing. This renders the firewall completely useless. It's about as effective as not running a firewall at all. Any service that is running and listening for external connections will show up through a port scan when the Mac is firewalled using the Apple-config, the same as it would if there was no firewall "running" (technically, ipfw is ALWAYS running; its default rule set is "allow all from any to any", but this is equivalent to it being "off"). You cannot specify, hey, I'll let my buddy Foo from so-and-so connect to my FTP server, but everyone else can keep the hell out.

So, without being able to block IPs, nor have logging to know who is touching my box (no pun), Apple has rendered ipfw impotent. Its benefits are minuscule.


Using ipfw from the command line (or BrickHouse/SunShield if you need/want GUI) allows for MUCH greater control.

I deny most external ICMP requests, and log when they connect:
Code:
02003 deny log icmp from any to any in icmptype 8,10,13,15,17

I have a blacklist of hosts that are naughty, and log when they try to connect:
Code:
# naughty host blacklist:
00500 unreach host-unknown log ip from 216.42.81.141 to any in
00501 unreach host-unknown log ip from 216.42.81.143 to any in
00502 unreach host-unknown log ip from 211.0.0.0/8 to any in
00503 unreach host-unknown log ip from 80.116.0.0/16 to any in
00504 unreach host-unknown log ip from 207.103.247.50 to any in
00505 unreach host-unknown log ip from 221.0.0.0/8 to any in
00506 unreach host-unknown log ip from 220.0.0.0/8 to any in
00507 unreach host-unknown log ip from 80.117.0.0/16 to any in
00509 unreach host-unknown log ip from 210.0.0.0/8 to any in

Unless I'm on vacation, I only allow ssh connections from a "trusted" source range of IPs, and I log all connections:
Code:
00935 allow log tcp from 152.16.0.0/16 to any 22 in

I only allow DNS from "trusted" sources, limiting my exposure to DNS spoofing:
Code:
00920 allow udp from 209.x.x.x 53 to any in
00921 allow udp from 209.x.x.x 53 to any in

Etc, etc, etc,...

No need to bore you anymore, I think you get the idea.
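To see why the ordering and the "allow all" catch-all matter, here is an added example (not from the thread or from ipfw itself) that parses rules in the same `ipfw list` format as the ones above and walks a described packet through them first-match-first, the way ipfw does. The rule numbers 00500, 00935 and 02003 are copied from the post; rule 00936 and the test packets are constructed assumptions.

```python
import ipaddress

# Constructed ruleset in the `ipfw list` format of the post above (first match wins).
# 00500, 00935 and 02003 mirror the post; 00936 is an assumption added here, since without
# it ssh from untrusted hosts falls through to 65535, the "allow all" catch-all OS X ships.
RULESET = """
00500 unreach host-unknown log ip from 216.42.81.141 to any in
00935 allow log tcp from 152.16.0.0/16 to any 22 in
00936 deny log tcp from any to any 22 in
02003 deny log icmp from any to any in icmptype 8,10,13,15,17
65535 allow ip from any to any
"""

def parse_rule(line):
    t = line.split()
    r = {"number": int(t[0]), "action": t[1], "log": False, "sport": None,
         "dport": None, "direction": None, "icmptypes": set()}
    i = 2
    if t[1] == "unreach":                 # 'unreach <code>' is a deny that sends an ICMP error
        r["action"], i = "deny", 3
    if t[i] == "log":
        r["log"], i = True, i + 1
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3     # '<proto> from <src>'
    if t[i] != "to":                      # optional source port
        r["sport"], i = int(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2         # 'to <dst>'
    if i < len(t) and t[i] not in ("in", "out", "icmptype"):   # optional dest port
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):                     # trailing options
        if t[i] == "icmptype":
            r["icmptypes"], i = {int(x) for x in t[i + 1].split(",")}, i + 2
        else:
            assert t[i] in ("in", "out"), f"unsupported token {t[i]!r} in rule {t[0]}"
            r["direction"], i = t[i], i + 1
    return r

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"]) and r["direction"] in (None, pkt["dir"])
            and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
            and r["sport"] in (None, pkt.get("sport")) and r["dport"] in (None, pkt.get("dport"))
            and (not r["icmptypes"] or pkt.get("icmptype") in r["icmptypes"]))

def evaluate(ruleset, pkt):
    # Returns (rule number, action, logged?) of the first rule the packet matches.
    for r in map(parse_rule, ruleset.strip().splitlines()):
        if matches(r, pkt):
            return r["number"], r["action"], r["log"]
    raise RuntimeError("no rule matched; a real ipfw ruleset always ends in rule 65535")
```

Delete rule 00936 from RULESET and re-run the untrusted ssh case to see the fall-through the post describes: the packet reaches 65535 and is allowed, unlogged.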
 