Built in Firewall
Kokopelli

This is going to be a bit of a rant so I apologize in advance.

Short Version: There is absolutely no value in the default implementation of the firewall from 10.3.8 up. You cannot filter by interface or address range, and this does not in any way protect an OS X client system running any network service.

Longer Version:

Axiom Number One: A firewall is meant to block traffic that you do not want to reach your system.

Let's suppose you have no services running, which is the default in OS X client edition. So the firewall is blocking traffic which would have been discarded anyway. This is different from Windows (particularly Windows 2000), which starts with, and to a greater or lesser extent requires, certain services to be running. So you have vectors of attack available by default in Windows which do not exist in OS X, making a firewall important for a stock Win2K but not OS X. There may be some as yet undiscovered way of exploiting the network driver itself, but it is unlikely.

Axiom Number Two: The most likely vector of attack is a service running on your outward-facing interface.

So now we have an almost superfluous firewall, since there are no services running by default; let's make use of it. Say I turn on Windows sharing. Mac conveniently, and without any evident way of overriding it, opens the ports needed for Samba. This is bad for a great number of reasons, but here are the most important. First, now regardless of who tries to access the share, or on what interface, it is let through. So as an example, if you have a Mac connected directly to the internet through Ethernet and have your private network on your Airport, you are making your Samba share available to the whole world. Second, there is no clear warning that indeed the port is open for all. This leads to a false sense of security for people who do not understand networking... "Yeah I have FTP running, but I have a firewall."

In the meantime the firewall is doing the important job of blocking all those ports which would not be vulnerable to attack in the first place. I can understand not wanting to make it complicated, but Apple could have at least made which interfaces a service was available on selectable. This same problem goes on for all the stock services. If there is a vulnerability discovered in one of the services, there is no way to block traffic while the service is up. It is marginally more useful for non-core services, since the firewall does not autodetect and open the ports for you.

Axiom Number Three: If you need a service on your outward-facing interface, minimize rights to it to the greatest extent possible.

OS X has one of the best firewall tools available for *nix (ipfw) but does not have any way to restrict access to a service by address. So in the example above of a Windows share, I cannot limit access on the outward-facing interface to only my work address range.

Now, for the geek, you could always code your firewall by hand (which is what I did) or use some product like BrickHouse (which I did when I decided my rules were getting too complicated), but this does not help your typical user under a misconception of what the firewall is doing.

Whew, I am done. If you made it to the end, thanks for reading. (For the curious, this came about when I needed to secure my hotel room network of 3 laptops while using my PB as the router.)
dtravis7

Member Since: Jan 04, 2005
Location: Modesto, Ca.
Posts: 27,193
Mac Specs: iMac 2.4 C2D 10.9.1, iMac 2.16 C2d 10.6.8, Macbook2007 10.8.4, Mac Mini 10.8.4, iPhone 3GS IPad1

Agreed. I have thought about that very thing many times. Even XP's built-in firewall in SP2 is incoming only, which is why I never use it. My router has a nice SPI firewall to protect me from the outside getting in anyway. If it were Windows I would be a lot more concerned, but I do share your concerns though. I have messed with BrickHouse also. It seemed pretty complete.

The reason I don't worry as much about OS X is, how would someone install something that would call home from the outside, as they would need superuser access to do it? Any thoughts on that?
Kokopelli

An app does not need root access to call out. Root access is mostly required if you want to set up a service in the privileged port range (under 1024). So apps can, and frequently do, "call home", usually to check for updates. If you are worried about that, the easy solution is to use Little Snitch. I don't bother personally, since I monitor what apps are running and follow the "you have to trust someone sometime" school of thought. If I started noticing an excess of network traffic, I would probably add a log to outward requests for a few days though.

What I am more worried about would be something like SSH. If someone were lucky enough to guess my account password, they could effectively destroy my Mac, a fate that could have been avoided by simply blocking all but a few addresses access to port 22 (SSH). Unfortunately you can't do it with the default implementation.
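Both the Samba example in the first post and the SSH worry above come down to the same missing control: allowing a port only from a trusted range, and only on the Internet-facing interface. The script below is an added illustration of hand-coding that with ipfw; it is not from this thread or from Apple. It only prints the rules, and the interface name en0, the rule numbers and the 192.0.2.0/24 "work" range are constructed placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: generate ipfw rules that admit a service only from a trusted
# address range arriving on one interface, and drop everyone else there.
# Other interfaces (e.g. the private network on the Airport card) are untouched.

# gen_rules WAN_IF TRUSTED_CIDR BASE_RULE PROTO PORT...
# For each PORT, emit an allow rule for TRUSTED_CIDR followed by a deny+log
# rule for everyone else, numbered upward from BASE_RULE in steps of 10.
gen_rules() {
  wan_if=$1; trusted=$2; base=$3; proto=$4
  shift 4
  n=$base
  for port in "$@"; do
    # "setup" matches only TCP SYN packets, so only new connections are judged;
    # UDP has no handshake, so every datagram to the port is matched.
    case $proto in
      tcp) opts="in via $wan_if setup" ;;
      *)   opts="in via $wan_if" ;;
    esac
    printf 'add %d allow %s from %s to any %s %s\n' \
      "$n" "$proto" "$trusted" "$port" "$opts"
    n=$((n + 10))
    printf 'add %d deny log %s from any to any %s %s\n' \
      "$n" "$proto" "$port" "$opts"
    n=$((n + 10))
  done
}

# Worked case from the thread: Internet on en0 (assumed name), private LAN on
# the Airport card, SSH (22) and Windows sharing (SMB/NetBIOS) reachable on
# en0 only from the constructed "work" range 192.0.2.0/24.
samba_and_ssh_ruleset() {
  gen_rules en0 192.0.2.0/24 1000 tcp 22 139 445
  gen_rules en0 192.0.2.0/24 2000 udp 137 138
}

samba_and_ssh_ruleset
```

ipfw evaluates rules in ascending number order, so the allow must carry the lower number of each pair; check `ipfw list` beforehand so no earlier rule already admits the port, then load the reviewed output with root privileges.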
badmojo

A little off topic, but I want to plug my router, the Airlink+G (http://www.airlink101.com/products/ar315w.html). When you activate the firewall, you physically have to connect a computer to an Ethernet port to access the router's settings. My older Microsoft router didn't do this, nor my older (b) D-Link. Those could be accessed wirelessly, and I never understood that. I don't know if this was a deliberate feature or just a fluke, but it's a helluva idea.