Thread: Built in Firewall
05-07-2005, 06:51 PM #1KokopelliGuestBuilt in Firewall
This is going to be a bit of a rant so I apologize in advance.
Short Version: There is absolutely no value in the default implementation of firewall from 10.3.8 up. You can not filter by interface or address range and this does not in any way protect an OS X client system running any network service.
Axiom Number One: A firewall is meant to block traffic that you do not want to reach your system.
Let's suppose you have no services running, which is the default in OS X client edition. So the firewall is blocking traffic which would have been discarded any way. This is different from Windows (particularly Windows 2000) which starts with, and to a greater or lesser extent requires, certain services to be running. So you have vectors of attack available by default in Windows which do not exist in OS X, making a firewall important for a stock Win2K but not OS X. There may be some as yet undiscovered way of exploiting the network driver itself, but it is unlikely.
Axiom Number Two: The most likely Vector of attack is a service running on your outward facing interface.
So now we have an almost superfluous firewall since there are no services running by default, let's make use of it. Say I turn on Windows sharing. Mac conveniently, and without any evident way of over riding it, opens the ports needed for Samba. This is bad for a great number of reasons but here are the most important. First, now regardless of who tries to access the share, or what interface, it is let through. So as an example if you have a Mac connected directly to the internet through ethernet and have your private network on your Airport you are making your samba share available to the whole world. Second, there is no clear warning that indeed the port is open for all. This leads to a false sense of security for people who do not understand networking... "Yeah I have FTP running, but I have a firewall."
In the mean time the firewall is doing the important job of blocking all those ports which would not be vulnerable to attack in the first place. I can understand not wanting to make it complicated but Apple could have at least made which interfaces a service was available on selectable. This same problem goes on for all the stock services. If there is a vulnerability discovered in one of the services there is no way to block traffic while the service is up. It is marginally more useful for non core services since the firewall does not autodetect and open the ports for you.
Axion Number Three: If you need a service on your outward facing interface, minimize rights to it to the greatest extent possible.
OS X has one of the best firewall tools available for *nix (ipfw) but does not have any way to restrict access to a service by address. So in the example above of a Windows share, I can not limit access to the outwards facing interface to only my work address range.
Now for the geek you could always code your firewall by hand (which is what I did) or use some product like BrickHouse (which I did when I decided my rules were getting too complicated) but this does not help your typical user under a misconception of what the firewall is doing.
Whew, I am done. If you made it to the end thanks for reading. (For the curious this came about when I needed to secure my hotel room network of 3 laptops while using my PB as the router.)
05-07-2005, 07:10 PM #2
- Member Since
- Jan 04, 2005
- Modesto, Ca.
- iMac late 2007 10.11.b4, iMac 2008 10.10.5, Macbook2007 10.7.5, Mac Mini 10.7.5, iPhone 3GS Note 8!!
Agreed. I have thought about that very thing many times. Even XP's Built in Firewall in SP2 is incoming only which is why I never use it. My Router has a nice SPI firewall to protect me from the outside getting in anyway. If it were Windows I would be a lot more concerned but I do share your concerns though. I have messed with Brickhouse also. It seemed pretty complete.
The reason I don't worry as much about OSX is, how would someone install something that would call home from the outside as they would need Super User access to do it. Any thoughts on that?...Dennis
Mac-Forums Community Guidelines
05-07-2005, 07:29 PM #3KokopelliGuest
An app does not need root access to call out. Root access is mostly required if you want to set up a service in the privileged port range (under 1024). So apps can, and frequently do, "call home" usually to check for updates. If you are worried about that the easy solution is to use Little Snitch. I don't bother personally since I monitor what apps are running and follow the "you have to trust someone sometime" school of thought. If I started noticing an excess of network traffic I would probably add a log to outward requests for a few days though.
What I am more worried about would be something like SSH. If someone were lucky enough to guess my account password they could effectively destroy my Mac. A fate that could have been avoided by simply blocking all but a few addresses access to port 22 (SSH). Unfortunately you can't do it with the default implementation.
05-12-2005, 10:08 AM #4badmojoGuest
A little off topic, but I want to plug my router. Airlink+G
(http://www.airlink101.com/products/ar315w.html). When you activate the firewall, you physicallly have to connect a computer to an ethernet port to access the router's settings. My older Microsoft router didn't do this, nor my older (b) D-Link. Those could be accessed wirelessly, and I never understood that. I don't know if this was a deliberate feature or just a fluke, but it's a helluva idea.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
By Blueyes in forum OS X - Operating SystemReplies: 9Last Post: 06-08-2012, 05:30 AM
By matt.coolbrown in forum OS X - Operating SystemReplies: 0Last Post: 09-29-2008, 11:04 AM
By retrokid23 in forum Switcher HangoutReplies: 2Last Post: 05-01-2007, 04:13 AM
By tcharper in forum OS X - Operating SystemReplies: 2Last Post: 03-27-2007, 03:31 PM
By Mactime in forum Switcher HangoutReplies: 2Last Post: 01-15-2007, 08:45 PM