Built in Firewall

Kokopelli

Guest
This is going to be a bit of a rant so I apologize in advance.

Short Version: There is absolutely no value in the default implementation of firewall from 10.3.8 up. You cannot filter by interface or address range, and this does not in any way protect an OS X client system running any network service.

Longer Version:

Axiom Number One: A firewall is meant to block traffic that you do not want to reach your system.

Let's suppose you have no services running, which is the default in OS X client edition. So the firewall is blocking traffic which would have been discarded anyway. This is different from Windows (particularly Windows 2000), which starts with, and to a greater or lesser extent requires, certain services to be running. So you have vectors of attack available by default in Windows which do not exist in OS X, making a firewall important for a stock Win2K but not OS X. There may be some as yet undiscovered way of exploiting the network driver itself, but it is unlikely.

Axiom Number Two: The most likely vector of attack is a service running on your outward-facing interface.

So now we have an almost superfluous firewall since there are no services running by default; let's make use of it. Say I turn on Windows sharing. Mac conveniently, and without any evident way of overriding it, opens the ports needed for Samba. This is bad for a great number of reasons, but here are the most important. First, now regardless of who tries to access the share, or on what interface, it is let through. So as an example, if you have a Mac connected directly to the internet through Ethernet and have your private network on your AirPort, you are making your Samba share available to the whole world. Second, there is no clear warning that indeed the port is open for all. This leads to a false sense of security for people who do not understand networking... "Yeah, I have FTP running, but I have a firewall."

In the meantime the firewall is doing the important job of blocking all those ports which would not be vulnerable to attack in the first place. I can understand not wanting to make it complicated, but Apple could have at least made which interfaces a service was available on selectable. This same problem goes on for all the stock services. If there is a vulnerability discovered in one of the services, there is no way to block traffic while the service is up. It is marginally more useful for non-core services since the firewall does not autodetect and open the ports for you.

Axiom Number Three: If you need a service on your outward-facing interface, minimize rights to it to the greatest extent possible.

OS X has one of the best firewall tools available for *nix (ipfw) but does not have any way to restrict access to a service by address. So in the example above of a Windows share, I cannot limit access on the outward-facing interface to only my work address range.

Now, for the geek, you could always code your firewall by hand (which is what I did) or use some product like BrickHouse (which I did when I decided my rules were getting too complicated), but this does not help your typical user under a misconception of what the firewall is doing.

Whew, I am done. If you made it to the end, thanks for reading. (For the curious, this came about when I needed to secure my hotel room network of 3 laptops while using my PB as the router.)
 

dtravis7


Retired Staff
Agreed. I have thought about that very thing many times. Even XP's built-in firewall in SP2 is incoming only, which is why I never use it. My router has a nice SPI firewall to protect me from the outside getting in anyway. If it were Windows I would be a lot more concerned, but I do share your concerns though. I have messed with BrickHouse also. It seemed pretty complete.

The reason I don't worry as much about OS X is: how would someone install something that would call home from the outside, as they would need superuser access to do it? Any thoughts on that?
 
OP
Kokopelli

Guest
An app does not need root access to call out. Root access is mostly required if you want to set up a service in the privileged port range (under 1024). So apps can, and frequently do, "call home", usually to check for updates. If you are worried about that, the easy solution is to use Little Snitch. I don't bother personally since I monitor what apps are running and follow the "you have to trust someone sometime" school of thought. If I started noticing an excess of network traffic, I would probably add a log to outward requests for a few days though.

What I am more worried about would be something like SSH. If someone were lucky enough to guess my account password, they could effectively destroy my Mac. A fate that could have been avoided by simply blocking all but a few addresses' access to port 22 (SSH). Unfortunately you can't do it with the default implementation.
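The two restrictions the thread asks for (SSH on the outward-facing interface limited to one trusted address range, and the Samba ports reachable only from the private AirPort network, as in the first post) are exactly what hand-written ipfw rules can express. The script below is an added example, not code from either poster; it assumes en0 is the Ethernet uplink, en1 is the AirPort interface, and 192.0.2.0/24 is a placeholder for the "work" range. It prints the rule set by default and only loads it into ipfw (which needs root) when run with APPLY=1.

```shell
#!/bin/sh
# Constructed example: build an ipfw rule set that exposes SSH and Samba
# only where they are wanted. Interface names and the trusted range are
# assumptions; override them through the environment.
EXT_IF="${EXT_IF:-en0}"                 # outward-facing interface (assumed)
INT_IF="${INT_IF:-en1}"                 # private AirPort network (assumed)
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"  # placeholder "work" range

# SSH: accept new connections to port 22 on the uplink only from the
# trusted range; log and drop everything else aimed at port 22 there.
ssh_rules() {
    cat <<EOF
add 1000 allow tcp from $TRUSTED_NET to me 22 in via $EXT_IF setup
add 1010 deny log tcp from any to me 22 in via $EXT_IF
EOF
}

# Samba: allow the SMB/NetBIOS ports on the private interface, and log and
# drop the same ports arriving on the uplink so the share never faces the
# internet even though Sharing prefs opened the ports system-wide.
samba_rules() {
    cat <<EOF
add 2000 allow tcp from any to me 139,445 in via $INT_IF setup
add 2010 allow udp from any to me 137,138 in via $INT_IF
add 2020 deny log tcp from any to me 139,445 in via $EXT_IF
add 2030 deny log udp from any to me 137,138 in via $EXT_IF
EOF
}

ruleset() { ssh_rules; samba_rules; }

# Sanity check before loading: every service must have a deny on the
# uplink, so count the deny rules that name the external interface.
external_deny_count() { ruleset | grep -c "deny .* via $EXT_IF"; }

if [ "${APPLY:-0}" = "1" ]; then
    # Each emitted line is an ipfw command minus the program name.
    ruleset | while read -r line; do ipfw $line; done
else
    ruleset
fi
```

Check the printed rules with `sudo ipfw list` after loading; the `log` keyword makes rejected SSH and Samba attempts visible in the ipfw log so the "I have a firewall" assumption can actually be verified.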
 
badmojo

Guest
A little off topic, but I want to plug my router. Airlink+G
(http://www.airlink101.com/products/ar315w.html). When you activate the firewall, you physically have to connect a computer to an Ethernet port to access the router's settings. My older Microsoft router didn't do this, nor my older (b) D-Link. Those could be accessed wirelessly, and I never understood that. I don't know if this was a deliberate feature or just a fluke, but it's a helluva idea.