Pros and Cons of OSX Firewall

Joined
Sep 15, 2011
Messages
6
Reaction score
0
Points
1
Location
San Diego CA
I notice that OSX has a built in Firewall that is by default turned off. I am running a new iMac on a Wi-Fi network shared only with one other Windows laptop. Should I turn the firewall on? Is there any downside to having it on?
 
Joined
Feb 26, 2008
Messages
542
Reaction score
25
Points
28
I find OSX's built-in firewall to be a little basic, and somewhat cumbersome as a result - with its buried preferences and always on or always off mentality.

I find something like Little Snitch to be superior because it keeps you informed of what's going on with your system and lets you issue allowances and denials on a case by case basis.

ETA: Another advantage of Little Snitch is that it lets you know about outgoing connections and allows you to stop them. Most firewalls, conversely, would not block outgoing connections *or outside responses to those connections*. So with a normal firewall, a malicious process could, theoretically, still establish links to the Internet for various purposes. Little Snitch would stop it in its tracks.
 
Joined
Jan 7, 2012
Messages
22
Reaction score
0
Points
1
Location
Great Lakes
Your Mac's Specs
13" MacBook Air, 1.7GHz i5, 4GB RAM, 128GB SSD; iPhone 4s; iPod Classic 6th Gen
There are people that know far more about this subject than I but I have my firewall activated on the 13" Air and have noticed no performance issues. I have read about some other problems people have run into regarding the system always asking for permission to run programs etc but have yet to have any of those issues.

I may have to do some research on "Little Snitch" mentioned in Shikarnov's post.
 
chas_m

Guest
The OS X firewall is turned off by default simply because most people don't need it, but like a lot of other things in OS X you don't use, it's there if you DO need it.

These days, MOST people have a router or modem from their high-speed internet provider that already sports a hardware (vastly superior) firewall that is already on and in use by default. Thus, the software one would be redundant and could cause all kinds of difficult-to-pin-down errors and blocks if also used.

That said, there are times when you may want a firewall on, such as when using a public unencrypted network. I personally haven't seen the need, since the main thing a firewall protects you from is a DDOS attack and I've not yet encountered such a thing in public places, but every situation is different.

Firewalls do not offer any protection from viruses, malware, phishing scams et al, nor do they encrypt your transmissions on a wireless network, so to me they are of extremely limited use apart from prevention of DDOS attacks.

Bottom line: a normal user would have little need of the software firewall OR Little Snitch, but there are certain circumstances where both can be useful.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
Bottom line: a normal user would have little need of the software firewall OR Little Snitch, but there are certain circumstances where both can be useful.

+1. I agree. Good synopsis chas.
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
This has been covered so many times and there will always be people who are for and others who are against.

Just for the sake of clarity, a correctly configured firewall will protect you against so much more than just DDOS ( to the contrary of what is suggested above )

Look at it from a risk point of view .... why would you rely on someone else his/her unknown controls when you can have your own in place.
Why do you have a user password set on your Mac when you have told everyone around you not to touch your computer .... why not work without a user password ?

Having the firewall ON is not going to hurt you and will provide you an extra layer of protection if configured correctly. ( ie. Setting your firewall to " Allow all incoming connections " is almost the same as not having a firewall in place )
I am not saying that the OS X firewall is the best firewall out there, but it is better than nothing.

With all due respect, but statements like " .... a normal user would have little need...... " ... what does that mean ? That is not helping anyone. I consider myself a normal user and I have the firewall always ON.

In other threads you see statements like " your iMac is protected because your router/internet gateway has a built in firewall already. ", without checking or understanding how the firewall on that router is configured ( Allow ANY to ANY ? )
If you allow unknown devices on your internal network ( ie. a " friends " PC ), then the firewall on your router is useless.

In summary, look at your risks and define your risk appetite ( ie. you can decide not to give a **** ( censorship -_- )) and then make a conscious decision on your desired level of protection.

It is not my intention to spread FUD, but not having your firewall ON ( even in basic format ) is an accident waiting to happen.
1 ounce of prevention equals 1 pound of cure.

Amen.

Cheers ... McBie
 
chas_m

Guest
Just for the sake of clarity, a correctly configured firewall will protect you against so much more than just DDOS ( to the contrary of what is suggested above )

Would you mind "clarifying" then what exactly you mean by this from the point of view of a Mac user? I'm happy to learn something new ...
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
Very high level .....

Firewall technique is all about opening or closing specific ports on your computer.
On these ports, you have services listening, waiting for incoming packets, the trigger to execute a piece of code.
That , in combination with specific network protocols ( TCP/ UDP / IP ) and the direction in which you allow traffic to flow ( in/out/both ) define the firewall rules.

So you can actually ask a firewall not just to drop packets when DOS or DDOS ( for the firewall there is no difference ) is happening, you can ask it to drop packets for a specific port ( service ), protocol or direction .

Depending on where in the OSI stack you have your firewall operating, it can actually inspect the content of packets and drop packets that could contain the machine code for " repartition your hard drive " ( This is an example )

This is very high level, and if you ask me what this means from the point of view of a Mac user, it is exactly the same as from the point of view for any OS type of user...... preventing malicious packets from reaching services that are listening on ports and subsequently these services executing code based on the content of a packet.
( Just like your browser is listening on a port and executing code based on the receipt of a packet ie. an HTML page )

How do you know if a packet is malicious .... you don't, the firewall does ( if the rules are set correctly ) .
Setting the rules can be done manually or you can trust the default settings as supplied by the manufacturer.

Having the firewall ON is not going to harm you, on the contrary, it will provide an extra layer of protection by default and you can even increase the level of protection by configuring it manually, if you know what you are doing.

Hope this clarifies.

Cheers ... McBie
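
The port / protocol / direction rule matching described in the post above, as an added example that is not part of the original thread. It is a stateless, first-match evaluator with a default action; the rule sets, sample packets and all names are constructed for illustration, and it does not model connection tracking or how the OS X firewall is implemented.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    protocol: str    # "tcp" or "udp"
    port: int        # local port for "in", remote port for "out"

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    direction: Optional[str] = None  # None matches any value
    protocol: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.protocol in (None, pkt.protocol)
                and self.port in (None, pkt.port))

def decide(rules, pkt, default="drop"):
    """First matching rule wins; unmatched packets get the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule sets (hypothetical, for illustration only).
RESTRICTIVE = [
    Rule("allow", direction="out"),                           # outbound traffic
    Rule("allow", direction="in", protocol="tcp", port=22),   # one chosen service
]
# "Allow all incoming connections": every packet matches an allow rule.
ALLOW_ALL_INCOMING = [Rule("allow", direction="out"), Rule("allow", direction="in")]

# Constructed sample packets.
SAMPLES = [
    Packet("in", "tcp", 22),     # remote login
    Packet("in", "tcp", 445),    # file sharing service
    Packet("in", "udp", 5353),   # mDNS
    Packet("out", "tcp", 443),   # outbound HTTPS
]

def verdicts(rules):
    """Return the decision for each sample packet, in order."""
    return [decide(rules, p) for p in SAMPLES]

if __name__ == "__main__":
    for name, rules in (("restrictive", RESTRICTIVE), ("allow-all-in", ALLOW_ALL_INCOMING)):
        print(name, verdicts(rules))
```

With the restrictive set only the chosen inbound service is reachable, while the allow-all-incoming set passes every sample packet, which is the "almost the same as not having a firewall" case mentioned earlier in the thread.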
 
Joined
Sep 14, 2011
Messages
231
Reaction score
0
Points
16
Your Mac's Specs
Imac 21.5 2011 Stock with Time Capsule. Ipad2 Colecovision
Sorry I can't add more but I turned on my firewall the first day and have had no performance issues. I prefer to have any protection turned on :)
 
