Re: Leopard Firewall Warning



On Nov 1, 11:33 am, Sak Wathanasin <s...@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
In article <fgbdm1$40...@xxxxxxxx>, Rolly <n...@xxxxxxxxxxx> wrote:
I truly hope the article is inaccurate.

Alas, no. The problem is in earlier versions of OSX as well, and it's really
a problem with the GUI, not the firewall as such. When you enable the
firewall, the GUI adds a set of rules to open "holes" for the services that
you've enabled and right at the end, it adds 2 default rules:

12190 deny tcp from any to any
65535 allow ip from any to any

This blocks any TCP connections that you haven't explicitly allowed, but
alas not UDP or ICMP. This is why they were able to connect to SMB services on
the Mac from the Internet.

You can, of course, fix this from the cmd line, but I'm really disappointed
that they haven't fixed this in Leopard.

Of course, most people are sitting behind NATing routers, when they access
the Internet, so this isn't a big issue, but beware when you're on the road
and connected to an untrusted network (like the hotel's WLAN).

--

Sak Wathanasin
Network Analysis Limited
http://www.network-analysis.ltd.uk

I'm probably being thick here, but is what you're saying that the non-
GUI firewall (iptables?) ships with everything open, and then you use
the GUI to change things? The GUI adds entries to open up the ports
you specify via the GUI, but doesn't close ones you don't?

What's the fix for this? I certainly wouldn't want SMB shares open on
mine when it's not behind a NAT router. Presumably some kind soul
will have scripted something to sort this out with a standard set of
rules?

My ideal would be a "trusted zone" of anything within my 10.0.x.x IP
range at home where all ports were open to other clients on that
network, and very little other than absolutely necessary open
(BitTorrent, not a lot else that needs to be accessible from outside
from the Internet side via my router; mail/Internet etc. would all be
initiated from the Mac and connect out).

I currently have my Mac in a DMZ via the router on the understanding
that the OS X firewall would protect me, and it'd appear this isn't
the case in Leopard and probably not in Tiger too?

Slightly worried now...

ric
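The rule set quoted above is ipfw syntax (the packet filter behind the Tiger/Leopard firewall GUI), and ipfw evaluates rules in ascending number order with the first match deciding. The following is an added example, not code from either poster: a small first-match evaluator that models only the subset of ipfw syntax used in the thread (number, action, protocol, "from"/"to" with "any" or a CIDR, optional destination port), and feeds it constructed packets to show why UDP traffic to an SMB port sails past "deny tcp from any to any" and hits "allow ip from any to any". The second rule set is a constructed sketch of the "trusted zone" idea in the reply (10.0.0.0/16 allowed, everything else denied by a final "deny ip"); the rule numbers, the SSH allow rule, and the addresses are all made up for the example.

```python
"""Toy first-match evaluator for ipfw-style rules (added example, not real ipfw).

Assumption: this models only 'NUM action proto from SRC to DST [PORT]' and
ignores ipfw features such as in/out direction, interfaces and keep-state.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port (0 for icmp)


def parse_rule(line):
    """Parse one rule line into (number, action, proto, src_net, dst_net, dport)."""
    parts = line.split()
    num, action, proto = int(parts[0]), parts[1], parts[2]
    if parts[3] != "from" or parts[5] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    src, dst = parts[4], parts[6]
    dport = int(parts[7]) if len(parts) > 7 else None
    to_net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    return (num, action, proto, to_net(src), to_net(dst), dport)


def rule_matches(rule, pkt):
    """A rule matches when protocol, addresses and (if given) port all agree."""
    _, _, proto, src_net, dst_net, dport = rule
    if proto != "ip" and proto != pkt.proto:       # 'ip' matches every protocol
        return False
    if src_net is not None and ipaddress.ip_address(pkt.src) not in src_net:
        return False
    if dst_net is not None and ipaddress.ip_address(pkt.dst) not in dst_net:
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return True


def evaluate(rules_text, pkt):
    """Return (rule_number, action) of the first rule, in number order, that matches."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, pkt):
            return (rule[0], rule[1])
    raise ValueError("no rule matched; a real ipfw set always ends with rule 65535")


# Rule set as the GUI builds it (the two trailing rules are the ones quoted in the
# thread; the SSH allow rule is a constructed stand-in for a service you enabled).
GUI_RULES = """
02010 allow tcp from any to any 22
12190 deny tcp from any to any
65535 allow ip from any to any
"""

# Constructed hardened set: trusted home range first, then deny everything
# else regardless of protocol, so UDP and ICMP no longer fall through.
HARDENED_RULES = """
02010 allow tcp from any to any 22
02020 allow ip from 10.0.0.0/16 to any
12200 deny ip from any to any
65535 allow ip from any to any
"""

# Constructed sample packets: SMB over TCP and UDP from the Internet and from the LAN.
SMB_TCP_FROM_INTERNET = Packet("tcp", "198.51.100.7", "192.0.2.10", 445)
SMB_UDP_FROM_INTERNET = Packet("udp", "198.51.100.7", "192.0.2.10", 445)
SMB_UDP_FROM_LAN = Packet("udp", "10.0.1.5", "10.0.1.20", 445)
PING_FROM_INTERNET = Packet("icmp", "198.51.100.7", "192.0.2.10")


if __name__ == "__main__":
    for name, rules in (("GUI", GUI_RULES), ("hardened", HARDENED_RULES)):
        for pkt in (SMB_TCP_FROM_INTERNET, SMB_UDP_FROM_INTERNET,
                    SMB_UDP_FROM_LAN, PING_FROM_INTERNET):
            print(name, pkt.proto, pkt.src, "->", pkt.dport, evaluate(rules, pkt))
```

Under the GUI set the TCP packet to port 445 stops at rule 12190 but the UDP packet and the ICMP echo reach 65535 and are allowed, which is exactly the gap described above. The hardened set is only a sketch: because this toy ignores direction and state, a literal "deny ip from any to any" would also drop replies to connections the Mac initiated, so a real ipfw configuration needs "in"/"out" qualifiers and keep-state rules for outbound traffic.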
