Re: Leopard Firewall Warning



Chris Ridd <chrisridd@xxxxxxx> wrote:

On 2007-11-01 13:25:12 +0000, ric <publicmail@xxxxxxxxxxxxxxxx> said:

On Nov 1, 11:33 am, Sak Wathanasin <s...@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
In article <fgbdm1$40...@xxxxxxxx>, Rolly <n...@xxxxxxxxxxx> wrote:
I truly hope the article is inaccurate.

Alas, no. The problem is in earlier versions of OSX as well, and it's
really a problem with the GUI, not the firewall as such. When you
enable the firewall, the GUI adds a set of rules to open "holes" for
the services that you've enabled and right at the end, it adds 2
default rules:

12190 deny tcp from any to any
65535 allow ip from any to any

This blocks any TCP connections that you haven't explicitly allowed, but
alas not UDP or ICMP. This is why they were able to connect to SMB services on
the Mac from the Internet.

You can, of course, fix this from the cmd line, but I'm really disappointed
that they haven't fixed this in Leopard.

Of course, most people are sitting behind NATing routers, when they access
the Internet, so this isn't a big issue, but beware when you're on the road
and connected to an untrusted network (like the hotel's WLAN).

--

Sak Wathanasin
Network Analysis Limited
http://www.network-analysis.ltd.uk

I'm probably being thick here, but is what you're saying that the non-GUI
firewall (iptables?) ships with everything open, and then you use

Nope, ipfw.

the GUI to change things. The GUI adds entries to open up the ports
you specify via the GUI, but doesn't close ones you don't?

Nope. There's a global setting to turn the firewall on/off. Once you
turn it on, everything's blocked apart from the stuff you allow.

I don't know why Apple don't turn it on by default. I suppose the
argument is that nothing's listening by default so why bother? It seems
a little short-sighted.

It does; it assumes that no service will be compromised, and is a touch,
um, Microsofty in thinking?

My ideal would be a "trusted zone" of anything within my 10.0.x.x IP
range at home where all ports were open to other clients on that
network, and very little other than absolutely necessary open
(bittorrent, not a lot else that needs to be accessible from outside
from the internet side via my router - mail/internet etc would all be
initiated from the Mac and connect out).

I currently have my Mac in a DMZ via the router on the understanding
that the OS X firewall would protect me, and it'd appear this isn't
the case in Leopard and probably not in Tiger too?

Slightly worried now...

There are firewall configurator GUIs around for OS X, and have been
since 10.1/10.2. They'll implement whatever level of paranoia you want
;-)

heh!

Do a 'man ipfw' to get an idea of what the firewall can actually do,
instead of believing all the scare stories.

and/or give it a scan with nmap.

Cheers,

Chris


--
www.rogermerriman.com
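To make Sak's point concrete, here is an added toy evaluator (not code from the thread or from Apple) of ipfw's first-match semantics over the two default rules quoted above; it shows that a UDP or ICMP packet falls through to rule 65535 and is allowed, and what a hypothetical extra catch-all deny (rule number 12191 is an assumption) would change.

```python
"""Toy first-match evaluator for the ipfw rule list quoted in the thread.

Supported rule subset: "<num> <allow|deny> <proto> from any to any", where
<proto> is tcp, udp, icmp, or ip (ip matches every protocol, as in ipfw).
Ports, addresses and stateful ("established"/"keep-state") rules are not
modelled; this only illustrates the protocol gap the thread describes.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    num: int
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp", "icmp" or "ip"


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line and order them by rule number, as ipfw does."""
    rules = []
    for line in text.strip().splitlines():
        num, action, proto, *_ = line.split()
        rules.append(Rule(int(num), action, proto))
    return sorted(rules, key=lambda r: r.num)


def evaluate(rules: list[Rule], proto: str) -> tuple[str, int]:
    """Return (action, rule number) of the first rule matching a packet of proto."""
    for r in rules:
        if r.proto in ("ip", proto):
            return r.action, r.num
    raise ValueError("no rule matched")  # cannot happen with a 65535 catch-all


def policy(rules: list[Rule]) -> dict[str, str]:
    """Summarise what happens to unsolicited tcp/udp/icmp traffic."""
    return {p: evaluate(rules, p)[0] for p in ("tcp", "udp", "icmp")}


# The two default rules the GUI appends, exactly as quoted in the thread.
GUI_RULES = parse_rules("""
12190 deny tcp from any to any
65535 allow ip from any to any
""")

# Hypothetical hardened tail: an explicit deny for everything else, placed
# after the GUI's per-service allow rules but before the default allow.
# Rule number 12191 is an assumption; ipfw's rule 65535 itself cannot be removed.
HARDENED_RULES = parse_rules("""
12190 deny tcp from any to any
12191 deny ip from any to any
65535 allow ip from any to any
""")
```

With the GUI rules, `policy(GUI_RULES)` reports tcp denied but udp and icmp allowed, which is exactly the gap that let SMB's UDP side through; with the extra deny, all three are blocked.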


