Re: Leopard Firewall Warning
- From: NEWS@xxxxxxxxxxxxxxxxxx (Roger Merriman)
- Date: Thu, 1 Nov 2007 16:17:57 +0000
Chris Ridd <chrisridd@xxxxxxx> wrote:
On 2007-11-01 13:25:12 +0000, ric <publicmail@xxxxxxxxxxxxxxxx> said:
On Nov 1, 11:33 am, Sak Wathanasin <s...@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
In article <fgbdm1$40...@xxxxxxxx>, Rolly <n...@xxxxxxxxxxx> wrote:
I truly hope the article is inaccurate.
Alas, no. The problem is in earlier versions of OSX as well, and it's
really a problem with the GUI, not the firewall as such. When you
enable the firewall, the GUI adds a set of rules to open "holes" for
the services that you've enabled and right at the end, it adds 2
12190 deny tcp from any to any
65535 allow ip from any to any
This blocks any TCP connections that you haven't explicitly allowed, but
alas not UDP or ICMP. This is why they were able to connect to SMB services on
the Mac from the Internet.
You can, of course, fix this from the cmd line, but I'm really disappointed
that they haven't fixed this in Leopard.
Of course, most people are sitting behind NATing routers, when they access
the Internet, so this isn't a big issue, but beware when you're on the road
and connected to an untrusted network (like the hotel's WLAN).
Network Analysis Limited http://www.network-analysis.ltd.uk
I'm probably being thick here, but is what you're saying that the non-
GUI firewall (iptables?) ships with everything open, and then you use
the GUI to change things? The GUI adds entries to open up the ports
you specify via the GUI, but doesn't close ones you don't?
Nope. There's a global setting to turn the firewall on/off. Once you
turn it on, everything's blocked apart from the stuff you allow.
I don't know why Apple don't turn it on by default. I suppose the
argument is that nothing's listening by default so why bother? It seems
a little short-sighted.
It does; it assumes that no service will be compromised, and is a touch,
um, Microsofty in thinking?
My ideal would be a "trusted zone" of anything within my 10.0.x.x IP
range at home where all ports were open to other clients on that
network, and very little other than the absolutely necessary open
(BitTorrent, not a lot else needs to be accessible from outside
from the Internet side via my router; mail/internet etc. would all be
initiated from the Mac and connect out).
I currently have my Mac in a DMZ via the router on the understanding
that the OS X firewall would protect me, and it'd appear this isn't
the case in Leopard and probably not in Tiger too?
Slightly worried now...
There are firewall configurator GUIs around for OS X, and have been
since 10.1/10.2. They'll implement whatever level of paranoia you want
Do a 'man ipfw' to get an idea of what the firewall can actually do,
instead of believing all the scare stories.
And/or give it a scan with nmap.
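Worked illustration of the rule-ordering point made earlier in the thread (the GUI ends its ruleset with "12190 deny tcp from any to any" followed by the default "65535 allow ip from any to any", so anything that is not TCP falls through to the allow). This is an added example, not code from the thread or from Apple: it simulates ipfw's first-match evaluation in Python and runs a few constructed probes against the quoted ruleset and against the same ruleset with the command-line fix applied. The port-22 service hole, the addresses, and the probe ports are assumptions for the demonstration; the simulation ignores interface and direction qualifiers.

```python
"""Simulate ipfw first-match evaluation to show why `deny tcp` alone leaves
UDP and ICMP open. Added example; rulesets are constructed from the two rules
quoted in the thread, with an assumed port-22 hole standing in for whatever
service the GUI opened."""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    number: int
    action: str            # "allow" or "deny"
    proto: str             # "ip" matches every protocol; else "tcp"/"udp"/"icmp"
    src: str               # "any" or a CIDR
    dst: str
    dport: Optional[int]   # None means any destination port


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # ICMP carries no port


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread:
    '<num> <allow|deny> <proto> from <src> to <dst> [<dport>]'."""
    tok = line.split()
    num, action, proto = int(tok[0]), tok[1], tok[2]
    assert tok[3] == "from" and tok[5] == "to", line
    dport = int(tok[7]) if len(tok) > 7 else None
    return Rule(num, action, proto, tok[4], tok[6], dport)


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """ipfw walks rules in ascending number order; the first match decides.
    Rule 65535 is the built-in default and is always present."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return "allow"   # not reached while 65535 is in the set


def load(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


# What the post says the GUI installs (the port-22 hole is an assumed example
# of an enabled service; 12190 and 65535 are the two rules quoted).
GUI_RULES = load("""
2000 allow tcp from any to any 22
12190 deny tcp from any to any
65535 allow ip from any to any
""")

# Same set with the command-line fix the post alludes to: also close UDP and
# ICMP before the default rule. Constructed; on a real host these would be
# added with e.g. `sudo ipfw add 12191 deny udp from any to any`.
FIXED_RULES = load("""
2000 allow tcp from any to any 22
12190 deny tcp from any to any
12191 deny udp from any to any
12192 deny icmp from any to any
65535 allow ip from any to any
""")

MAC = "192.0.2.10"          # the Mac's address (constructed, TEST-NET)
OUTSIDER = "198.51.100.7"   # a host on the untrusted network (constructed)

# Constructed probes: SMB over TCP, the assumed SSH hole, NetBIOS name
# service over UDP, and a plain ICMP echo.
PROBES = {
    "tcp/445": Packet("tcp", OUTSIDER, MAC, 445),
    "tcp/22": Packet("tcp", OUTSIDER, MAC, 22),
    "udp/137": Packet("udp", OUTSIDER, MAC, 137),
    "icmp": Packet("icmp", OUTSIDER, MAC),
}


def audit(rules: List[Rule]) -> dict:
    """Return the verdict each probe gets under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("GUI ruleset", GUI_RULES), ("fixed ruleset", FIXED_RULES)):
        print(label, audit(rules))
```

Under the GUI ruleset the simulation reports tcp/445 denied but udp/137 and icmp allowed, which is the gap described in the thread; the fixed ruleset denies all three and still lets the explicitly opened TCP port through. A blanket `deny udp` of this kind will also drop inbound DNS replies and similar traffic unless stateful or direction-qualified allow rules (ipfw's `keep-state`, `in`/`out`) are placed ahead of it, so the fixed set is the shape of the correction, not a drop-in ruleset.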