Slashdot Mirror


OS X Leopard Firewall Flawed

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

300 comments

  1. Never put your eggs in one basket. by jellomizer · · Score: 5, Informative

    Lesson 1.
    Never trust software firewalls. Software firewalls should only be used for protection against "internet static" attacks, where just random worms and viruses are trying to get in. Software firewalls are normally bad against direct attacks from real hackers, because there are so many ways to trick the user into installing software to get around it...

    Lesson 2.
    Never trust anyone to keep security up. Apple, Microsoft, Linux distributions, even OpenBSD: they are all made by humans, and humans make mistakes and forget to check out things...

    Lesson 3.
    Always keep a hardware firewall, even if it is a cheap Linksys Firewall/Router; they will double up protection and keep your system relatively safe.

    Lesson 4.
    Never assume that you are 100% safe. There are always ways around things...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Never put your eggs in one basket. by MBCook · · Score: 4, Insightful

      I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much safer from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

      So what do I think of all this? I don't know. I saw comments somewhere the other day that claimed that these guys were just misunderstanding, but I'm not sure. I expect a firewall to block things if I tell it to though.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Never put your eggs in one basket. by ScytheBlade1 · · Score: 1, Offtopic

      I trust my linux based software firewall a lot more than I trust a Linksys router doing NAT.

    3. Re:Never put your eggs in one basket. by JCSoRocks · · Score: 2, Insightful

      Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, ...
      Do you see that, Apple fanboys!? Quick! Attack! GO GO GO!

      Seriously though, he's right. People in both camps should realize that no matter how great you think your software is, it's not perfect.
      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    4. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 5, Interesting

      Couldn't you argue that more layers = more possibilities for attack vectors?
      Also, FYI, a hardware firewall is just a dedicated software firewall.

    5. Re:Never put your eggs in one basket. by gEvil+(beta) · · Score: 5, Funny

      Also, FYI, a hardware firewall is just a dedicated software firewall.

      I don't know if I buy that. I mean, one has the word "hard" in it, while the other has "soft" in it. Given the choice of the two, the "hard" one sounds far more secure.

      --
      This guy's the limit!
    6. Re:Never put your eggs in one basket. by nharmon · · Score: 3, Insightful

      Fine. Just don't have your main firewall be on the same machine as the data you're trying to protect.

    7. Re:Never put your eggs in one basket. by Cecil · · Score: 4, Informative

      Couldn't you argue that more layers = more possibilities for attack vectors?

      That would only apply if breaking one link in the chain is as good as breaking all the links in the chain, i.e., if they give special accommodations to one another because they are all part of the "same network", or one contains passwords to the others, or something of that nature. In this case that should not happen, thus you must break each link in succession to get through.

      Also, FYI, a hardware firewall is just a dedicated software firewall.

      The key word here is "dedicated". A dedicated firewall means you are not installing other software on it which could compromise the firewall itself (either intentionally or through poor design), and it also means that should a hacker somehow break into the firewall, your losses are limited as they have not also gained entry to your files, your passwords, your keyboard, your browser, etc and they cannot rootkit your PC. They only get a tiny, wimpy processor with little-to-no storage and complete network access. Dangerous, yes, but not a complete disaster.

    8. Re:Never put your eggs in one basket. by Zenaku · · Score: 5, Informative

      If the layers of security are really layers of security, then no, you couldn't argue that. You have to breach the outermost layer before you can even attack the second layer, and you have to breach that layer before you can attack the third, etc.

      --
      If fate makes you a motorcycle, you become a motorcycle.
    9. Re:Never put your eggs in one basket. by Bryansix · · Score: 1

      Actually some firewalls do the filtering and packet checking in hardware and some (mostly newer ones) actually just run software to do the task. Linksys for instance has both. One is not better at being a firewall than the other, although you might argue that the hardware version will have more uptime.

      As for more layers equalling more attack vectors; that is complete hogwash. The second firewall doesn't open holes in the first in order to function. It just filters the traffic that actually makes it through the first one.

    10. Re:Never put your eggs in one basket. by toleraen · · Score: 4, Informative

      My Linksys router runs a Linux based software firewall.

    11. Re:Never put your eggs in one basket. by jellomizer · · Score: 1

      No not for this case.

      Firewall A has all ports blocked

      Firewall B has all ports blocked

      Breaking Firewall A doesn't affect Firewall B. The technique for Firewall B is different than for Firewall A. It is like having 2 locked doors with different keys and lock types. It is like saying if you have more keys and doors that are locked, the less time it will take for a burglar to break into your house...

      Yes a Gardware furewakk us a det=ducated software firewall but that is all it is dooing you don't go install software on it that could turn it off. All it does is what it is supposed to do... In some cases it is hardware control. I remember a long time ago a white paper on Sun firewall software that properly filters information with the OS stopped. All the traffic is handled with the network card settings.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    12. Re:Never put your eggs in one basket. by physicsboy500 · · Score: 1, Interesting

      Lesson 4.
      Never assume that you are 100% safe. There are always ways around things... I (unfortunately) used to work for Geek Squad and you wouldn't believe how many people got completely enraged about this one. They would bring a virus-ridden computer in (mainly because they didn't follow lessons 1, 2 or 3) and ask why their firewall or virus software didn't catch the error. I had to explain that there are always ways around security measures and they need to continually update to help prevent this, but there is no failsafe. The conversation that generally followed is "So you're saying I spent ~$40 on a firewall and ~$40 on antivirus and it may not even prevent me from malware?!"

      It made me wish I worked at a place like this just so I could tell them where to stick their virus protection.
      --
      The original generic sig.
    13. Re:Never put your eggs in one basket. by jellomizer · · Score: 2, Insightful

      Looking at your moderation and the parent's shows that your statement is true... I am using OS X right now and I am hoping my copy of Leopard is in the mail, and planning to install it as soon as I get home... Even though I really like the OS right now (it is my favorite), I don't want to be a fanboy and assume that it is a flawless, perfect system that will protect me from nuclear blasts, and that Steve Jobs is always right... There are things I dislike about the OS, but I dislike them less than my dislikes of other OSes.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    14. Re:Never put your eggs in one basket. by jellomizer · · Score: 0

      Except unless you are completely anal, check the source line for line for all the applications you run, do absolutely nothing as root and make sure your OS is free from all buffer overflows... (in this case you have little time left to do anything of use on your computer) you could run a trojan script that disables your firewall, some update to the firewall software that a compile bug makes seem like it is running but is completely unusable, or, like in OS X 10.5, new features added to it that actually hurt security more. The problem with software firewalls is the human factor: humans can be tricked into doing a bunch of things...

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    15. Re:Never put your eggs in one basket. by Sloppy · · Score: 5, Funny

      That's why, on my computer, I use a hardware null device. I don't trust the OS's slow software-emulated null device to properly dispose of my unused bits. You never know who might be going through your trash, piecing together private information. The performance boost is just icing on the cake.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    16. Re:Never put your eggs in one basket. by walt-sjc · · Score: 1

      They only get a tiny, wimpy processor with little-to-no storage

      This depends on what you use as a dedicated firewall. Some of the dedicated commercial firewalls are actually fairly powerful systems.

    17. Re:Never put your eggs in one basket. by VisceralLogic · · Score: 2, Interesting

      Of course, I was once running OS X for quite awhile with no firewall, because I had turned it off for some reason (debugging X11 connection, I think), and forgot to turn it back on. Still no problems when I realized it was off several months later.

      --
      Stop! Dremel time!
    18. Re:Never put your eggs in one basket. by sg3235 · · Score: 1

      I run a software firewall on Linux. I seriously doubt I could be tricked into running a script that disables my firewall for the simple reason that running the firewall is the only thing the box is used for. I have a second Linux box that functions as server. I also have windows and apple machines on my network. Though the risks that you state are valid, it's not the fact that the firewall is software rather than hardware that makes it vulnerable, but that you are using it to do more than one task.

    19. Re:Never put your eggs in one basket. by RobertM1968 · · Score: 3, Insightful

      I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much safer from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

      Regardless, if I am on a network where I don't have control of all the machines on it 24/7, then I think running the machine's OS (or add-on) firewall is still a must. It really doesn't matter how great a hardware firewall is if someone infects their machine via a CD, DVD, USB drive, etc. from something they bring from their infected home machine or friend's machine or whatever. Since most direct network traffic doesn't (try to) pass through the hardware firewall, one should always be protected from the other machines on their network. For instance, in my office, we have a couple WinXP machines - and though they are not infected, they are constantly broadcasting nonsense trying to find their brethren (to EVERY machine on the network). Our "hardware" firewall does nothing to stop that - even though it does block the traffic from going OFF our network. I block that traffic on my other machines at their firewalls (no need to waste sockets or OS time handling the packets at all). If those XP machines were infected... well, you see the point.

      Having one machine on the network, or a few machines that only you use (with taking precautions not to infect them from an external source), then yeah, a hardware firewall is probably all you need.

    20. Re:Never put your eggs in one basket. by ScytheBlade1 · · Score: 5, Insightful

      Really good thing that my linux software firewall is stored on a read-only filesystem then, and only allows login via SSH hostkeys.

      I made my initial post pretty quickly, and likewise screwed up some things.

      What is the difference between a software and a hardware firewall anyways? Heck, what is a firewall? There are so many countless ways of defining a 'firewall' that the average home router you can pick up at your local grocery store is advertised as a "router/firewall." Just because it's embedded suddenly makes it less of a software firewall, and more of a hardware one?

      As mentioned, my router has a read-only root file system. It's also running a complete linux distro. Is this a hardware or software firewall?

      Further, it does stateful packet inspection (four-ish lines of iptables commands? Worth $40+ on 'firewall' devices?), QoS (both host and service based), and it does this all through a transparent ethernet bridge. Then I have an admin ethernet jack, which requires IPSEC connectivity before you can touch the internal ports (22, 80).

      It's a complete linux distro, so it's software. It's 100% embedded, so it's hardware.

      As mentioned, other routers are embedding linux. Cool. Hardware or software? More secure, or less? More capable? Or less capable?

      Classifying 'software firewalls' as 'insecure' and classifying 'a cheap Linksys Firewall/Router' as 'secure' is kinda scary in all truth. Well, mostly just wrong. Firewalls are too generic now - just because it says 'firewall' on the front, you're supposed to think that you're safe from 'hackers.'
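
The "four-ish lines of iptables" in the comment above, and the behaviour the Heise test expected from Leopard (only the listed service reachable, everything else dropped, including a service started by hand), both come down to default-deny inbound plus connection tracking. The following is an added simulation, not code from the article or from any commenter's router: a toy stateful filter with a conntrack table, and a chain of two such filters to show why an inner filter that admits too much (the behaviour reported for Leopard) is still covered by a perimeter that only forwards the intended port. All addresses and port numbers are constructed test data.

```python
"""Toy stateful packet filter: default-deny inbound with connection tracking,
and filters chained in series. Added illustration; not any real firewall's code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the protected host) or "out" (from it)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFilter:
    """Default-deny inbound filter with a minimal connection-tracking table.

    allow_new_inbound holds (proto, port) pairs that may receive NEW inbound
    traffic; anything else inbound is accepted only if it belongs to a flow the
    host itself opened (ESTABLISHED), which is what the iptables conntrack
    ESTABLISHED,RELATED rule expresses.
    """
    name: str
    allow_new_inbound: frozenset = frozenset()
    conntrack: set = field(default_factory=set)   # flows: (proto, src, sport, dst, dport)

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        if self._flow(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def decide(self, p):
        if p.direction == "out":            # outbound allowed; record the flow so replies return
            self.conntrack.add(self._flow(p))
            return "ACCEPT"
        if self.state(p) == "ESTABLISHED":  # reply to something the host asked for
            return "ACCEPT"
        if (p.proto, p.dport) in self.allow_new_inbound:
            self.conntrack.add(self._flow(p))
            return "ACCEPT"
        return "DROP"                       # default policy: unsolicited inbound is dropped


def chain_decide(layers, p):
    """Pass a packet through filters in series (outermost first for inbound).

    A packet dropped by one layer never reaches the next, so each layer must be
    defeated in turn: the 'break each link in succession' argument in the thread.
    """
    order = layers if p.direction == "in" else list(reversed(layers))
    for layer in order:
        if layer.decide(p) == "DROP":
            return f"DROP@{layer.name}"
    return "ACCEPT"


# Constructed addresses from the documentation ranges (TEST-NET-1/2/3).
ME, THEM, NTP_SERVER = "192.0.2.10", "198.51.100.7", "203.0.113.5"


def leopard_scenario():
    """Host filter that, as intended, only lists 'Remote Login' (22/tcp).
    A manually started 8080/tcp service and unsolicited NTP/NetBIOS datagrams
    must be dropped; a reply to the host's own NTP query must be accepted."""
    host = StatefulFilter("host", frozenset({("tcp", 22)}))
    r = {}
    r["ssh_in"] = host.decide(Packet("in", "tcp", THEM, 51000, ME, 22))
    r["manual_8080_in"] = host.decide(Packet("in", "tcp", THEM, 51001, ME, 8080))
    r["ntp_unsolicited"] = host.decide(Packet("in", "udp", THEM, 123, ME, 123))
    r["netbios_unsolicited"] = host.decide(Packet("in", "udp", THEM, 137, ME, 137))
    host.decide(Packet("out", "udp", ME, 40000, NTP_SERVER, 123))   # host sends an NTP query
    r["ntp_reply"] = host.decide(Packet("in", "udp", NTP_SERVER, 123, ME, 40000))
    return r


def layered_scenario():
    """A host filter that wrongly admits 8080/tcp, behind a perimeter that only
    forwards 22/tcp: the perimeter still drops the 8080 connection attempt."""
    perimeter = StatefulFilter("perimeter", frozenset({("tcp", 22)}))
    buggy_host = StatefulFilter("host", frozenset({("tcp", 22), ("tcp", 8080)}))
    layers = [perimeter, buggy_host]
    return {
        "ssh_in": chain_decide(layers, Packet("in", "tcp", THEM, 51000, ME, 22)),
        "manual_8080_in": chain_decide(layers, Packet("in", "tcp", THEM, 51001, ME, 8080)),
        "host_alone_8080": buggy_host.decide(Packet("in", "tcp", THEM, 51002, ME, 8080)),
    }


if __name__ == "__main__":
    print(leopard_scenario())
    print(layered_scenario())
```

The single-host run shows the decisions the article says Leopard failed to make; the layered run shows the same bad host policy masked by the perimeter, which is the practical content of "don't put your eggs in one basket".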

    21. Re:Never put your eggs in one basket. by peragrin · · Score: 1, Funny

      ah so you never returned your Sony Batteries.

      remind me never to borrow your computer.

      --
      i thought once I was found, but it was only a dream.
    22. Re:Never put your eggs in one basket. by Bob-taro · · Score: 1

      Couldn't you argue that more layers = more possibilities for attack vectors?

      I've never heard of a firewall bug creating a new attack vector, though in theory I guess it could happen. Still, I'd argue that multiple firewalls are safer. If there are two firewalls between you and the bad guys / bots, they would have to get past BOTH firewalls.

      --
      Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
    23. Re:Never put your eggs in one basket. by Cally · · Score: 1

      Oh dear. Look, I'm sorry to break it to you, but that "hardware firewall"? That's a computer, running software. Your Windows machine's built-in, "software", firewall? That's a computer, running software.

      I think the distinction you're trying to make is between dedicated appliances and general purpose computers. Well, there's a security advantage to having your firewall device be on a separate host than the machine you use for web and mail - but most of that advantage is that you've got a separate device telling you what's going in and out, so if your sexytime box gets pwned you can at least tell from the firewall logs. (You do review the logs, don't you? I bought a $60 Linksys box a couple of months back which even supports syslog to an external server, and you can't say fairer than that. Hmmm, that makes three devices... I suppose you could get a NSLU2 slug for $80, stick a cheap USB drive on it and use that for syslog, with OpenSlug... but I'm thinking out loud here :))

      (BTW, yes - despite what the firewall nazis will be saying downthread -- to my mind anyway, a NAT device *IS* a firewall, of a sort; they're both doing stateful packet routing against a rulebase after all. You just need to be sufficiently clueful to understand what it's doing for you; it's certainly *not* a magic attack-proof gadget that keeps you secure.)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    24. Re:Never put your eggs in one basket. by MarcoAtWork · · Score: 1

      what router do you have? and can you run something full-featured like LEAF? I am looking into retiring my ancient (P133) linux router/fw for something more energy efficient and quiet and if there was something I could flash LEAF on it would be the perfect thing...

      --
      -- the cake is a lie
    25. Re:Never put your eggs in one basket. by rhavenn · · Score: 1

      I have an OpenBSD box (486 old HP box) with 2 NICs in it. It runs PF and filters everything. That's all it does. It's far better, far more flexible and far more secure than any $40 Linksys "device" you can buy. Plunk a $2000 PIX down next to it and we'll talk.

      Also, who do you think programs the Linksys devices? It's all humans, and I would venture to state one who cares less about his work than an OpenBSD developer does.

    26. Re:Never put your eggs in one basket. by Mr.+Underbridge · · Score: 1

      Couldn't you argue that more layers = more possibilities for attack vectors?

      Only if they were run in parallel (which wouldn't make any obvious sense) instead of serial (which is the implication, I believe).

    27. Re:Never put your eggs in one basket. by toleraen · · Score: 2, Informative

      I had been using a WRT54G, but I retired it for Buffalo WHR-HP-54G. I've been using DD-WRT on both of them, and it's been pretty solid. V24 is looking to be a pretty good release too.

    28. Re:Never put your eggs in one basket. by joh · · Score: 1

      Lesson 3.
      Always keep a hardware firewall, even if it is a cheap Linksys Firewall/Router; they will double up protection and keep your system relatively safe.

      Most hardware firewalls run a version of Linux (good) which gets hardly ever updated (bad). You may very well target yourself to a bazillion script-kiddies if you're running a hardware firewall with an outdated Linux on it.

      This is a time-bomb ticking in many (even quite geeky) households. Tell me, which version of the Linux kernel is your hardware router/firewall running?
    29. Re:Never put your eggs in one basket. by 644bd346996 · · Score: 3, Informative

      You must be new here (despite your UID). The Linksys WRT54G and derivatives have been the most popular 802.11b/g/etc. router for years (since 2003, according to Wikipedia). One of the reasons for its popularity is that it runs Linux, and there are many projects offering customized firmware, such as DD-WRT and OpenWRT. This has been popular enough that when Linksys chose to switch to VxWorks and halve the amount of flash, they released the WRT54GL with the old hardware configuration specifically for people wanting to modify the firmware.

      If you pick up one of the models with a USB port, you can trivially expand its storage capacity, although the built-in RAM and Flash is usually sufficient.

    30. Re:Never put your eggs in one basket. by adavidw · · Score: 2, Informative

      You want a WRT54G, which can be had dirt cheap, and be flashed to many specialized Linux distributions, some of which have LEAF. One example is http://openwrt.org/.

      Anybody still running an old standalone computer as a Linux software firewall probably pays enough in electricity to buy a new WRT54G or similar router every few months.

    31. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      One is not better at being a firewall then the other although you might argue that the hardware version will have more uptime.

      Who says the hardware version will have more uptime? And what happens when a bug is found in the hardware, and not one of those fancy-ass new bugs that can be fixed by a firmware revision? What then?

    32. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 3, Funny

      Yes a Gardware furewakk us a det=ducated software firewall but that is all it is dooing you


      Quick, call 911! Dude's having a stroke!
    33. Re:Never put your eggs in one basket. by Bryansix · · Score: 1

      Then you're shit out of luck. But hopefully the thing is still covered by a warranty of some sort.

    34. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      Dude, quit using "Software Firewall" for crying out loud! All firewall appliances I know of do the filtering via software; everything is software! Damn! Cisco runs IOS, FYI! Please, enlighten me, what is this hardware-based firewall you're mentioning? I'm really clueless about that.

    35. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      I always thought of a hardware based device as having some sort of hardware assistance, like a dedicated ASIC.

      May not improve security, but assists throughput.

    36. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      What exactly do you think is running on your "hardware" firewall? Do you think Linksys has implemented stateful packet inspection in silicon on a $40 wireless router?

    37. Re:Never put your eggs in one basket. by ChrisA90278 · · Score: 2, Informative

      So you buy a Linksys "hardware" firewall. What's inside? There is a CPU, some RAM, an operating system (likely VxWorks) and some software. There are no truly hardware-only firewalls.

      And then what does a firewall do? If the computer is configured correctly there is no need for a firewall. Firewalls are just the "suspenders" part of a "belt and suspenders" security system. And even then the virus comes in via email and the web, which your firewall lets in.

      That said, I use redundant layers of protection and then tripwire-like detection

    38. Re:Never put your eggs in one basket. by shakestheclown · · Score: 1

      Or what if you find out, as I did, that the object you've been plugging your network cables into all of this time wasn't a firewall at all, BUT A TOASTER!

    39. Re:Never put your eggs in one basket. by jandrese · · Score: 2, Interesting

      The worst part about those hardware firewalls is that they're buggy. People think that because they're in hardware they're bug free, but frankly I've discovered way more bugs in those cheap commercial "internet routers" than I've ever seen in iptables, ipfw, and pf combined. VxWorks is not easy to debug and most vendors seem to do as little work in it as possible. I actually had one on my home network that got replaced by a FreeBSD box when I discovered a firmware bug that DOSed my local network and the remote network with malformed packets about once a day, requiring me to reboot the router.

      --
      I read the internet for the articles.
    40. Re:Never put your eggs in one basket. by mpeg4codec · · Score: 1

      You never know who might be going through your trash, piecing together private information.
      Quoted for truth! A few years ago some kids got a hold of my garbage file and managed to frame me for something called a Da Vinci virus! It was awful, even Angelina Jolie was somehow involved.

      ~The Plauge
    41. Re:Never put your eggs in one basket. by TheSkyIsPurple · · Score: 1

      Who knows, maybe his company decomm'd a bunch of PIX's, and he's got one sitting behind every machine in his house?

    42. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      even OpenBSD. are you out of your fucking mind??

    43. Re:Never put your eggs in one basket. by Nimey · · Score: 1

      Read up on the military theory of "defense in depth". For a particular example, study Japanese tactics during the Battle of Iwo Jima.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    44. Re:Never put your eggs in one basket. by hakr89 · · Score: 2, Funny

      The problem with putting the null device into hardware is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip, clogging up the busses even more than the kernel internally discarding the memory. Write-Only Memory only goes so fast, you know.

    45. Re:Never put your eggs in one basket. by tulare · · Score: 2, Insightful

      A little ARP poisoning, and some sniffing to see what version of what your linux box is running, next time you apt-get update && apt-get upgrade, or emerge world, or whatever mechanism you use, you're pwned. My experience is that the best method of security is a pair of eyeballs attached to a skeptical brain.

      --
      political_news.c: warning: comparison is always true due to limited range of data type
    46. Re:Never put your eggs in one basket. by joelleo · · Score: 1

      I have 3 PIX 501s just lying around unused right now - it's not that far-fetched :)

      --
      "In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
    47. Re:Never put your eggs in one basket. by FlameboyC11 · · Score: 1

      Have fun using QOS on it though. I admit the WRT54G ran great at my house with just my parents and brother on it, but my current house has 5 guys who love to transfer files/stream/p2p and the WRT54G I had ran straight into the ground. Threw in a box running pfSense (Some shitty P2 with 128mb of ram) and it's been running great ever since. Can't save power with something that doesn't work...

    48. Re:Never put your eggs in one basket. by MarcoAtWork · · Score: 1

      no, I'm not new, and I am aware of the WRT54G (although I've never bought it b/c I don't care much about wireless), however as far as I know you can't run LEAF/Bering on it, that's why I was asking what the OP was running... OTOH I haven't really ever investigated the merits/demerits of DD-WRT et. al. compared against LEAF etc.

      --
      -- the cake is a lie
    49. Re:Never put your eggs in one basket. by MarcoAtWork · · Score: 1

      I don't really care about QOS, or about wireless (I actually want to make sure it's possible to turn it off explicitly), I just want something I can keep running NAT/DHCP/Firewalling on that sucks less electricity than a full featured box and won't cause issues with my 10mbit cable connection (whether limiting the d/load speed or, worse, introduce lag and/or other issues: I use this for telecommuting so having a very stable low-added-latency fw/nat is mandatory for me, since for some reason nx sometimes doesn't like to resume sessions dropped due to network issues).

      --
      -- the cake is a lie
    50. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      Lesson 1.
      Never trust Slashdot Posters. The majority of slashdot posts either contain no relevant content, or contain factually incorrect content.

      Lesson 2.
      Never trust Slashdot Submitters. Most submissions are either misleading or factually incorrect.

      Lesson 3.
      Never trust Slashdot Editors. No Slashdot editor has a technology or science background, and none of them are qualified to evaluate submissions for correctness.

      Lesson 4.
      Never trust Slashdot. This article gets almost everything wrong, and nothing right. A blank page contains just as much true information, and much less false information.

    51. Re:Never put your eggs in one basket. by slater86 · · Score: 1

      My Linksys router runs a Linux based software firewall. Absolutely. All firewalling equipment works at the same network level (session layer I think). Both the dedication and the physical separation between the device and the PC make the big difference, i.e. if you browse to a site that runs an arbitrary code exploit to turn off or crash your PC's firewall, it's not going to affect the hardware based firewall at all.
      --
      When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
    52. Re:Never put your eggs in one basket. by TheLink · · Score: 1

      For me the difference between hardware and software nowadays is:

      software = stuff I can configure/modify.
      hardware = stuff other people configure (e.g. too hard for me to configure).

      Ever reflashed a router, modem, cd burner etc? Or patched an Intel CPU using a BIOS update? Software :).

      Ever hear someone regard all the computers, routers, switches etc in his organization as "hardware"?

    53. Re:Never put your eggs in one basket. by Knuckles · · Score: 1

      next time you apt-get update && apt-get upgrade, or emerge world, or whatever mechanism you use, you're pwned

      How do you plan to sign the packages with a valid key?

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    54. Re:Never put your eggs in one basket. by dvNull · · Score: 1

      Which ran NetBSD ?

    55. Re:Never put your eggs in one basket. by treuf · · Score: 1

      Moreover, how do you plan to get physical access to the lan where your machine is ?
      By owning another box (chicken & egg issue there ...) ?

      Arp poisoning is nice, but only if you are on the same network branch.

    56. Re:Never put your eggs in one basket. by master_p · · Score: 2, Insightful

      Everything is software, even hardware logic circuits :-).

      The real benefit of an external firewall is that if your system is compromised, the firewall itself is not compromised, whereas in a firewall embedded in an O/S, if the O/S is hacked then the firewall is useless.

    57. Re:Never put your eggs in one basket. by AntiDragon · · Score: 1

      Not really. The layers are nested. In theory, you can't even see one layer until you've got past another. So in fact, you need to take advantage of more vulnerabilities to get access to the target system, which requires more time, effort and knowledge. Not to mention that one attack vector could make it more difficult to implement the next attack vector for the second firewall. Of course, the exact impact of adding multiple layers is debatable - two layers of tissue paper is barely better than one :)

      --
      "...So I hung back and lurked. For 18 months. Can't beat a good old-fashioned lurking."
    58. Re:Never put your eggs in one basket. by Lumpy · · Score: 1

      Look up the following on google.

      Open-WRT and DD-WRT. and receive what you are seeking.

      --
      Do not look at laser with remaining good eye.
    59. Re:Never put your eggs in one basket. by Sloppy · · Score: 2, Funny

      The problem with putting the null device into hardware, is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip.

      Yeah, but that happens asynchronously if your null device can use DMA, so while it's transferring, your CPU can run the next bit of code out of cache, instead of wasting time executing emulator code. Also, if you have multiple busses, you can always hook up more null devices, and stripe them, to spread the load out.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    60. Re:Never put your eggs in one basket. by danpritts · · Score: 1

      I have an OpenBSD box (486 old HP box) with 2 NICs in it. It runs PF and filters everything. That's all it does. It's far better, far more flexible and far more secure than any $40 Linksys "device" you can buy. Plunk a $2000 PIX down next to it and we'll talk.

      Better in terms of functionality, almost certainly.

      Don't forget about the other implications of what you're doing, though. How much power does that 486 use compared to a Linksys? How much does that cost you per year? How much carbon is emitted to keep it running?

      Obviously there are always tradeoffs; just don't forget to include all the costs.

      A reasonable alternative that combines both might be to use a Linksys with the replacement firmware. That might take more work, and runs Linux, not OpenBSD. (Also let's not forget to include the environmental cost of producing & eventually disposing of the Linksys ;)
    61. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      Spot on! Now all we need is a working OS X firewall. I'm sure it's just the GUI though - anyone?

    62. Re:Never put your eggs in one basket. by gobbo · · Score: 1

      Have fun using QoS on it though. I admit the WRT54G ran great at my house with just my parents and brother on it, but my current house has 5 guys who love to transfer files/stream/p2p and the WRT54G I had ran straight into the ground. Threw in a box running pfSense (some shitty P2 with 128MB of RAM) and it's been running great ever since. Can't save power with something that doesn't work...

      I recently bought a WRT54GL for exactly this reason, to get good QoS cheap on miserly electricity.

      I promptly flashed the firmware OS to Tomato because of its speed, stability, and balance between simplicity and features like 10 QoS classes. So far so good with torrents and video streaming (some tweaking of settings, not much), while keeping surfing speedy. Twenty minutes of work and all of a sudden it's a much better router, good speeds, no slogging down under p2p connections.

    63. Re:Never put your eggs in one basket. by urlgrey · · Score: 1

      Lesson 2.
      Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, even OpenBSD they are all made by humans and humans make mistakes and forget to check out things...
      Ummm.... hardware still runs software. Firmware *is* software.
      --
      Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
    64. Re:Never put your eggs in one basket. by Tug3 · · Score: 1

      So untrue!

      I have this hardware firewall installed on my ADSL modem. Actually because I use a separate WLAN access point, I have two hardware firewalls! And both of them are cheap (only a couple of Euros each, price depends on the length of the firewall) and 100% powerful. Now, let me demonstrate the power and security of either one of these firewalls! I'll just crawl under the desk and acti

      --
      If all else fails, pull the plug and get out...
      The Life is out there...
    65. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 0

      Anybody still running an old standalone computer as a Linux software firewall probably pays enough in electricity to buy a new WRT54G or similar router every few months.

      Maybe, maybe not. The hardware would definitely cost more (VIA C3 setups using flash/laptop drives are a bit more expensive). But the power difference will only be around 20-30W more than the WRT54G (less for a VIA setup).

  2. Investigation flawed, more like by Space+cowboy · · Score: 4, Insightful
    From the 'help' button available on the same screen (emphasis mine),

    In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access


    IMPORTANT: Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root"). They can also include digitally signed programs that are opened automatically by other programs.

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

    And, FWIW, if I set the firewall to 'Set Access for specific services and applications', then disable SMB sharing, I can't connect using nmblookup. I can only get through when the service has been enabled (which seems reasonable).

    Simon

    --
    Physicists get Hadrons!
    1. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      I'm not familiar with Leopard, so this might be a bit of an odd question. What does it take for the certificate to be "trusted"? Is it possible for a malicious piece of software to be shipped with what the firewall will take as a trusted certificate and be granted access without user consent?

    2. Re:Investigation flawed, more like by Space+cowboy · · Score: 1

      Plain answer - I don't know.

      I *think* the only entity who can acceptably sign something at the moment is Apple themselves, but I wouldn't bet my life on it...

      Simon.

      --
      Physicists get Hadrons!
    3. Re:Investigation flawed, more like by Sloppy · · Score: 4, Insightful

      so if Leopard trusts the service .. it will have access through the firewall.

      The default configuration represents the situation where the user defers to Leopard's estimation of what can be trusted. If the user starts modifying the configuration, then the question of what Leopard trusts or doesn't trust, should be irrelevant.

      But sure: they documented the bug, thereby causing it to be merely lame design, rather than a bug.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:Investigation flawed, more like by kebes · · Score: 5, Insightful

      if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem

      The problem is that the user asked the OS for a certain action ("block everything") and the OS didn't implement that action. This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"... which isn't a good policy when it comes to security. If a user tries to activate a firewall policy (because they happen to know a certain service is insecure, or not needed, or whatever), then the firewall should implement that policy.

      You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

      If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't. You're also right that in principle the user should educate themselves about their software. However the software should, as much as possible, not misrepresent what's going on. Saying "blocking all connections" and then allowing something to connect is a recipe for security mistakes.
    5. Re:Investigation flawed, more like by mcrbids · · Score: 1, Troll
      ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ? ... and there are good reasons why this is useful.

      For example, if you want to allow a database connection from the local DMZ but not anywhere else, you want to allow the database to connect to the wild, wooly Internet, but only from the DMZ. If the mere fact that the database server is "trusted" allows it to pierce the firewall, this capability is severely mitigated.

      As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect, what good does it do if it doesn't block connections to applications, and worse, doesn't even properly report this fact to you?

      The one that really takes the cake:

      Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root").

      So running an application as root alone is enough to render it open to the world? And it's not even properly reported as such? And you are OK with this? Glad to know that you aren't my security administrator...

      You could argue that the 'Block all incoming connections' is badly worded

      That's not all that I'd argue. This is a "let me know I'm safe" button. This is a "Don't let anybody in" button. People will check it, and not bother to think about it any more. That this button has almost no actual effect on security is simply awful.

      This is a problem - expect a hotfix soon.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    6. Re:Investigation flawed, more like by ByOhTek · · Score: 2, Interesting

      The argument against that is in TFS even.

      If you are testing software and don't want it accessible from the outside world, Leopard's trust be damned, you want it blocked. I agree with the author here, even if he managed to miss the obvious text: any hole in the firewall should be put there explicitly via the administrator of said firewall (or the machine it is on), not left default by the OS and its own preferences. If MS did the same thing everyone would get pissed. If Linux did the same thing [I'd hope] everyone would get pissed. If *BSD did the same thing, the devs would probably get brutalized by their own fanatics.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    7. Re:Investigation flawed, more like by venicebeach · · Score: 4, Informative

      "All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications."

    8. Re:Investigation flawed, more like by Kadin2048 · · Score: 4, Informative
      I'm not 100% sure on this, but if it uses the same certificate framework that's been present in OS X up until now (which I can't see why it wouldn't, honestly), it will mean having the CA for the signing certificate in as a trusted root. I assume Apple will have its own CA cert in there by default, but there will probably be a way that users can add other certificates as they see fit. I doubt this will be easy to do, because you don't want idiots doing it because it's easy to do and basically trojaning their own systems (e.g. "To install BigBoobsPorn.app, first download xyz.p12, and install it in your X509Anchors keyring..."), but I suspect that there's no technical reason why you can't do this.

      That said, according to what I've read from some people, the security might not even be that rigorous; it might be more about making sure that only the developer of an application can update it automatically (so it's more difficult for an attacker to create an update that 'fixes' your copy of Mail.app or some other approved program to do evil things) than making sure each developer has been vetted by Apple or some other Higher Authority.

      There is a posting from someone who supposedly has access to the Leopard previews over at ThinkMac basically saying this:

      I can't tell you much without (totally) violating my WWDC NDA, but suffice it to say that this is not as bad as you think it is.

      Anyone at all can easily make a new signing identity and use it to sign an application they just compiled.

      The main objective of code signing in Leopard is not the same as for SSL certificates -- it is not to evaluate the trust or confidence of something based on a list of trusted certificate authorities.

      Rather, it is to provide a much better means for users to identify applications. A good example is software updates. Right now, if a user updates your application, and your application asks for an item in the user's keychain, the user will get a Keychain warning telling him the application has changed.

      With code signing, the user will get that dialog once the first time he or she runs your application, and if you sign every future version of that application, the system will not bother the user again, because instead of using for example a hash of the application, it will now be using the code signature.
      (source)
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    9. Re:Investigation flawed, more like by Space+cowboy · · Score: 1

      As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect, what good does it do if it doesn't block connections to applications, and worse, doesn't even properly report this fact to you?
      Well, that's the thing, you see. It *does* block connections to applications. Did you miss that part ?

      There are some processes that are allowed to punch through the firewall, and Heise found those. I'd not argue against reporting those processes (perhaps in an 'advanced' tab, to prevent unknowing users from worrying needlessly), but anything not running as root, or crypto-signed, is blocked.

      Here's another thought-experiment: How do you stop a root process from modifying the firewall on any unix box ? On Linux it could alter the rules, make the connection, break the connection, replace the rules. I guess I don't see the point in trying to block root. That's what 'root' is for...

      That this button has almost no actual effect on security is simply awful.
      This is of course complete rubbish. It has a huge effect on security.

      Enough. I'm done defending this - I think all it needs is some more UI to show the ports remaining open, and perhaps a reason why (root process, crypto-signed,...). Even if they put that in, it won't make a difference to the *actual* security, it'll just be some more information on the current firewall state, anyone who cares that much about it will be using netstat/lsof. If you want to get all in a tizzy about that, feel free.

      Simon.

      --
      Physicists get Hadrons!
    10. Re:Investigation flawed, more like by roystgnr · · Score: 1

      An application or program might have requested and been given access through the firewall, or

      So, this firewall, it just blocks remote access to applications that don't open TCP or UDP ports for listening? Awesome! I've been running a firewall for years and I didn't even know it!

    11. Re:Investigation flawed, more like by Have+Blue · · Score: 2, Informative

      If you have specific advanced requirements like that, pop open the command line and enter it into the config yourself. The "firewall preferences" screen is just a wizard on top of ipfw.

    12. Re:Investigation flawed, more like by autophile · · Score: 2, Funny

      As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect...

      If it's warm and fuzzy, it should be "I has a firewall (what I do wif it?)"

      Lolz,

      --Rob

      --
      Towards the Singularity.
    13. Re:Investigation flawed, more like by NNKK · · Score: 1

      This isn't about a root process being able to bypass the firewall, it's about external users being able to bypass the firewall to talk to a process running as root. I happily run such processes behind firewalls without caring much about potential vulnerabilities, because I know only trusted users have access to it, therefore only trusted users, who would already have full access to the box (either physically or by remote sudo/root access) anyway could exploit it and gain root.

      A firewall that allows unrestricted connections to any process running as root completely breaks this model, and though one may argue about its theoretical wisdom and purity, it's a model that is incredibly critical to a great many networks in practice.

    14. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      > ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?

      assuming the packages are bug free are we?

    15. Re:Investigation flawed, more like by elrous0 · · Score: 1

      This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"

      If you don't trust Father Steve, you don't deserve an Apple, Heathen Infidel!!

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    16. Re:Investigation flawed, more like by Genady · · Score: 1

      Part of me wants to think: "You know if you're serious about firewalling you'll write your own rules", but I think you're right. Someone (not it) needs to take a look at this research and confirm it, preferably from another machine on the subnet and not localhost. If I say 'drop outside access' by damned the OS/UI should do that.

      All that said Apple REALLLLLLLY needs to offer up a pro firewall config tool. I'm all about writing my own rules, but I know they could provide a nice interface to this if they wanted to.

      --


      What if it is just turtles all the way down?
    17. Re:Investigation flawed, more like by dhavleak · · Score: 1

      If it works the same way as it does in windows, then applications can be signed by any certificate authority that the system trusts (Verisign + a few other most likely), and the OS binaries would be signed by Apple themselves.

      In any case a signed module should not automatically be completely trustworthy. Verifying the digital signature merely tells you that the module has not been tampered with. If said module has an exploitable flaw (say a simple buffer overrun), you don't usually need to tamper with the module to take advantage of it.

    18. Re:Investigation flawed, more like by Schlaefer · · Score: 1

      Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem
      But signed does not mean flawless (i.e. not exploitable).
    19. Re:Investigation flawed, more like by Kadin2048 · · Score: 1

      This isn't about a root process being able to bypass the firewall, it's about external users being able to bypass the firewall to talk to a process running as root.

      You're making a distinction where none exists. If root starts a process that listens on a certain port, then it's logical to assume that root wanted to bypass the firewall for that process. Since root also has full control over the firewall, it doesn't make sense to touch root's processes. If you don't want to accept incoming connections, then you don't start a process that listens for incoming connections.

      If you don't want a process being accessible, probably best not to run it as root, or configure it so that it rejects connections except from localhost or the LAN, rather than relying on the firewall to do it.

      I can't think of that many processes that you'd want to have accepting connections and running as root anyway -- that in itself is bad practice. If you have to run it, and it has to accept connections, better to run it as its own unprivileged user (www, mail, etc.). Then it'll have some measure of compartmentalization and it'll be subject to the local firewall rules.

      Apple perhaps created one more reason not to run listener daemons as root, but it's not as though there weren't a lot of compelling ones already.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    20. Re:Investigation flawed, more like by Altus · · Score: 1


      The signing, from what I can see, is only about trust. If I install Acrobat (an example, I don't know if Acrobat is being signed or not) it will ask you if you want to run it the first time, tell you it's signed by Adobe. From then on it will run just fine.

      If some hacker manages to get you to run a script that changes the Acrobat executable then the signature won't match up and the app will no longer just run. That's the only protection it provides you beyond asking you the first time if you trust the application. There is no guarantee that Adobe didn't fuck up and make a version of Acrobat that wipes your system the first time you run it.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    21. Re:Investigation flawed, more like by Cally · · Score: 4, Interesting

      you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

      Er, yeah, but... these are Mac users you're talking about. The people who've been sold a computer that ordinary people can use without being computer experts, and which doesn't get viruses like Windows does. (Not counting the Linux refugees, of course.)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    22. Re:Investigation flawed, more like by gatekeep · · Score: 3, Informative

      The UI is saying "I'm blocking all connections" even though it isn't.

      Well technically, the only examples this article provides are of UDP services listening. So there's no evidence that the firewall is allowing 'connections'.

      I agree that to the end user connections probably means something different, but in the world of network protocols it has a very specific meaning, which doesn't include UDP services by definition. The only way for the firewall to deny inbound UDP sessions would be to fake connection state for these protocols. Many popular commercial enterprise class firewalls do just this, but I'm not surprised that a desktop firewall isn't doing it.

    23. Re:Investigation flawed, more like by Fweeky · · Score: 1

      Here's another thought-experiment: How do you stop a root process from modifying the firewall on any unix box ?

      You set kern.securelevel=3:

      3 Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
        changed and dummynet(4) or pf(4) configuration cannot be adjusted.


      Ok, not "any unix box", but should work on OS X since that's using ipfw. At least I assume they're still using it, anyone running the Leopard firewall fancy showing us what ipfw show looks like?
    24. Re:Investigation flawed, more like by Pinky's+Brain · · Score: 1

      Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

    25. Re:Investigation flawed, more like by teknopurge · · Score: 1

      If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't.

      Eh - I don't know if I buy even that.

      I know a car's engine makes a "vroooom" sound but I'm not going to try and replace the flywheel. People need to know what they are doing, not "think" they know.

    26. Re:Investigation flawed, more like by gatekeep · · Score: 4, Insightful

      Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

      Sure, if DNS isn't 'all that much'

      Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not.

    27. Re:Investigation flawed, more like by NNKK · · Score: 2, Insightful

      The Apache parent, the OpenSSH sshd parent(s), the postfix master process (postfix! an SMTP server built for the express purpose of security!), xinetd. These are just a few common network daemons that run as root as standard practice with their author's blessing.

      Welcome to the real world, it's not so rosy as you seem to think.

    28. Re:Investigation flawed, more like by Tom · · Score: 2, Interesting

      You are making the usual mistake of judging from your perspective.

      Apple is the one company on the market who I trust to actually do user tests. I'm also fairly sure they found out that Joe Average clicks on "block incoming connections" and still expects stuff to work. Which is why they made it behave that way, put the info into the help file for those of us who RTFM and give you commandline access and ipfw if you really know what you're doing.

      --
      Assorted stuff I do sometimes: Lemuria.org
    29. Re:Investigation flawed, more like by Hatta · · Score: 1

      This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"

      Isn't that exactly what everyone says when they say Macs "just work"?

      --
      Give me Classic Slashdot or give me death!
    30. Re:Investigation flawed, more like by dpninerSLASH · · Score: 2, Informative

      By default DNS will fall back to TCP for requests if it receives no response via UDP.

    31. Re:Investigation flawed, more like by Bill_the_Engineer · · Score: 1

      But signed does not mean flawless (i.e. not exploitable).

      True, but:

      A>> Firewalled doesn't mean protected from exploitation. If you don't need the service, then disable it.

      B>> One of the new security features of 10.5 is having the services running in a sandbox. If the service is actually running in a sandbox, then this would take care of most concerns about an undiscovered exploit.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    32. Re:Investigation flawed, more like by Anonymous Coward · · Score: 1, Insightful

      When you send a request to a dns server, it's outgoing, not incoming. So it shouldn't matter if you block incoming UDP traffic on port 53... unless you are running your own DNS server.

    33. Re:Investigation flawed, more like by Bill_the_Engineer · · Score: 1

      I'd hope that memory randomization and sandboxing would take care of most of the vulnerabilities.

      The job of the firewall is not to prevent vulnerabilities, it is to prevent unauthorized access.

      While the above is true, you are correct that a firewall can help prevent exploits by limiting access. However, setting the service configuration files correctly and disabling unused services are a better solution.

      I might add that if you were to install services manually, you can still manually setup the firewall rules (ipfw) to do what you want. So what was your point?

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    34. Re:Investigation flawed, more like by ipjohnson · · Score: 1

      Yeah but why would you want to revert to a slower heavier system for something simple like DNS?

    35. Re:Investigation flawed, more like by Slashcrap · · Score: 3, Funny

      Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

      Sure, if DNS isn't 'all that much'

      Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not.

      Your character gains +1 Networking points for knowing that DNS uses UDP/53 by default, but sadly loses 100 points for not knowing what a stateful firewall is and an additional 50 for confusing source and destination ports. You should probably re-roll before you get eaten by an ICMP packet.
    36. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      Even though UDP doesn't have states like TCP does, stateful firewalls still keep track of outgoing and incoming UDP connections. Provided you permit outbound UDP and also permit all related connections, blocking inbound UDP isn't going to break your DNS-- unless you're actually acting as an authority for a domain or as a local resolver for your network.

    37. Re:Investigation flawed, more like by eli+pabst · · Score: 1

      Perhaps Heise are just used to using Linux, where the firewall trumps all ?

      Unless things have changed with Leopard, OS X runs ipfw which is a standard FreeBSD firewalling software. It functions very similarly to iptables on Linux and absolutely should "trump all", otherwise an administrator could easily accidentally compromise system security by starting an application. Frankly this looks like a page from the old Microsoft playbook of sacrificing security for ease of use.

    38. Re:Investigation flawed, more like by dindae · · Score: 1

      In my opinion, it looks like this is a fairly straightforward case of the security folks assuming a certain "traditional" firewall behavior is the goal and Apple using poor (technically inaccurate) language in the UI. Hasn't Apple touted their new "application-based" firewall enough for these folks to see what they were doing with Leopard's firewall?

      -d

      --
      http://gp.darkproductions.com
    39. Re:Investigation flawed, more like by gatekeep · · Score: 2, Interesting

      Your character gains +1 Networking points for knowing that DNS uses UDP/53 by default, but sadly loses 100 points for not knowing what a stateful firewall is and an additional 50 for confusing source and destination ports. You should probably re-roll before you get eaten by an ICMP packet.

      I know what a stateful firewall is.. but the fact is that for UDP, there's no such thing. Some stateful firewalls do protocol inspection to fake state by figuring out when to expect a DNS packet, but UDP is by definition stateless. Without reading the protocol at a higher layer, there's no way to tell state from only the UDP headers.

      As for source and destination ports, that's irrelevant. A request from my machine going to the DNS server will have source port > 1024 and destination port 53. The response will reverse those - source port 53, destination port > 1024. How exactly am I to tell by looking at that information if a packet destined for a high port on my machine from UDP 53 is truly a reply or not? The only reliable way is to read outbound packets for requests, and keep a faux-state table of what I should expect in response. It works similar to state, but is not the same, and has a non-trivial amount more overhead.

    40. Re:Investigation flawed, more like by kigrwik · · Score: 1

      *** Critical Strike ***

      (no mod points, 'twas the best I could come up with)

      --
      -- don't discount flying pigs until you have good air defense
    41. Re:Investigation flawed, more like by Lumpy · · Score: 1

      I haven't trusted OSX firewalls for a long time. That is why I run LilSnitch. It blocks EVERYTHING outgoing unless I specifically allow it. Even OSX gets blocked.

      I never liked the "signed" or "trusted" apps get a free pass. I give out the passes not apple.

      --
      Do not look at laser with remaining good eye.
    42. Re:Investigation flawed, more like by liquidf · · Score: 1

      Damn, you're STILL wrong. It would reply using the originating source port number. It would ONLY use UDP53 if you are hosting DNS (ie. someone making a request TO you). Not only that, but most firewalls (consumer-grade) out-of-the-box know and allow traffic that merely responds to outbound requests. Take a look at your home router/firewall, linksys, netgear, d-link, multitech; I'm guessing that you probably don't have a specific entry for forwarding UDP53. That would mean that any INCOMING request on UDP53 would be discarded because the firewall would not know where it goes. The -149 pts still stands, sorry.

      --
      I've had just about enough of your vassar bashing.
    43. Re:Investigation flawed, more like by gatekeep · · Score: 1

      "it would reply using the originating source port number."

      Uhh, that's what I said.

      "The response will reverse those - source port 53, destination port > 1024."

    44. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      >Sure, if DNS isn't 'all that much'

      DNS can also work over TCP, although I am not sure how many ISPs provide DNS over TCP.

      Probably depends on whether it is on by default.

    45. Re:Investigation flawed, more like by Lars+T. · · Score: 1

      By default DNS will fall back to TCP for requests if it receives no response via UDP. Yeah, but many people set their firewall to block TCP port 53 by default. Catch 53?
      --
      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    46. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      Sigh, gatekeep, you STILL don't get it.

      Stateful packet inspection means that the firewall also keeps track of IP addresses, not just ports. It will only allow an incoming UDP packet with a source address that matches the destination address of the initiating corresponding outgoing source packet.

      An SPI firewall is keeping track of state (source addr, source IP, dest addr, dest IP) even for UDP. Separately for each outgoing UDP packet. That's what "stateful" means. These states are aged and expire after a (configurable) amount of time, for example 30 seconds.

      When your local, NATted computer makes a DNS lookup request from 192.168.1.1:1500 to 4.3.2.1:53 the firewall will translate the 192.xxx address to a legal IP address and send the packet on its way. Then it will only allow an incoming UDP packet from 4.3.2.1:53 to firewall_ip_addr:1500. Of course the firewall then needs to reverse the address translation. Also the source port number may need to change depending on whether other devices behind the firewall are using the same source port.

      This is elementary, Firewalls 101.
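
      The DNS lookup walked through above, and the earlier question of whether a packet "from UDP/53 to a high port" can be told apart from a real reply, as an added example that is not part of this thread: a small model of a stateful NAT/firewall that records the (inside addr, inside port, peer addr, peer port) tuple for every outgoing UDP packet, admits an incoming packet only if it reverses a live entry, re-maps a colliding source port, and ages entries out after 30 seconds. The public address 203.0.113.10 and the 40000+ spare-port pool are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import itertools

IDLE_TIMEOUT = 30.0  # seconds; the aging time the comment above uses as its example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    inside_ip: str      # private host that sent the first packet
    inside_port: int
    peer_ip: str        # remote server it talked to
    peer_port: int
    public_port: int    # port the firewall used on its own public address
    last_seen: float


class StatefulUdpNat:
    """Toy model (added example) of an SPI/NAT box tracking UDP exchanges."""

    def __init__(self, public_ip: str, timeout: float = IDLE_TIMEOUT):
        self.public_ip = public_ip
        self.timeout = timeout
        self._by_public_port: Dict[int, Entry] = {}
        self._by_flow: Dict[Tuple[str, int, str, int], Entry] = {}
        self._spare_ports = itertools.count(40000)  # constructed pool

    def expire(self, now: float) -> int:
        """Remove entries idle longer than the timeout; return how many."""
        stale = [e for e in self._by_public_port.values()
                 if now - e.last_seen > self.timeout]
        for e in stale:
            del self._by_public_port[e.public_port]
            del self._by_flow[(e.inside_ip, e.inside_port, e.peer_ip, e.peer_port)]
        return len(stale)

    def _pick_public_port(self, wanted: int) -> int:
        # Keep the inside port unless another inside host already holds it;
        # then the source port "may need to change", as the comment says.
        if wanted not in self._by_public_port:
            return wanted
        for p in self._spare_ports:
            if p not in self._by_public_port:
                return p

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Record state for an inside->outside packet and rewrite its source."""
        self.expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self._by_flow.get(key)
        if entry is None:
            entry = Entry(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port,
                          self._pick_public_port(pkt.src_port), now)
            self._by_flow[key] = entry
            self._by_public_port[entry.public_port] = entry
        entry.last_seen = now
        return Packet(self.public_ip, entry.public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Admit an outside->inside packet only if it reverses a live entry.

        Returns the un-NATted packet, or None when the firewall drops it.
        """
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._by_public_port.get(pkt.dst_port)
        # Peer address AND peer port must match: a packet from UDP/53 on some
        # other host is not a reply to anything an inside host sent.
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry.peer_ip, entry.peer_port):
            return None
        entry.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, entry.inside_ip, entry.inside_port)


def demo() -> dict:
    """Replay the 192.168.1.1:1500 -> 4.3.2.1:53 lookup and the cases it rules out."""
    fw = StatefulUdpNat("203.0.113.10")
    query = Packet("192.168.1.1", 1500, "4.3.2.1", 53)
    out = fw.outbound(query, now=0.0)
    reply = Packet("4.3.2.1", 53, "203.0.113.10", out.src_port)
    results = {
        "query_translated": out,
        "reply_admitted": fw.inbound(reply, now=1.0),
        # nothing was sent from port 1600, so this is not a reply
        "unsolicited_dropped": fw.inbound(Packet("4.3.2.1", 53, "203.0.113.10", 1600), now=1.0),
        # right port, wrong server: address mismatch is enough to drop it
        "wrong_peer_dropped": fw.inbound(Packet("198.51.100.7", 53, "203.0.113.10", 1500), now=1.0),
    }
    # a second inside host reuses source port 1500, so the firewall remaps it
    out2 = fw.outbound(Packet("192.168.1.2", 1500, "4.3.2.1", 53), now=2.0)
    results["second_host_public_port"] = out2.src_port
    # a reply arriving after the 30 s idle timer has run out no longer matches
    results["late_reply_dropped"] = fw.inbound(reply, now=40.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```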

    47. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      You are wrong, your quote is from help subsection "Setting firewall access for services and applications" and not "Block all incoming connections" which is a different button. The help for "Blocking all..." says: To have your firewall prevent connection of all services and applications, select "Block all incoming connections." It is not just badly worded, it is also wrong in the documentation.

    48. Re:Investigation flawed, more like by Anonymous Coward · · Score: 0

      The article is stupid and they do not know what they are talking about. I have installed many new Leopard clients and servers and ran port scans right after the installs on those systems from another machine. Came back with ZERO ports open.

  3. As any new OS by El+Lobo · · Score: 4, Interesting

    As any new OS out there, these are children diseases. Every new system will have problems: small problems and big problems. The difference is that some will get praise anyway and some others will get "defectivebydesign" or "haha" tags.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:As any new OS by marcello_dl · · Score: 1

      "defective by design" makes no sense if you're not a monopoly.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    2. Re:As any new OS by east+coast · · Score: 3, Insightful

      Apple may not be a monopoly but they certainly act a lot more like one than Microsoft does.

      --
      Dedicated Cthulhu Cultist since 4523 BC.
    3. Re:As any new OS by El+Lobo · · Score: 1, Informative

      Oh boy, say bye to your karma...

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    4. Re:As any new OS by croddy · · Score: 5, Informative

      "Defective by design" is not typically used to refer to "any defective technology, har har", except by a few folks here on Slashdot. "Defective by Design" is a campaign of the FSF, referring specifically to devices or software that are deliberately crippled with DRM. See defectivebydesign.org.

    5. Re:As any new OS by clang_jangle · · Score: 1

      Apple does have a sort of monopoly with its own user base via vendor-lockin. Most of the time it Just Works very well, and it has the cleanest, most robust desktop on the market. The price Apple users pay for that is vendor lockin ($$$) but many of us feel it's a reasonable trade-off. Plus of course, it contributes a great deal to the reliability and consistency of the platform. The Mac works like a consumer appliance (which is very nice when my brain is fried after a long, hard day) or I can use it pretty much the same way as any *nix box. But I certainly have complaints -- like *why* no tty0, tty1, etc? I can't see any good reason for that one, I think it's just Jobs' obsession with dumbing everything down. He occasionally goes too far IMO.

      That said, I still tend to prefer FreeBSD for my main machine (a laptop) and use OSX for my desktop machine, which is also my home entertainment center/digital recording studio/video production box. Nothing can touch the Mac's sound quality. That was true even in the classic reboot-every-two-hours days, and it's the main reason I like them.

      I tried to do my recording and video in every desktop OS out there (even windoze) but frankly, they all suck for that. Maybe IOKit should be ported to BSD and Linux as kernel modules? IOKit is free software. If that happens, many multimedia pros will be free to use any *nix, especially once compiz-fusion gets all the kinks out. We'd finally have a *real* free alternative to the Mac.

      Well, enough of my rambling, obviously I made my tea too strong this morning... :)

      --
      Caveat Utilitor
    6. Re:As any new OS by Anonymous Coward · · Score: 0

      I believe the traditional generic phrase for defective technology is "Broken As Designed". Accurate, and the acronym merely reinforces the point.

    7. Re:As any new OS by Cairnarvon · · Score: 1

      Minor "children diseases" are perhaps to be expected, but serious problems just aren't acceptable. Remember that this isn't new technology or an entirely new OS; it's just improvements on old technology and bugfixes.
      If that introduces serious new bugs, then yes, it does deserve a "haha" tag.

    8. Re:As any new OS by TheNetAvenger · · Score: 1

      deliberately crippled with DRM

      Yep it applies...

      Cool, so now we can talk about the application and driver signing in OS X, and all the audio/video DRM as well, and yell DRM DRM DRM a million times like people did when Vista was released?

      Or do we shut up because it is Apple, and label all their DRM as security?

    9. Re:As any new OS by Coriolis · · Score: 1

      I believe the term they're thinking of is working as designed.

      --
      Rgasuya aata! : I have been coding Perl and cannot tell where my fingers are now!
    10. Re:As any new OS by marcello_dl · · Score: 1

      No matter how they act (e.g.? I recall evil moves where they have a monopoly, which makes my point), they have no ways to profit from weaknesses in osx. Especially now.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    11. Re:As any new OS by ToasterMonkey · · Score: 1

      Dude, you're talking about their own software AND hardware. Has been for a very long time. Nothing in the whole damned world forces someone to buy a Mac.
      If Apple has a monopoly, then Sun has a monopoly in the Sparc server market, and Ford has a monopoly with the Mustang market.

      It's trivially easy to install OS X on PC hardware, and certainly didn't get harder with Leopard. They even HELP you install Windows on your Mac. What does that mean to you?

      Microsoft flat out abused its monopoly. I'm not sure what "acting like a monopoly" means to you, but until Apple stifles innovation and development in several software markets at once for years on end, your Microsoft analogy fails.

    12. Re:As any new OS by croddy · · Score: 1

      I'll be the first in line to criticize Apple's DRM, but by no stretch of the imagination does this firewall have anything to do with that.

  4. OS Firewalls by nurb432 · · Score: 5, Insightful

    Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.

    --
    ---- Booth was a patriot ----
    1. Re:OS Firewalls by pandrijeczko · · Score: 1
      Actually, a good security policy is to take a layered approach & to not simply just trust one device.

      Yes, an external NAT/firewall/router is advisable but there's nothing wrong with activating the computer's firewall also - especially because firewall activation is usually associated with additional activity logging which, on a computer, will be more comprehensive & more likely to be looked at than any logging on the router.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:OS Firewalls by Anonymous Coward · · Score: 1, Interesting

      Exactly right, having a firewall perimeter ONLY is a disaster waiting to happen. If something is unleashed internally, every machine should be self-protected as well.

    3. Re:OS Firewalls by pandrijeczko · · Score: 1

      And of course, both of them together are still *NO EXCUSE* for not putting on regular software updates, turning off unneeded services and making sure everything is configured securely...

      --
      Gentoo Linux - another day, another USE flag.
    4. Re:OS Firewalls by msimm · · Score: 1

      Do they use a different firewall on their servers?

      --
      Quack, quack.
    5. Re:OS Firewalls by AceCaseOR · · Score: 3, Interesting

      Unfortunately, Apple's apparent company line (based on what I've heard from Apple sales reps) is that you don't need any "3rd party security software". Specifically, I overheard a salesperson speaking to a customer who was buying a notebook computer for his daughter (who was going to college), saying that the customer didn't need to purchase any of that kind of software, because OS X had no security holes. I did restrain myself from taking the salesperson to task for this in front of the whole store - but only because I didn't want to get kicked out of the store - as I hadn't completed my purchase yet. If I'd already gotten my iPod, I would have, at least, brought this to the manager's attention. As it is, it'd been a long day, and I wanted to get my iPod and go, so didn't make a deal about it.

      In retrospect, I should have made a bit of a fuss about it, and were the situation to happen today, especially with what I learned from TFA, I would certainly have called the salesperson on this (albeit after I'd gotten my iPod - I'd rather not get kicked out of the store before I made my purchase).

      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
    6. Re:OS Firewalls by cycoj · · Score: 1

      Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.

      Yeah, that's why I always carry around my router with me, in case I need to access wireless at a hotspot.
    7. Re:OS Firewalls by walt-sjc · · Score: 1

      If something is unleashed internally

      Such as an un-patched laptop that is totally infested with malware... Work in any corporate environment and these things eventually find their way in... So what you do is only allow "trusted" machines on your "trusted" VLAN. A machine has to pass certain tests to maintain trust every time it is connected to the network. Untrusted "outsider" machines can still get to the internet and a "guest printer" though. This is what Network Access Control is all about. Furthermore, IDS systems can detect and shut down net access from anything that is behaving in an untrusted manner.

    8. Re:OS Firewalls by LurkerXXX · · Score: 2, Insightful

      Who the hell modded that insightful?

      Yes they SHOULD be used, in ADDITION to external dedicated firewalls.

      Anyone plugging in an infected laptop behind your LAN's firewall now has a shot at your firewall-free computer.

      Use both hardware and software firewalls. Layers of protection are good.

    9. Re:OS Firewalls by Bill_the_Engineer · · Score: 1

      Why do people always overlook the internal threats from "nosey" coworkers or disgruntled employees?

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    10. Re:OS Firewalls by nurb432 · · Score: 1

      I would agree with you ( in a perfect world ) except that today's OS based firewalls are so full of holes that it's the same as running without. So why bother wasting the extra resources?

      --
      ---- Booth was a patriot ----
    11. Re:OS Firewalls by nurb432 · · Score: 1

      If you are concerned about security, you should.

      Personally, I *expect* my laptop to be hacked into. That's why I reload it on a regular basis ( normally weekly ) and don't store anything of value on it. It's mostly just a remote access terminal that I use SSH on to get back to my data at home, or the office.

      --
      ---- Booth was a patriot ----
    12. Re:OS Firewalls by LurkerXXX · · Score: 1

      Please find a hole in my pf firewall on any of my OpenBSD machines.

      It's well, well worth the resources to run.

    13. Re:OS Firewalls by tyrione · · Score: 1
      Heard from a friend who, heard it from a friend who...

      The parent poster to your response wasn't talking about 3rd party Firewall Software. They were referring to a dedicated hardware appliance to be your firewall. This is not a solution for the vast majority of people, unless someone like F5 Networks plans on providing a hardware solution that is secure and affordable to the average Joe.

    14. Re:OS Firewalls by rat_herder · · Score: 1

      I'm sorry, but that is crap. I administer many, many OSX workstations. I wouldn't advise anyone to install any 3rd party security software on an up-to-date OS X client install.

      Sure the salesman was speaking dross when he said there are "no security holes in OSX". I'm not ignorant of the few exploits available for OSX, I just don't consider them a credible threat. I do take a few very simple steps to minimise OSX services exposure, that's just me.

    15. Re:OS Firewalls by SanityInAnarchy · · Score: 1

      except that today's OS based firewalls are so full of holes that its the same as running without.

      So what's the alternative? Some $1k Cisco firewall? Assuming, of course, that IOS hasn't been compromised...

      Because your Linksys router, likely as not, runs some form of Linux. May as well throw it away, it's "the same as running without."

      Or, in a perfect world, people would shut up if they don't know a thing about the subject at hand, instead of spewing random bullshit.

      --
      Don't thank God, thank a doctor!
    16. Re:OS Firewalls by Anonymous Coward · · Score: 0

      Please stop posting nonsense.

    17. Re:OS Firewalls by timmy+the+large · · Score: 1
      I hear people say things like this about Apple stores a lot. Why do you shop at a store that will kick you out so quickly? I don't think I could bring myself to shop somewhere that I had to worry about saying the wrong thing and upsetting the staff. If a store doesn't want your business, may I suggest shopping elsewhere. Amazon will ship it to your house, or you could go to OfficeMax/Depot/whatever or some other brick and mortar store that actually wants customers. I'm not trying to bash here but what is up with those stores?

      Seriously though, why do people shop there?

    18. Re:OS Firewalls by trifish · · Score: 1

      Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.

      That's true for inbound traffic. But for outbound traffic, only software firewalls are effective. An external firewall has no way of knowing whether it's CoolScreenSaver.exe or Firefox.exe trying to connect to a server. The answer is, use both (internal and external).

    19. Re:OS Firewalls by nurb432 · · Score: 1

      You didn't get my point.

      When I speak of "OS based firewalls", I'm speaking of running a firewall on the OS that you are using on your desktop/server. I realize that even dedicated devices have a ( hopefully hardened ) embedded OS of some sort.

      If you run a dedicated firewall ( one without the ability to update via software is even better ), you can always reboot/reload it on a regular basis ( I reboot mine daily; the actual system is not writable unless you physically flip a switch, only the swap and logs are writable ) to mitigate any compromises that may have occurred. If your firewall is compromised like this your workstation isn't automatically toast.

      --
      ---- Booth was a patriot ----
    20. Re:OS Firewalls by nurb432 · · Score: 1
      --
      ---- Booth was a patriot ----
    21. Re:OS Firewalls by SanityInAnarchy · · Score: 1

      you can always reboot/reload it on a regular basis ( I reboot mine daily; the actual system is not writable unless you physically flip a switch, only the swap and logs are writable ) to mitigate any compromises that may have occurred.

      Granted, that is more secure than a desktop.

      I also think there's not a lot of point to it, if you're running pretty much the same OS (without the hardening) behind the firewall. If the desktop OS is "full of holes", I'd imagine that most of these holes -- at least the ones you'd have a prayer of stopping with a "hardware" firewall -- are holes which could as easily be exploited to simply pass connections through as to install something locally. And if they can pass a connection through, they're now in your main box.

      I think that pretty much counters your point here:

      If your firewall is compromised like this your workstation isn't automatically toast.

      But that has nothing to do with it being "hardware". If it was simply a standard desktop/server OS at the firewall, you get the same protection -- and only assuming the same exploit that got them into the firewall won't get them into your desktop.

      Sure, you can reboot it -- but if, as you say:

      without the ability to update via software is even better

      Great, how much are you going to update it?

      If I find a vulnerability, and you simply reboot it the next day, fine, I'll punch through the next day, too. And every day, until you apply an update. Wouldn't you rather those updates happen faster?

      I'd also argue that, if a desktop OS is secure enough to include in a firewall (Linux), then there is, in fact, a very good reason for running a firewall on your desktop. For one thing, it lets you take it to insecure networks -- great for a laptop. For another, it means you don't have to immediately freak out when a friend plugs in behind your firewall. Doesn't mean you have to turn off that firewall, though.

      --
      Don't thank God, thank a doctor!
  5. Hm by d3vo1d · · Score: 2, Funny

    I guess we should expect to see 10.5.1 pretty soon.

  6. Software firewall by GodCandy · · Score: 1

    I tend to agree with the fact that software firewalls are more or less a joke. Some I would consider OK for some things such as blocking out the "static" that tends to make its way across any network from time to time. Else the best protection for most users is a simple hardware firewall. It keeps the bad people outside and allows you to do what you need to do with few restrictions. This is however no replacement for good old common sense which seems to get lost in the translation for today's society. Normally if you are surfing slashdot, e-bay, google, yahoo, and other popular sites you won't end up with worms and malware on your computer. If you're running a mac you will end up with less. However a mac is not the answer to all the problems. The answer lies with the end user.

    Else I feel that the firewall could probably use some work. I am sure that Apple is already working hard to correct whatever problems they are seeing and will be patching this within the first few weeks. I hate to see a patch that early as it reminds me a lot of a Microsoft release however it has to happen in this case.

    1. Re:Software firewall by GodCandy · · Score: 1

      If you would like to argue... I think the firewall in XP sucked since day one. I again didn't use it, opting for a hardware solution. I could care less if you use mac, windows, linux, or if your computer still runs off punch cards. It matters not. I am an equal opportunity hater. I however will never rely on a software firewall.

      I am however a part of the Apple camp. I would expect more from them but some of their more recent endeavours have not been up to their usual strict standards. However for that I can forgive them. Microsoft on the other hand has not been able to release a product with any consistency that does not cause me grief. My linux distros tend to be stable however I sometimes find some things on the bleeding edge that should not be included in those releases either.

      Else I was simply stating that yes software firewalls will always suck and yes you should get a real firewall router if you want any form of security on your local network. This is regardless of the os that you use as there are exploits targeting all of them nowadays.

    2. Re:Software firewall by pandrijeczko · · Score: 1
      I however will never rely on a software firewall.

      Then you are a fool who has no idea what he is talking about.

      As I said in a previous post on this thread, security is about layered protection, not one single point of potential failure. A sensible person deploys a hardware *AND* software firewall, as well as turning off unneeded services and checking everything is configured correctly.

      --
      Gentoo Linux - another day, another USE flag.
    3. Re:Software firewall by GodCandy · · Score: 1

      Perhaps you misinterpreted... I was stating exactly what you are attempting to rebut. I do not depend on a software firewall. I would never take a computer, be it a Mac or a PC, and hook it directly to my cable modem and expect it to be secure using only the software firewall. There are layers of protection including but not limited to software. I do however argue that the software firewall is weak in its defenses and should only be used as a last line of defense. I also agree that services that are not in use should not be running on your system. This just leaves you open for attacks. Every network I work with is set up in a layered architecture to help curb outbreaks on my systems.

      To this date I have had no problems with that setup. I however also use good common sense in my activities on the internet as not to become the victim of malware or other such programs.

      To clarify once and for all, when I stated "I however will never rely on a software firewall" I was simply referring to the fact that that is not a 100% fail-safe line of defense, be it hardware or software. Everything is only safe until someone figures out how to get into it.

    4. Re:Software firewall by cycoj · · Score: 1

      So what do you consider a software firewall? A machine running iptables can be considered a software firewall, hey iptables is software. Also you do realize that what you're saying is totally impractical for say laptops. You might never leave the house (as any good slashdot nerd ;), but other people might actually go outside, and they might want to connect to a wireless hotspot. What do you do then? Where's your hardware firewall?

    5. Re:Software firewall by rhavenn · · Score: 1

      PF is a "software" firewall. Once you know it you can rival any dedicated hardware device for security. Throw in a proxy service "filter" on your local box and you've suddenly got a better setup than 95%+ of the dedicated hardware firewalls out there.

    6. Re:Software firewall by quintessentialk · · Score: 1

      Normally if you are surfing slashdot, e-bay, google, yahoo, and other popular sites you wont end up with worms and malware on your computer.

      Indeed. This is what I tell people whenever I am asked to clean their computers: You don't get viruses from Disney.com.

      I've run windows for years without spyware or virus problems (though I do have zone alarm and AVG should my arrogance bite me). But I don't surf dodgy sites, or install random executables on my computer.
  7. and now for something completely different... by Tumbleweed · · Score: 5, Funny

    "It's not much of a firewall, is it?"

    "Finest on this subnet, sir!"

    "And how do you come to that conclusion?"

    "Well, it's so *clean*!"

    "It's certainly uncontaminated by security!"

    1. Re:and now for something completely different... by Cally · · Score: 0, Flamebait

      Flawed? So what's the nature of this flaw? Well, it doesn't really, well, work. Not as such. Not as such. Yeah, we've heard there's some BSD firewalls already out there, and apparently some of them are supposed to be pretty secure, but... hell, we don't need firewalls, this is a Mac! And, as the strip "Osama Bin Laden's Computer Nightmare" in the latest issue of Viz so perspicaciously pointed out, Macs can't get viruses.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:and now for something completely different... by wumpus188 · · Score: 1
      It's funny, but here is what I see on my MacBook running OS X Leopard:

      $ sudo ipfw list
      33300 deny icmp from any to me in icmptypes 8
      65535 allow ip from any to any
      $
  8. Lesson 5 - Belt and suspenders (braces) by JonTurner · · Score: 1

    jellomizer,

    Good post, but hardware firewalls are not infallible as they are also affected by Lesson #2 (made by humans who make mistakes) and can be hacked, as per Lesson #1.

    So, rather than have an either/or solution, why not apply all the tools at our disposal?
    * If you have a hardware firewall, use it.
    * If you have a software firewall, use that, too.

    And regardless, run a service such as "Little Snitch" which requires each application explicitly ask permission before communicating with external resources (e.g. "phoning home").

  9. Little Snitch anyone? by solosaint · · Score: 5, Informative

    most powerusers I know use Little Snitch ... its better than the firewall apple includes

    1. Re:Little Snitch anyone? by frodo527 · · Score: 3, Informative

      I use Little Snitch on my MacBook Pro (still running Tiger) because OS X's built-in firewall doesn't configure or notify you about outbound connections. The problem reported in the OP about Leopard's firewall concerns inbound connections. Little Snitch doesn't do anything about those. IOW, Little Snitch complements OS X's firewall but does not replace it.

      --
      http://blogostuff.blogspot.com/
    2. Re:Little Snitch anyone? by Juergen+Kreileder · · Score: 1

      Real powerusers write their own ipfw rules! But that's not the point.

    3. Re:Little Snitch anyone? by Anonymous Coward · · Score: 0

      It should go without saying to a power user such as yourself, but Little Snitch blocks traffic going out initiated by apps on your computer, not traffic coming in from sources you don't control.

    4. Re:Little Snitch anyone? by foniksonik · · Score: 1

      Little Snitch only covers outgoing requests from your system... ie: if you've downloaded some malware and it suddenly decides to send all your addressbook entries an email... Little Snitch will block it and ask you if you want to let it through. It does nothing for incoming requests.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  10. Re:Apple product insecure? No WAY! by rootofevil · · Score: 1

    To be fair, the wifi mess wasn't Apple's fault, it was a 3rd party driver (netgear?).

    --
    turn up the jukebox and tell me a lie
  11. Re:yup by d3vo1d · · Score: 1

    Perhaps you meant 10.5 (Leopard) rather than 10.4 (Tiger)?

  12. Negative story about Mac on Slashdot/ by Anonymous Coward · · Score: 0

    It must be Tuesday.......Wednesday, Thursday, Friday.........

  13. apple defense force by Anonymous Coward · · Score: 1, Funny

    to the rescue!

  14. Apple's security model is... by throatmonster · · Score: 1

    Security through obscurity! The saddest part is, way too much (i.e. more than zero) of the stuff I do and deal with use that security model too.

    --
    All pass beyond reach of medicine. None pass beyond the reach of love.
  15. Default Leopard install NMAP 4.20 scan by Kancer · · Score: 1

    Strange nmap picks it up as an IronPort C60. I know they run a BSD variant on those boxes but the dump is that similar.

    PORT STATE SERVICE VERSION
    22/tcp filtered ssh
    80/tcp filtered http
    443/tcp filtered https
    554/tcp filtered rtsp
    1755/tcp filtered wms
    Device type: specialized
    Running: IronPort AsyncOS
    OS details: IronPort C60 email security appliance

    1. Re:Default Leopard install NMAP 4.20 scan by jay-be-em · · Score: 1

      OS X seriously has a web server running by default?

      --
      "Orthodoxy means not thinking--not needing to think. Orthodoxy is unconsciousness." --Eric Blair
    2. Re:Default Leopard install NMAP 4.20 scan by Todd+Knarr · · Score: 2, Informative

      No. It means that the firewall's black-holing (dropping without generating any ICMP response) all packets to ports 80 and 443. It can do this whether or not a Web server's running.

  16. Re:Apple product insecure? No WAY! by Anonymous Coward · · Score: 0

    http://www.uninformed.org/?v=8&a=4&t=sumry

    Looks like it was in the built-in Atheros driver.

  17. Anyone tested this? by commodoresloat · · Score: 2, Interesting

    This was pointed out on a previous slashdot article and this poster claims it is not true.

    1. Re:Anyone tested this? by prockcore · · Score: 1

      That poster didn't have permission to view all the running services. He should've used sudo.

    2. Re:Anyone tested this? by juct · · Score: 2, Interesting

      This guy forgot to run it with "sudo" -- so lsof does not have sufficient rights to query.
      Do a

      sudo lsof -iUDP

      and you will see all the services listening on UDP ports.

      bye, ju

    3. Re:Anyone tested this? by Mathieu · · Score: 2, Interesting

      Doesn't show more with sudo:

      $ sudo netstat -an | fgrep LISTEN
      Password:
      tcp4 0 0 127.0.0.1.631 *.* LISTEN
      tcp6 0 0 ::1.631 *.* LISTEN
      Clearly the article is crap, the guy doesn't have a clue. Yesterday's comment post was well enough for this article, having it posted on the main page reflects poorly on the slashdot poster.
  18. Re:"defective by design" by Abjifyicious · · Score: 2, Informative

    Tagging this "defectivebydesign" doesn't make any sense here at all, whether or not Apple's a monopoly. "Defective by design" is a phrase coined to describe DRM encumbered products, because they really are designed to be that way. A defect in a firewall is most definitely not intentional. Unfortunately, "defective by design" has lost its roots, and has become a phrase that is mindlessly repeated by the slashdot hordes whenever any product has any problem with it whatsoever. Obviously it couldn't be due to oversight or incompetence, Apple must have intentionally gone out of their way to make a flaw in their firewall because they're evil. /sarcasm

  19. Wait a second... by CompMD · · Score: 5, Interesting

    I thought it was illegal for Germans to do this kind of investigation now. Is it? I mean, it requires "hacking tools."

  20. MAC firewall is mostly TCP. UDP is optional. by Anonymous Coward · · Score: 0

    This is a known issue with the Tiger firewall. It only filters TCP unless you check the "Block UDP Traffic" advanced option. Even then it doesn't block all UDP traffic.
    Why would they change this in Leopard?

  21. "Software firewall" != "firewall" by Anonymous Coward · · Score: 1, Informative
    The firewall maintained by the OS is, at best, a weak packet filtering defense when compared with a stand-alone, in-the-network firewall. The problem is that the on-board firewall is always at the mercy of the OS; anything with sufficient privileges can tamper with it. (Yes, I know of exceptions like FreeBSD's security levels, but that sort of defense is rare on most desktop computers.) A real network firewall
    1. sits inline in the network path
    2. is completely stand-alone, and not directly affected by changes to users' desktop environments
    3. is capable of moderately fine-grained access controls
    4. does not supplant other security measures, e.g., keeping your systems patched, practicing sanitary computing, etc.


    Ideally, a firewall also
    1. can do stateful inspection
    2. has some higher level awareness on the OSI stack (e.g., it can tell something might be amiss if it sees an SSH session being negotiated on 80/tcp and can react accordingly)
    3. can have a management interface that's completely separate from the interfaces on which it applies its rulesets


    Although I loathe analogies, in cars a real firewall sits between the dangerous (engine) and habitable (passenger) compartments, has a few holes poked in it to allow certain things through (throttle controls, wiring, etc.), and hopefully blocks everything else. The counterpart to a "software firewall" in such a case would be a piece of sheet metal between the engine and passenger compartments that spontaneously opened new holes whenever someone turned on the A/C, played a CD, or unfastened their seat belt. That's NOT A FIREWALL!
  22. All tests were run on localhost by hbp4c · · Score: 5, Insightful

    Perhaps I missed something...

    It looks like every test was run from the local machine. The tester set "block incoming connections", not "block local connections" and/or "block outbound connections".

    If you lsof, you're going to see ports open to localhost, unless the firewall is specifically dropping packets to 127.0.0.1.

    ntpdate is an ntp client tool, so it makes an outbound connection instead of an inbound connection.

    nmblookup actually warns the guy testing this - it realized that 192.168.69.21 was the local interface, so it responded as "localhost" instead of the samba name!

    The nmap test was the only tool that specifically checked a non-localhost IP, and it's not clear to me if it actually checked the localhost interface cleverly or actually sent packets out and through the firewall.

    As I said, perhaps I missed some critical fact. However, I would put more credibility in the tests if the tester had used a 2nd machine on his subnet to nmap the leopard firewall.

    1. Re:All tests were run on localhost by juct · · Score: 4, Informative

      Yes you are missing something.

      I ran all tests from a linux machine. Look at the packet dumps. It shows two machines communicating over a network.
      Look at the IP address given as an argument to ntpdate -- it is a public IP of an ISP that I queried from our company network.
      Look at the quoted logfile entries. All of them show that the tests have been run from external machines.

      bye, ju

    2. Re:All tests were run on localhost by Pinky's+Brain · · Score: 1

      Lsof was of course done locally, but if you look at the image in the article of their connection to the NETBIOS name server you can see it was from a different IP (192.168.69.2 192.168.69.21). In theory he could have run the ntp request and the connection to the netcat service they started locally, but it seems wholly unlikely. Give the guy some credit, C't isn't written by complete idiots.

      http://www.heise-security.co.uk/bilder/98120/1/1

  23. Badly worded ... by Pinky's+Brain · · Score: 1

    The netbios name service and NTP run regardless of how empty the services list seems to be. Also they never mentioned root, they ran netcat as a user and it was remotely accessible.

    I can't see how you could argue Leopard's settings are badly worded, or the other way around ... it's a completely meaningless argument. It's just plain untruthful. Heise are used to the meaning of words not being changed just to make it so Apple is right.

  24. I am not convinced by avatar4d · · Score: 5, Informative
    This article is a bit fishy in its interpretation. They don't list their expectations vs the results.. They just make assumptions. For instance:

    Users who want to raise their security level might choose the option "Block all incoming connections" - in the hope that this really will reject all incoming queries to network services.


    Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.

    The initial tests looked promising. The SSH server activated for testing purposes and the primitive demo backdoor could no longer be accessed from outside. The firewall even blocked access to a test server on a UDP port:

    Oct 29 11:26:49 Qf98e Firewall[44]: Deny nc data in from 193.99.145.XXX:28524 uid = 0 proto=17

    However, a simple port scan was enough to destroy our misplaced optimism:

    # nmap -sU 192.168.69.21
    PORT STATE SERVICE
    123/udp open|filtered ntp
    137/udp open|filtered netbios-ns
    138/udp open|filtered netbios-dgm
    631/udp open|filtered unknown
    5353/udp open|filtered zeroconf
    MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)


    They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.

    Then straight from NMAP's documentation:

    "Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/)

    And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would expect "Block all INCOMING connections" not to refuse information that I request. Basically this just does ingress filtering and not egress.

    I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.
    --
    Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
    1. Re:I am not convinced by Todd+Knarr · · Score: 2, Interesting

      The NTP port is easy enough to explain. NTP is a UDP-based protocol, so there aren't any connections. When operating properly, the time interval between packet exchanges with the time servers is long so maintaining the equivalent of a TCP masquerading map isn't feasible (you either need unreasonably long timeouts leading to odd behavior when the entries become invalid but aren't timed-out, or you tend to time out active entries). Since NTP packets are fairly simple and, being UDP, arrive in a single message with the length known as the packet is read, NTP clients aren't generally subject to buffer overflow attacks. Since they also default to not trusting or accepting synchronization from any hosts other than those they're configured to use and to only accept packets from those hosts that're in response to a known request from the client, and serving time up to random clients is considered safe for the server, it's not considered a risk to have them accessible and it simplifies the firewall rules considerably to just leave the NTP port open to the world.

    2. Re:I am not convinced by Kent+Recal · · Score: 1

      When operating properly, the time interval between packet exchanges with the time servers is long so maintaining the equivalent of a TCP masquerading map isn't feasible (you either need unreasonably long timeouts leading to odd behavior when the entries become invalid but aren't timed-out, or you tend to time out active entries).


      hmm, but doesn't ntp follow the same old request/response pattern?
      at least *my* ntp client has been working fine for ages with nothing but an old RELATED rule...

      look at your /proc/net/ip_conntrack sometime and you'll notice it also tracks udp just fine.
    3. Re:I am not convinced by eli+pabst · · Score: 1

      They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.
      That's how UDP scanning works. The fact that all of the other ports on the system appear as closed is highly suggestive that these ports are still accessible to the network. Plus, if you look at the last PNG image on the first page it shows an actual screenshot of tcpdump observing a connection from the remote client to the OS X system and the corresponding reply, clearly showing that a remote incoming connection is allowed through the firewall.
    4. Re:I am not convinced by Anonymous Coward · · Score: 0

      My first question with the article is why hasn't he taken this a step further in regards to enabling Stealth Mode in order to drop packets silently without response?... or does Stealth Mode allow such port scan info to slip through the cracks??
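The dispute above turns on how an nmap UDP scan arrives at "open|filtered" and whether a few such ports among many closed ones can be read as open. Added example, not code from the thread or from nmap: it encodes the -sU decision rules from the nmap manual cited above, parses a constructed scan listing modelled on the one quoted in the thread (the "Not shown:" line is nmap's normal summary line, added here), and applies the "mostly closed, a few silent" heuristic from the replies.

```python
"""Interpret nmap -sU results: the per-probe state rules and the thread's
heuristic for reading 'open|filtered'. Added example; the sample scan text is
constructed, modelled on the thread's output, and is not real scan data."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ICMP type 3 codes that the nmap manual lists as yielding "filtered" for -sU
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


def classify_udp_probe(udp_reply: bool, icmp_type: Optional[int] = None,
                       icmp_code: Optional[int] = None) -> str:
    """Map what came back for one UDP probe to nmap's port state."""
    if udp_reply:
        return "open"               # the service answered in UDP
    if icmp_type == 3 and icmp_code == ICMP_PORT_UNREACHABLE:
        return "closed"             # host says nothing is listening there
    if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
        return "filtered"           # a filter admitted it dropped the probe
    # Silence: a listening but quiet service and a firewall that black-holes
    # the probe look identical, so nmap cannot tell them apart.
    return "open|filtered"


PORT_LINE = re.compile(r"^(\d+)/udp\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")


def parse_nmap_udp(text: str) -> Tuple[Dict[int, str], Counter]:
    """Return {port: state} for the listed ports plus a Counter over all
    states, including the ports nmap collapsed into its 'Not shown:' line."""
    ports: Dict[int, str] = {}
    states: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, state = int(m.group(1)), m.group(2)
            ports[port] = state
            states[state] += 1
            continue
        m = NOT_SHOWN.match(line)
        if m:
            states[m.group(2)] += int(m.group(1))
    return ports, states


def likely_open(ports: Dict[int, str], states: Counter) -> Optional[List[int]]:
    """The thread's heuristic: when the host answers most probes with ICMP
    port unreachable (many 'closed'), a blanket UDP filter is not in place, so
    the few silent ports are very probably open. Returns None when the scan is
    uninformative (no closed ports, or silence dominates)."""
    total = sum(states.values())
    if total == 0 or states["closed"] == 0:
        return None
    if states["open|filtered"] * 2 > total:
        return None  # mostly silence: something is likely dropping everything
    return sorted(p for p, s in ports.items() if s == "open|filtered")


# Constructed sample modelled on the scan quoted in the thread.
SAMPLE_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org )
Interesting ports on 192.168.69.21:
Not shown: 995 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
631/udp  open|filtered unknown
5353/udp open|filtered zeroconf
"""

# Constructed counter-case: a host whose firewall silently drops every probe,
# so nothing is reported closed and the heuristic must refuse to conclude.
SAMPLE_ALL_SILENT = """\
Interesting ports on 192.0.2.10:
PORT     STATE         SERVICE
53/udp   open|filtered domain
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
"""

if __name__ == "__main__":
    ports, states = parse_nmap_udp(SAMPLE_SCAN)
    print(dict(states), likely_open(ports, states))   # [123, 137, 138, 631, 5353]
    ports, states = parse_nmap_udp(SAMPLE_ALL_SILENT)
    print(dict(states), likely_open(ports, states))   # None
```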

  25. Sandboxing is fun! by Anonymous Coward · · Score: 0

    ls /usr/share/sandbox/
    bsd.sb quicklookd.sb
    krb5kdc.sb syslogd.sb
    mDNSResponder.sb update.sb
    mdworker.sb xgridagentd.sb
    named.sb xgridagentd_task_nobody.sb
    ntpd.sb xgridagentd_task_somebody.sb
    portmap.sb xgridcontrollerd.sb


    No one ever thinks of the sandbox. Just sayin, is all.
  26. Misleading descriptions by Todd+Knarr · · Score: 4, Informative

    I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it is being blocked. If this is any indication of the quality of this "analysis", we can discount the article.

    1. Re:Misleading descriptions by gatekeep · · Score: 1

      The TCP spec says if a port isn't open the client should get an ICMP error,

      Huh? ICMP doesn't relay any information about ports. It's not even part of TCP but a completely different ip protocol. You'll get ICMP redirects or unreachables at layer 3 based on routing, but never based on port.

      If a port isn't listening, the destination will reply with a TCP RST. If it's firewalled, most firewalls will silently discard it and the source gets no response; their SYN just goes off into the ether. If it's open, the destination will respond with a SYN/ACK.

      Other things can be at work here though.. for example, SYN Cookies will SYN/ACK every SYN regardless of service open/closed status, thus making all ports appear open to a simple nmap -sT scan.

    2. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      ICMP type 3 errors, destination unreachable, are very specifically for this purpose. In particular type 3 code 3, port unreachable, is returned if the port the client's trying to connect to isn't listening for connections. Type 3 code 13, communication administratively prohibited, is intended to be returned if a firewall rule prohibits the connection (eg. a filtering rule denies connections to that host and port). And yes, ICMP isn't part of TCP. It is, however, part of IP (although it's a parallel protocol at the same level as IP) and intended precisely for this sort of thing.

      A TCP RST response is not the proper response to a closed port. It would indicate that the port was open, the listening application accepted the connection and then immediately (before any traffic was received) rejected the connection. Most commonly this happens when tcp_wrappers is being used to control access to services. It has to accept the connection to get the peer address, and then if that peer address isn't allowed access it resets the connection.

    3. Re:Misleading descriptions by gatekeep · · Score: 1

      What's the source for your statement that TCP RST is not the proper response to a closed port? I've literally never seen a Type 3 code 13 in response to a TCP SYN, and wonder if you're not confusing TCP and UDP somewhat.

      NMAP's docs indicate that a TCP RST in response to a SYN is a determination that a port is 'CLOSED', and any ICMP response will flag it as 'filtered' including an ICMP type 3 code 1,2, 3, 9, 10, or 13. See the -sS (TCP SYN scan) section of http://insecure.org/nmap/man/man-port-scanning-techniques.html In practice, I've never seen any firewall which will report an ICMP error in response to a filtered TCP port, and only rarely have I seen one which gives any response at all, but if it does respond, that response would be a RST.

      Now, for UDP packets, the proper response to a connection request destined for a port on which you're not listening is indeed an ICMP type 3, code 3. Obviously, there's no connection state here, and thus no way to RST a session so ICMP is used to notify the requestor.

      I tried to find an RFC to reference, but honestly the TCP RFCs are pretty complicated, revised several times, etc.. so I couldn't find a definitive reference. If you have a source that backs your statement about ICMP responses to TCP connection attempts, I'd love to see it... in my experience, every protocol stack I've ever encountered operates by replying with a RST.

    4. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      The sources are RFC 792, the ICMP protocol specification, and RFC 1812, IP v4 host requirements (especially section 5.2.7.1 relating to firewalls). Note that the TCP protocol specification isn't particularly relevant to a discussion of how the IP stack responds to a TCP port not listening, since if the port isn't listening the TCP connection sequence never begins. A TCP RST presumes an existing connection to reset, which there can't be if there's nothing listening for a connection to be established with.

    5. Re:Misleading descriptions by gatekeep · · Score: 1

      Thanks for providing links to the RFCs. That helps me understand where you're coming from.

      As for the relevance of TCP RFCs, they're very relevant. What we're talking about is how to respond to a TCP SYN, which by its very nature is a TCP operation. A connection exists on the client's end the moment it sends a SYN. It's not in 'established' state, but is in 'SYN-SENT' state and entered in the connection table. The server doesn't need to acknowledge a connection attempt to tell the client to tear down its connection. I totally agree with you for non-TCP protocols, but TCP is different.

      See RFC 1122 which states in part;
      "A Destination Unreachable message that is received MUST be
      reported to the transport layer. The transport layer SHOULD
      use the information appropriately; for example, see Sections
      4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
      that has its own mechanism for notifying the sender that a
      port is unreachable (e.g., TCP, which sends RST segments)
      MUST nevertheless accept an ICMP Port Unreachable for the
      same purpose."

      The RFCs you've provided also support my explanation -- RFC 792 states;
      "If, in the destination host, the IP module cannot deliver the
      datagram because the indicated protocol module or process port is
      not active, the destination host may send a destination
      unreachable message to the source host."
      Note that it MAY send an unreachable. It's not required. In my experience, most stacks will send a type 3 code 3 in response to UDP attempts to closed ports, but never TCP.

      RFC 1812 also states;
      "Routers MUST be able to generate the Redirect for Host
      message (Code 1) and SHOULD be able to generate the Redirect for Type
      of Service and Host message (Code 3) specified in [INTERNET:8]."
      Note 'SHOULD' which in RFC parlance means it's not required.

      Under the section "5.3.9 Packet Filtering and Access Lists" which seems most related to our discussion;
      "The router SHOULD allow an appropriate ICMP unreachable message to be
      sent when a packet is discarded. The ICMP message SHOULD specify
      Communication Administratively Prohibited (code 13) as the reason for
      the destination being unreachable."
      Again, it's not a requirement, but it's recommended.

    6. Re:Misleading descriptions by eli+pabst · · Score: 1

      No, it's exactly what the output says...it's either open or filtered. If the packet is accepted by the system, then no icmp error message is generated which is the same as if it is silently dropped by a firewall (hence open|filtered). Generally when you do a udp scan of a firewall that is filtering udp connections, then *all* ports on the system will appear as open|filtered. If just a few appear that way while others are closed then you can be fairly sure they are open. They then go on to show a tcpdump trace of an unsolicited incoming SMB connection and the corresponding reply. Their analysis is spot on, you just have no idea what you are talking about.

    7. Re:Misleading descriptions by Lars+T. · · Score: 1

      As for the relevance of TCP RFCs, they're very relevant. What we're talking about is how to respond to a TCP SYN, which by its very nature is a TCP operation. And I thought we were talking about "open/filtered" UDP ports.
      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    8. Re:Misleading descriptions by gatekeep · · Score: 1


      Well, that's what the article is about.

      The whole thing started because he said "The TCP spec says if a port isn't open the client should get an ICMP error," Which is flat out not true.

      I think we're just talking about different things though.. he might've said TCP when he meant UDP

      Whatever.. I quit.

    9. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      Well yes, I'd expect it to. The NetBIOS services on my computers do too despite being firewalled. That's because, if you look at the packet dump, the packets are sourced from the local subnet (the addresses are 192.168.69.2 and 192.168.69.21, both in the 192.168.69.0/24 network within the 192.168.0.0/16 reserved block). For SMB shares to work at all, you need to allow NetBIOS services to and from the local subnet. Since that's by definition on a different interface from the outside world (192.168.x.x addresses are not going to work on a public interface), it's a safe hole to poke. For a proper test, the attempt to access the service needs to be from a machine not on the local network.

    10. Re:Misleading descriptions by eli+pabst · · Score: 1
      They do it both ways. In the screenshot they use local IP addresses, but look at the text dump slightly above the image link on the front page, I'll quote it for clarity:

      $ sudo tcpdump -i ppp0
      10:13:06.944735 IP XXX.heise.de.18099 > Qc39a.q.pppool.de.ntp: NTPv4, Client, length 48
      10:13:06.945007 IP Qc39a.q.pppool.de.ntp > XXX.heise.de.18099: NTPv4, Server, length 48
      Those are obviously obfuscated public IP addresses on both client and target, so this hole applies remotely. FWIW, I hope apple doesn't fix this :-]
    11. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      Yes, but the text dump is for the NTP protocol, not NetBIOS, and NTP's a protocol that presents a very low risk and it's much easier to just punch it through globally and let the NTP client handle discarding bogus attempts to alter its time. Given that Apple's using the standard ntpd software, I'm going to want to see details of an actual exploit before I consider having it open a hole.

    12. Re:Misleading descriptions by eli+pabst · · Score: 1

      If a user sets his firewall to "block all incoming connections" and ntp is still allowed, that is either a flaw in the firewall or the user interface.

    13. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      Not really. Remember that UDP doesn't have the concept of a connection. There's incoming packets, but at the level of the firewall it's much harder to determine whether a UDP packet's in response to a request from the local computer or not. And you can't block all incoming UDP packets. If you do, things like DNS stop working because the replies to your DNS queries get blocked. And the non-technical user isn't going to know which holes really do need punched through the firewall for things like DNS and time sync to work, so when the user says "block all incoming connections" the firewall has to decide for them which exceptions it has to make for the computer to keep working. When the user says "block all incoming connections" but also says "synchronize your time to the Internet", the firewall has to notice that it can't comply with the second request if it implements the first literally so it needs to make an appropriate exception.

      That's a critical point, BTW: the firewall settings are not the only instructions the user has given the system. If I tell it "synchronize your time with the Internet", the computer shouldn't decide to ignore that instruction just because I've also enabled the firewall. And if you do want it to start ignoring what the user's told it, why should the firewall settings take precedence over other instructions?

    14. Re:Misleading descriptions by eli+pabst · · Score: 1

      Remember that UDP doesn't have the concept of a connection.
      All stateful firewalls including OS X's have a concept of connection tracking for UDP and you absolutely can identify a state like "new" or "established" for udp. Firewall connection tracking is not the same concept as tcp connection states and connection state tracking *does* exist for protocols which do not in of themselves have a built-in state tracking mechanism like tcp.

      And you can't block all incoming UDP packets.
      You can block unsolicited incoming connections but allow udp packets belonging to a connection that was initiated by the OS X system, again using the stateful connection tracking mechanism.

      When the user says "block all incoming connections" but also says "synchronize your time to the Internet"
      The firewall settings should *always* override other application settings so that an administrator cannot accidentally open a hole in the firewall. Letting an application override system security is moronic and lazy. Microsoft has spent years digging itself out of that same mentality that you seem to be happily advocating. Unless you want other systems to be able to sync their time from your OSX system, then you do not need to allow total access to the ntp ports. You can block incoming connection attempts but still allow your system to sync to the remote timeserver.
    15. Re:Misleading descriptions by Todd+Knarr · · Score: 1

      The firewall settings should *always* override other application settings so that an administrator cannot accidentally open a hole in the firewall.

      This leads to the nonsensical result that when I tell the computer "block all incoming connections" and "synchronize your time to the Internet", it may not be allowed to synchronize time to the Internet because the incoming UDP packets needed for time synchronization will be blocked. There are ways around that, but remember that with NTP if I send a request to UDP port 123 on the NTP server, the reply does not have to come from UDP port 123 on the NTP server and connection tracking won't work in that case. The same applies to DNS. Both ntpd and BIND can be and often are configured to use random non-privileged ports for outgoing packets to remove the need to run as root after binding their listening port. When the UDP response doesn't come from the same port on the server that the request went to, connection tracking (which depends on matching up addresses and ports) fails to work and you need to punch a hole explicitly in both directions.

    16. Re:Misleading descriptions by eli+pabst · · Score: 1

      but remember that with NTP if I send a request to UDP port 123 on the NTP server, the reply does not have to come from UDP port 123 on the NTP server
      The reply packet from the NTP server will just have the source and dest ports flipped. You can see it in the tcpdump trace FTA.

      Both ntpd and BIND can be and often are configured to use random non-privileged ports for outgoing packets to remove the need to run as root after binding their listening port.
      I think you are confused. Please cite the exact part of an RFC or implementation spec that describes that behavior.

      When the UDP response doesn't come from the same port on the server that the request went to, connection tracking (which depends on matching up addresses and ports) fails to work and you need to punch a hole explicitly in both directions.
      I've written hundreds of custom iptables and pf firewall scripts including build specs for fortune500 companies and used connection tracking for handling both NTP and DNS. It works, I've done it, I'm doing it right now.
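The last few replies argue over whether "block all incoming connections" can be enforced for UDP by tracking flows the host itself started. Added example, not code from the thread and not OS X's firewall: a minimal stateful UDP tracker that admits an inbound packet only when it is the flipped-tuple reply to a recorded outbound request, and the scenario shows the three cases the replies raise (a normal NTP reply, an unsolicited NetBIOS query, and a reply from a different server port). The addresses, ports and timeout are constructed values.

```python
"""Minimal stateful UDP tracking, added to illustrate the thread's argument.
Addresses, ports and the timeout are constructed; not OS X's ipfw rules."""
from collections import namedtuple
from typing import Dict, List, Tuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
FlowKey = Tuple[str, int, str, int]   # (local_ip, local_port, remote_ip, remote_port)


class UdpConntrack:
    """Tracks UDP flows initiated by this host; no flow, no inbound packet."""

    def __init__(self, local_ip: str, timeout: float = 30.0):
        self.local_ip = local_ip
        self.timeout = timeout                 # constructed idle timeout (s)
        self.flows: Dict[FlowKey, float] = {}  # flow -> last time it was seen

    def outbound(self, pkt: Packet, now: float) -> None:
        """A request leaving this host opens (or refreshes) a flow entry."""
        self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now

    def inbound(self, pkt: Packet, now: float) -> str:
        """Decide an arriving UDP packet: 'accept' only if it matches an
        open flow with addresses and ports flipped, otherwise 'deny'."""
        self._expire(now)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now              # reply keeps the flow alive
            return "accept"
        return "deny"                          # unsolicited, or tuple mismatch

    def _expire(self, now: float) -> None:
        """Drop flows idle longer than the timeout, so a late packet that
        merely looks like a reply is not admitted indefinitely."""
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.timeout}


def run_scenario() -> List[str]:
    """Walk through the cases debated in the thread and return the decisions."""
    ct = UdpConntrack("192.0.2.10", timeout=30.0)
    decisions = []

    # 1. This host queries a remote NTP server from an ephemeral port.
    ct.outbound(Packet("192.0.2.10", 49152, "198.51.100.5", 123), now=0.0)
    # The server answers with source and destination flipped: accepted.
    decisions.append(ct.inbound(Packet("198.51.100.5", 123,
                                       "192.0.2.10", 49152), now=0.2))

    # 2. An unsolicited NetBIOS name query from a neighbour: no flow, denied.
    decisions.append(ct.inbound(Packet("192.0.2.99", 137,
                                       "192.0.2.10", 137), now=1.0))

    # 3. The edge case raised above: a reply from a server port other than
    #    the one the request went to does not match the tuple, so strict
    #    tracking denies it and an explicit rule would be needed instead.
    decisions.append(ct.inbound(Packet("198.51.100.5", 32000,
                                       "192.0.2.10", 49152), now=1.5))

    # 4. A packet matching the NTP flow, but after it has idled out: denied.
    decisions.append(ct.inbound(Packet("198.51.100.5", 123,
                                       "192.0.2.10", 49152), now=45.0))
    return decisions


if __name__ == "__main__":
    for case, verdict in zip(("ntp reply", "unsolicited netbios",
                              "reply from other port", "expired flow"),
                             run_scenario()):
        print(f"{case:22s} -> {verdict}")
```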
  27. A hardware firewall explained by mkiwi · · Score: 3, Informative
    I've read too many posts to ignore this.

    [Rant]

    There is no such thing as a purely hardware firewall in modern times.

    The hardware like a Cisco pix has software (i.e. firmware) running on top of a simple (usually Linux or bsd architecture). A true hardware firewall is John or Jane sitting at a switchboard plugging in and unplugging cables, like way back when telephones first existed. You could also theoretically unplug the networking cable every-so-often to get a firewall-like effect, but the bottom line is that there is something (a brain) that decides what goes in and what goes out. The brain is a bunch of code (software) that is the firewall.

    Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.

    [/Rant]

    1. Re:A hardware firewall explained by Anonymous Coward · · Score: 5, Informative

      Actually, no, the literal definition of a firewall is a wall built to block the spread of fire, like the wall between the engine and passenger sections of a car. Not a wall made of fire, lol.

    2. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      While I understand your post it is rather pointless. A "hardware" firewall is a piece of hardware that is dedicated to the task of protecting the network. Sure it runs software but then pretty much everything in the IT world does. The difference between a "hardware" firewall and a "software" firewall is that one is a dedicated device (normally with many more options than just detection/protection) and the other is a service/driver/application that sits on top of a generic system.

    3. Re:A hardware firewall explained by shelterpaw · · Score: 1

      A hardware firewall is just a dedicated piece of hardware used as a firewall as opposed to a software application firewall running on a user machine. A piece of hardware dedicated to firewall software. Not a big deal, so don't get your panties all in a bunch, Mr. Rant.

    4. Re:A hardware firewall explained by peacefinder · · Score: 1

      "Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall."

      Personally I'd call that a vaporware firewall.

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    5. Re:A hardware firewall explained by TwistedSpring · · Score: 1

      I think the lingo has evolved and left you behind. I understand "hardware firewall" to mean a hardware device that only functions as a firewall. Obviously the firewall it runs will be software or firmware. The idea of having some sort of "pure" hardware firewall implementation where you flick DIP switches to accept or drop packets is ludicrous. Perhaps the term "discrete firewall" would suit you better?

      Also, as far as Leopard's firewall functionality goes I think they have struck quite a nice balance between irritating and protecting the user. People buy Macs primarily because they don't want bullshit from their computer. I don't have a Mac but I'm confident that Apple understand that to run something as root is to grant it complete control of the system (and, incidentally, the firewall) and have made sure that only system-critical network services run as root. I would be surprised to find network services that listen on anything other than localhost running as root in the base install. Besides, blocking root services with a firewall that can be controlled by root is an entirely pointless exercise.

    6. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      What prevents anyone from "programming" a firewall in VHDL and synthesizing a 100% hardware solution? Unless it's FPGA, you wouldn't call that firmware, would you?

    7. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall.

      Um... Not to be too pedantic and offtopic, but no. The definition of a firewall is to prevent flames from getting in; for example: an automobile's firewall.

      Instead of thinking of it as flaming death for all those who dare to attempt to trespass (or for a newbie on usenet asking a stupid question), you might do better to think of it as a wall preventing the very fires of the Hell that is the internet from bursting through your connection and into your machine, and scorching ads for viagra into your drive's platters.

      If you're going to rant, it's best you get your metaphor set up properly first.

    8. Re:A hardware firewall explained by bbdd · · Score: 1

      quote:

      "Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall."

      actually, the literal definition of a firewall is a partition that stops the spread of fire. for example, you have one in your car.

      http://dictionary.reference.com/search?q=firewall

    9. Re:A hardware firewall explained by dumpster+baby · · Score: 1

      A technical definition of firewall is any barrier that thwarts a destructive agent. A firewall is a partition designed to inhibit the spread of fire. After direct exposure to fire for any amount of time, the firewall fails.

    10. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      I'd love to see a hardware firewall. It would need an entire TCP/IP stack implemented in discrete logic, or maybe Verilog on FPGAs if we're not feeling completely evil. Talk about huge and impossible to debug.

      Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.

      Last I heard, a firewall was a wall built to withstand fire for a significantly longer period of time than normal. For example, the firewall in your car would keep an engine fire from coming through and immolating (or at least broiling) the contents of the passenger compartment before said contents could get out.

    11. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      Since we're not ignoring casual misuse of the language: the meaning of "firewall" is not a literal wall of fire designed to keep people out. It is a wall built to keep fire from spreading (like the firewall at the rear of the engine compartment in your car). Your definition implies that the literal definition of a "bulkhead" is a massive ships' toilet.

    12. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      Technically, the literal definition of a firewall is a wall that holds back fire, not a wall of fire. For example, there is a firewall between the engine compartment and the passengers in all automobiles to keep the passengers from getting all crispy when the engine explodes... _That_ is a real hardware firewall.

    13. Re:A hardware firewall explained by Anonymous Coward · · Score: 0

      A firewall isn't a wall of flames. It is a protective barrier that impedes the progress of a fire. Think of your car's firewall, separating the engine compartment from the passenger compartment.

      Most people equate hardware firewalls with dedicated firewalls.

    14. Re:A hardware firewall explained by jajuka · · Score: 1
      Actually, no, the literal definition of a firewall is a wall built to block the spread of fire, like the wall between the engine and passenger sections of a car. Not a wall made of fire, lol.

      I find it very very sad that this is marked +5 informative....

    15. Re:A hardware firewall explained by paimin · · Score: 1
      --
      Facebook is the new AOL
    16. Re:A hardware firewall explained by Bee1zebub · · Score: 1

      Given how many office/university buildings have little yellow stickers on them (like asbestos ones) marking walls as firewalls, I agree. +2 or +3 would be about right..

      You are in a hot air balloon...

    17. Re:A hardware firewall explained by dindae · · Score: 1

      Most people are using "software" firewall to refer to a service or package running as software on the same (and only) client machine that is being protected. "Hardware" firewall is generally being used to refer to a device external to the client or clients capable of protecting multiple clients while not using any resources on the client.

      I think it is correct to think of a software firewall as a layer on top of the TCP stack acting on packets that have already arrived at the client. A hardware client can prevent packets from ever reaching the clients behind it.

      I believe in a layered approach to security. Each layer should provide protection making it more difficult and less likely that an automated or manual attack will break all the intervening layers and reach the protected client. So, I would always want to have a "hardware" firewall in the mix.

      But I like the functionality a software firewall can provide by having data about the services and running state of the client itself. A hardware firewall will generally not have and not care about the configuration of the client, but a software firewall will have access to this information. It can make things easier to administer by opening the correct ports when a service is enabled or warning the user that an accessible executable has changed.

      But no matter what you do, don't convince yourself you are protected from everything. A little paranoia goes a long way.

      --
      http://gp.darkproductions.com
    18. Re:A hardware firewall explained by gardyloo · · Score: 1

      The parent poster is feeling a bit depressed that it's not common knowledge.

  28. other quirks with OSX and the services/firewall by cpotoso · · Score: 0

    This is on OSX 10.4. I wanted to share an internet connection (internet to eth0, then the airport card serving as a gateway for 2 laptops and an iphone to access the internet). All peachy, but this stupid OS does not let me do it unless I also setup an apache webserver?!?!?! Why? Why? Why? Why? Why? Why? Why? I do NOT want a webserver, just for the machine to be a gateway, but no... (sure there must be a way, but I did not feel like digging through pages of documentation... ended up allowing the server but changing the httpd config file to listen only to 127.0.0.1). The Macs always force you to work around the OS in silly ways... Sure it is a nicer system than Windoze and it has more apps available than linux (I used to be a linux-only person), but it is weird...

    1. Re:other quirks with OSX and the services/firewall by Anonymous Coward · · Score: 0

      Huh? Apache? I think this might be a case where you just happened to click it and didn't realize the internet sharing was working. I've never had to enable Apache to share my internet connection.

    2. Re:other quirks with OSX and the services/firewall by wolrahnaes · · Score: 2, Informative

      This is on OSX 10.4. I wanted to share an internet connection (internet to eth0, then the airport card serving as a gateway for 2 laptops and an iphone to access the internet). All peachy, but this stupid OS does not let me do it unless I also setup an apache webserver?!?!?!

      What the fuck are you smoking?

      I'm sitting here on my Macbook sharing my 3G connection from my phone over WiFi to a few of my coworkers' laptops, and Apache is certainly not running. Currently I'm on 10.5, but I never had to turn it on with 10.4 either.
      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    3. Re:other quirks with OSX and the services/firewall by cpotoso · · Score: 1

      Huh? Apache? I think this might be a case where you just happened to click it and didn't realize the internet sharing was working. I've never had to enable Apache to share my internet connection.

      In 10.4.11, if you do not enable "personal web sharing" (which enables apache), then you cannot connect to the internet (the gateway is closed). It says so and it is so. I do not know why, but it is...
    4. Re:other quirks with OSX and the services/firewall by cpotoso · · Score: 1

      What the fuck are you smoking? I'm sitting here on my Macbook sharing my 3G connection from my phone over WiFi to a few of my coworkers' laptops, and Apache is certainly not running. Currently I'm on 10.5, but I never had to turn it on with 10.4 either.

      Hey, nice manners, eh? Where did you say you grew up? In 10.4.11, if you do not enable "personal web sharing" (which enables apache), then you cannot connect to the internet (the gateway is closed). It says so and it is so. I do not know why, but it is...
    5. Re:other quirks with OSX and the services/firewall by Dahan · · Score: 0

      In 10.4.11

      Despite all the rumors of 10.4.11 being released "real soon now," the latest 10.4.* is still 10.4.10. I suspect your problem is using a beta/pre-release OS.
    6. Re:other quirks with OSX and the services/firewall by Anonymous Coward · · Score: 0

      When it asks you to 'enable personal web sharing', does it mean on the Firewall tab (ie, open the corresponding ports), or on the Services tab (ie, turn on apache)?

      Can you check the Personal Web Sharing box on the Firewall tab without checking the Personal Web Sharing box on the Services tab?

    7. Re:other quirks with OSX and the services/firewall by Stu+Charlton · · Score: 1

      Nope, you've got to turn on Personal Web Sharing; the firewall page's Personal Web Sharing box is greyed out, as are all other built-in features on the Services tab.

      Rather counter-intuitive. I know OS X 10.5 has fixed this, however.

      --
      -Stu
  29. quote by Anonymous Coward · · Score: 0

    In the words of Nelson Muntz "Ha Ha"

  30. Re:"defective by design" by rkanodia · · Score: 1

    Agreed. There's a huge difference between "designed to be defective" and "designed defectively". Perhaps "defective by intent" would be more accurate, but you lose the satisfying and easy-to-remember assonance.

  31. Why isn't this story also tagged as "haha"? by PipingSnail · · Score: 3, Insightful

    Why isn't this story also tagged as "haha"?

    If this was a story about a Windows Firewall, as well as defectivebydesign you'd also have the "haha" tag. Do I detect bias?

    1. Re:Why isn't this story also tagged as "haha"? by Anonymous Coward · · Score: 0

      Tags are added by readers. Are you shocked that /. readers have a bias? Maybe you should add the tags yourself.

    2. Re:Why isn't this story also tagged as "haha"? by Anonymous Coward · · Score: 0

      Yes, of course you detect bias. Get over it.

    3. Re:Why isn't this story also tagged as "haha"? by ChrisMounce · · Score: 1

      Are you sure you know what defectivebydesign means?

      Somebody correct me if I'm wrong here, but I don't see any association between DRM and firewalls.

    4. Re:Why isn't this story also tagged as "haha"? by mrbluze · · Score: 1

      Why isn't this story also tagged as "haha"?

      Because this isn't a rant about a deliberately crippled piece of software like the Windows Firewall. It's about a possible bug. Still, nobody's denying that Apple has a pretty strange record of denial, cover up and failure to fix when it comes to some problems. Apple is also in bed with DRM to some extent, which pisses everyone off.

      We shall see if this develops into a "haha", for example, if Apple says this is a feature not a failure, or some other crap like we get from Microsoft so often.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    5. Re:Why isn't this story also tagged as "haha"? by PipingSnail · · Score: 1

      Since when did Defective By Design apply only to DRM? As a series of words forming a phrase in the English language, it's pretty clear what it means. A firewall that doesn't work properly is defective by design.

    6. Re:Why isn't this story also tagged as "haha"? by overbom · · Score: 1

      No, it's not bias. It's not tagged such because the suckiness of Leopard's firewall is in dispute.

      Heyo!

    7. Re:Why isn't this story also tagged as "haha"? by Anonymous Coward · · Score: 0
      Do I detect bias?

      Hopefully, yes.

  32. Don't backpedal too much, or you'll fall over. by mattgreen · · Score: 3, Insightful

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?

    And what happens in the event the trust system is subverted somehow? Either the user accidentally trusts malware, or malware manages to squeeze itself in, what would the user do? The only option they have left is to pull the network connection. At least with a real firewall, a savvy user can lock down their machine and safely investigate further.

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

    I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have to read the documentation? This is a major bug. Don't try to downplay it like it's no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?
    1. Re:Don't backpedal too much, or you'll fall over. by Bill_the_Engineer · · Score: 2

      I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have read the documentation? This is a major bug.

      I think you missed a huge point in your haste to make a point against Apple. When "Block all incoming connections" is set, it blocks all user applications, not root applications.

      Now for a legitimate complaint -- Why did it disable my firewall during the upgrade? Or did it??

      So I decided to do an EXTERNAL port scan to see what was happening. Admittedly, I'm too lazy right now to set up my other computer and run nmap, so I'm using a TCP port scanner hosted on the internet. After running port 0 through 1055, all the ports came back closed with the exception of ports 135-139 and port 445 being stealthed. Ok this is a minor bug, because my computer now responds to pings and actively returns the port status for all but the Microsoft related ports (ok maybe Netbios is a better term than Microsoft related). However, NONE of the ports are functional.

      So the default firewall settings are to drop the ICMP packets for 135-139 and 445.

      So after setting the firewall to "block incoming connections for applications" running as my user account, I can re-enable the advanced option to stealth all closed ports. I re-ran the tests and my computer no longer accepts pings or returns the ICMP messages. As far as the external scanner knows, my computer no longer exists.

      OK so what does this mean? Well it means that if I ran an application that used the network, I wouldn't be asked to allow the connection. OK, so I *may* become stupid one day and run a program that creates an available port - what's the big deal? Well it will have access to my directory and anything my user account can access, but not my root account. This is a user education problem, not an OS design issue. Enabling the "block incoming options" should safeguard against some lapses in judgement.

      What about the services running as root (like bonjour)? From Apple:

      "Sandbox tested.
      Sometimes hackers try to hijack an application to run malicious code. Sandboxing helps ensure that applications do only what they're intended to by restricting which files they can access, whether they can talk to the network, and whether they can be used to launch other applications. Helper applications in Leopard -- including the software that enables Bonjour and the Spotlight indexer -- are sandboxed to guard against attackers."

      OK - So can we now dial down the hyperbole a little???

      Don't try to downplay it like its no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?

      In order for a worm to work, we would have to have some method of it being able to propagate itself without user intervention. This requires teaching the user not to run applications from dubious sources; I see this as a problem for ALL operating systems.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    2. Re:Don't backpedal too much, or you'll fall over. by jcr · · Score: 1

      OK - So can we now dial down the hyperbole a little???

      You must be new here. ;-)

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  33. (Offtopic-ish) Re:"defective by design" by recoiledsnake · · Score: 1
    The roots of this slashdot tag are in the juvenile site Bad Vista run by Stallman's FSF.

    They were asking people (don't know if they still do) as part of an astroturfing campaign to help out by tagging all Vista stories as defectivebydesign. Thus, it has lost its meaning and is just mindless people doing off topic tagging.

    I once attended a talk by Stallman, it was fun and all, and the hall was jam-packed. But seriously, FSF needs to close that site, it's full of meaningless and mindless half-true FUD and the joke's on FSF for creating that site. Maybe it was just an attempt at spreading FUD on MS to counter (or complement?) MS's anti-Linux FUD, but to anyone with half a brain, the joke's on FSF.

    --
    This space for rent.
    1. Re:(Offtopic-ish) Re:"defective by design" by clang_jangle · · Score: 1

      So win-dos users have just half a brain then? :)
      Seriously though, the Bad Vista site is actually pretty accurate and appropriate. But it doesn't matter much, really -- Vista is destined to go the way of winME. MS is working feverishly on its replacement now.

      --
      Caveat Utilitor
    2. Re:(Offtopic-ish) Re:"defective by design" by Nazlfrag · · Score: 1

      Woah. That site is so bad, I'm almost considering installing Vista just to spite them.

  34. Solution? by failedlogic · · Score: 1

    I'm using Leopard and enabled the firewall and per-application blocking. I find it convenient that it's enabled in two or three mouse clicks like the Windows firewall. I'm not a security techie but I understand, as far as OS firewalls go and there never being a magic bullet, that it should not ever be the only solution I use.

    Given that Apple may or likely has a flaw to fix in its Firewall, what solutions are there for additional protection? I'd been using PortSentry (a former Cisco package, now OSS on Sourceforge) on my Tiger system. It compiled, installed and worked on Tiger using GCC but no longer on Leopard. I frankly don't trust Norton and some of the other "firewall" expert 'solutions' companies. I'd like to say I would be willing to learn IPFW firewall rules (I assume Leopard uses this) but the level of technical expertise needed is well beyond my knowledge level. I'm not a techie and learning to implement firewall rules demands expertise and is a fine art in itself - as is computer security.

    So, what other level of security might make up for Leopard's lack of a good firewall? I like using OSS as there is support, it's free (can't afford more software) and the code is open for review by the community. Suggestions?

    1. Re:Solution? by Lars+T. · · Score: 1

      You didn't RTFA, did you.

      Workarounds

      At present, in order to block access to system services, users must either disconnect the network cable or fall back on the tried and tested BSD ipfw packet filter. This is still present, but by default is set to permeable - the only active rule lets everything through.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  35. Firewalls are for wimps! by OptimusPaul · · Score: 2, Funny

    Firewalls are half-assed anyway, why bother with half-assed security, never do it halfway... I say go full-assed and leave all ports open! Take back the internet! Let our data flow! Freedom! DISCLAIMER: I don't know shit about security, as a result I don't keep any sensitive info on my computer.

    1. Re:Firewalls are for wimps! by Cairnarvon · · Score: 1

      It's not even just about your sensitive data, it's also about being turned into a botnet node and ruining the internet for the rest of us.
      A good firewall may not be the only protection you need against that, but it's a good first step.

    2. Re:Firewalls are for wimps! by OptimusPaul · · Score: 1

      I see my humor was not lost on you. But you do have a good point, but I think that the tactics used to fight botnets are flawed in a way. While we should spend time making it more difficult for botnets to exist, more time should be spent on making botnets irrelevant. We should understand why they exist and what we can do to remove the temptation for them to be used. Also, if people would stop buying faster computers botnets would be easier to detect. Do we really need anything better than an Apple ][? Join with me, let us throw our Ghz back at Intel and AMD and tell MS and Apple and Linus to shove their processor demands up their asses... we don't need bells and whistles and transparent windows, shit we don't even need windows. Brothers and Sisters now is the time! We will fight, we will fight for what is ours! Freedom!!!

  36. But Macs *just work* by Chas · · Score: 0, Troll

    Whether you want them to or not.

    --
    Chas - The one, the only.
    THANK GOD!!!
  37. Re:"defective by design" by Cally · · Score: 2, Funny
    "Designed by defectives", perhaps?

    Out in hall, wasn't it? No, don't get up...

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  38. Spin!!! Spin!!! Spin!!! by BSDetector · · Score: 0

    So - Leopard has major security holes right out of the box!!! See subject!!! Mod me down because the truth hurts!

  39. Seriously flawed article by Anonymous Coward · · Score: 0

    [So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to "Set access to specific services and programs", which promises more control over network traffic.]

    This very early sentence tells us that these people know absolutely nothing about security in OS X. The firewall is already on - it is on by default. The first thing they actually did was to _allow_ incoming connections. Other than changing that setting, they did nothing to the default firewall rules. And they certainly didn't "activate the firewall".

    Then they changed it to "block all incoming connections". This admittedly didn't do exactly what it said. However, Apple has never said that you get perfectly granular or absolute control over the firewall through the gui controls in Preferences. To really control any firewall, you have to know what you are doing, and modifying the appropriate unix config settings - in this case, for ipfw. See http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html.

    What Apple has done is to put into the preference pane a set of simplified security settings which make sense for most people running consumer or workstation machines. They've added more granular control to the simplified settings, which is impressive. But it would not be good PR for Apple if consumers who thought they had to "activate the firewall" messed around and disabled some key functionality.

    If you are a network admin who really has to worry about these things, you will 1)be more knowledgeable, and 2)be running OS X Server, which I'm just guessing doesn't work quite this way.

    For what it's worth, Apple has made a fairly idiot proof system. A casual user can't mess this up too much.

    1. Re:Seriously flawed article by Anonymous Coward · · Score: 0

      For what it's worth, Apple has made a fairly idiot proof system. A casual user can't mess this up too much.

      Make something idiot proof, and someone will find a greater idiot, q.e.d.
    2. Re:Seriously flawed article by BSDetector · · Score: 0

      What's the matter with you Slashdotters? Can't you stand to hear the truth? Are your own words trolling? I guess all you know what to do is to mod me down. Oh - I am so hurt!!!!

    3. Re:Seriously flawed article by Anonymous Coward · · Score: 0

      For what it's worth, I didn't mod you down - I can't as I posted anonymously.

      But you seriously misunderstood what I wrote, just like the article author seriously misunderstood the OS X firewall, and what he was doing to it.

      Sad thing is, there are apparently NO slashdotters left who actually do understand what's happening here. I can assure you, the Leopard firewall is working exactly as intended, which is exactly as it should work for consumers. If you're more paranoid than that, you need to learn something about security and implement it. Try reading the link I posted for starters, as it explains what the default firewall rules do. It's a bit technical though.

  40. DON'T panic, just use ipfw by Anonymous Coward · · Score: 0

    1. If you have OS X Tiger, turn on the firewall in System Preferences
    2. Open Terminal in your admin account and type at the prompt: sudo ipfw list
    3. Apply these rules to Leopard
    4. For more info, type: man ipfw

    P.S. Imagine Apple is trying to help you learn something.

  41. Let me fix that for you. by Medievalist · · Score: 1

    I think you meant a so-called "personal firewall" when you said "software firewall". They are inherently weak and most are worthless.

    I think you meant "a dedicated firewall host" when you said "hardware firewall". Most are inherently strong when properly used.

    Don't forget to make sure you haven't stored a password to your firewall host on your PC. If possible, you should only log into the firewall host from its console, although that's not really doable on cheap linksys-type appliances. Always use https: and not http: connections if you are forced to use a web-based console, and make sure your browser isn't set to remember passwords. Always change the default password before connecting to any networks (use a loopback or a crossover cable to your PC if the device forces you to have a live ethernet port at bootup).

    Your lesson #4, "Never assume that you are 100% safe" is excellent advice. Similar to "never discuss anything that might be considered illegal on the phone, even if you are just talking about some role-playing game".

  42. Apple should switch to PF anyway by chrysalis · · Score: 1

    As much as I love OSX, it really sucks as a firewall.

    Why don't they import PF, just like any modern BSD system?

  43. Re:"defective by design" by prockcore · · Score: 1

    A defect in a firewall is most definitely not intentional.

    Allowing a signed application to punch through the firewall is indeed "defective by design".
  44. Re:A hardware firewall Re-explained by NemoinSpace · · Score: 1

    There is no such thing as a purely hardware firewall in modern times.
    I understand you're on a rant, but your point is so basal, it doesn't illustrate a point. By your definition, related to computing, there is no such thing as a purely hardware firewall in ANY time. I would classify a hardware firewall as any number of unalterable rulesets, whether it be LEAF on a cd, or a router that can only be updated with a maintenance port. The difference being, these types are impossible to screw up by Joe User and harder to screw up even by the admins that control them and are easily rolled out on a large scale. That's the difference between your standard NAT firewall that anyone can access with user: admin pwd: enter. - another reason I like the 'fire and forget' hardware firewall. Once you've paid for someone to program the beastie, you know what you have got. PS I'm tired of programmers who don't take the time to understand the semantics of phrases like "Block all incoming connections" and don't have the skill to say what they mean.
  45. severity of impact by v1 · · Score: 0

    Windows machines traditionally need the firewall to keep the nasties out because of all the open services, the insecure services, and the holes in the network stack. Mac OS X has really none of these. So this is like comparing an unlocked front door on a bank (with a closed vault) with a grocery store with same unlocked front door. Yes, it does lower the security, but amplifying a 1 in a million security problem by a factor of say 10, is not nearly as severe as amplifying a 1 in 100 security hole by 10.

    Still no excuse though. I'm sure we'll see many things fixed in 10.5.1, and unlike the usual suspects, they won't immediately be replaced by another dozen holes found the following morning.

    --
    I work for the Department of Redundancy Department.
  46. Ehemm... a question... by Anonymous Coward · · Score: 0
    Fresh install, OS X 10.5, Firewall set to installation default, all sharing services switched off:

    $ sudo lsof -iUDP
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    ntpd 14 root 20u IPv4 0x6bd0bf0 0t0 UDP *:ntp
    ntpd 14 root 21u IPv6 0x6bd0b18 0t0 UDP *:ntp
    ntpd 14 root 22u IPv6 0x6bd07b8 0t0 UDP localhost:ntp
    ntpd 14 root 23u IPv4 0x6bcea30 0t0 UDP localhost:ntp
    ntpd 14 root 24u IPv6 0x6bce448 0t0 UDP localhost:ntp
    ntpd 14 root 25u IPv6 0x6bcf1c8 0t0 UDP MacBookPro.local:ntp
    ntpd 14 root 26u IPv4 0x6bce1c0 0t0 UDP MacBookPro.lan:ntp
    mDNSRespo 22 _mdnsresponder 7u IPv4 0x6bce958 0t0 UDP *:mdns
    mDNSRespo 22 _mdnsresponder 8u IPv6 0x6bce880 0t0 UDP *:mdns
    configd 34 root 8u IPv4 0x6bd0cc8 0t0 UDP *:*
    SystemUIS 89 SomeUser 9u IPv4 0x6bd0968 0t0 UDP *:*

    $ sudo lsof -iTCP
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    launchd 1 root 13u IPv6 0x6bd4be8 0t0 TCP localhost:ipp (LISTEN)
    launchd 1 root 14u IPv4 0x6ee3e64 0t0 TCP localhost:ipp (LISTEN)
    cupsd 488 root 4u IPv6 0x6bd4be8 0t0 TCP localhost:ipp (LISTEN)
    cupsd 488 root 6u IPv4 0x6ee3e64 0t0 TCP localhost:ipp (LISTEN)
    You state that:

    "To examine whether any unwanted services are running, a normal Apple user will consult the graphical front end ("System preferences / Sharing"). However, even when nothing is shown as being active in this front end, a number of services which are intended to be remotely accessible run in the background." and cite the output of 'sudo lsof -i udp' to support this. Your statement is true but your sample output shows the ntp daemon and the NetBIOS name server daemon... So taking ntpd as an example, which of the categories in the 'Sharing' dialog does ntpd fall under? As far as I can tell the ntpd daemon is quite faithfully shut down when you disable 'Set date and time automatically' in System Preferences->Date & Time; System preferences -> Sharing does nothing to affect ntpd. Disabling true 'Sharing' features such as 'Remote Login' in the 'Sharing' dialog results in the sshd daemon being shut down. Basically you cannot use the 'Sharing' dialog to see whether any and all system services are running or not. One could argue that this is confusing. If I was inclined to use GUI tools to manage my machine I'd much prefer a dialog that lists all system services and shows if they are running or not, but then I much prefer the terminal for this.
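    The check this comment is doing by eye, as an added example that is not code from the thread, Heise or Apple: it parses an `lsof -i` listing and sorts every socket by where it can actually be reached (loopback only, one interface, or every address), which is what decides whether a firewall has to cover it, whatever the Sharing pane shows. The sample input is constructed to mirror the two listings quoted above; on a live host you would feed it the output of `sudo lsof -nP -i` instead.

```python
"""Sort the sockets in an `lsof -i` listing by how reachable they are.

Added example, not code from the Slashdot thread, Heise or Apple.  The
sample below is constructed to mirror the `sudo lsof -iUDP` and
`sudo lsof -iTCP` output quoted in the comment, so it runs offline.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample, copied in the shape of the listing quoted in the thread.
SAMPLE_LSOF = """\
$ sudo lsof -iUDP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ntpd 14 root 20u IPv4 0x6bd0bf0 0t0 UDP *:ntp
ntpd 14 root 21u IPv6 0x6bd0b18 0t0 UDP *:ntp
ntpd 14 root 22u IPv6 0x6bd07b8 0t0 UDP localhost:ntp
ntpd 14 root 23u IPv4 0x6bcea30 0t0 UDP localhost:ntp
ntpd 14 root 24u IPv6 0x6bce448 0t0 UDP localhost:ntp
ntpd 14 root 25u IPv6 0x6bcf1c8 0t0 UDP MacBookPro.local:ntp
ntpd 14 root 26u IPv4 0x6bce1c0 0t0 UDP MacBookPro.lan:ntp
mDNSRespo 22 _mdnsresponder 7u IPv4 0x6bce958 0t0 UDP *:mdns
mDNSRespo 22 _mdnsresponder 8u IPv6 0x6bce880 0t0 UDP *:mdns
configd 34 root 8u IPv4 0x6bd0cc8 0t0 UDP *:*
SystemUIS 89 SomeUser 9u IPv4 0x6bd0968 0t0 UDP *:*

$ sudo lsof -iTCP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 13u IPv6 0x6bd4be8 0t0 TCP localhost:ipp (LISTEN)
launchd 1 root 14u IPv4 0x6ee3e64 0t0 TCP localhost:ipp (LISTEN)
cupsd 488 root 4u IPv6 0x6bd4be8 0t0 TCP localhost:ipp (LISTEN)
cupsd 488 root 6u IPv4 0x6ee3e64 0t0 TCP localhost:ipp (LISTEN)
"""

LOOPBACK_PREFIXES = ("localhost", "127.", "::1", "[::1]")


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    user: str
    proto: str   # NODE column: "UDP" or "TCP"
    host: str    # address part of NAME: "*", "localhost", a hostname or IP
    port: str    # port/service part of NAME, exactly as lsof printed it
    state: str   # "(LISTEN)", "(ESTABLISHED)", ... or "" for UDP


def parse_lsof(text: str) -> list[Socket]:
    """Parse an `lsof -i` listing; blank lines, prompts and the header are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        command, pid, user = fields[0], fields[1], fields[2]
        proto, name = fields[7], fields[8]
        state = fields[9] if len(fields) > 9 else ""
        # A connected TCP socket prints as local->remote; keep only the local end.
        local = name.split("->", 1)[0]
        host, _, port = local.rpartition(":")
        sockets.append(Socket(command, int(pid), user, proto, host, port, state))
    return sockets


def exposure(sock: Socket) -> str:
    """Where the socket can be reached from: wildcard, interface, loopback, unbound or client."""
    if sock.proto == "TCP" and sock.state != "(LISTEN)":
        return "client"      # outbound or established connection, not a service
    if sock.port == "*":
        return "unbound"     # UDP socket with no port yet; nothing can address it
    if sock.host == "*":
        return "wildcard"    # bound on every address, reachable from any attached network
    if sock.host.startswith(LOOPBACK_PREFIXES):
        return "loopback"    # reachable only from the machine itself
    return "interface"       # bound to one address, reachable on that network


def exposure_counts(text: str) -> dict[str, int]:
    """How many sockets fall into each exposure class."""
    return dict(Counter(exposure(s) for s in parse_lsof(text)))


def exposed_services(text: str) -> list[tuple[str, str, str, str, str]]:
    """Unique (command, user, proto, port, exposure) for sockets reachable off-host.

    These are the bindings a host firewall must account for; the Sharing pane
    says nothing about them, and the root-owned ones are outside the reach of
    the per-user application blocking discussed in the thread.
    """
    found = set()
    for sock in parse_lsof(text):
        where = exposure(sock)
        if where in ("wildcard", "interface"):
            found.add((sock.command, sock.user, sock.proto, sock.port, where))
    return sorted(found)


if __name__ == "__main__":
    print(exposure_counts(SAMPLE_LSOF))
    for entry in exposed_services(SAMPLE_LSOF):
        print("%-10s %-15s %s/%s %s" % entry)
```

    Run on the sample it reports only ntpd and mDNSResponder as reachable off-host; the cupsd/launchd ipp listeners are loopback-only and drop out, which is the distinction the comment draws between "running" and "remotely accessible".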
  47. Don't depend on services being disabled. by argent · · Score: 2, Informative

    Unlike Windows, OSX does not run with services enabled unless you explicitly enable them.

    It sounds like if you don't enable a service, it doesn't enable the firewall rules for that service. If you do enable the service, then it turns on the firewall rules for that service. This is not a problem unless you install a third-party program that provides the same network service, *and* you want to restrict access to it.

    The argument in the article that the firewall would prevent a trojan from opening a listener on a low port is bogus, because any program that can open a listener on a low port can also remove the corresponding firewall rule... you have to be root to do either.

    The fact that Samba processes were still running after sharing was turned off, however, is a concern. That absolutely should not happen, and Apple needs to fix it.

    The workaround is to make sure that after you disable a service, you reboot to make sure it is really disabled. If you don't enable any services that should not be an issue.

  48. What is this thing you call Firewall? by PenGun · · Score: 1

    My slak life has insulated me from many things. You have fires that will burn macs? Neato.

    Seriously, I've never seen the need and I've been out here a long time. Turn off what you don't need until you need it, and then turn it back off when you're done.

  49. DRM DRM DRM by TheNetAvenger · · Score: 0, Offtopic

    DRM DRM DRM DRM DRM!!!

    Oh, wait, we only say that when it is MS, when Apple does it, it is SECURITY...

  50. Mostly because the article sucks. by SanityInAnarchy · · Score: 1

    If anything, we should be laughing at the people who report nmap's "open|filtered" state as if it were a problem -- as if it were somehow open. At people who are writing an article about security, yet don't appear to understand how UDP works.

    And, especially, at an article blatantly cashing in on Leopard's release -- if these are "flaws", they are just about exactly the same "flaws" that exist in Tiger.

    --
    Don't thank God, thank a doctor!

  51. Simple: by SanityInAnarchy · · Score: 1

    Learn more about the firewall.

    Enough to discover that this article is by someone who has absolutely no clue about OS X firewalls or security. Several of the responses here are pretty much the same.

    PortSentry, if I understand, is to protect you from people doing portscans on you. While useful, that really doesn't seem anywhere near as essential as having a working firewall to begin with.

    And you're right not to trust Norton -- that would likely make you LESS secure.

    Personally, I run Linux with no firewall. I figure, by the time I need it (rather than simply refusing packets), I'm already 0wned. But dig through the comments a bit more, and you'll find that no matter what my personal beliefs are about firewalls, this one really is fine, if you need one. (I seem to remember leaving it on by default, since OS X never made it difficult for me to open the ports I needed.)

    --
    Don't thank God, thank a doctor!

  52. Just a matter of time by superash · · Score: 0

    This was bound to happen. Software is flawed no matter how much you fix it. Just because Windows was used by a large number of people, it was the target till now. As Linux and Mac OS get more and more popular and people start adopting them on a large scale, there will be more people trying to break their security systems, finding buffer overflow bugs etc etc...

    Mac OS is just as flawed as Windows or Linux and just because "It just works" doesn't mean "It is not flawed".

    *Gets ready for apple fanboy bashing*

  53. OS X != Mac OS X by Pliep · · Score: 1

    No hairsplitting intended, but the title and summary suggest we're talking about OS X (which is the OS for iPhone and iPod touch). Of course we are talking about Mac OS X, which is the operating system used on Macintosh computers.

  54. Might also be a flawed analysis... by CatOne · · Score: 3, Interesting

    http://leofud.blogspot.com/

    Specifically that the open|filtered may mean the ports are in a stealth mode... which is what you want!

    I did a port scan of my Leopard machine from a Tiger machine and didn't see any open ports at all. I'm not running the firewall either -- but I don't have any services turned on right now. That's the way OS X ships by default (and has since at least 10.2).

    Not arguing that things couldn't be better communicated by Apple, but I think an article claiming they're taking a Microsoft-esque tack toward security is more than likely politically loaded.

  55. Ho hum. by stewbacca · · Score: 0, Troll

    Call me when there is a serious threat to my Mac. Still don't see any viruses or malware 20+ years on now... With every new Apple product come the lowliest, most insecure, Windows-using chumps with lame attempts like this thread to cast a bad light on Apple.

  56. ipfw by mzs · · Score: 1

    Does ipfw still work on Leopard? Are there some sort of new rules for per app/service in ipfw? Is there some kind of way to see what the rules really are in the SW firewall and to set them via a shell script?

    1. Re:ipfw by Colpa · · Score: 1

      Yes, ipfw still works in Leopard, but the new firewall does not use it.

  57. Allows Root, but not users? by SixByNineUK · · Score: 1

    I have done a few tests myself from a remote linux box (using nmap). By default, there doesn't seem to be any ports open, but I have a python script that listens for connections on any specified port.

    It seems that the firewall is a bit odd... From my quick tests, it seems that if you run something as root (i.e. sudo it) then the firewall lets it listen and allows incoming connections; however, as a user it blocks it. Therefore it seems that this firewall is aimed at users running some malicious code, rather than at protecting against vulnerabilities in the underlying OS.

    It would be interesting if someone could confirm this.
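    A loopback version of the check described in comment 57 (a small Python listener plus an outside probe), written as an added example; it is not code from the thread, from Heise or from Apple. It also makes comment 50's point about UDP concrete: a UDP port that never answers cannot be told apart from a filtered one, which is why nmap reports "open|filtered" rather than "open". Assumptions: all ports are ephemeral, constructed test values on 127.0.0.1, the helper names are mine, and the "closed" verdict for UDP relies on the host delivering an ICMP port-unreachable to a connected UDP socket (Linux and macOS do this on loopback). On a real host you would run the probe functions from a second machine against the firewalled one, once with the listener started as root and once as an ordinary user, to compare what the firewall lets through.

    ```python
    """Loopback self-test for a host firewall: start a listener, then probe it
    the way a port scanner would, and record the verdict the scanner would print.

    Added example, not from the Slashdot thread, Heise or Apple. All ports are
    constructed test values on 127.0.0.1; helper names are hypothetical.
    """
    import socket
    import threading


    def start_tcp_listener(host="127.0.0.1"):
        """Bind a TCP listener on an ephemeral port and accept (then drop)
        connections in a background thread, like the commenter's Python script.
        Returns the port number."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((host, 0))
        srv.listen(5)
        port = srv.getsockname()[1]

        def serve():
            srv.settimeout(2.0)          # give up after 2 s idle, then close
            try:
                while True:
                    conn, _peer = srv.accept()
                    conn.close()
            except OSError:
                pass
            finally:
                srv.close()

        threading.Thread(target=serve, daemon=True).start()
        return port


    def start_silent_udp_listener(host="127.0.0.1"):
        """Bind a UDP socket that reads and discards datagrams without replying,
        mimicking a service that ignores probes it does not understand (the case
        that makes nmap say open|filtered). Returns the port number."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind((host, 0))
        port = srv.getsockname()[1]

        def drain():
            srv.settimeout(2.0)
            try:
                while True:
                    srv.recvfrom(512)
            except OSError:
                pass
            finally:
                srv.close()

        threading.Thread(target=drain, daemon=True).start()
        return port


    def unused_port(host="127.0.0.1", kind=socket.SOCK_STREAM):
        """Grab an ephemeral port and release it again, so a probe against it
        sees a port with no listener (the constructed 'closed' case)."""
        s = socket.socket(socket.AF_INET, kind)
        s.bind((host, 0))
        port = s.getsockname()[1]
        s.close()
        return port


    def probe_tcp(host, port, timeout=1.0):
        """Classify a TCP port the way a connect scan reports it:
        handshake completes -> "open"; RST (connection refused) -> "closed";
        silence or an ICMP error -> "filtered" (what a deny-all firewall yields)."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:                  # e.g. ICMP host/admin unreachable
            return "filtered"
        finally:
            s.close()


    def probe_udp(host, port, payload=b"\x00", timeout=1.0):
        """Classify a UDP port with the same logic and limits as a UDP scan.
        There is no handshake, so only an ICMP port-unreachable (surfaced as
        ECONNREFUSED on a connected UDP socket) proves "closed"; a reply proves
        "open"; silence is ambiguous and is reported as "open|filtered"."""
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # connected socket receives ICMP errors
            s.send(payload)
            s.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        finally:
            s.close()


    def self_test(host="127.0.0.1"):
        """Run the four constructed cases on loopback and return the verdicts.
        Expected: tcp_listener "open", tcp_nothing "closed",
        udp_listener "open|filtered", udp_nothing "closed" where ICMP is delivered."""
        tcp_port = start_tcp_listener(host)
        udp_port = start_silent_udp_listener(host)
        return {
            "tcp_listener": probe_tcp(host, tcp_port),
            "tcp_nothing": probe_tcp(host, unused_port(host)),
            "udp_listener": probe_udp(host, udp_port),
            "udp_nothing": probe_udp(host, unused_port(host, socket.SOCK_DGRAM)),
        }


    if __name__ == "__main__":
        for case, verdict in self_test().items():
            print(f"{case:13s} -> {verdict}")
    ```

    The useful reading of the output is the contrast: a firewall that really blocks a port turns the TCP verdict into "filtered" and leaves the UDP verdict at "open|filtered", so a UDP "open|filtered" on its own, as in the article's scan, says nothing about whether the port is reachable.
    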

  58. UDP blocking requires separate activation by amoney · · Score: 2, Informative

    In OS 10.4 Tiger, in order to block UDP traffic, one had to click on the Advanced tab in the Firewall pane and select "block UDP traffic"; otherwise the firewall would only block TCP traffic. If you notice in the article, all the open ports are UDP. I don't have a copy of Leopard yet, but given that the author didn't mention anything about the advanced tab, I wouldn't be surprised if it's still the same for Leopard and that he didn't make this selection.

    Blocking UDP traffic in 10.4:

    http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1242.html

    1. Re:UDP blocking requires separate activation by SteveK1979 · · Score: 1

      Interesting... that's a bit of an oversight if it's true for 10.5 too! Also from the link, I would have expected the default to be "stealth mode" for the blocked ports. Cheers, Steve

    2. Re:UDP blocking requires separate activation by wfolta · · Score: 1

      When I select Advanced, I see only two options:

      1. Enable Firewall Logging

      2. Enable Stealth Mode

      I believe they were both off by default, but can't remember.

  59. ipfw is still shipped with leopard by Anonymous Coward · · Score: 0

    One doesn't need to rely on the fuzzy new "application firewall", since the tried and true ipfw is still included, although disabled by default and with no GUI for configuring it. There are other ways though:

    http://www.netmojo.ca/blog/2007/10/31/fixing-leopards-firewall/

  60. Block all does not work! by Anonymous Coward · · Score: 0

    "Block all incoming connections" simply does not work, period. I've posted my test results here: http://forums.macrumors.com/showpost.php?p=4425082&postcount=199
    (tests performed on a different machine)

    The problem is that even if they come up with a fix, I will never trust this "firewall" if they can't even get the most basic thing right.

  61. Are there non-software firewalls? by Anonymous Coward · · Score: 0

    "Never Trust Software firewalls" is a good idea, but that does not mean that you should use a software-less firewall. Fixing a flaw in a hardware firewall is as hard as that hardware. Because of that, time to market for fixes and improvements will be awful. A software firewall that is sufficiently shielded from malicious updates (for instance by running in a separate piece of hardware that itself does not have any connection between the internet and its program store) is a much better choice.

  62. New Rules for mac security posts by DrProton · · Score: 1

    New Rule: Any story trumpeting the latest security hole for OS X must include actual measurement data reporting the number of machines being infected out there on the net. Not hypothetical bullshit from some "security expert" with an axe to grind. Back up your "news" with real data. This is just speculation by heise.de.

    So how many systems have been compromised as a result of this flawed firewall? My guess is zero. Let us know when the number of compromised OS X Macs in the wild reaches .01% of the number of compromised Windows boxes corralled by botnet herders.

    --
    "Against stupidity the gods themselves contend in vain." - Schiller