Slashdot Mirror


OS X Leopard Firewall Flawed

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

13 of 300 comments

  1. Hm by d3vo1d · · Score: 2, Funny

    I guess we should expect to see 10.5.1 pretty soon.

  2. and now for something completely different... by Tumbleweed · · Score: 5, Funny

    "It's not much of a firewall, is it?"

    "Finest on this subnet, sir!"

    "And how to you come to that conclusion?"

    "Well, it's so *clean*!"

    "It's certainly uncontaminated by security!"

  3. Re:Never put your eggs in one basket. by gEvil+(beta) · · Score: 5, Funny

    Also, FYI, a hardware firewall is just a dedicated software firewall.

    I don't know if I buy that. I mean, one has the word "hard" in it, while the other has "soft" in it. Given the choice of the two, the "hard" one sounds far more secure.

    --
    This guy's the limit!
  4. apple defense force by Anonymous Coward · · Score: 1, Funny

    to the rescue!

  5. Re:Never put your eggs in one basket. by Sloppy · · Score: 5, Funny

    That's why, on my computer, I use a hardware null device. I don't trust the OS' slow software-emulated null device to properly dispose of my unused bits. You never know who might be going through your trash, piecing together private information. The performance boost is just icing on the cake.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  6. Re:Investigation flawed, more like by autophile · · Score: 2, Funny

    As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect...

    If it's warm and fuzzy, it should be "I has a firewall (what I do wif it?)"

    Lolz,

    --Rob

    --
    Towards the Singularity.
  7. Re:Never put your eggs in one basket. by peragrin · · Score: 1, Funny

    ah so you never returned your Sony Batteries.

    remind me never to borrow your computer.

    --
    i thought once I was found, but it was only a dream.
  8. Firewalls are for wimps! by OptimusPaul · · Score: 2, Funny

    Firewalls are half-assed anyway, why bother with half-assed security, never do it halfway... I say go full-assed and leave all ports open! Take back the internet! Let our data flow! Freedom! DISCLAIMER: I don't know shit about security, as a result I don't keep any sensitive info on my computer.

  9. Re:"defective by design" by Cally · · Score: 2, Funny

    "Designed by defectives", perhaps?

    Out in hall, wasn't it? No, don't get up...

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  10. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 3, Funny

    Yes a Gardware furewakk us a det=ducated software firewall but that is all it is dooing you

    Quick, call 911! Dude's having a stroke!
  11. Re:Never put your eggs in one basket. by hakr89 · · Score: 2, Funny

    The problem with putting the null device into hardware, is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip, clogging up the busses even more than the kernel internally discarding the memory. Write-Only Memory only goes so fast you know.

  12. Re:Investigation flawed, more like by Slashcrap · · Score: 3, Funny

    Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

    Sure, if DNS isn't 'all that much'

    Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not. Your character gains +1 Networking points for knowing that DNS uses UDP/53 by default, but sadly loses 100 points for not knowing what a stateful firewall is and an additional 50 for confusing source and destination ports. You should probably re-roll before you get eaten by an ICMP packet.
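The two technical points on this page, the article's "allow only SSH" policy that still let a manually started service through, and Slashcrap's remark that a stateful firewall drops unsolicited inbound UDP/53 without breaking name resolution, can both be shown with a small model of a host firewall. The following is an added example written for this mirror; it is not code from Heise, Apple, or any of the posters. It models a stateless port filter next to a stateful one with connection tracking; the addresses, the ephemeral port 51234, and the test service on port 8080 are constructed sample values.

```python
# Added example (not from the Heise article, Apple, or any Slashdot poster):
# a toy model of a host firewall, with a stateless port filter beside a
# stateful one, to show (a) the behaviour the article expected from
# "allow only SSH" and (b) why a stateful firewall can drop all unsolicited
# inbound UDP/53 while the host's own DNS lookups keep working.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "in" = arriving at the host, "out" = sent by the host


class StatelessFilter:
    """Judges each inbound packet only by its own destination port."""

    def __init__(self, allowed_inbound):
        # Set of (proto, dst_port) pairs the host publishes, e.g. {("tcp", 22)}.
        self.allowed_inbound = set(allowed_inbound)

    def decide(self, pkt):
        if pkt.direction == "out":
            return "ALLOW"          # outbound traffic is not filtered in this model
        if (pkt.proto, pkt.dst_port) in self.allowed_inbound:
            return "ALLOW"
        return "DROP"


class StatefulFilter(StatelessFilter):
    """Same allow list, plus connection tracking for flows the host started."""

    def __init__(self, allowed_inbound):
        super().__init__(allowed_inbound)
        self.flows = set()          # 5-tuples, stored from the reply's point of view

    def decide(self, pkt):
        if pkt.direction == "out":
            # Remember the flow so that the peer's reply is recognised later.
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "ALLOW"
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.flows:
            return "ALLOW"          # reply to a conversation this host initiated
        return super().decide(pkt)  # otherwise fall back to the published-service list


HOST = "192.0.2.10"          # constructed: the Leopard machine
RESOLVER = "192.0.2.53"      # constructed: its DNS server
STRANGER = "198.51.100.7"    # constructed: an unrelated outside host


def ssh_only_policy():
    """The behaviour the article expected when only 'Remote login' is shared:
    SSH reachable, a manually started test service on port 8080 (constructed) not."""
    fw = StatefulFilter({("tcp", 22)})
    ssh = Packet("tcp", STRANGER, 40001, HOST, 22, "in")
    test_service = Packet("tcp", STRANGER, 40002, HOST, 8080, "in")
    return {"ssh": fw.decide(ssh), "test_service": fw.decide(test_service)}


def dns_scenario(filter_cls):
    """Outbound DNS query from an ephemeral port, the resolver's reply, and an
    unsolicited packet aimed at UDP/53 on the host. No inbound UDP/53 is allowed."""
    fw = filter_cls({("tcp", 22)})
    query = Packet("udp", HOST, 51234, RESOLVER, 53, "out")
    reply = Packet("udp", RESOLVER, 53, HOST, 51234, "in")
    unsolicited = Packet("udp", STRANGER, 4000, HOST, 53, "in")
    return {
        "query": fw.decide(query),
        "reply": fw.decide(reply),
        "unsolicited_to_53": fw.decide(unsolicited),
    }


if __name__ == "__main__":
    print("allow-only-SSH:", ssh_only_policy())
    print("stateless DNS:", dns_scenario(StatelessFilter))
    print("stateful DNS: ", dns_scenario(StatefulFilter))
```

Run stand-alone, the stateless filter drops the resolver's reply (its destination is the ephemeral port 51234, not a published service), which is the breakage Slashcrap describes if you think of DNS as "inbound UDP/53"; the stateful filter admits the same reply because it matches the query the host sent, and still drops the unsolicited packet to port 53. The `ssh_only_policy` function shows the default-deny outcome the article expected and did not get: port 22 reachable, the unpublished test service not.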
  13. Re:Never put your eggs in one basket. by Sloppy · · Score: 2, Funny

    The problem with putting the null device into hardware, is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip

    Yeah, but that happens asynchronously if your null device can use DMA, so while it's transferring, your CPU can run the next bit of code out of cache, instead of wasting time executing emulator code. Also, if you have multiple busses, you can always hook up more null devices, and stripe them, to spread the load out.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.