Slashdot Mirror


OS X Leopard Firewall Flawed

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

72 of 300 comments

  1. Never put your eggs in one basket. by jellomizer · · Score: 5, Informative

    Lesson 1.
    Never trust software firewalls. Software firewalls should only be used for protection against "internet static" attacks, where just random worms and viruses are trying to get in. Software firewalls are normally bad against direct attacks from real hackers, because there are so many ways to trick the user into installing software to get around it...

    Lesson 2.
    Never trust anyone to keep security up. Apple, Microsoft, Linux distributions, even OpenBSD: they are all made by humans, and humans make mistakes and forget to check out things...

    Lesson 3.
    Always keep a hardware firewall, even if it is a cheap Linksys firewall/router; it will double up protection and keep your system relatively safe.

    Lesson 4.
    Never assume that you are 100% safe. There are always ways around things...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Never put your eggs in one basket. by MBCook · · Score: 4, Insightful

      I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

      So what do I think of all this? I don't know. I saw comments somewhere the other day that claimed that these guys were just misunderstanding, but I'm not sure. I expect a firewall to block things if I tell it to though.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Never put your eggs in one basket. by JCSoRocks · · Score: 2, Insightful

      Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, ...
      Do you see that, Apple fanboys!? Quick! Attack! GO GO GO!

      Seriously though, he's right. People in both camps should realize that no matter how great you think your software is, it's not perfect.
      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    3. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 5, Interesting

      Couldn't you argue that more layers = more possibilities for attack vectors?
      Also, FYI, a hardware firewall is just a dedicated software firewall.

    4. Re:Never put your eggs in one basket. by gEvil+(beta) · · Score: 5, Funny

      Also, FYI, a hardware firewall is just a dedicated software firewall.

      I don't know if I buy that. I mean, one has the word "hard" in it, while the other has "soft" in it. Given the choice of the two, the "hard" one sounds far more secure.

      --
      This guy's the limit!
    5. Re:Never put your eggs in one basket. by nharmon · · Score: 3, Insightful

      Fine. Just don't have your main firewall be on the same machine as the data you're trying to protect.

    6. Re:Never put your eggs in one basket. by Cecil · · Score: 4, Informative

      Couldn't you argue that more layers = more possibilities for attack vectors?

      That would only apply if breaking one link in the chain is as good as breaking all the links in the chain, i.e. if they give special accommodations to one another because they are all part of the "same network", or one contains passwords to the others, or something of that nature. In this case that should not happen, thus you must break each link in succession to get through.

      Also, FYI, a hardware firewall is just a dedicated software firewall.

      The key word here is "dedicated". A dedicated firewall means you are not installing other software on it which could compromise the firewall itself (either intentionally or through poor design), and it also means that should a hacker somehow break into the firewall, your losses are limited as they have not also gained entry to your files, your passwords, your keyboard, your browser, etc and they cannot rootkit your PC. They only get a tiny, wimpy processor with little-to-no storage and complete network access. Dangerous, yes, but not a complete disaster.

    7. Re:Never put your eggs in one basket. by Zenaku · · Score: 5, Informative

      If the layers of security are really layers of security, then no, you couldn't argue that. You have to breach the outermost layer before you can even attack the second layer, and you have to breach that layer before you can attack the third, etc.

      --
      If fate makes you a motorcycle, you become a motorcycle.
    8. Re:Never put your eggs in one basket. by toleraen · · Score: 4, Informative

      My Linksys router runs a Linux based software firewall.

    9. Re:Never put your eggs in one basket. by jellomizer · · Score: 2, Insightful

      Looking at your moderation and the parent's shows that your statement is true... I am using OS X right now and I am hoping my copy of Leopard is in the mail, and planning to install it as soon as I get home... Even though I really like the OS right now, it is my favorite, I don't want to be a fanboy and assume that it is a flawless, perfect system that will protect me from nuclear blasts, and that Steve Jobs is always right... There are things I dislike about the OS, but I dislike them less than my dislikes of other OSes.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re:Never put your eggs in one basket. by Sloppy · · Score: 5, Funny

      That's why, on my computer, I use a hardware null device. I don't trust the OS' slow software-emulated null device to properly dispose of my unused bits. You never know who might be going through your trash, piecing together private information. The performance boost is just icing on the cake.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    11. Re:Never put your eggs in one basket. by VisceralLogic · · Score: 2, Interesting

      Of course, I was once running OS X for quite awhile with no firewall, because I had turned it off for some reason (debugging X11 connection, I think), and forgot to turn it back on. Still no problems when I realized it was off several months later.

      --
      Stop! Dremel time!
    12. Re:Never put your eggs in one basket. by RobertM1968 · · Score: 3, Insightful

      I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

      Regardless, if I am on a network where I don't have control of all the machines on it 24/7, then I think running the machine's OS (or add-on) firewall is still a must. It really doesn't matter how great a hardware firewall is if someone infects their machine via a CD, DVD, USB drive, etc. from something they bring from their infected home machine or friend's machine or whatever. Since most direct network traffic doesn't (try to) pass through the hardware firewall, one should always be protected from the other machines on their network. For instance, in my office, we have a couple of WinXP machines - and though they are not infected, they are constantly broadcasting nonsense trying to find their brethren (to EVERY machine on the network). Our "hardware" firewall does nothing to stop that - even though it does block the traffic from going OFF our network. I block that traffic on my other machines at their firewalls (no need to waste sockets or OS time handling the packets at all). If those XP machines were infected... well, you see the point.

      If you have one machine on the network, or a few machines that only you use (taking precautions not to infect them from an external source), then yeah, a hardware firewall is probably all you need.

    13. Re:Never put your eggs in one basket. by ScytheBlade1 · · Score: 5, Insightful

      Really good thing that my linux software firewall is stored on a read-only filesystem then, and only allows login via SSH hostkeys.

      I made my initial post pretty quickly, and likewise screwed up some things.

      What is the difference between a software and a hardware firewall anyways? Heck, what is a firewall? There are so many countless ways of defining a 'firewall' that the average home router you can pick up at your local grocery store is advertised as a "router/firewall." Just because it's embedded suddenly makes it less of a software firewall, and more of a hardware one?

      As mentioned, my router has a read-only root file system. It's also running a complete linux distro. Is this a hardware or software firewall?

      Further, it does stateful packet inspection (four-ish lines of iptables commands? Worth $40+ on 'firewall' devices?), QoS (both host and service based), and it does this all through a transparent ethernet bridge. Then I have an admin ethernet jack, which requires IPSEC connectivity before you can touch the internal ports (22, 80).

      It's a complete linux distro, so it's software. It's 100% embedded, so it's hardware.

      As mentioned, other routers are embedding linux. Cool. Hardware or software? More secure, or less? More capable? Or less capable?

      Classifying 'software firewalls' as 'insecure' and classifying 'a cheap Linksys Firewall/Router' as 'secure' is kinda scary in all truth. Well, mostly just wrong. Firewalls are too generic now - just because it says 'firewall' on the front, you're supposed to think that you're safe from 'hackers.'

    14. Re:Never put your eggs in one basket. by toleraen · · Score: 2, Informative

      I had been using a WRT54G, but I retired it for Buffalo WHR-HP-54G. I've been using DD-WRT on both of them, and it's been pretty solid. V24 is looking to be a pretty good release too.

    15. Re:Never put your eggs in one basket. by 644bd346996 · · Score: 3, Informative

      You must be new here (despite your UID). The Linksys WRT54G and derivatives has been the most popular 802.11b/g/etc. router for years (since 2003, according to wikipedia). One of the reasons for its popularity is that it runs Linux, and there are many projects offering customized firmware, such as DD-WRT and OpenWRT. This has been popular enough that when Linksys chose to switch to VxWorks and halve the amount of flash, they released the WRT54GL with the old hardware configuration specifically for people wanting to modify the firmware.

      If you pick up one of the models with a USB port, you can trivially expand its storage capacity, although the built-in RAM and Flash is usually sufficient.

    16. Re:Never put your eggs in one basket. by adavidw · · Score: 2, Informative

      You want a WRT54G, which can be had dirt cheap, and be flashed to many specialized Linux distributions, some of which have LEAF. One example is http://openwrt.org/.

      Anybody still running an old standalone computer as a Linux software firewall probably pays enough in electricity to buy a new WRT54G or similar router every few months.

    17. Re:Never put your eggs in one basket. by Anonymous Coward · · Score: 3, Funny

      Yes a Gardware furewakk us a det=ducated software firewall but that is all it is dooing you
      Quick, call 911! Dude's having a stroke!
    18. Re:Never put your eggs in one basket. by ChrisA90278 · · Score: 2, Informative

      So you buy a Linksys "hardware" firewall. What's inside? There is a CPU, some RAM, an operating system, likely VxWorks, and some software. There are no truly hardware-only firewalls.

      And then what does a firewall do? If the computer is configured correctly there is no need for a firewall. Firewalls are just the "suspenders" part of a "belt and suspenders" security system. And even then the virus comes in via email and the web, which your firewall lets in.

      That said, I use redundant layers of protection and then tripwire-like detection.

    19. Re:Never put your eggs in one basket. by jandrese · · Score: 2, Interesting

      The worst part about those hardware firewalls is that they're buggy. People think that because they're in hardware they're bug free, but frankly I've discovered way more bugs in those cheap commercial "internet routers" than I've ever seen in iptables, ipfw, and pf combined. VxWorks is not easy to debug and most vendors seem to do as little work in it as possible. I actually had one on my home network that got replaced by a FreeBSD box when I discovered a firmware bug that DOSed my local network and the remote network with malformed packets about once a day, requiring me to reboot the router.

      --
      I read the internet for the articles.
    20. Re:Never put your eggs in one basket. by hakr89 · · Score: 2, Funny

      The problem with putting the null device into hardware is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip, clogging up the buses even more than the kernel internally discarding the memory. Write-Only Memory only goes so fast, you know.

    21. Re:Never put your eggs in one basket. by tulare · · Score: 2, Insightful

      A little ARP poisoning, and some sniffing to see what version of what your linux box is running, next time you apt-get update && apt-get upgrade, or emerge world, or whatever mechanism you use, you're pwned. My experience is that the best method of security is a pair of eyeballs attached to a skeptical brain.

      --
      political_news.c: warning: comparison is always true due to limited range of data type
    22. Re:Never put your eggs in one basket. by master_p · · Score: 2, Insightful

      Everything is software, even hardware logic circuits :-).

      The real benefit of an external firewall is that if your system is compromised, the firewall itself is not compromised, whereas in a firewall embedded in an O/S, if the O/S is hacked then the firewall is useless.

    23. Re:Never put your eggs in one basket. by Sloppy · · Score: 2, Funny

      The problem with putting the null device into hardware is that it would be IO bound more so than the emulated device, as it actually has to send the data to another chip

      Yeah, but that happens asynchronously if your null device can use DMA, so while it's transferring, your CPU can run the next bit of code out of cache, instead of wasting time executing emulator code. Also, if you have multiple busses, you can always hook up more null devices, and stripe them, to spread the load out.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  2. Investigation flawed, more like by Space+cowboy · · Score: 4, Insightful
    From the 'help' button available on the same screen (emphasis mine),

    In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access
    IMPORTANT: Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root"). They can also include digitally signed programs that are opened automatically by other programs.

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all?

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

    And, FWIW, if I set the firewall to 'Set Access for specific services and applications', then disable SMB sharing, I can't connect using nmblookup. I can only get through when the service has been enabled (which seems reasonable).

    Simon

    --
    Physicists get Hadrons!
    1. Re:Investigation flawed, more like by Sloppy · · Score: 4, Insightful

      so if Leopard trusts the service .. it will have access through the firewall.

      The default configuration represents the situation where the user defers to Leopard's estimation of what can be trusted. If the user starts modifying the configuration, then the question of what Leopard trusts or doesn't trust should be irrelevant.

      But sure: they documented the bug, thereby causing it to be merely lame design, rather than a bug.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:Investigation flawed, more like by kebes · · Score: 5, Insightful

      if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem

      The problem is that the user asked the OS for a certain action ("block everything") and the OS didn't implement that action. This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"... which isn't a good policy when it comes to security. If a user tries to activate a firewall policy (because they happen to know a certain service is insecure, or not needed, or whatever), then the firewall should implement that policy.

      You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

      If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't. You're also right that in principle the user should educate themselves about their software. However the software should, as much as possible, not misrepresent what's going on. Saying "blocking all connections" and then allowing something to connect is a recipe for security mistakes.
    3. Re:Investigation flawed, more like by ByOhTek · · Score: 2, Interesting

      The argument against that is in TFS even.

      If you are testing software and don't want it accessible from the outside world, Leopard's trust be damned, you want it blocked. I agree with the author here, even if he managed to miss the obvious text: any hole in the firewall should be put there explicitly by the administrator of said firewall (or the machine it is on), not left default by the OS and its own preferences. If MS did the same thing everyone would get pissed. If Linux did the same thing [I'd hope] everyone would get pissed. If *BSD did the same thing, the devs would probably get brutalized by their own fanatics.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    4. Re:Investigation flawed, more like by venicebeach · · Score: 4, Informative

      "All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications."

    5. Re:Investigation flawed, more like by Kadin2048 · · Score: 4, Informative
      I'm not 100% sure on this, but if it uses the same certificate framework that's been present in OS X up until now (which I can't see why it wouldn't, honestly), it will mean having the CA for the signing certificate in as a trusted root. I assume Apple will have its own CA cert in there by default, but there will probably be a way that users can add other certificates as they see fit. I doubt this will be easy to do, because you don't want idiots doing it because it's easy to do and basically trojaning their own systems (e.g. "To install BigBoobsPorn.app, first download xyz.p12, and install it in your X509Anchors keyring..."), but I suspect that there's no technical reason why you can't do this.

      That said, according to what I've read from some people, the security might not even be that rigorous; it might be more about making sure that only the developer of an application can update it automatically (so it's more difficult for an attacker to create an update that 'fixes' your copy of Mail.app or some other approved program to do evil things) than making sure each developer has been vetted by Apple or some other Higher Authority.

      There is a posting from someone who supposedly has access to the Leopard previews over at ThinkMac basically saying this:

      I can't tell you much without (totally) violating my WWDC NDA, but suffice it to say that this is not as bad as you think it is.

      Anyone at all can easily make a new signing identity and use it to sign an application they just compiled.

      The main objective of code signing in Leopard is not the same as for SSL certificates -- it is not to evaluate the trust or confidence of something based on a list of trusted certificate authorities.

      Rather, it is to provide a much better means for users to identify applications. A good example is software updates. Right now, if a user updates your application, and your application asks for an item the user's keychain, the user will get a Keychain warning telling him the application has changed.

      With code signing, the user will get that dialog once the first time he or she runs your application, and if you sign every future versions of that application, the system will not bother the user again, because instead of using for example a hash of the application, it will now be using the code signature.
      (source)
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    6. Re:Investigation flawed, more like by Have+Blue · · Score: 2, Informative

      If you have specific advanced requirements like that, pop open the command line and enter it into the config yourself. The "firewall preferences" screen is just a wizard on top of ipfw.

    7. Re:Investigation flawed, more like by autophile · · Score: 2, Funny

      As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect...

      If it's warm and fuzzy, it should be "I has a firewall (what I do wif it?)"

      Lolz,

      --Rob

      --
      Towards the Singularity.
    8. Re:Investigation flawed, more like by Cally · · Score: 4, Interesting

      you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

      Er, yeah, but... these are Mac users you're talking about. The people who've been sold a computer that ordinary people can use without being computer experts, and which doesn't get viruses like Windows does. (Not counting the Linux refugees, of course.)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    9. Re:Investigation flawed, more like by gatekeep · · Score: 3, Informative

      The UI is saying "I'm blocking all connections" even though it isn't.

      Well technically, the only examples this article provides are of UDP services listening. So there's no evidence that the firewall is allowing 'connections'.

      I agree that to the end user connections probably means something different, but in the world of network protocols it has a very specific meaning, which doesn't include UDP services by definition. The only way for the firewall to deny inbound UDP sessions would be to fake connection state for these protocols. Many popular commercial enterprise class firewalls do just this, but I'm not surprised that a desktop firewall isn't doing it.

    10. Re:Investigation flawed, more like by gatekeep · · Score: 4, Insightful

      Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

      Sure, if DNS isn't 'all that much'

      Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not.

    11. Re:Investigation flawed, more like by NNKK · · Score: 2, Insightful

      The Apache parent, the OpenSSH sshd parent(s), the postfix master process (postfix! an SMTP server built for the express purpose of security!), xinetd. These are just a few common network daemons that run as root as standard practice with their author's blessing.

      Welcome to the real world, it's not so rosy as you seem to think.

    12. Re:Investigation flawed, more like by Tom · · Score: 2, Interesting

      You are doing the usual mistake of judging from your perspective.

      Apple is the one company on the market who I trust to actually do user tests. I'm also fairly sure they found out that Joe Average clicks on "block incoming connections" and still expects stuff to work. Which is why they made it behave that way, put the info into the help file for those of us who RTFM and give you commandline access and ipfw if you really know what you're doing.

      --
      Assorted stuff I do sometimes: Lemuria.org
    13. Re:Investigation flawed, more like by dpninerSLASH · · Score: 2, Informative

      By default DNS will fall back to TCP for requests if it receives no response via UDP.

    14. Re:Investigation flawed, more like by Slashcrap · · Score: 3, Funny

      Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

      Sure, if DNS isn't 'all that much'

      Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not. Your character gains +1 Networking points for knowing that DNS uses UDP/53 by default, but sadly loses 100 points for not knowing what a stateful firewall is and an additional 50 for confusing source and destination ports. You should probably re-roll before you get eaten by an ICMP packet.
    15. Re:Investigation flawed, more like by gatekeep · · Score: 2, Interesting

      Your character gains +1 Networking points for knowing that DNS uses UDP/53 by default, but sadly loses 100 points for not knowing what a stateful firewall is and an additional 50 for confusing source and destination ports. You should probably re-roll before you get eaten by an ICMP packet.

      I know what a stateful firewall is.. but the fact is that for UDP, there's no such thing. Some stateful firewalls do protocol inspection to fake state by figuring out when to expect a DNS packet, but UDP is by definition stateless. Without reading the protocol at a higher layer, there's no way to tell state from only the UDP headers.

      As for source and destination ports, that's irrelevant. A request from my machine going to the DNS server will have source port > 1024 and destination port 53. The response will reverse those - source port 53, destination port > 1024. How exactly am I to tell by looking at that information if a packet destined for a high port on my machine from UDP 53 is truly a reply or not? The only reliable way is to read outbound packets for requests, and keep a faux-state table of what I should expect in response. It works similar to state, but is not the same, and has a non-trivial amount more overhead.
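
The faux-state table gatekeep describes, as an added worked example (constructed for this thread; not Leopard's or ipfw's code, and the addresses, ports and timestamps are made up): outbound UDP datagrams are recorded, an inbound datagram passes only if it reverses a recorded flow that has not idled out, and everything else, including unsolicited packets arriving from source port 53 or aimed at the NTP port, is dropped.

```python
# Added example (not from the thread, not Leopard's or ipfw's code): a minimal
# "faux-state" table for UDP. Inbound UDP is admitted only if it answers a
# recently seen outbound datagram; unsolicited inbound is dropped even when it
# comes *from* port 53. All packet values below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (local_ip, local_port, remote_ip, remote_port) as seen from this host
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True if this host sent it, False if it arrived from the network


class UdpPseudoState:
    """Track outbound UDP flows and admit only datagrams that answer them."""

    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout          # idle seconds before a flow entry is forgotten
        self._table: Dict[FlowKey, float] = {}

    def filter(self, pkt: UdpPacket, now: float) -> str:
        """Return "pass" or "drop" for pkt observed at time `now` (seconds)."""
        self._expire(now)
        if pkt.outbound:
            # Remember the flow so the reply (addresses and ports swapped) can come back.
            self._table[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return "pass"
        # Inbound: the flow this packet would be answering has our side first.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self._table:
            self._table[key] = now  # refresh the idle timer
            return "pass"
        return "drop"

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self._table.items() if now - seen > self.timeout]
        for k in stale:
            del self._table[k]


def run_scenario() -> List[str]:
    """Constructed traffic: one DNS lookup, its reply, and several unsolicited packets."""
    fw = UdpPseudoState(timeout=30.0)
    me, resolver, stranger = "192.0.2.10", "192.0.2.53", "198.51.100.7"
    traffic = [
        # 1. our query: high source port -> resolver:53
        (0.0, UdpPacket(me, 51234, resolver, 53, outbound=True)),
        # 2. the genuine reply reverses the tuple
        (0.1, UdpPacket(resolver, 53, me, 51234, outbound=False)),
        # 3. unsolicited packet from port 53 aimed at a port we never used
        (0.2, UdpPacket(stranger, 53, me, 40000, outbound=False)),
        # 4. unsolicited probe of the NTP port (the kind of service the article found reachable)
        (0.3, UdpPacket(stranger, 50001, me, 123, outbound=False)),
        # 5. a "reply" arriving long after the flow entry has idled out
        (60.0, UdpPacket(resolver, 53, me, 51234, outbound=False)),
    ]
    return [fw.filter(pkt, t) for t, pkt in traffic]


if __name__ == "__main__":
    print(run_scenario())  # expected: ['pass', 'pass', 'drop', 'drop', 'drop']
```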

  3. As any new OS by El+Lobo · · Score: 4, Interesting

    As with any new OS out there, these are childhood diseases. Every new system will have problems: small problems and big problems. The difference is that some will get praise anyway and some others will get "defectivebydesign" or "haha" tags.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:As any new OS by east+coast · · Score: 3, Insightful

      Apple may not be a monopoly but they certainly act a lot more like one than Microsoft does.

      --
      Dedicated Cthulhu Cultist since 4523 BC.
    2. Re:As any new OS by croddy · · Score: 5, Informative

      "Defective by design" is not typically used to refer to "any defective technology, har har", except by a few folks here on Slashdot. "Defective by Design" is a campaign of the FSF, referring specifically to devices or software that are deliberately crippled with DRM. See defectivebydesign.org.

  4. OS Firewalls by nurb432 · · Score: 5, Insightful

    Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.

    --
    ---- Booth was a patriot ----
    1. Re:OS Firewalls by AceCaseOR · · Score: 3, Interesting

      Unfortunately, Apple's apparent company line (based on what I've heard from Apple sales reps) is that you don't need any "3rd party security software". Specifically, I overheard a salesperson speaking to a customer who was buying a notebook computer for his daughter (who was going to college), saying that the customer didn't need to purchase any of that kind of software, because OS X had no security holes. I did restrain myself from taking the salesperson to task for this in front of the whole store - but only because I didn't want to get kicked out of the store - as I hadn't completed my purchase yet. If I'd already gotten my iPod, I would have, at least, brought this to the manager's attention. As it is, it'd been a long day, and I wanted to get my iPod and go, so I didn't make a deal about it.

      In retrospect, I should have made a bit of a fuss about it, and were the situation to happen today, especially with what I learned from TFA, I would certainly have called the salesperson on this (albeit after I'd gotten my iPod - I'd rather not get kicked out of the store before I made my purchase).

      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
    2. Re:OS Firewalls by LurkerXXX · · Score: 2, Insightful

      Who the hell modded that insightful?

      Yes they SHOULD be used, in ADDITION to external dedicated firewalls.

      Anyone plugging in an infected laptop behind your LAN's firewall now has a shot at your firewall-free computer.

      Use both hardware and software firewalls. Layers of protection are good.

  5. Hm by d3vo1d · · Score: 2, Funny

    I guess we should expect to see 10.5.1 pretty soon.

  6. and now for something completely different... by Tumbleweed · · Score: 5, Funny

    "It's not much of a firewall, is it?"

    "Finest on this subnet, sir!"

    "And how to you come to that conclusion?"

    "Well, it's so *clean*!"

    "It's certainly uncontaminated by security!"

  7. Little Snitch anyone? by solosaint · · Score: 5, Informative

    most powerusers I know use Little Snitch ... its better than the firewall apple includes

    1. Re:Little Snitch anyone? by frodo527 · · Score: 3, Informative

      I use Little Snitch on my MacBook Pro (still running Tiger) because OS X's built-in firewall doesn't configure or notify you about outbound connections. The problem reported in the OP about Leopard's firewall concerns inbound connections. Little Snitch doesn't do anything about those. IOW, Little Snitch complements OS X's firewall but does not replace it.

      --
      http://blogostuff.blogspot.com/
  8. Anyone tested this? by commodoresloat · · Score: 2, Interesting

    This was pointed out on a previous slashdot article and this poster claims it is not true.

    1. Re:Anyone tested this? by juct · · Score: 2, Interesting

      This guy forgot to run with "sudo" -- so lsof does not have sufficient rights to query.
      Do a

      sudo lsof -iUDP

      and you will see all the services listening on UDP ports.

      bye, ju

    2. Re:Anyone tested this? by Mathi�u · · Score: 2, Interesting

      Doesn't show more with sudo:

      $ sudo netstat -an | fgrep LISTEN
      Password:
      tcp4 0 0 127.0.0.1.631 *.* LISTEN
      tcp6 0 0 ::1.631 *.* LISTEN
      Clearly the article is crap, the guy doesn't have a clue. Yesterday's comment post was well enough for this article, having it posted on the main page reflects poorly on the slashdot poster.
  9. Re:"defective by design" by Abjifyicious · · Score: 2, Informative

    Tagging this "defectivebydesign" doesn't make any sense here at all, whether or not Apple's a monopoly. "Defective by design" is a phrase coined to describe DRM-encumbered products, because they really are designed to be that way. A defect in a firewall is most definitely not intentional. Unfortunately, "defective by design" has lost its roots, and has become a phrase that is mindlessly repeated by the slashdot hordes whenever any product has any problem with it whatsoever. Obviously it couldn't be due to oversight or incompetence, Apple must have intentionally gone out of their way to make a flaw in their firewall because they're evil. /sarcasm

  10. Wait a second... by CompMD · · Score: 5, Interesting

    I thought it was illegal for Germans to do this kind of investigation now. Is it? I mean, it requires "hacking tools."

  11. All tests were run on localhost by hbp4c · · Score: 5, Insightful

    Perhaps I missed something...

    It looks like every test was run from the local machine. The tester set "block incoming connections", not "block local connections" and/or "block outbound connections".

    If you lsof, you're going to see ports open to localhost, unless the firewall is specifically dropping packets to 127.0.0.1.

    ntpdate is an ntp client tool, so it makes an outbound connection instead of an inbound connection.

    nmblookup actually warns the guy testing this - it realized that 192.168.69.21 was the local interface, so it responded as "localhost" instead of the samba name!

    The nmap test was the only tool that specifically checked a non-localhost IP, and it's not clear to me if it actually checked the localhost interface cleverly or actually sent packets out and through the firewall.

    As I said, perhaps I missed some critical fact. However, I would put more credibility in the tests if the tester had used a 2nd machine on his subnet to nmap the leopard firewall.

    1. Re:All tests were run on localhost by juct · · Score: 4, Informative

      Yes you are missing something.

      I ran all tests from a Linux machine. Look at the packet dumps. It shows two machines communicating over a network.
      Look at the IP address given as an argument to ntpdate -- it is a public IP of an ISP that I queried from our company network.
      Look at the quoted logfile entries. All of them show that the tests have been run from external machines.

      bye, ju

  12. I am not convinced by avatar4d · · Score: 5, Informative
    This article is a bit fishy in its interpretation. They don't list their expectations vs the results. They just make assumptions. For instance:

    Users who want to raise their security level might choose the option "Block all incoming connections" - in the hope that this really will reject all incoming queries to network services.
    Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.

    The initial tests looked promising. The SSH server activated for testing purposes and the primitive demo backdoor could no longer be accessed from outside. The firewall even blocked access to a test server on a UDP port:

    Oct 29 11:26:49 Qf98e Firewall[44]: Deny nc data in from 193.99.145.XXX:28524 uid = 0 proto=17

    However, a simple port scan was enough to destroy our misplaced optimism:

    # nmap -sU 192.168.69.21
    PORT STATE SERVICE
    123/udp open|filtered ntp
    137/udp open|filtered netbios-ns
    138/udp open|filtered netbios-dgm
    631/udp open|filtered unknown
    5353/udp open|filtered zeroconf
    MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)
    They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.

    Then straight from NMAP's documentation:

    "Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/)

    And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would expect "Block all INCOMING connections" not to refuse information that I request. Basically this just does ingress filtering and not egress.

    I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.
    --
    Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
    1. Re:I am not convinced by Todd+Knarr · · Score: 2, Interesting

      The NTP port is easy enough to explain. NTP is a UDP-based protocol, so there aren't any connections. When operating properly, the time interval between packet exchanges with the time servers is long so maintaining the equivalent of a TCP masquerading map isn't feasible (you either need unreasonably long timeouts leading to odd behavior when the entries become invalid but aren't timed-out, or you tend to time out active entries). Since NTP packets are fairly simple and, being UDP, arrive in a single message with the length known as the packet is read, NTP clients aren't generally subject to buffer overflow attacks. Since they also default to not trusting or accepting synchronization from any hosts other than those they're configured to use and to only accept packets from those hosts that're in response to a known request from the client, and serving time up to random clients is considered safe for the server, it's not considered a risk to have them accessible and it simplifies the firewall rules considerably to just leave the NTP port open to the world.

  13. Misleading descriptions by Todd+Knarr · · Score: 4, Informative

    I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it is being blocked. If this is any indication of the quality of this "analysis", we can discount the article.
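Comments 12 and 13 above argue over what nmap's open|filtered state actually proves. The following is an added example for this thread (not code from Heise, Apple or the Nmap project): it parses an `nmap -sU` report like the one quoted and labels each port by what its state is evidence of. The scan text is a constructed copy of the output quoted in comment 12, and the verdict strings are this example's own wording of the Nmap manual's state definitions.

```python
"""Classify the ports in an `nmap -sU` report by what nmap's state names mean.

Added example for this thread, not code from Heise, Apple or the Nmap
project. The scan text is constructed from the output quoted above; the
verdict wording is this example's own.
"""
import re
from collections import namedtuple

PortResult = namedtuple("PortResult", "port proto state service verdict")

# What each nmap UDP state is evidence of (wording constructed here from the
# Nmap manual's definitions). For UDP, "open|filtered" is the no-reply case:
# the service may simply be silent, or a firewall may have dropped the probe.
VERDICTS = {
    "open": "replied to the probe: a reachable service is confirmed",
    "closed": "ICMP port unreachable came back: nothing listening, not dropped",
    "filtered": "another ICMP unreachable error came back: a filter is blocking it",
    "open|filtered": "no reply at all: silent service OR firewall drop; not proof of exposure",
}

_LINE = re.compile(r"^(\d+)/(udp|tcp)\s+(\S+)\s+(\S+)")


def parse_nmap_scan(text):
    """Parse the PORT/STATE/SERVICE table nmap prints; skip headers and footers."""
    results = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # the "# nmap" command, header line, MAC Address line, blanks
        port, proto, state, service = m.groups()
        verdict = VERDICTS.get(state, "unknown nmap state")
        results.append(PortResult(int(port), proto, state, service, verdict))
    return results


def confirmed_open(results):
    """Only an unambiguous 'open' shows that a service answered the prober."""
    return [r.port for r in results if r.state == "open"]


def unresolved(results):
    """open|filtered ports need a follow-up (a service-specific probe, or the
    firewall log on the target) before anyone calls them exposed."""
    return [r.port for r in results if r.state == "open|filtered"]


# Constructed copy of the scan quoted in the thread (comment 12).
THREAD_SCAN = """\
# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)
"""

if __name__ == "__main__":
    scan = parse_nmap_scan(THREAD_SCAN)
    for r in scan:
        print(f"{r.port}/{r.proto} {r.service:<12} {r.state:<14} -> {r.verdict}")
    print("confirmed open:", confirmed_open(scan), "unresolved:", unresolved(scan))
```

Note that this only interprets the report; as comment 11 points out, the scan itself has to be run from a second host for the states to say anything about the firewall at all.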

  14. A hardware firewall explained by mkiwi · · Score: 3, Informative
    I've read too many posts to ignore this.

    [Rant]

    There is no such thing as a purely hardware firewall in modern times.

    The hardware, like a Cisco PIX, has software (i.e. firmware) running on top of a simple OS (usually a Linux or BSD architecture). A true hardware firewall is John or Jane sitting at a switchboard plugging in and unplugging cables, like way back when telephones first existed. You could also theoretically unplug the networking cable every so often to get a firewall-like effect, but the bottom line is that there is something (a brain) that decides what goes in and what goes out. The brain is a bunch of code (software) that is the firewall.

    Hell, create a searing flame capable of burning anyone to death who dares walk through it - that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.

    [/Rant]

    1. Re:A hardware firewall explained by Anonymous Coward · · Score: 5, Informative

      Actually, no, the literal definition of a firewall is a wall built to block the spread of fire, like the wall between the engine and passenger sections of a car. Not a wall made of fire, lol.

  15. Why isn't this story also tagged as "haha"? by PipingSnail · · Score: 3, Insightful

    Why isn't this story also tagged as "haha"?

    If this was a story about a Windows Firewall, as well as defectivebydesign you'd also have the "haha" tag. Do I detect bias?

  16. Don't backpedal too much, or you'll fall over. by mattgreen · · Score: 3, Insightful

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ? And what happens in the event the trust system is subverted somehow? Either the user accidentally trusts malware, or malware manages to squeeze itself in, what would the user do? The only option they have left is to pull the network connection. At least with a real firewall, a savvy user can lock down their machine and safely investigate further.

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well. I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have to read the documentation? This is a major bug. Don't try to downplay it like it's no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?
    1. Re:Don't backpedal too much, or you'll fall over. by Bill_the_Engineer · · Score: 2

      I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have to read the documentation? This is a major bug.

      I think you missed a huge point in your haste to make a point against Apple. When "Block all incoming connections" is set, it blocks all user applications, not root applications.

      Now for a legitimate complaint -- why did it disable my firewall during the upgrade? Or did it??

      So I decided to do an EXTERNAL port scan to see what was happening. Admittedly, I'm too lazy right now to set up my other computer and run nmap, so I'm using a TCP port scanner hosted on the internet. After running port 0 through 1055, all the ports came back closed with the exception of ports 135-139 and port 445 being stealthed. Ok this is a minor bug, because my computer now responds to pings and actively returns the port status for all but the Microsoft related ports (ok maybe Netbios is a better term than Microsoft related). However, NONE of the ports are functional.

      So the default firewall settings are to drop the ICMP packets for 135-139 and 445.

      So after setting the firewall to "block incoming connections for applications" running as my user account, I can re-enable the advanced option to stealth all closed ports. I re-ran the tests and my computer no longer accepts pings or returns the ICMP messages. As far as the external scanner knows, my computer no longer exists.

      OK so what does this mean? Well it means that if I ran an application that used the network, I wouldn't be asked to allow the connection. OK, so I *may* become stupid one day and run a program that creates an available port - what's the big deal? Well it will have access to my directory and anything my user account can access, but not my root account. This is a user education problem, not an OS design issue. Enabling the "block incoming" option should safeguard against some lapses in judgement.

      What about the services running as root (like Bonjour)? From Apple:

      "Sandbox tested.
      Sometimes hackers try to hijack an application to run malicious code. Sandboxing helps ensure that applications do only what they're intended to by restricting which files they can access, whether they can talk to the network, and whether they can be used to launch other applications. Helper applications in Leopard -- including the software that enables Bonjour and the Spotlight indexer -- are sandboxed to guard against attackers."

      OK - So can we now dial down the hyperbole a little???

      Don't try to downplay it like it's no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?

      In order for a worm to work, we would have to have some method of it being able to propagate itself without user intervention. This requires teaching the user not to run applications from dubious sources; I see this as a problem for ALL operating systems.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  17. Firewalls are for wimps! by OptimusPaul · · Score: 2, Funny

    Firewalls are half-assed anyway, why bother with half-assed security, never do it halfway... I say go full-assed and leave all ports open! Take back the internet! Let our data flow! Freedom! DISCLAIMER: I don't know shit about security, as a result I don't keep any sensitive info on my computer.

  18. Re:"defective by design" by Cally · · Score: 2, Funny
    "Designed by defectives", perhaps?

    Out in hall, wasn't it? No, don't get up...

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  19. Re:other quirks with OSX and the services/firewall by wolrahnaes · · Score: 2, Informative

    This is on OSX 10.4. I wanted to share an internet connection (internet to eth0, then the airport card serving as a gateway for 2 laptops and an iphone to access the internet). All peachy, but this stupid OS does not let me do it unless I also set up an apache webserver?!?!?! What the fuck are you smoking?

    I'm sitting here on my Macbook sharing my 3G connection from my phone over WiFi to a few of my coworkers' laptops, and Apache is certainly not running. Currently I'm on 10.5, but I never had to turn it on with 10.4 either.
    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
  20. Re:Default Leopard install NMAP 4.20 scan by Todd+Knarr · · Score: 2, Informative

    No. It means that the firewall's black-holing (dropping without generating any ICMP response) all packets to ports 80 and 443. It can do this whether or not a Web server's running.

  21. Don't depend on services being disabled. by argent · · Score: 2, Informative

    Unlike Windows, OSX does not run with services enabled unless you explicitly enable them.

    It sounds like if you don't enable a service, it doesn't enable the firewall rules for that service. If you do enable the service, then it turns on the firewall rules for that service. This is not a problem unless you install a third-party program that provides the same network service, *and* you want to restrict access to it.

    The argument in the article that the firewall would prevent a trojan from opening a listener on a low port is bogus, because any program that can open a listener on a low port can also remove the corresponding firewall rule... you have to be root to do either.

    The fact that Samba processes were still running after sharing was turned off, however, is a concern. That absolutely should not happen, and Apple needs to fix it.

    The workaround is to make sure that after you disable a service, you reboot to make sure it is really disabled. If you don't enable any services that should not be an issue.

  22. Might also be a flawed analysis... by CatOne · · Score: 3, Interesting

    http://leofud.blogspot.com/

    Specifically that the open|filtered may mean the ports are in a stealth mode... which is what you want!

    I did a port scan of my Leopard machine from a Tiger machine and didn't see any open ports at all. I'm not running the firewall either -- but I don't have any services turned on right now. That's the way OS X ships by default (and has since at least 10.2).

    Not arguing that things couldn't be better communicated by Apple, but I think an article claiming they're taking a Microsoft-esque tack toward security is more than likely politically loaded.

  23. UDP blocking requires separate activation by amoney · · Score: 2, Informative

    In OS 10.4 Tiger, in order to block UDP traffic, one had to click on the Advanced tab in the Firewall pane and select "block UDP traffic" otherwise the firewall would only block TCP traffic. If you notice in the article, all the open ports are UDP. I don't have a copy of Leopard yet, but given that the author didn't mention anything about the advanced tab I wouldn't be surprised if it's still the same for Leopard and that he didn't make this selection.

    Blocking UDP traffic in 10.4:

    http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1242.html