
OS X Leopard Firewall Flawed

kdawson posted more than 6 years ago | from the block-what-i-say dept.

Security 300

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

300 comments

Never put your eggs in one basket. (5, Informative)

jellomizer (103300) | more than 6 years ago | (#21174973)

Lesson 1.
Never trust software firewalls. Software firewalls should only be used for protection against "internet static" attacks, where just random worms and viruses are trying to get in. Software firewalls are normally bad against direct attacks from real hackers, because there are so many ways to trick the user into installing software to get around them...

Lesson 2.
Never trust anyone to keep security up. Apple, Microsoft, Linux distributions, even OpenBSD: they are all made by humans, and humans make mistakes and forget to check things out...

Lesson 3.
Always keep a hardware firewall; even if it is a cheap Linksys Firewall/Router, it will double up protection and keep your system relatively safe.

Lesson 4.
Never assume that you are 100% safe. There are always ways around things...

Re:Never put your eggs in one basket. (4, Insightful)

MBCook (132727) | more than 6 years ago | (#21175031)

I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

So what do I think of all this? I don't know. I saw comments somewhere the other day that claimed that these guys were just misunderstanding, but I'm not sure. I expect a firewall to block things if I tell it to though.

Re:Never put your eggs in one basket. (3, Insightful)

RobertM1968 (951074) | more than 6 years ago | (#21175971)

I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

Regardless, if I am on a network where I don't have control of all the machines on it 24/7, then I think running the machine's OS (or add-on) firewall is still a must. It really doesn't matter how great a hardware firewall is if someone infects their machine via a CD, DVD, USB drive, etc. from something they bring from their infected home machine or friend's machine or whatever. Since most direct network traffic doesn't (try to) pass through the hardware firewall, one should always be protected from the other machines on their network. For instance, in my office, we have a couple WinXP machines - and though they are not infected, they are constantly broadcasting nonsense trying to find their brethren (to EVERY machine on the network). Our "hardware" firewall does nothing to stop that - even though it does block the traffic from going OFF our network. I block that traffic on my other machines at their firewalls (no need to waste sockets or OS time handling the packets at all). If those XP machines were infected... well, you see the point.

Having one machine on the network, or a few machines that only you use (with taking precautions not to infect them from an external source), then yeah, a hardware firewall is probably all you need.

Re:Never put your eggs in one basket. (1, Offtopic)

ScytheBlade1 (772156) | more than 6 years ago | (#21175057)

I trust my linux based software firewall a lot more than I trust a Linksys router doing NAT.

Re:Never put your eggs in one basket. (0)

jellomizer (103300) | more than 6 years ago | (#21175713)

Except unless you are completely anal, check the source line by line for all the applications you run, do absolutely nothing as root, and make sure your OS is free from all buffer overflows.... (in this case you have little time left to do anything of use on your computer) you could run a trojan script that disables your firewall, some update to the firewall software where a compile bug makes it seem like it is running but it is completely unusable, or, like in OS X 10.5, new features added to it that actually hurt security more. The problem with software firewalls is the human factor: humans can be tricked into doing a bunch of things...

Re:Never put your eggs in one basket. (1)

sg3235 (589034) | more than 6 years ago | (#21175947)

I run a software firewall on Linux. I seriously doubt I could be tricked into running a script that disables my firewall for the simple reason that running the firewall is the only thing the box is used for. I have a second Linux box that functions as server. I also have windows and apple machines on my network. Though the risks that you state are valid, it's not the fact that the firewall is software rather than hardware that makes it vulnerable, but that you are using it to do more than one task.

Re:Never put your eggs in one basket. (5, Insightful)

ScytheBlade1 (772156) | more than 6 years ago | (#21176013)

Really good thing that my linux software firewall is stored on a read-only filesystem then, and only allows login via SSH hostkeys.

I made my initial post pretty quickly, and likewise screwed up some things.

What is the difference between a software and a hardware firewall anyways? Heck, what is a firewall? There are so many countless ways of defining a 'firewall' that the average home router you can pick up at your local grocery store is advertised as a "router/firewall." Just because it's embedded suddenly makes it less of a software firewall, and more of a hardware one?

As mentioned, my router has a read-only root file system. It's also running a complete linux distro. Is this a hardware or software firewall?

Further, it does stateful packet inspection (four-ish lines of iptables commands? Worth $40+ on 'firewall' devices?), QoS (both host and service based), and it does this all through a transparent ethernet bridge. Then I have an admin ethernet jack, which requires IPSEC connectivity before you can touch the internal ports (22, 80).

It's a complete linux distro, so it's software. It's 100% embedded, so it's hardware.

As mentioned, other routers are embedding linux. Cool. Hardware or software? More secure, or less? More capable? Or less capable?

Classifying 'software firewalls' as 'insecure' and classifying 'a cheap Linksys Firewall/Router' as 'secure' is kinda scary in all truth. Well, mostly just wrong. Firewalls are too generic now - just because it says 'firewall' on the front, you're supposed to think that you're safe from 'hackers.'

Re:Never put your eggs in one basket. (2, Insightful)

JCSoRocks (1142053) | more than 6 years ago | (#21175067)

Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, ...
Do you see that, Apple fanboys!? Quick! Attack! GO GO GO!

Seriously though, he's right. People in both camps should realize that no matter how great you think your software is, it's not perfect.

Re:Never put your eggs in one basket. (2, Insightful)

jellomizer (103300) | more than 6 years ago | (#21175621)

Looking at your moderation and the parent's shows that your statement is true... I am using OS X right now and I am hoping my copy of Leopard is in the mail, and planning to install it as soon as I get home... Even though I really like the OS right now (it is my favorite), I don't want to be a fanboy and assume that it is a flawless, perfect system that will protect me from nuclear blasts, and that Steve Jobs is always right... There are things I dislike about the OS, but I dislike them less than my dislikes of other OSes.

Re:Never put your eggs in one basket. (5, Interesting)

Anonymous Coward | more than 6 years ago | (#21175085)

Couldn't you argue that more layers = more possibilities for attack vectors?
Also, FYI, a hardware firewall is just a dedicated software firewall.

Re:Never put your eggs in one basket. (5, Funny)

gEvil (beta) (945888) | more than 6 years ago | (#21175295)

Also, FYI, a hardware firewall is just a dedicated software firewall.

I don't know if I buy that. I mean, one has the word "hard" in it, while the other has "soft" in it. Given the choice of the two, the "hard" one sounds far more secure.

Re:Never put your eggs in one basket. (5, Funny)

Sloppy (14984) | more than 6 years ago | (#21175775)

That's why, on my computer, I use a hardware null device. I don't trust the OS's slow software-emulated null device to properly dispose of my unused bits. You never know who might be going through your trash, piecing together private information. The performance boost is just icing on the cake.

Re:Never put your eggs in one basket. (1, Funny)

peragrin (659227) | more than 6 years ago | (#21176065)

ah so you never returned your Sony Batteries.

remind me never to borrow your computer.

Attention: MODS (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21175319)

This is just Stevie (HomelessinLaJolla) demonstrating, as usual, that he doesn't know what he's talking about.

MOD. PARENT. DOWN.

Re:Never put your eggs in one basket. (3, Insightful)

nharmon (97591) | more than 6 years ago | (#21175323)

Fine. Just don't have your main firewall be on the same machine as the data you're trying to protect.

Re:Never put your eggs in one basket. (4, Informative)

Cecil (37810) | more than 6 years ago | (#21175351)

Couldn't you argue that more layers = more possibilities for attack vectors?

That would only apply if breaking one link in the chain is as good as breaking all the links in the chain - i.e., if they give special accommodations to one another because they are all part of the "same network", or one contains passwords to the others, or something of that nature. In this case that should not happen, thus you must break each link in succession to get through.

Also, FYI, a hardware firewall is just a dedicated software firewall.

The key word here is "dedicated". A dedicated firewall means you are not installing other software on it which could compromise the firewall itself (either intentionally or through poor design), and it also means that should a hacker somehow break into the firewall, your losses are limited as they have not also gained entry to your files, your passwords, your keyboard, your browser, etc and they cannot rootkit your PC. They only get a tiny, wimpy processor with little-to-no storage and complete network access. Dangerous, yes, but not a complete disaster.

Re:Never put your eggs in one basket. (1)

walt-sjc (145127) | more than 6 years ago | (#21175875)

They only get a tiny, wimpy processor with little-to-no storage

This depends on what you use as a dedicated firewall. Some of the dedicated commercial firewalls are actually fairly powerful systems.

Re:Never put your eggs in one basket. (5, Informative)

Zenaku (821866) | more than 6 years ago | (#21175371)

If the layers of security are really layers of security, then no, you couldn't argue that. You have to breach the outermost layer before you can even attack the second layer, and you have to breach that layer before you can attack the third, etc.

Re:Never put your eggs in one basket. (1)

Bryansix (761547) | more than 6 years ago | (#21175407)

Actually some firewalls do the filtering and packet checking in hardware and some (mostly newer ones) actually just run software to do the task. Linksys for instance has both. One is not better at being a firewall than the other, although you might argue that the hardware version will have more uptime.

As for more layers equalling more attack vectors; that is complete hogwash. The second firewall doesn't open holes in the first in order to function. It just filters the traffic that actually makes it through the first one.

Re:Never put your eggs in one basket. (1)

jellomizer (103300) | more than 6 years ago | (#21175519)

No not for this case.

Firewall A has all ports blocked

Firewall B has all ports blocked

Breaking Firewall A doesn't affect Firewall B; the technique for Firewall B is different from Firewall A. It is like having 2 locked doors with different keys and lock types. It is like saying if you have more keys and doors that are locked, the less time it will take for a burglar to break into your house...

Yes, a hardware firewall is a dedicated software firewall, but that is all it is doing; you don't go install software on it that could turn it off. All it does is what it is supposed to do... In some cases it is hardware controlled. I remember a long time ago a white paper on Sun firewall software that properly filters information with the OS stopped. All the traffic is handled with the network card settings.

Lesson 5 - Belt and suspenders (braces) (1)

JonTurner (178845) | more than 6 years ago | (#21175203)

jellomizer,

Good post, but hardware firewalls are not infallible as they are also affected by Lesson #2 (made by humans who make mistakes) and can be hacked, as per Lesson #1.

So, rather than have an either/or solution, why not apply all the tools at our disposal?
* If you have a hardware firewall, use it.
* If you have a software firewall, use that, too.

And regardless, run a service such as "Little Snitch" which requires each application explicitly ask permission before communicating with external resources (e.g. "phoning home").

Re:Never put your eggs in one basket. (2, Interesting)

physicsboy500 (645835) | more than 6 years ago | (#21175521)

Lesson 4.
Never assume that you are 100% safe. There are always ways around things...
I (unfortunately) used to work for Geek Squad and you wouldn't believe how many people got completely enraged about this one. They would bring a virus-ridden computer in (mainly because they didn't follow lessons 1, 2 or 3) and ask why their firewall or virus software didn't catch the error. I had to explain that there are always ways around security measures and they need to continually update to help prevent this, but there is no failsafe. The conversation that generally followed was "So you're saying I spent ~$40 on a firewall and ~$40 on antivirus and it may not even prevent me from malware?!"

It made me wish I worked at a place like this [ctrlaltdel-online.com] just so I could tell them where to stick their virus protection.

Re:Never put your eggs in one basket. (2, Interesting)

VisceralLogic (911294) | more than 6 years ago | (#21175909)

Of course, I was once running OS X for quite awhile with no firewall, because I had turned it off for some reason (debugging X11 connection, I think), and forgot to turn it back on. Still no problems when I realized it was off several months later.

Investigation flawed, more like (4, Insightful)

Space cowboy (13680) | more than 6 years ago | (#21174981)

From the 'help' button available on the same screen (emphasis mine),

In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access

IMPORTANT: Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root"). They can also include digitally signed programs that are opened automatically by other programs.

... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all?

You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

And, FWIW, if I set the firewall to 'Set Access for specific services and applications', then disable SMB sharing, I can't connect using nmblookup. I can only get through when the service has been enabled (which seems reasonable).

Simon

Re:Investigation flawed, more like (0)

Anonymous Coward | more than 6 years ago | (#21175143)

I'm not familiar with Leopard, so this might be a bit of an odd question. What does it take for the certificate to be "trusted"? Is it possible for a malicious piece of software to be shipped with what the firewall will take as a trusted certificate and be granted access without user consent?

Re:Investigation flawed, more like (1)

Space cowboy (13680) | more than 6 years ago | (#21175215)

Plain answer - I don't know.

I *think* the only entity who can acceptably sign something at the moment is Apple themselves, but I wouldn't bet my life on it...

Simon.

Re:Investigation flawed, more like (4, Informative)

venicebeach (702856) | more than 6 years ago | (#21175541)

"All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications."

Re:Investigation flawed, more like (1)

dhavleak (912889) | more than 6 years ago | (#21176421)

If it works the same way as it does in windows, then applications can be signed by any certificate authority that the system trusts (Verisign + a few other most likely), and the OS binaries would be signed by Apple themselves.

In any case a signed module should not automatically be completely trustworthy. Verifying the digital signature merely tells you that the module has not been tampered with. If said module has an exploitable flaw (say a simple buffer overrun), you don't usually need to tamper with the module to take advantage of it.

Re:Investigation flawed, more like (4, Informative)

Kadin2048 (468275) | more than 6 years ago | (#21175593)

I'm not 100% sure on this, but if it uses the same certificate framework that's been present in OS X up until now (which I can't see why it wouldn't, honestly), it will mean having the CA for the signing certificate in as a trusted root. I assume Apple will have its own CA cert in there by default, but there will probably be a way that users can add other certificates as they see fit. I doubt this will be easy to do, because you don't want idiots doing it because it's easy to do and basically trojaning their own systems (e.g. "To install BigBoobsPorn.app, first download xyz.p12, and install it in your X509Anchors keyring..."), but I suspect that there's no technical reason why you can't do this.

That said, according to what I've read from some people, the security might not even be that rigorous; it might be more about making sure that only the developer of an application can update it automatically (so it's more difficult for an attacker to create an update that 'fixes' your copy of Mail.app or some other approved program to do evil things) than making sure each developer has been vetted by Apple or some other Higher Authority.

There is a posting from someone who supposedly has access to the Leopard previews over at ThinkMac basically saying this:

I can't tell you much without (totally) violating my WWDC NDA, but suffice it to say that this is not as bad as you think it is.

Anyone at all can easily make a new signing identity and use it to sign an application they just compiled.

The main objective of code signing in Leopard is not the same as for SSL certificates -- it is not to evaluate the trust or confidence of something based on a list of trusted certificate authorities.

Rather, it is to provide a much better means for users to identify applications. A good example is software updates. Right now, if a user updates your application, and your application asks for an item in the user's keychain, the user will get a Keychain warning telling him the application has changed.

With code signing, the user will get that dialog once, the first time he or she runs your application, and if you sign every future version of that application, the system will not bother the user again, because instead of using for example a hash of the application, it will now be using the code signature.
(source [thinkmac.co.uk])

Re:Investigation flawed, more like (4, Insightful)

Sloppy (14984) | more than 6 years ago | (#21175359)

so if Leopard trusts the service .. it will have access through the firewall.

The default configuration represents the situation where the user defers to Leopard's estimation of what can be trusted. If the user starts modifying the configuration, then the question of what Leopard trusts or doesn't trust, should be irrelevant.

But sure: they documented the bug, thereby causing it to be merely lame design, rather than a bug.

Re:Investigation flawed, more like (5, Insightful)

kebes (861706) | more than 6 years ago | (#21175383)

if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem

The problem is that the user asked the OS for a certain action ("block everything") and the OS didn't implement that action. This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"... which isn't a good policy when it comes to security. If a user tries to activate a firewall policy (because they happen to know a certain service is insecure, or not needed, or whatever), then the firewall should implement that policy.

You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't. You're also right that in principle the user should educate themselves about their software. However the software should, as much as possible, not misrepresent what's going on. Saying "blocking all connections" and then allowing something to connect is a recipe for security mistakes.

Re:Investigation flawed, more like (1)

elrous0 (869638) | more than 6 years ago | (#21176221)

This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"

If you don't trust Father Steve, you don't deserve an Apple, Heathen Infidel!!

Re:Investigation flawed, more like (1)

Genady (27988) | more than 6 years ago | (#21176329)

Part of me wants to think: "You know if you're serious about firewalling you'll write your own rules", but I think you're right. Someone (not it) needs to take a look at this research and confirm it, preferably from another machine on the subnet and not localhost. If I say 'drop outside access' by damned the OS/UI should do that.

All that said Apple REALLLLLLLY needs to offer up a pro firewall config tool. I'm all about writing my own rules, but I know they could provide a nice interface to this if they wanted to.

Re:Investigation flawed, more like (1, Troll)

mcrbids (148650) | more than 6 years ago | (#21175391)

... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ? ... and there are good reasons why this is useful.

For example, if you want to allow a database connection from the local DMZ but not anywhere else, you want to allow the database to connect to the wild, wooly Internet, but only from the DMZ. If the mere fact that the database server is "trusted" allows it to pierce the firewall, this capability is severely mitigated.

As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect, what good does it do if it doesn't block connections to applications, and worse, doesn't even properly report this fact to you?

The one that really takes the cake:

Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root").

So running an application as root alone is enough to render it open to the world? And it's not even properly reported as such? And you are OK with this? Glad to know that you aren't my security administrator...

You could argue that the 'Block all incoming connections' is badly worded

That's not all that I'd argue. This is a "let me know I'm safe" button. This is a "Don't let anybody in" button. People will check it, and not bother to think about it any more. That this button has almost no actual effect on security is simply awful.

This is a problem - expect a hotfix soon.

Re:Investigation flawed, more like (1)

Space cowboy (13680) | more than 6 years ago | (#21175609)

As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect, what good does it do if it doesn't block connections to applications, and worse, doesn't even properly report this fact to you?

Well, that's the thing, you see. It *does* block connections to applications. Did you miss that part?

There are some processes that are allowed to punch through the firewall, and Heise found those. I'd not argue against reporting those processes (perhaps in an 'advanced' tab, to prevent unknowing users from worrying needlessly), but anything not running as root, or crypto-signed, is blocked.

Here's another thought-experiment: How do you stop a root process from modifying the firewall on any unix box? On Linux it could alter the rules, make the connection, break the connection, replace the rules. I guess I don't see the point in trying to block root. That's what 'root' is for...

That this button has almost no actual effect on security is simply awful.

This is of course complete rubbish. It has a huge effect on security.

Enough. I'm done defending this - I think all it needs is some more UI to show the ports remaining open, and perhaps a reason why (root process, crypto-signed,...). Even if they put that in, it won't make a difference to the *actual* security, it'll just be some more information on the current firewall state, anyone who cares that much about it will be using netstat/lsof. If you want to get all in a tizzy about that, feel free.

Simon.
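One way to check a host's real exposure independently of what the firewall UI reports, as an added example that is not code from this thread, from Heise or from Apple: a Python audit over BSD-style `netstat -an` output that lists non-loopback listeners and flags any outside the administrator's allow-list. The sample output, the `audit`/`report` names and the allow-list of only SSH are the example's own assumptions.

```python
"""
Audit what a host actually exposes on the network against the services the
administrator meant to allow through the firewall.

Added example, not code from the Slashdot thread, Heise or Apple. It parses
BSD-style `netstat -an` output (the shape macOS prints: address and port
separated by a dot, '*' for "any"), keeps sockets that can receive traffic
from other hosts, and reports those outside an allow-list. The sample
output is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -an` on a BSD-derived system.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.8000                 *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     203.0.113.5.443        ESTABLISHED
udp4       0      0  *.137                  *.*
udp4       0      0  *.123                  *.*
udp4       0      0  127.0.0.1.49200        *.*
tcp6       0      0  *.22                   *.*                    LISTEN
"""

# Service names for the ports this thread talks about (for the report only).
SERVICE_NAMES = {22: "ssh", 123: "ntp", 137: "netbios-ns", 631: "ipp"}

# One netstat row: proto, Recv-Q, Send-Q, local, foreign, optional TCP state.
_ROW = re.compile(r"^(tcp|udp)\d*\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str     # 'tcp' or 'udp', with the 4/6 suffix stripped
    address: str   # local address; '*' means every interface
    port: int
    foreign: str   # remote endpoint; '*.*' means unconnected
    state: str     # TCP state such as LISTEN; '' for UDP


def parse_netstat(text):
    """Turn netstat rows into Socket records, skipping headers and unbound ports."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        address, _, port = local.rpartition(".")   # the last dot separates the port
        if not port.isdigit():
            continue                               # e.g. '*.*' with no port bound
        sockets.append(Socket(proto, address, int(port), foreign, state))
    return sockets


def is_loopback(address):
    """True for addresses only the local host itself can reach."""
    return (address.startswith("127.")
            or address.split("%")[0] == "::1"
            or address.endswith("%lo0"))


def is_listener(sock):
    """A TCP socket accepts connections only in LISTEN; a bound, unconnected
    UDP socket receives datagrams as soon as it exists."""
    if sock.proto == "tcp":
        return sock.state == "LISTEN"
    return sock.foreign == "*.*"


def exposed_listeners(sockets):
    """Listeners other hosts could reach if the packet filter lets traffic in."""
    return [s for s in sockets if is_listener(s) and not is_loopback(s.address)]


def audit(netstat_text, allowed):
    """Return sorted (proto, port) pairs exposed beyond the allow-list,
    with IPv4/IPv6 duplicates of the same service collapsed."""
    exposed = {(s.proto, s.port) for s in exposed_listeners(parse_netstat(netstat_text))}
    return sorted(exposed - set(allowed))


def report(unexpected):
    """Human-readable lines for the audit result."""
    return [f"{proto}/{port} ({SERVICE_NAMES.get(port, 'unknown')}) is reachable but not allowed"
            for proto, port in unexpected]


if __name__ == "__main__":
    # Policy under test: only "Remote login" (SSH) is meant to be reachable.
    ALLOWED = {("tcp", 22)}
    for line in report(audit(SAMPLE_NETSTAT, ALLOWED)):
        print(line)
```

A listener here is an upper bound on exposure, not proof of reachability: whether the firewall actually drops the traffic still has to be confirmed from a second host on the subnet, which is how Heise tested.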

Re:Investigation flawed, more like (1)

NNKK (218503) | more than 6 years ago | (#21176021)

This isn't about a root process being able to bypass the firewall, it's about external users being able to bypass the firewall to talk to a process running as root. I happily run such processes behind firewalls without caring much about potential vulnerabilities, because I know only trusted users have access to it, therefore only trusted users, who would already have full access to the box (either physically or by remote sudo/root access) anyway could exploit it and gain root.

A firewall that allows unrestricted connections to any process running as root completely breaks this model, and though one may argue about its theoretical wisdom and purity, it's a model that is incredibly critical to a great many networks in practice.

Re:Investigation flawed, more like (2, Informative)

Have Blue (616) | more than 6 years ago | (#21175705)

If you have specific advanced requirements like that, pop open the command line and enter it into the config yourself. The "firewall preferences" screen is just a wizard on top of ipfw.

Re:Investigation flawed, more like (2, Funny)

autophile (640621) | more than 6 years ago | (#21175869)

As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect...

If it's warm and fuzzy, it should be "I has a firewall (what I do wif it?)"

Lolz,

--Rob

Re:Investigation flawed, more like (2, Interesting)

ByOhTek (1181381) | more than 6 years ago | (#21175509)

The argument against that is in TFS even.

If you are testing software and don't want it accessible from the outside world, Leopard's trust be damned, you want it blocked. I agree with the author here, even if he managed to miss the obvious text: any hole in the firewall should be put there explicitly via the administrator of said firewall (or the machine it is on), not left default by the OS and its own preferences. If MS did the same thing everyone would get pissed. If Linux did the same thing [I'd hope] everyone would get pissed. If *BSD did the same thing, the devs would probably get brutalized by their own fanatics.

Re:Investigation flawed, more like (1)

roystgnr (4015) | more than 6 years ago | (#21175633)

An application or program might have requested and been given access through the firewall, or

So, this firewall, it just blocks remote access to applications that don't open TCP or UDP ports for listening? Awesome! I've been running a firewall for years and I didn't even know it!

Badly worded ... (1)

Pinky's Brain (1158667) | more than 6 years ago | (#21175861)

The netbios name service and NTP run regardless of how empty the services list seems to be. Also they never mentioned root, they ran netcat as a user and it was remotely accessible.

I can't see how you could argue Leopard's settings are badly worded, or the other way around ... it's a completely meaningless argument. It's just plain untruthful. Heise are used to the meaning of words not being changed just to make it so Apple is right.

Re:Investigation flawed, more like (0)

Anonymous Coward | more than 6 years ago | (#21176167)

> ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?

assuming the packages are bug free are we?

Don't backpedal too much, or you'll fall over. (3, Insightful)

mattgreen (701203) | more than 6 years ago | (#21176295)

... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?
And what happens in the event the trust system is subverted somehow? Either the user accidentally trusts malware, or malware manages to squeeze itself in, what would the user do? The only option they have left is to pull the network connection. At least with a real firewall, a savvy user can lock down their machine and safely investigate further.

You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.
I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have read the documentation? This is a major bug. Don't try to downplay it like its no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?

As any new OS (4, Interesting)

El Lobo (994537) | more than 6 years ago | (#21174985)

As with any new OS out there, these are childhood diseases. Every new system will have problems: small problems and big problems. The difference is that some will get praise anyway and some others will get "defectivebydesign" or "haha" tags.

Re:As any new OS (1)

marcello_dl (667940) | more than 6 years ago | (#21175149)

"defective by design" makes no sense if you're not a monopoly.

Re:"defective by design" (2, Informative)

Abjifyicious (696433) | more than 6 years ago | (#21175679)

Tagging this "defectivebydesign" doesn't make any sense here at all, whether or not Apple's a monopoly. "Defective by design" is a phrase coined to describe DRM encumbered products, because they really are designed to be that way. A defect in a firewall is most definitely not intentional. Unfortunately, "defective by design" has lost its roots, and has become a phrase that is mindlessly repeated by the slashdot hordes whenever any product has any problem with it whatsoever. Obviously it couldn't be due to oversight or incompetence, Apple must have intentionally gone out of their way to make a flaw in their firewall because they're evil. /sarcasm

Re:"defective by design" (1)

rkanodia (211354) | more than 6 years ago | (#21176235)

Agreed. There's a huge difference between "designed to be defective" and "designed defectively". Perhaps "defective by intent" would be more accurate, but you lose the satisfying and easy-to-remember assonance.

(Offtopic-ish) Re:"defective by design" (1)

recoiledsnake (879048) | more than 6 years ago | (#21176355)

The roots of this slashdot tag are in the juvenile site Bad Vista [fsf.org] run by Stallman's FSF.

They were asking people (don't know if they still do) as part of an astroturfing campaign to help out by tagging all Vista stories as defectivebydesign. Thus, it has lost its meaning and is just mindless people doing off topic tagging.

I once attended a talk by Stallman, it was fun and all, and the hall was jam-packed. But seriously, FSF needs to close that site, it's full of meaningless and mindless half-true FUD and the joke's on FSF for creating that site. Maybe it was just an attempt at spreading FUD on MS to counter (or complement?) MS's anti-Linux FUD, but to anyone with half a brain, the joke's on FSF.

Re:As any new OS (5, Informative)

croddy (659025) | more than 6 years ago | (#21175565)

"Defective by design" is not typically used to refer to "any defective technology, har har", except by a few folks here on Slashdot. "Defective by Design" is a campaign of the FSF, referring specifically devices or software that are deliberately crippled with DRM. see defectivebydesign.org [defectivebydesign.org] .

Sandboxing is fun! (0)

Anonymous Coward | more than 6 years ago | (#21176071)

ls /usr/share/sandbox/
bsd.sb quicklookd.sb
krb5kdc.sb syslogd.sb
mDNSResponder.sb update.sb
mdworker.sb xgridagentd.sb
named.sb xgridagentd_task_nobody.sb
ntpd.sb xgridagentd_task_somebody.sb
portmap.sb xgridcontrollerd.sb


No one ever thinks of the sandbox. Just sayin, is all.

OS Firewalls (5, Insightful)

nurb432 (527695) | more than 6 years ago | (#21174997)

Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.

Re:OS Firewalls (1)

pandrijeczko (588093) | more than 6 years ago | (#21175121)

Actually, a good security policy is to take a layered approach & to not simply just trust one device.

Yes, an external NAT/firewall/router is advisable but there's nothing wrong with activating the computer's firewall also - especially because firewall activation is usually associated with additional activity logging which, on a computer, will be more comprehensive & more likely to be looked at than any logging on the router.

Re:OS Firewalls (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21175349)

Exactly right, having a firewall perimeter ONLY is a disaster waiting to happen. If something is unleashed internally, every machine should be self-protected as well.

Re:OS Firewalls (1)

pandrijeczko (588093) | more than 6 years ago | (#21175379)

And of course, both of them together are still *NO EXCUSE* for not putting on regular software updates, turning off unneeded services and making sure everything is configured securely...

Re:OS Firewalls (1)

walt-sjc (145127) | more than 6 years ago | (#21176055)

If something is unleashed internally

Such as an un-patched laptop that is totally infested with malware... Work in any corporate environment and these things eventually find their way in... So what you do is only allow "trusted" machines on your "trusted" VLAN. A machine has to pass certain tests to maintain trust every time it is connected to the network. Untrusted "outsider" machines can still get to the internet and a "guest printer" though. This is what Network Access Control is all about. Furthermore, IDS systems can detect and shut down net access from anything that is behaving in an untrusted manner.

Re:OS Firewalls (3, Interesting)

AceCaseOR (594637) | more than 6 years ago | (#21175823)

Unfortunately, Apple's apparent company line (based on what I've heard from Apple sales reps) is that you don't need any "3rd party security software". Specifically, I overheard a salesperson speaking to a customer who was buying a notebook computer for his daughter (who was going to college), saying that the customer didn't need to purchase any of that kind of software, because OS X had no security holes. I did restrain myself from taking the salesperson to task for this in front of the whole store - but only because I didn't want to get kicked out of the store - as I hadn't completed my purchase yet. If I'd already gotten my iPod, I would have, at least, brought this to the manager's attention. As it is, it'd been a long day, and I wanted to get my iPod and go, so didn't make a deal about it.

In retrospect, I should have made a bit of a fuss about it, and were the situation to happen today, especially with what I learned from TFA, I would certainly have called the salesperson on this (albeit after I'd gotten my iPod - I'd rather not get kicked out of the store before I made my purchase).

Re:OS Firewalls (1)

cycoj (1010923) | more than 6 years ago | (#21175873)

Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.
Yeah that's why I always carry around my router with me, in case I need to access wireless at a hotspot.

Apple product insecure? No WAY! (0, Troll)

barbam (1134455) | more than 6 years ago | (#21175059)

Why is anyone surprised by this? After the iPhone security abomination and Apple's history of security vulnerabilities (remember that WiFi mess?), why would we expect that Leopard would be secure on release?

Software firewall (1)

GodCandy (1132301) | more than 6 years ago | (#21175089)

I tend to agree with the fact that software firewalls are more or less a joke. Some I would consider OK for some things such as blocking out the "static" that tends to make its way across any network from time to time. Else the best protection for most users is a simple hardware firewall. It keeps the bad people outside and allows you to do what you need to do with few restrictions. This is however no replacement for good old common sense which seems to get lost in the translation for today's society. Normally if you are surfing slashdot, e-bay, google, yahoo, and other popular sites you won't end up with worms and malware on your computer. If you're running a mac you will end up with less. However a mac is not the answer to all the problems. The answer lies with the end user.

Else I feel that the firewall could probably use some work. I am sure that Apple is already working hard to correct whatever problems they are seeing and will be patching this within the first few weeks. I hate to see a patch that early as it reminds me a lot of a Microsoft release however it has to happen in this case.

Re:Software firewall (-1, Offtopic)

pandrijeczko (588093) | more than 6 years ago | (#21175229)

If it was Microsoft who had committed this "crime", all the Microsoft and Apple users would be up in arms & throwing abuse at them.

However, because it's Apple, all the Apple fanbois think it's just fine and dandy - you're both laughable and pitiful in your devotion.

And before you say anything, I use Windows XP about a fifth as much as I use Linux - and have never owned a single Apple product because I've never yet found a need to own one.

Re:Software firewall (1)

GodCandy (1132301) | more than 6 years ago | (#21175527)

If you would like to argue... I think the firewall in XP sucked since day one. I again didn't use it opting for a hardware solution. I could care less if you use mac, windows, linux, or if your computer still runs off punch cards. It matters not. I am an equal opportunity hater. I however will never rely on a software firewall.

I am however a part of the Apple camp. I would expect more from them but some of their more recent endeavours have not been up to their usually strict standards. However for that I can forgive them. Microsoft on the other hand has not been able to release a product with any consistency that does not cause me grief. My linux distros tend to be stable however I sometimes find some things on the bleeding edge that should not be included in those releases either.

Else I was simply stating that yes software firewalls will always suck and yes you should get a real firewall router if you want any form of security on your local network. This is regardless of the os that you use as there are exploits targeting all of them nowadays.

Re:Software firewall (1)

pandrijeczko (588093) | more than 6 years ago | (#21175635)

I however will never rely on a software firewall.

Then you are a fool who has no idea what he is talking about.

As I said in a previous post on this thread, security is about layered protection, not one single point of potential failure. A sensible person deploys a hardware *AND* software firewall, as well as turning off unneeded services and checking everything is configured correctly.

Re:Software firewall (1)

GodCandy (1132301) | more than 6 years ago | (#21175857)

Perhaps you misinterpreted... I was stating exactly what you are attempting to rebut with. I do not depend on a software firewall. I would never take a computer be it a Mac or a PC and hook it directly to my cable modem and expect it to be secure using only the software firewall. There are layers of protection including but not limited to software. I do however argue that the software firewall is weak in its defenses and should only be used as a last line of defense. I also agree that services that are not in use should not be running on your system. This just leaves you open for attacks. Every network I work with is set up in a layered architecture to help curb outbreaks on my systems.

To this date I have had no problems with that setup. I however also use good common sense in my activities on the internet as not to become the victim of malware or other such programs.

To clarify once and for all when I stated "I however will never rely on a software firewall" I was simply referring to the fact that that is not a 100% fail safe line of defense be it hardware or software. Everything is only safe until someone figures out how to get into it.

Re:Software firewall (1)

cycoj (1010923) | more than 6 years ago | (#21175999)

So what do you consider a software firewall? A machine running iptables can be considered a software firewall, hey iptables is software. Also you do realize that what you're saying is totally impractical for say laptops. You might never leave the house (as any good slashdot nerd ;), but other people might actually go outside, and they might want to connect to a wireless hotspot. What do you do then? Where's your hardware firewall?

and now for something completely different... (5, Funny)

Tumbleweed (3706) | more than 6 years ago | (#21175099)

"It's not much of a firewall, is it?"

"Finest on this subnet, sir!"

"And how to you come to that conclusion?"

"Well, it's so *clean*!"

"It's certainly uncontaminated by security!"

Re:and now for something completely different... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21175183)

as much as i do appreciate the posting don't be surprised if the apple fanbois mod you down. they're the most humorless gimps i've ever seen.

Re:and now for something completely different... (0, Flamebait)

Cally (10873) | more than 6 years ago | (#21176121)

Flawed? So what's the nature of this flaw? Well, it doesn't really, well, work [neohapsis.com] . Not as such. Not as such. Yeah, we've heard there's some BSD firewalls already out there [google.co.uk] , and apparently some of them are supposed [openbsd.org] to be pretty secure [openbsd.org] , but... hell, we don't need firewalls, this is a Mac! And, as the strip "Osama Bin Laden's Computer Nightmare" in the latest issue of Viz so perspicaciously pointed out, Macs can't get viruses.

yup (-1, Offtopic)

gspawn (703815) | more than 6 years ago | (#21175181)

I work for an ISP, and several programs we distribute don't work with 10.4 at all, but do work with anything 10.0+ and above otherwise. Yes, 10.4 has issues at the moment.

Little Snitch anyone? (5, Informative)

solosaint (699000) | more than 6 years ago | (#21175213)

most powerusers I know use Little Snitch ... its better than the firewall apple includes

Re:Little Snitch anyone? (3, Informative)

frodo527 (614767) | more than 6 years ago | (#21175761)

I use Little Snitch on my MacBook Pro (still running Tiger) because OS X's built-in firewall doesn't configure or notify you about outbound connections. The problem reported in the OP about Leopard's firewall concerns inbound connections. Little Snitch doesn't do anything about those. IOW, Little Snitch complements OS X's firewall but does not replace it.

Negative story about Mac on Slashdot/ (0)

Anonymous Coward | more than 6 years ago | (#21175307)

It must be Tuesday.......Wednesday, Thursday, Friday.........

apple defense force (1, Funny)

Anonymous Coward | more than 6 years ago | (#21175375)

to the rescue!

Apple's security model is... (1)

throatmonster (147275) | more than 6 years ago | (#21175381)

Security through obscurity! The saddest part is, way too much (i.e. more than zero) of the stuff I do and deal with use that security model too.

Default Leopard install NMAP 4.20 scan (1)

Kancer (61362) | more than 6 years ago | (#21175419)

Strange nmap picks it up as an IronPort C60. I know they run a BSD variant on those boxes but the dump is that similar.

PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp filtered http
443/tcp filtered https
554/tcp filtered rtsp
1755/tcp filtered wms
Device type: specialized
Running: IronPort AsyncOS
OS details: IronPort C60 email security appliance

Anyone tested this? (2, Interesting)

commodoresloat (172735) | more than 6 years ago | (#21175461)

This was pointed out on a previous slashdot article and this poster [slashdot.org] claims it is not true.

Re:Anyone tested this? (1)

prockcore (543967) | more than 6 years ago | (#21175607)

That poster didn't have permission to view all the running services. He should've used sudo.

Re:Anyone tested this? (2, Interesting)

juct (549812) | more than 6 years ago | (#21175659)

This guy forgot to run it with "sudo" -- so lsof did not have sufficient rights to query.
Do a

sudo lsof -iUDP

and you will see all the services listening on UDP ports.

bye, ju

Wait a second... (5, Interesting)

CompMD (522020) | more than 6 years ago | (#21175681)

I thought it was illegal for Germans to do this kind of investigation now. Is it? I mean, it requires "hacking tools."

MAC firewall is mostly TCP. UDP is optional. (0)

Anonymous Coward | more than 6 years ago | (#21175697)

This is a known issue with the Tiger firewall. It only filters TCP unless you check the "Block UDP Traffic" advanced option. Even then it doesn't block all UDP traffic.
Why would they change this in Leopard?

"Software firewall" != "firewall" (1, Informative)

Anonymous Coward | more than 6 years ago | (#21175727)

The firewall maintained by the OS is, at best, a weak packet filtering defense when compared with a stand-alone, in-the-network firewall. The problem is that the on-board firewall is always at the mercy of the OS; anything with sufficient privileges can tamper with it. (Yes, I know of exceptions like FreeBSD's security levels, but that sort of defense is rare on most desktop computers.) A real network firewall
  1. sits inline in the network path
  2. is completely stand-alone, and not directly affected by changes to users' desktop environments
  3. is capable of moderately fine-grained access controls
  4. does not supplant other security measures, e.g., keeping your systems patched, practicing sanitary computing, etc.


Ideally, a firewall also
  1. can do stateful inspection
  2. has some higher level awareness on the OSI stack (e.g., it can tell something might be amiss if it sees an SSH session being negotiated on 80/tcp and can react accordingly)
  3. can have a management interface that's completely separate from the interfaces on which it applies its rulesets


Although I loathe analogies, in cars a real firewall sits between the dangerous (engine) and habitable (passenger) compartments, has a few holes poked in it to allow certain things through (throttle controls, wiring, etc.), and hopefully blocks everything else. The counterpart to a "software firewall" in such a case would be a piece of sheet metal between the engine and passenger compartments that spontaneously opened new holes whenever someone turned on the A/C, played a CD, or unfastened their seat belt. That's NOT A FIREWALL!

All tests were run on localhost (5, Insightful)

hbp4c (315334) | more than 6 years ago | (#21175751)

Perhaps I missed something...

It looks like every test was run from the local machine. The tester set "block incoming connections", not "block local connections" and/or "block outbound connections".

If you lsof, you're going to see ports open to localhost, unless the firewall is specifically dropping packets to 127.0.0.1.

ntpdate is an ntp client tool, so it makes an outbound connection instead of an inbound connection.

nmblookup actually warns the guy testing this - it realized that 192.168.69.21 was the local interface, so it responded as "localhost" instead of the samba name!

The nmap test was the only tool that specifically checked a non-localhost IP, and it's not clear to me if it actually checked the localhost interface cleverly or actually sent packets out and through the firewall.

As I said, perhaps I missed some critical fact. However, I would put more credibility in the tests if the tester had used a 2nd machine on his subnet to nmap the leopard firewall.
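The lsof point in the post above is worth acting on regardless of where the scan ran: `lsof -i` lists loopback-only sockets next to those bound to every interface, and only the latter are the firewall's problem. The following is an added example, not code from the article or from the poster, that parses output in the shape of `sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP` and keeps the listeners an outside host could reach. The sample output is constructed for the example (processes, PIDs, users and addresses are made up); the column layout is lsof's real one.

```python
"""Which listening sockets can the network actually reach?

Added example, not from the article. Parses lsof(8) output in the form of
`sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP` and drops everything bound to a
loopback address, leaving the listeners a host firewall has to cover.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in lsof's column layout (COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME); the processes and addresses are made up for the example.
SAMPLE_LSOF = """\
COMMAND     PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1           root   12u  IPv4 0x0001      0t0  TCP *:22 (LISTEN)
ntpd         34           root   20u  IPv4 0x0002      0t0  UDP *:123
mDNSResponder 35 _mdnsresponder 7u  IPv4 0x0003      0t0  UDP *:5353
cupsd        40           root    9u  IPv4 0x0004      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd        40           root   10u  IPv6 0x0005      0t0  TCP [::1]:631 (LISTEN)
nc         1234           juct    3u  IPv4 0x0006      0t0  TCP *:4444 (LISTEN)
python     1300           juct    4u  IPv4 0x0007      0t0  UDP 192.168.69.21:8888
python     1300           juct    5u  IPv4 0x0008      0t0  UDP 192.168.69.21:50000->192.0.2.10:123
"""

_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<fam>IPv[46])\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    host: str   # '*' for all interfaces, otherwise the bound address
    port: int

    @property
    def external(self) -> bool:
        """True if a packet from another host could be delivered to this socket."""
        if self.host == "*":
            return True
        if self.host == "localhost":
            return False
        try:
            return not ipaddress.ip_address(self.host).is_loopback
        except ValueError:
            return True   # unresolved hostname: flag it rather than silently skip it


def parse_lsof(text: str) -> List[Listener]:
    """Listening sockets only: TCP in LISTEN, UDP without a connected peer."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # header or a line in another shape
        if m["proto"] == "TCP" and m["state"] != "LISTEN":
            continue                      # an established connection, not a listener
        name = m["name"]
        if "->" in name:
            continue                      # connected UDP socket; only its peer can reach it
        host, port = name.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        listeners.append(Listener(m["cmd"], int(m["pid"]), m["user"], m["proto"],
                                  host.strip("[]"), int(port)))
    return listeners


def externally_reachable(text: str) -> List[Listener]:
    return [l for l in parse_lsof(text) if l.external]


if __name__ == "__main__":
    for l in externally_reachable(SAMPLE_LSOF):
        print(f"{l.proto:3} {l.host}:{l.port:<5} {l.command} (pid {l.pid}, {l.user})")
```

Run the real command with sudo, as the posts above note, or lsof will not see other users' sockets; feed its output to parse_lsof and the result is the list of ports an nmap from a second machine should find filtered if the firewall does what its label says.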

Re:All tests were run on localhost (4, Informative)

juct (549812) | more than 6 years ago | (#21176045)

Yes you are missing something.

I run all tests from a linux machine. Look at the packet dumps. It shows two machines communicating over a network.
Look at the IP address given as an argument to ntpdate -- it is a public IP of an ISP that I queried from our company network.
Look at the quoted logfile entries. All of them show that the tests have been run from external machines.

bye, ju

Re:All tests were run on localhost (1)

Pinky's Brain (1158667) | more than 6 years ago | (#21176137)

Lsof was of course done locally, but if you look at the image in the article of their connection to the NETBIOS name server you can see it was from a different IP (192.168.69.2 192.168.69.21). In theory he could have run the ntp request and the connection to the netcat service they started locally, but it seems wholly unlikely. Give the guy some credit, c't isn't written by complete idiots.

http://www.heise-security.co.uk/bilder/98120/1/1 [heise-security.co.uk]

I am not convinced (5, Informative)

avatar4d (192234) | more than 6 years ago | (#21176061)

This article is a bit fishy in its interpretation. They don't list their expectations vs the results.. They just make assumptions. For instance:

Users who want to raise their security level might choose the option "Block all incoming connections" - in the hope that this really will reject all incoming queries to network services.


Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.

The initial tests looked promising. The SSH server activated for testing purposes and the primitive demo backdoor could no longer be accessed from outside. The firewall even blocked access to a test server on a UDP port:

Oct 29 11:26:49 Qf98e Firewall[44]: Deny nc data in from 193.99.145.XXX:28524 uid = 0 proto=17

However, a simple port scan was enough to destroy our misplaced optimism:

# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)


They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.

Then straight from NMAP's documentation:

"Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/ [insecure.org] )

And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would suspect that "Block all INCOMING connections" to not refuse information that I request. Basically this just does ingress filtering and not egress.

I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.

Misleading descriptions (4, Informative)

Todd Knarr (15451) | more than 6 years ago | (#21176095)

I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it's being blocked. If this is any indication of the quality of this "analysis", we can discount the article.
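Both posts above turn on what nmap's UDP states mean, so here is the decision rule spelled out as code. It is an added example, not nmap's code and not from the article: for a UDP probe, a UDP reply means open, an ICMP port unreachable (type 3, code 3) means closed, the other ICMP unreachable codes mean filtered, and silence is open|filtered, because a firewall dropping the probe and a service ignoring an unrecognised datagram look identical from outside. What settles the question is a protocol-correct request such as the article's ntpdate or nmblookup run. The probe records and the app_results mapping below that stands in for such application-level answers are constructed for the example.

```python
"""What nmap's UDP port states prove, and what resolves the ambiguous one.

Added example (not nmap's code, not from the article). The state names and
the classification rules follow nmap's documented -sU behaviour; the probe
records and application-probe results are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3                      # type 3 / code 3: nothing listening
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}    # host/proto unreachable, admin prohibited


@dataclass
class UdpProbe:
    port: int
    udp_reply: bool = False                # some UDP datagram came back
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(p: UdpProbe) -> str:
    """nmap -sU state for one port from what came back (or did not)."""
    if p.udp_reply:
        return "open"                      # the only state that proves a service answered
    if p.icmp_type == ICMP_DEST_UNREACH:
        if p.icmp_code == ICMP_PORT_UNREACH:
            return "closed"
        if p.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    return "open|filtered"                 # silence: dropped by a filter OR ignored by a service


def refine_with_app_probe(state: str, app_replied: bool) -> str:
    """A protocol-correct request (ntpdate, nmblookup, nmap -sV) settles open|filtered."""
    if state == "open|filtered":
        return "open" if app_replied else "open|filtered"
    return state


def summarize(probes: List[UdpProbe]) -> Dict[str, int]:
    return dict(Counter(classify(p) for p in probes))


def proven_reachable(probes: List[UdpProbe], app_results: Dict[int, bool]) -> List[int]:
    """Ports where something actually answered: a UDP reply to nmap or to an app probe."""
    ports = []
    for p in probes:
        state = refine_with_app_probe(classify(p), app_results.get(p.port, False))
        if state == "open":
            ports.append(p.port)
    return sorted(ports)


# Constructed scan in the shape of the article's result: silence on the ports
# the firewall was supposed to cover, one closed port and one open port for contrast.
SAMPLE = [UdpProbe(123), UdpProbe(137), UdpProbe(138), UdpProbe(631), UdpProbe(5353),
          UdpProbe(9999, icmp_type=3, icmp_code=3),
          UdpProbe(53, udp_reply=True)]

# Constructed application-level follow-ups: an NTP query and a NetBIOS name
# query were answered, a CUPS browse packet was not.
APP_RESULTS = {123: True, 137: True, 631: False}

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("reachable:", proven_reachable(SAMPLE, APP_RESULTS))
```

The practical reading: a row of open|filtered lines is not evidence either way, and a Deny entry in the firewall log for one port says nothing about the next one; only an answered request on the port in question shows that the filter let the datagram through.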

A hardware firewall explained (3, Informative)

mkiwi (585287) | more than 6 years ago | (#21176097)

I've read too many posts to ignore this.

[Rant]

There is no such thing as a purely hardware firewall in modern times.

The hardware like a Cisco PIX has software (i.e. firmware) running on top of a simple (usually Linux or BSD) architecture. A true hardware firewall is John or Jane sitting at a switchboard plugging in and unplugging cables, like way back when telephones first existed. You could also theoretically unplug the networking cable every-so-often to get a firewall-like effect, but the bottom line is that there is something (a brain) that decides what goes in and what goes out. The brain is a bunch of code (software) that is the firewall.

Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.

[/Rant]

Re:A hardware firewall explained (5, Informative)

Anonymous Coward | more than 6 years ago | (#21176285)

Actually, no, the literal definition of a firewall is a wall built to block the spread of fire, like the wall between the engine and passenger sections of a car. Not a wall made of fire, lol.

other quirks with OSX and the services/firewall (0)

cpotoso (606303) | more than 6 years ago | (#21176173)

This is on OSX 10.4. I wanted to share an internet connection (internet to eth0, then the airport card serving as a gateway for 2 laptops and an iphone to access the internet). All peachy, but this stupid OS does not let me do it unless I also set up an Apache webserver?!?!?! Why? Why? Why? Why? Why? Why? Why? I do NOT want a webserver, just for the machine to be a gateway, but no... (sure there must be a way, but I did not feel like digging through pages of documentation... ended up allowing the server but changing the httpd config file to listen only to 127.0.0.1). The Macs always force you to work around the OS in silly ways... Sure it is a nicer system than Windoze and it has more apps available than linux (I used to be a linux-only person), but it is weird...

Re:other quirks with OSX and the services/firewall (0)

Anonymous Coward | more than 6 years ago | (#21176375)

Huh? Apache? I think this might be a case where you just happened to click it and didn't realize the internet sharing was working. I've never had to enable Apache to share my internet connection.

quote (0)

Anonymous Coward | more than 6 years ago | (#21176185)

In the words of Nelson Muntz "Ha Ha"

Why isn't this story also tagged as "haha"? (3, Insightful)

PipingSnail (1112161) | more than 6 years ago | (#21176291)

Why isn't this story also tagged as "haha"?

If this was a story about a Windows Firewall, as well as defectivebydesign you'd also have the "haha" tag. Do I detect bias?

Solution? (1)

failedlogic (627314) | more than 6 years ago | (#21176439)

I'm using Leopard and enabled the firewall and per-application blocking. I find it convenient as it's enabled in two or three mouse clicks like the Windows firewall. I'm not a security techie, but I understand that, as far as OS firewalls go, there is never a magic bullet and that it should not ever be the only solution I use.

Given that Apple may have (and likely has) a flaw to fix in its Firewall, what solutions are there for additional protection? I'd been using PortSentry (a former Cisco package, now OSS on Sourceforge) on my Tiger system. It compiled, installed and worked on Tiger using GCC but no longer on Leopard. I frankly don't trust Norton and some of the other "firewall" expert 'solutions' companies. I'd like to say I would be willing to learn IPFW firewall rules (I assume Leopard uses this) but the level of technical expertise needed is well beyond my knowledge level. I'm not a techie and learning to implement firewall rules demands expertise and is a fine art in itself - as is computer security.

So, what other level of security might make up for Leopard's lack of a good firewall? I like using OSS as there is support, its free (can't afford more software) and the code is open for review by community. Suggestions?