
Avoid file-sharing risks

Set your firewall for sharing files

A firewall creates a virtual barricade between one part of a network and another, preventing all kinds of data from passing in and out, depending on how the firewall is configured. A firewall can protect an entire network, but more typically, you install a firewall on a single computer to prevent other computers on a local network or the Internet from accessing any services that you haven’t specifically allowed.

To turn on Leopard’s built-in firewall service, open the Firewall view of the Security system preference pane. You have three distinct options to choose among:

  • Allow All Incoming Connections: This default option blocks no traffic. The firewall is off.
  • Allow Only Essential Services: An extreme option, this prevents any traffic from the outside world from initiating an unsolicited connection to any service on your computer, but allows you to connect out as much as you want.
  • Limit Incoming Connections to Specific Services and Applications: This option lets you pick and choose what gets in to which programs.
If you have any Sharing services enabled, they appear at the top of the list below Limit Incoming Connections. If you have chosen to control incoming access for specific applications—including Apple programs like iPhoto or iTunes that add themselves to the list with your permission when you enable sharing within those programs—they appear in this list, too. When both services and applications are shown in the list, they’re separated by a line with services on top and applications on the bottom.

Whenever you turn on or off any service, it is added to or removed from this list to create or remove an exception to the firewall. If you launch a program that needs access from the outside world, Mac OS X prompts you for permission to allow such access; if you agree, the application is automatically added.

You can also click the plus (+) button to add an application to the list. Or, to remove an application from the firewall settings, select it from the list and click the minus (-) button.

The Firewall view lets you control how the outside world reaches your computer’s services and applications.

Each application can be set to Block Incoming Connections or Allow Incoming Connections, but the setting applies only if you chose Limit Incoming Connections as your overall approach (as seen on the right).

The firewall for Leopard lacks the fine-grained ability that Tiger offered to control access based on ports (see the note below). Port-based access control is a typical feature of a firewall, and it’s odd that Apple changed its philosophy here.

Apple’s firewall has never offered control over which IP addresses or ranges are allowed or banned. Most firewalls can monitor for abuse and lock out specific addresses or networks, or make sure only authorized parties have access by allowing access to a service from only a few addresses.

If you need this level of control, or need to control access to services that aren’t supplied with Mac OS X, you need a third-party firewall—such as one of those listed a few pages earlier—or a router with firewall functions built in. These firewalls allow more elaborate rules to permit—among other purposes—file-sharing traffic to pass if you’re trying (wisely) to restrict who connects to your computer. See the table below for the ports you must enable for each service.

Ports to Enable for Different File Sharing Services

| Service | Ports | Notes |
| --- | --- | --- |
| FTP | Incoming 20 and 21, both UDP and TCP, and incoming ports 1024 through 65535 only when queried from another machine’s ports 20 and 21 | FTP clients send requests from ports 20 and 21, but if passive FTP is enabled on the client—an option required for some firewalls—the client connects from a high-numbered port. |
| Web | 80, 443 | 80 is regular Web, 443 is the secure version |
| Samba | 136-139, 445 | Apple opens just port 139 for Samba, but other ports might be required for various Windows networking services. |
| Timbuktu | 407 | |
| AFP | 548, 427 | |
| iPhoto | 8770 | |
| iTunes | 3689 | |

Note: Ports 443 and 4500 are needed to enable Leopard’s Back to My Mac feature.

A note on ports: A port is to an IP address as an apartment number is to an apartment building: ports are used to offer services, like file sharing or a Web server, and Internet-enabled software knows at which ports services are typically found. Ports can handle one of two forms of IP data: TCP and UDP. You may be familiar with the name TCP from TCP/IP, the area in the Network preference pane for each adapter in which you set up connectivity. But TCP is one form of wrapping up data; UDP is the other. TCP is typically used for communications in which every bit of data is important; UDP is often used for streaming media, where losing some data doesn’t affect overall reception.

You can configure Leopard’s firewall with one special feature for greater security—Stealth Mode. To access it, from the Firewall view, click the Advanced button.

The Stealth Mode option in the Firewall view lets you lock down Leopard tight as a sealed drum.

Check Enable Stealth Mode (as seen in the screenshot) to make your Mac appear essentially invisible to the outside world. Your computer won’t respond in any way to queries from the outside world that try to see if any port has a service behind it. This is a recommended approach for keeping a low profile. All outbound connections that your Mac originates will still work.
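As an added illustration (not code from the book, from Apple, or from any firewall product), this Python model evaluates an inbound connection against the three Firewall-view modes, the ports from the table above, a hypothetical per-rule list of allowed source networks (the address control the text says Apple’s firewall lacks), and the Stealth Mode switch, which changes whether a blocked probe gets an answer at all. The sample policy, addresses and service names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One firewall exception: a service's destination ports plus, optionally,
    the source networks allowed to reach it (the control the page says Apple's
    firewall lacks; added here as a hypothetical field)."""
    name: str
    proto: str                                   # "tcp" or "udp"
    ports: range                                 # destination ports accepted
    sources: list = field(default_factory=list)  # CIDR strings; empty = anyone

@dataclass
class Policy:
    mode: str      # "allow_all", "essential" or "limit": the three Firewall-view options
    rules: list    # consulted only in "limit" mode
    stealth: bool = False

def evaluate(policy, proto, dst_port, src_ip):
    """Decide one inbound connection attempt: 'allow' (reaches the service),
    'reject' (blocked, but answered with TCP RST / ICMP unreachable, so a prober
    learns a host is there) or 'drop' (blocked silently: Stealth Mode)."""
    if policy.mode == "allow_all":
        return "allow"
    if policy.mode == "limit":
        src = ipaddress.ip_address(src_ip)
        for r in policy.rules:
            in_scope = not r.sources or any(src in ipaddress.ip_network(n) for n in r.sources)
            if r.proto == proto and dst_port in r.ports and in_scope:
                return "allow"
    # "essential" mode, and anything unmatched in "limit" mode, is blocked
    return "drop" if policy.stealth else "reject"

def answering_ports(policy, src_ip, proto="tcp", ports=range(1, 1025)):
    """Ports on which the host responds at all to the given source, i.e. the
    footprint a remote party can observe. With Stealth Mode on, only the
    allowed services remain visible."""
    return [p for p in ports if evaluate(policy, proto, p, src_ip) != "drop"]

# Constructed sample policy using ports from the table above: AFP only from the
# local subnet, Web from anywhere, everything else dropped silently.
SAMPLE = Policy(mode="limit", stealth=True, rules=[
    Rule("AFP", "tcp", range(548, 549), ["192.168.1.0/24"]),
    Rule("Web", "tcp", range(80, 81)),
    Rule("Web (SSL)", "tcp", range(443, 444)),
])
```

Turning `stealth` off in `SAMPLE` makes every blocked port answer with a rejection, so `answering_ports` returns all 1024 probed ports instead of just the allowed services.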

Protect Your Passwords

The last part of protecting your file-serving system is to make sure that neither you nor any of your remote users inadvertently let slip the passwords that are used to access it. Should a password fall into the hands of an unauthorized person, the contents of your read-only repositories will suddenly be available to that person. And, a read/write server could be compromised with stolen software, as I noted above.

Web and FTP services that use passwords don’t protect those passwords, nor do they scramble the data that passes back and forth from a client to a server. So, if users connect to your file services over a Wi-Fi hotspot in a public location—such as a coffee shop or airport—they should use either a virtual private network (VPN) that encrypts all network traffic or an encrypted version of FTP. They should avoid Samba, too, which poorly protects passwords, and non-SSL-based WebDAV.

Tip: If you don’t have access to a VPN server, and most of us don’t, you can “rent” this encrypted service from WiTopia for $40 per year or publicVPN for $6 per month or $60 per year. Both firms provide a simple way to start or stop a VPN connection. (WiTopia uses a separate application; publicVPN uses built-in Mac OS X support.)

[Glenn Fleishman is editor of Wi-Fi Networking News, a contributing editor for TidBits, the Practical Mac columnist for The Seattle Times, and a regular contributor to Macworld. His latest book is Take Control of Sharing Files in Leopard (TidBits Publishing, 2007).]
