Understanding and using Leopard's firewall

Mac OS X has long included a basic firewall, but with the release of Mac OS X 10.5—also known as Leopard—this fundamental security technology is moving in a new and innovative direction. As with any major change in a popular operating system, this transition comes with a learning curve, but thanks to the recent OS X 10.5.1 update from Apple, Leopard’s firewall is fairly straightforward and recommended for the average Mac user.

As a security professional I’m often asked by Mac users if they need a firewall. It’s a surprisingly difficult question to answer. Firewalls prevent unapproved connections to open ports on a computer or network, but the average Mac, by default, doesn’t open many ports in the first place.

Leopard is a bit chattier than earlier versions of Mac OS X, but out of the box (at the time of this writing), there are no known attacks for these default services. This is unlike most versions of Windows that ship with a bunch of open services for an attacker to target.

But one security mantra is, “never assume,” and what’s true today won’t be true tomorrow. As you install and use programs on your system you often open ports without realizing it, and there’s always the possibility (make that probability) of a new attack. Since the Leopard firewall is easy to use for non-technical users I recommend activating it, even if you’ll never need it.

Drawing fire

When Leopard was released in late October, the firewall behaved differently than what you’ll see in the current version. “Allow only essential services”—an option for configuring the firewall we’ll discuss more below—had another label: “Block all incoming connections.” However, this option left a number of open ports, including any service running as the root user, none of which were shown in the user interface.

The application firewall also allowed these open services, but broke some applications, such as Skype, that change their internal code when they run. The firewall would digitally sign the application, but if the application’s code changed at all, Mac OS X would think it was an unapproved modification and refuse to run it. These applications would bounce on the Dock a few times and close, confusing users.

OS X 10.5.1 fixed these flaws by properly labeling the options, tightening and documenting which “essential services” are allowed, and re-prompting users to activate changed applications instead of breaking them.

Users uncomfortable with the application firewall can still manually configure the included stateful packet inspection firewall, ipfw, which is always running in the background. This is for advanced users only, and I’ve posted configuration instructions and a base rule set here.

Configuring the firewall

In previous versions of OS X the firewall was hidden in the Sharing pane of System Preferences. Leopard changes things—you’ll now find the firewall in System Preferences’ Security pane. When you click on Security -> Firewall you’ll see three options. The first, “Accept all incoming connections,” is the default setting we’ll change.

(Note that the following only applies to OS X 10.5.1 or later, as that update changed the way the firewall behaved from the original Leopard release.)

The second option, “Allow only essential services,” will block anything except a few default services that support networking, such as Bonjour. Only use this option if you want to block everything; this will prevent any file sharing, remote access, or other services activated elsewhere on your Mac. I tend to use this setting when I’m on potentially hostile networks, such as the ones at hotels, and don’t want to go through the effort of manually turning all my sharing off.

The “Set Access for specific services and applications” option for configuring Leopard’s firewall blocks traffic based on the target application instead of the port—the bottom half of the screen shows applications you’ve authorized to accept or deny incoming connections.

The third option, “Set access for specific services and applications,” is a new kind of application firewall for OS X. Previous versions of the Mac operating system used a technology known as stateful packet inspection, which is a fancy way of saying it blocked specific ports. Leopard still includes this, but it’s set to allow all traffic. The application firewall works a level above and blocks traffic based on the target application (socket), not the port. The top section of the window lists any running network services. These are set automatically when you turn services on in the Sharing preferences pane, and you can’t disable them from the firewall.

Below that are applications you’ve authorized to accept or deny incoming connections. The first time you launch an application that uses networking, Leopard will ask if you want to allow or block incoming connections. That application is then added to the list and digitally signed (if it isn’t already) so Mac OS X can detect if it’s been tampered with. You can then choose to allow or deny incoming connections on an application basis.

For example, if you share iTunes at home, you can change the setting and manually block anyone from connecting when you’re on a public network. The firewall doesn’t block any outgoing connections, something we’ll discuss in a moment.

After activating the firewall you should click on the “Advanced” button followed by “Enable Stealth Mode.” This hides closed services from someone probing your computer using certain techniques while adding just a little extra security.
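For readers who prefer the manual ipfw route mentioned earlier, here is a small stateful rule set in the spirit of “Allow only essential services,” with the silent-drop behaviour that Stealth Mode provides. This is an added example, not the author’s posted rule set and not anything shipped by Apple. It assumes Bonjour (UDP 5353) and DHCP replies are the “essential” inbound services worth keeping, the rule numbers are arbitrary, and the function names leopard_ipfw_rules, leopard_ipfw_rule_count and apply_leopard_ipfw_rules are this example’s own; the ipfw keywords and file syntax are the real ones.

```shell
#!/bin/sh
# Added example (not the author's rule set): a minimal stateful ipfw policy
# for Leopard. Inbound is default-deny except loopback, replies to our own
# connections, Bonjour/mDNS and DHCP (the assumed "essential" services).
# The final rule is a silent "deny", not "reset" or "unreach", which is what
# makes probes see nothing, the same idea as the GUI's Stealth Mode.

# Print the rules in ipfw file syntax (no leading "ipfw"), one per line,
# so they can be reviewed before anything is loaded. Rule numbers are
# arbitrary assumptions; ipfw evaluates them in ascending order.
leopard_ipfw_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny log ip from any to 127.0.0.0/8
add 00210 deny log ip from 127.0.0.0/8 to any
add 00300 check-state
add 00400 allow tcp from me to any out setup keep-state
add 00410 allow udp from me to any out keep-state
add 00420 allow icmp from me to any out
add 00500 allow udp from any to any 5353 in
add 00510 allow udp from any 67 to any 68 in
add 00600 allow icmp from any to any in icmptypes 0,3,11
add 65000 deny log ip from any to any in
EOF
}

# Number of rules the policy contains (used to sanity-check the output).
leopard_ipfw_rule_count() {
    leopard_ipfw_rules | grep -c '^add '
}

# Load the rules on a Mac (needs root). On a system without ipfw it only
# reports and returns non-zero, so the script is safe to read and test
# anywhere without side effects.
apply_leopard_ipfw_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; nothing applied" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    leopard_ipfw_rules > "$tmp"
    # -q implies -f: flush the current table without the interactive prompt,
    # then load the reviewed file. Leopard's built-in rule 65535
    # ("allow ip from any to any") remains as the catch-all for outbound.
    ipfw -q flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage:  sh leopard_ipfw.sh          # print the rules for review
#         sudo sh leopard_ipfw.sh apply   # load them on a Mac
if [ "${1:-}" = "apply" ]; then
    apply_leopard_ipfw_rules
else
    leopard_ipfw_rules
fi
```

Two caveats apply to any hand-written ipfw policy on Leopard: the rules are not persistent, so they must be reloaded at boot (the author’s instructions cover that), and the `log` keyword only produces log lines once `net.inet.ip.fw.verbose` is set to 1 with sysctl. Run `ipfw list` before and after applying to confirm that the single default rule 65535 has been joined by the ones above.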

The future

Since the application firewall works at a different layer than the traditional firewall, there is concern in the security community that certain low-level attacks could still succeed. None of these attacks are known today, but we’ve seen them in the past, and Apple may need to address this with future updates or by adding options to configure ipfw.

The application firewall also only blocks inbound connections; an attacker (or careless user) can still connect to hostile services and be compromised. An example was the recent QuickTime RTSP vulnerability, in which an attacker could embed a link in an e-mail or web page that directed you to a hostile site in order to exploit your computer. Had Apple included outbound blocking, you could have blocked QuickTime from network connections but still safely played files locally. Last week’s QuickTime 7.3.1 update tackled this issue.

Thanks to the 10.5.1 update the firewall is recommended to all Mac users. And with only a few changes, Apple can significantly improve the security of this already useful tool.

[Rich Mogull is an independent security consultant who blogs regularly on security issues at Securosis.com. He is also a contributing editor at TidBits.]
