Close the ports
There are two schools of thought when it comes to the software firewall built into OS X.
One school says that it’s not necessary. Firewalls prevent unapproved connections from opening ports on a computer’s network interface. (Ports are how a software service talks to a network. You can think of a port as a window in a wall; some ports are left open on purpose to allow incoming and outgoing data traffic.) But by default, OS X doesn’t leave many ports open. In contrast, most versions of Windows ship with a bunch of open ports, which is one reason that operating system is a riper target for malicious hackers. And while Leopard leaves open more ports than earlier versions of Mac OS X, so far there have been no known attacks on those default services.
The other school (to which I belong) says that the best security mantra is “never assume.” As you install and use programs on your system, you often open ports without realizing it. And there’s always the possibility that a chink in OS X’s armor will lead to a wave of new exploits. That’s why I recommend that all Mac users turn on OS X’s built-in firewall.
The problem is that, while OS X has long included basic firewall software, Leopard introduced some significant changes to it, leaving many Leopard users confused as to how to keep their Macs secure. But though the firewall interface in Mac OS X 10.5 is indeed quite different from that in earlier versions of the OS, it’s still relatively easy to use, especially since the release of the 10.5.1 update.
In previous editions of OS X, you configured the firewall in the Sharing preference pane. In Leopard, you do it in the Security pane.
That’s not the only change. Instead of the Start/Stop button found in those earlier incarnations, the firewall in the initial release of Leopard gave you three options: Allow All Incoming Connections, Block All Incoming Connections, and Set Access For Specific Services And Applications.
Those options confused many users. For one thing, the terminology was vague. Also, the Block All Incoming Connections option actually left a number of ports open, including any service running as the root user; none of those open services were shown in the user interface.
The firewall also broke some programs, such as Skype, that change their internal code when they run. The reason is that the firewall creates a digital signature for each program that tries to communicate across the network interface. That signature enables OS X to know if the program’s code has been modified; if it has, OS X will refuse to run it. Such modified programs would bounce on the Dock a few times, and then shut down.
OS X 10.5.1 remedied these flaws by changing that second option to Allow Only Essential Services, tightening and documenting which essential services are allowed, and prompting users to reactivate programs (like Skype) that change themselves, instead of simply breaking them.
Configuring the firewall
Leopard’s Allow All Incoming Connections option is the functional equivalent of the old Stop button: it turns your firewall off. I wouldn’t recommend this setting to anyone.
The Allow Only Essential Services option will block anything except a few default networking services, such as Bonjour. It prevents file sharing, remote access, and other optional services. You should use this option only if you really want to block everything. I use this option when I’m on potentially hostile networks, such as those in hotels or public hotspots, and don’t want to bother with manually turning off all my shared services (see “Firewalls on the Road”).
The third option, Set Access For Specific Services And Applications, is the one I recommend for everyday use. It’s actually a new kind of firewall for OS X. It’s what’s known as an application firewall. Previous versions of OS X used a technology known as stateful packet inspection—a fancy way of saying the firewall blocked ports that weren’t being held open for use by approved applications. An application firewall like the one in Leopard blocks traffic targeting specific applications, not specific ports.
(Leopard still includes a stateful-packet-inspection firewall, called ipfw, but by default it’s set to let all traffic through. That firewall can be configured to be more secure, but doing so is for advanced users only; if you don’t know how to do it already, you probably shouldn’t attempt it at this time.)
In the Firewall configuration tab, below the three options, you should see a list of network services that are currently authorized to accept or deny incoming connections. If you’ve enabled any services in the Sharing preference pane, they should appear here; you can’t disable them from the firewall.
After you select the Set Access For Specific Services And Applications option, any time you launch a program that uses networking, Leopard will ask if you want to allow or block incoming connections to it. If you select Allow, that program will be added to this list and digitally signed (if it isn’t already) so Mac OS X can detect if it’s been tampered with. You can select an application in this list, and allow or deny incoming connections using a drop-down menu.
The Leopard firewall doesn’t prevent programs from making outgoing connections. So, for example, it might be fine to set iTunes to share music from your laptop when you’re at home. But if you then move to a public network, the only way to block access to your iTunes library is to turn sharing off in iTunes’ preferences (or to adjust the firewall to Allow Only Essential Services).
Whether you choose Allow Only Essential Services or Set Access for Specific Services And Applications, you should then click on Advanced and select Enable Stealth Mode. This hides closed services from someone probing your computer, which adds a little extra security. It’s akin to bricking over a door instead of just locking it.
The future of the firewall
Because the firewall in OS X is now application-based, there’s some concern in the security community that it will leave the Mac vulnerable to low-level attacks. Apple may need to address this in future security updates or by adding some kind of graphical-interface tool that’ll let you configure ipfw.
It would also be good to have some way to configure the application firewall to block outbound connections. We already know about the QuickTime rtsp vulnerability: it would, in theory, allow an attacker to embed a QuickTime link in an e-mail or Web page directing you to a hostile site in order to exploit your computer. With the QuickTime 7.3.1 update, Apple plugged that hole. But I think Apple needs to give us some kind of tool for blocking outgoing connections across all applications.
Firewalls on the road
While it’s nice to have the OS X firewall running when you’re at home and have your Mac sitting safely behind a router, enabling it becomes absolutely mandatory when you take your Mac on the road.
Even the most basic home or office router, like the AirPort Extreme, uses Network Address Translation (NAT) to hide your computers from being directly accessed over the Internet. NAT allows a single router to connect hundreds of individual computers to the Internet through one public address. A side benefit of a NAT router is that it serves as a basic, yet effective, hardware firewall.
But it can’t protect you when you hit the road and leave it behind, especially if you’ve configured your Mac’s firewall loosely. On one recent business trip, for example, I connected to my hotel’s network and was surprised to see three shared Macs in my Finder sidebar; in iTunes, I saw two shared libraries. All were listed under their owners’ names. A less-than-law-abiding person could have tried connecting to those systems to run attack tools or force their way past weak passwords.
For that reason, you should switch your Leopard firewall to Allow Only Essential Services and enable Stealth mode when you travel. It’s an easy way to avoid exposing yourself to attacks; when you return home, you can switch back to Set Access For Specific Services And Applications, and the firewall will restore your original settings.
[Rich Mogull is an independent security consultant who blogs on security issues at Securosis.com. He is also a contributing editor at TidBits.]