Mac OS X 10.5 Leopard built-in firewall

The firewall in Mac OS X 10.5 Leopard is confusing, to say the least. It is not enabled by default, which is a huge mistake, in my humble opinion. Also, the graphical user interface offers less flexibility than in previous versions when trying to configure it. Besides allowing you to independently control the blocking of incoming ICMP Echo Requests and logging via syslog, it has the following main operation modes:

  • Allow all incoming connections.

    Seems obvious that choosing this setting means that the firewall is essentially disabled and any traffic can freely flow in and out of the computer.

    I would not recommend this setting, even for trusted networks. It is easy for a laptop computer to attach to a different network at any time and have the user forget to re-enable the firewall, posing as a potential victim for other users or computers. For a desktop computer it is more and more common to be attached to a network that has some sort of wireless bridging or routing device that might be used by untrusted users to get access to the network, or by trusted users that carry (maybe without their knowledge) malware, for example.

    This setting offers little or no security, but makes it very easy to share content or provide external services.

  • Block all incoming connections.

    This seems the safest choice, but might not always be desirable if you are sharing content or have services running that you want to make accessible from the outside (like an SSH server, or even the iTunes music collection).

    This is my preferred setting, I have to say. This setting offers adequate security, but stops you from sharing content or offering access to services externally. However, it seems that Leopard’s firewall does not block all services, and some of them are still accessible from the outside (see the end of the post for more information).

  • Set access for specific services and applications.

    This is by far the most confusing setting. First, because it doesn’t seem to add any rules to IPFW. I’m starting to believe that Leopard offers two layers of filtering. It seems IPFW is one of them, but it defaults to a ruleset containing only the default accept entry (sequence 65535):

    # ipfw list
    65535 allow ip from any to any
    

    (NOTE: if you enable the Stealth functionality, an IPFW rule is added before the default entry, and it looks like this:

    33300 deny icmp from any to me in icmptypes 8
    

    This blocks ICMP Echo Requests, but be aware that Stealth mode is not enabled by default).

    About the other filtering layer, I’m not sure what it is used for or how it is implemented, but it seems to be the result of some sort of kernel-level and user-space cooperation. The second reason why I think this setting can be confusing is because it seems to only affect a particular user (normally the logged-in user), but not the system or other users like root.

    For example, I compiled synergy and ran it as user root. Then, I configured Leopard’s firewall for access to specific services and applications, but I left the list empty. I verified that I could reach the synergys server at port 24800 from another computer in the same network segment. I was really surprised, to be honest.

    The next thing I tried was to kill synergys and to re-run it as my currently logged-in user. This time, Leopard presented me with a dialog box that asked whether to allow synergys to accept incoming connections:

    Do you want the application “synergys” to accept incoming network connections?

    Clicking Deny may limit the application’s behavior. This setting can be changed in the Firewall pane of Security Preferences.

    This caused the expected behavior: any attempt to connect to port 24800 from the outside was blocked by Leopard’s firewall:

    22:02:30.989097 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,nop,wscale 3,nop,nop,timestamp 699234003 0,sackOK,eol>
    22:02:31.913244 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,nop,wscale 3,nop,nop,timestamp 699234012 0,sackOK,eol>
    22:02:32.914300 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,nop,wscale 3,nop,nop,timestamp 699234022 0,sackOK,eol>
    22:02:33.915334 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,sackOK,eol>
    22:02:34.916398 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,sackOK,eol>
    22:02:35.917319 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,sackOK,eol>
    22:02:37.919629 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,sackOK,eol>
    22:02:41.924491 IP 10.42.242.16.49950 > 10.42.242.12.24800:
      S 3207271609:3207271609(0) win 65535
      <mss 1460,sackOK,eol>
    

    Note how the first three segments had the time-stamp and window scaling options activated. The remaining SYN segments didn’t. This is probably due to Leopard thinking that there was congestion or that it was talking to an old system.

    Once I chose Always allow, Leopard added an entry into the Firewall list named synergys. From here on, I was able to connect to port 24800. This is the network capture that tcpdump displayed when trying to connect to port 24800 from another computer after synergys had been granted access:

    22:24:20.674656 IP 10.42.242.16.50055 > 10.42.242.12.24800:
      S 2514913060:2514913060(0) win 65535
      <mss 1460,nop,wscale 3,nop,nop,timestamp 699247086 0,sackOK,eol>
    22:24:20.675544 IP 10.42.242.12.24800 > 10.42.242.16.50055:
      S 812848149:812848149(0) ack 2514913061 win 65535
      <mss 1460,nop,wscale 1,nop,nop,timestamp 473026159 699247086,sackOK,eol>
    22:24:20.675591 IP 10.42.242.16.50055 > 10.42.242.12.24800:
      . ack 1 win 65535 <nop ,nop,timestamp 699247086 473026159>
    22:24:20.677911 IP 10.42.242.12.24800 > 10.42.242.16.50055:
      P 1:16(15) ack 1 win 33304 <nop ,nop,timestamp 473026159 699247086>
    22:24:20.677959 IP 10.42.242.16.50055 > 10.42.242.12.24800:
      . ack 16 win 65535 <nop ,nop,timestamp 699247086 473026159>
    

    Funny enough, keeping my telnet client running while trying to connect to port 24800, waiting for Leopard to remove the time-stamp and window scaling options, then allowing this traffic, didn’t make Leopard try to re-negotiate the time-stamp and window scaling options.

    Another thing worth mentioning is that once synergys had been granted access to incoming traffic at port 24800, removing it from the list of allowed applications and services didn’t stop it from receiving traffic. To block synergys from receiving traffic it was necessary to change Allow incoming connections to Block incoming connections (removing its entry from the list did still allow it to receive incoming traffic).

    Another interesting feature is that Leopard seems to be aware of service dependencies. For example, enabling the Screen Sharing service also starts a local Kerberos 5 KDC which is used to authenticate users. This is fascinating since users of Screen Sharing, for example, will first request a TGT from this local Kerberos 5 KDC (and will be able to decrypt that TGT if they know the correct password), then use the TGT to request a service ticket for the Screen Sharing service that they can present to it in order to get authenticated. Moreover, trying to connect to the Screen Sharing service a second time will not require the user to provide his credentials again because a Kerberos service ticket is already available (provided that it didn’t expire). This is Single Sign-On in its true form.
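The two tcpdump captures above (SYN retransmissions with no answer, versus a complete handshake) can be checked mechanically. The following is an added example, not code from the original post: it parses old-style tcpdump TCP lines, reports whether the server at 10.42.242.12:24800 answered the SYN or the client only kept retransmitting it, and flags the point where the client stopped sending the wscale/timestamp options. The sample captures are constructed from the output quoted above, with the wrapped lines joined.

```python
import re

# Constructed from the two tcpdump captures quoted above (wrapped lines joined).
BLOCKED = """\
22:02:30.989097 IP 10.42.242.16.49950 > 10.42.242.12.24800: S 3207271609:3207271609(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 699234003 0,sackOK,eol>
22:02:31.913244 IP 10.42.242.16.49950 > 10.42.242.12.24800: S 3207271609:3207271609(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 699234012 0,sackOK,eol>
22:02:32.914300 IP 10.42.242.16.49950 > 10.42.242.12.24800: S 3207271609:3207271609(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 699234022 0,sackOK,eol>
22:02:33.915334 IP 10.42.242.16.49950 > 10.42.242.12.24800: S 3207271609:3207271609(0) win 65535 <mss 1460,sackOK,eol>
22:02:34.916398 IP 10.42.242.16.49950 > 10.42.242.12.24800: S 3207271609:3207271609(0) win 65535 <mss 1460,sackOK,eol>
"""
ALLOWED = """\
22:24:20.674656 IP 10.42.242.16.50055 > 10.42.242.12.24800: S 2514913060:2514913060(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 699247086 0,sackOK,eol>
22:24:20.675544 IP 10.42.242.12.24800 > 10.42.242.16.50055: S 812848149:812848149(0) ack 2514913061 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 473026159 699247086,sackOK,eol>
22:24:20.675591 IP 10.42.242.16.50055 > 10.42.242.12.24800: . ack 1 win 65535 <nop,nop,timestamp 699247086 473026159>
"""

# Old-style tcpdump TCP line: "ts IP a.b.c.d.sport > e.f.g.h.dport: FLAG rest"
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                  r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flag>\S+) (?P<rest>.*)$")

def parse(line):
    """Return the fields of one TCP segment, or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    seg = m.groupdict()
    rest = seg.pop("rest")
    seg["ack"] = re.search(r"\back \d+", rest) is not None
    opts = re.search(r"<(.*)>", rest)
    # keep only the option names: "wscale 3" -> "wscale"
    seg["opts"] = [o.split()[0] for o in opts.group(1).split(",")] if opts else []
    return seg

def classify(capture, server, port):
    """Return (verdict, syn_count, options_stripped) for one attempt to server:port.
    verdict is "open" if the server sent SYN/ACK, "filtered" if only client SYNs were seen;
    options_stripped is True when the last SYN lost the wscale/timestamp the first one carried."""
    segs = [s for s in map(parse, capture.splitlines()) if s]
    syns = [s for s in segs if s["flag"] == "S" and not s["ack"]
            and s["dst"] == server and s["dport"] == port]
    synack = any(s["flag"] == "S" and s["ack"] and s["src"] == server
                 and s["sport"] == port for s in segs)
    verdict = "open" if synack else ("filtered" if syns else "no-attempt")
    full = {"wscale", "timestamp"}
    stripped = (bool(syns) and full <= set(syns[0]["opts"])
                and not full & set(syns[-1]["opts"]))
    return verdict, len(syns), stripped

if __name__ == "__main__":
    for name, cap in (("blocked", BLOCKED), ("allowed", ALLOWED)):
        print(name, classify(cap, "10.42.242.12", "24800"))
```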

Conclusion

In conclusion, I can’t say that the graphical user interface provides a lot of room for configuration, neither does it offer any way to configure egress filtering (that is, traffic that originates on the local computer and is to be sent out externally via a network interface).

In general, Leopard’s default administration tools are probably on par with those from Windows Vista. Even though the underpinnings of the newest member of the Mac OS X family are powered by IPFW, I feel Leopard’s firewall has a long way to go in order to get closer to the powerful functionality and configurability of PF or Netfilter/IPtables, for example.

Also, not enabling the firewall by default is a big mistake in my opinion. One of my Mac OS X laptops is listening on port 111/tcp, 1020/tcp and 1021/tcp. The first one is iCalAlarmAgent and the other two are related to launchd. Even if you configure the firewall to block all traffic, these three ports are still accessible from the outside.


16 thoughts on “Mac OS X 10.5 Leopard built-in firewall”

  1. Pingback: meneame.net

  2. I couldn’t understand some parts of this article Mac OS X 10.5 Leopard built-in firewall, but I guess I just need to check some more resources regarding this, because it sounds interesting.

  3. Hi Daniel.

    What is it that you don’t understand? Is it because of the way that I write? Since I’m no English native speaker, I might have made some spelling or grammatical errors. Can you provide more details so that I can fix what is wrong or confusing?

    Thanks!

  4. Wow… The only problem I was having was that it wouldn’t remember that I told it that Psi was allowed to accept incoming connections. …or, well, it remembers it, but it still prompts to ask every time I run Psi anyway, which is rather annoying.

    My MacBook is the first Mac I’ve ever used, and so far the only thing I really don’t like about it is that it generally assumes that I’m dumb or something and that too many configuration options will confuse me. Everywhere I go I find the bare minimum of configurability which is annoying to say the least, and the firewall options are just one more example of that. There’s no more configurability there than necessary to be able to say that there is a configurable firewall, and like everything else, it leaves me wanting more options.

    I think one simple example of what I’m talking about is the system file open dialog: Using KDE in Linux, when I open a file, the file open dialog is basically a complete file manager. In the process of choosing a file I can navigate to any folder, create or delete folders, rename or delete files, or anything. In Mac OS X I get a little window that does nothing more than let me choose the name of the file and one of just a few directories that Mac OS X thinks I should be allowed to save to. The entire GUI is oversimplified like that.

    …but that’s not to say that I think Linux is better or anything. I hate Linux, which is why I bought a Mac. However, the KDE people definitely know how to provide configuration options. If Linux weren’t such a terrible OS, Linux combined with KDE would be a wonderful thing.

    Anyway, there’s nothing wrong with your writing. Daniel is just a spammer. Look at the link to his web site, it’s just an ad. The reason he didn’t go into any detail is because he didn’t actually read the article, he just left a vague message that mentioned the name of the article, but he didn’t actually read the article which is why he didn’t say anything specific.

  5. my firwall.sh
    #!/bin/sh
    # Start from an empty ruleset and log rule matches verbosely
    ipfw -f flush
    sysctl -w net.inet.ip.fw.verbose=2
    # Loopback traffic is unrestricted; loopback addresses seen on real interfaces are dropped and logged
    ipfw -f add 100 allow ip from any to any via lo0
    ipfw -f add 110 deny log ip from 127.0.0.0/8 to any in
    ipfw -f add 120 deny log ip from any to 127.0.0.0/8 in
    # Match packets belonging to the dynamic rules created by keep-state below
    ipfw -f add 20000 check-state
    # Traffic originated by this host is allowed and its replies are tracked
    ipfw -f add allow tcp from me to any established
    ipfw -f add allow tcp from me to any out keep-state
    ipfw -f add allow udp from me to any out keep-state
    ipfw -f add allow icmp from me to any out
    # Everything else, i.e. all unsolicited inbound traffic, is dropped
    ipfw -f add deny ip from any to any

  6. Hi Felipe;

    I would like to know how I can mount an NFS directory, because it keeps telling me:
    “mount_nfs: /Users/user/tmp: Operation not permitted”

    thanks and regards

  7. Jorge,

    The only thing you need is to configure the /etc/exports file correctly. This file does not exist by default, so you will have to create it. For example:

    /Users/user -maproot=nobody:nobody -alldirs -network 131.104.48 -mask 255.255.255.0

    This would export the /Users/user directory to any machine on the 131.104.48.* network, mapping the root user from a remote machine to the user nobody.

    Afterwards, run “nfsd update”. From that moment on, your clients should be able to mount /Users/user from your machine. It goes without saying that you will have to configure the firewall correctly to allow access over NFS.

    I hope this helps.

  8. Jorge,

    If what you want is to mount a directory from another machine over NFS, you can use the Finder to mount that directory or, from the command line:

    sudo mount server:/Users/user /mnt

  9. After researching a number of the weblog posts on your web site now, I really like your way of blogging. I bookmarked it to my bookmark web site list and shall be checking again soon. Pls take a look at my web site as well and let me know what you think.

  10. I think that what you wrote made a bunch of sense. But, think about this, suppose you wrote a catchier post title? I am not suggesting your content isn’t good, but what if you added a title that grabbed people’s attention? I mean Felipe Alfaro Solana » Blog Archive » Mac OS X 10.5 Leopard built-in firewall is kinda boring. You should look at Yahoo’s front page and note how they create article titles to grab people to open the links. You might try adding a video or a related pic or two to get people interested about what you’ve got to say. In my opinion, it would make your posts a little livelier.

  11. 1. Your own website presents you more credit and makes you a lot more expert. The quantity of affiliate marketers is increasing all the time and only those who have their own spots on the web will stand out from the others. There should be a difference among significant marketers and opportunists that will disappear faster or afterwards.
