Firewalls

Unlike many other operating systems, Mac OS X ships in a secure state with all network services disabled. This means you can be fairly certain that no matter what network you find yourself on, the likelihood of somebody cracking into your machine is very low. However, as you turn on various services, such as file or web sharing, the ports used to support those services on your computer are opened up, which means they can receive data from the network. For the most part, Apple does a good job releasing security updates, making sure that these services are patched as soon as vulnerabilities are discovered.

If you are truly paranoid and want to take every step possible to control access to your Mac, you can enable Mac OS X’s built-in firewall, based on ipfw, which performs packet filtering at the kernel level. You can turn on the firewall by using System Preferences → Sharing → Firewall, as shown in Figure 11-17.

When you enable the firewall, only packets that correspond to the rules that you set up in the Allow list are allowed into your machine. All other packets are dropped. The default rules are set up so that any services that you share are allowed. However, other ports, such as those needed to use iChat over Bonjour, are closed by default. To allow these ports, you can enable the corresponding rule for the service you want to allow.

Figure 11-17. The Firewall configuration panel

To open ports for services not listed, you’ll need to create rules. Clicking the New button in the firewall pane brings up the sheet shown in Figure 11-18. Several default services are listed in the Port Name pull-down menu for easy selection. However, only a limited number of services that you might want to enable are listed. For example, the ports used by iChat during a voice or video chat aren’t listed in the default rules or in the list of rules to add. You’ll have to add the ports yourself using the Other option in the pull-down menu.

Tip

Information about which ports to open for iChat AV can be found in Apple Knowledge Base article 93208 (http://docs.info.apple.com/article.html?artnum=93208). A list of the well-known ports used by Apple software is contained in Apple Knowledge Base article 106439 (http://docs.info.apple.com/article.html?artnum=106439). You can also find a list of the ports commonly used on Mac OS X in Table 11-1.

Since the firewall is based on ipfw, it is possible to manipulate the firewall and its rules from the command line. However, doing so is dangerous. It is easy to craft rules that look secure, yet can make things worse than they were to begin with. This gives you a false sense of security. It is also easy to lock yourself out of your computer when editing rules remotely or even to put your computer in an unusable state by tweaking the wrong rule. The bottom line is that even though you can go into the depths of firewall configuration using ipfw, you’re strongly urged not to. It’s an area where it is way too easy to do more harm than good.

If you need more flexibility in your firewall than the GUI gives you, you should be using an external firewall. In fact, if you are worried about the security of your system enough to turn on the built-in firewall, you really should be using an external firewall. It is much more effective to have network security performed in a dedicated external device than it is to configure a piece of software on the machine that, if compromised, can give access to the internals of the machine. This is as true of third-party, add-on firewall products as it is of ipfw.

When you want to secure your machine in a network environment that you don’t control, such as in a café, you should turn off all the services that your machine has on in the Sharing preference pane, make sure that iChat’s Bonjour mode is turned off, and make sure that you aren’t sharing your iTunes music library. By turning off these services, you’ve done more to secure your machine than any firewall can do.

For Tiger, Apple added a few small enhancements to the built-in firewall. You can find these new options by clicking the Advanced button on the Firewall pane, revealing a sheet with these new options:

Block UDP Traffic

As was mentioned earlier, UDP is one of the two primary transport protocols carried over IP (the other being TCP). When enabled, Mac OS X’s built-in firewall blocks all inbound TCP connections except those specifically allowed. However, its default configuration does nothing to block UDP traffic. By enabling this option, the firewall blocks all inbound UDP traffic, except that which has been specifically allowed.

Enable Firewall Logging

The beauty of Mac OS X’s firewall is that, consistent with Apple’s other creations, it just works. You enable it and it runs in the background, never to disturb you again. However, it isn’t very forthcoming, either. By default, the firewall does not log the connections it denies. Upon enabling this advanced option, Mac OS X logs unauthorized network access attempts to /var/log/ipfw.log. You can view the log by clicking the Open Log button, which opens Mac OS X’s Console (/Applications/Utilities) to the appropriate logfile.
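Once logging is on, the log is only useful if someone reads it. As an added example (not from the book), the following Python script summarizes denied inbound connections from lines in the layout ipfw writes to syslog; the log lines are constructed samples, and the exact field layout (rule number, action, protocol, source, destination, interface) is an assumption, so adjust the pattern if your log differs.

```python
import re
from collections import Counter

# Constructed sample lines in the layout ipfw's syslog output uses.
# Assumed layout: "<rule> <action> <proto> <src>:<port> <dst>:<port> in via <iface>".
SAMPLE_LOG = """\
Mar 14 09:12:01 macbook ipfw: 12190 Deny TCP 192.0.2.10:51234 10.0.1.5:22 in via en0
Mar 14 09:12:03 macbook ipfw: 12190 Deny TCP 192.0.2.10:51235 10.0.1.5:22 in via en0
Mar 14 09:12:09 macbook ipfw: 12190 Deny UDP 198.51.100.7:40000 10.0.1.5:5353 in via en1
Mar 14 09:12:15 macbook ipfw: 2050 Allow TCP 203.0.113.4:4321 10.0.1.5:548 in via en0
Mar 14 09:12:20 macbook ipfw: 12190 Deny TCP 192.0.2.10:51236 10.0.1.5:80 in via en0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\w+)"
)

def parse_line(line):
    """Return the ipfw fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize_denials(log_text):
    """Count denied inbound packets by (source address, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts

def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` denied packets: the ones worth a closer look."""
    per_src = Counter()
    for (src, _proto, _port), n in summarize_denials(log_text).items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    for (src, proto, port), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{src:>15} {proto:4} -> port {port:<5} denied {n} time(s)")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Run it against the real file with `python3 script.py < /var/log/ipfw.log` after changing `SAMPLE_LOG` to `sys.stdin.read()`; the Allow line shows the script ignores permitted traffic.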

Enable Stealth Mode

When Mac OS X blocks a connection, it specifically notifies the offending host that the connection has been denied. With Stealth Mode enabled, the firewall still blocks the connection, but it does not notify the offender. To an attacker, this makes it seem as if your computer does not exist on the network.

Figure 11-18. Adding a rule to the firewall

Warning

While Stealth Mode deters many attackers, a savvier miscreant will see through the façade. When a host is truly not there, Internet standards require that the last router before the destination host respond with an ICMP message indicating that the host or network is unavailable. Stealth Mode simply doesn’t respond, signaling to the attacker that something must still be there.
