From: Jaimie Vandenbergh on 21 Jan 2010 04:36

On Thu, 21 Jan 2010 16:29:20 +0700, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

>Woody wrote:
>
>> if you are using your macbook entirely as a VM tool with no
>> use of the host operating system, is there actually much point keeping
>> OSX on there? I mean you are not using it, and if you can't set it up
>> the way you want, is it worth the effort to try when you are clearly OK
>> running linux, so why not just run that?
>
>It's sorely tempting. The problem is in the inertia of time and money
>already invested in the current setup. I have already paid for VMware, I
>have some familiarity with it, and a number of VM guests in VMware
>format that I spent considerable time setting up.

Then stick with VMware rather than using KVM. Server is free on Linux,
and all the VMwares use the same machine format.

Cheers - Jaimie
--
If you own a jackhammer, every problem looks like hours of fun
From: Woody on 21 Jan 2010 04:37

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Woody wrote:
>
> > if you are using your macbook entirely as a VM tool with no
> > use of the host operating system, is there actually much point keeping
> > OSX on there? I mean you are not using it, and if you can't set it up
> > the way you want, is it worth the effort to try when you are clearly OK
> > running linux, so why not just run that?
>
> It's sorely tempting. The problem is in the inertia of time and money
> already invested in the current setup. I have already paid for VMware, I
> have some familiarity with it, and a number of VM guests in VMware
> format that I spent considerable time setting up.

Oh ok, I assumed that there was a VMware on linux and you could just
transfer your VMs (and license) to linux. It makes more sense staying if
there isn't.

--
Woody
From: James Taylor on 21 Jan 2010 04:48

Jaimie Vandenbergh wrote:
> James Taylor wrote:
>
>> Can anyone tell me how to get the application firewall to actually
>> do its job and block incoming access to everything but VMware?
>
> You can't, it just doesn't do that.

You're confirming that the firewall doesn't do its job? So Apple's own
flagship security feature is well known to be snake oil is it?

> But you can get in at the ipfw interface

The trouble is ipfw is a packet level firewall not an application
firewall and it is therefore not useful to me. I want the VMware guests
to be able to fully access the network (eg. for scapy packet crafting,
nmap and nessus scanning, etc). I just want the VM hypervisor OS itself
to be invisible and unreachable, while allowing full access to the VM
guests. On Linux I'd just disable all listening daemons and that would
be the end of it, but on OS X this seems to be impossible, or at least I
don't know how and nobody else does either.

> The firewall in 10.6 server is still ipfw based rather than
> application-centric, apparently.

Unfortunately so.

> Launchd it is. Lingon is a useful UI for managing these,

I've spent a lot of time staring blankly into the lists of daemons in
Lingon, and googling their names to get some idea of what they do, but
not finding much information at all. I've tried experimentally disabling
them, but managed to lock myself out of my computer, so I'm reluctant to
try that again without more guidance.

> I have no idea what damage (if any) disabling them might do.

I can tell you that disabling DirectoryService prevents login. I had to
put the machine into target disc mode and repair the .plist manually.

>> I've been tinkering with this on and off for months. I'm getting
>> desperate now. I'm on the point of wiping VMware and even OS X off my
>> brand new MacBook Pro and installing Linux with KVM just so I can get a
>> properly secured VM hosting environment for my work.
>
> Honestly, I'm surprised you've left it so long!

It sticks in my craw that I purchased an expensive Mac, but OS X is so
insecure it can't even be secured when you try very very hard. I feel
let down by Apple on several aspects of security actually. They just
don't seem to get it at all.

--
James Taylor
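As an added illustration (not code from this thread) of the audit James describes, disabling every listening daemon on the host so that only the VM guests are reachable: a small Python script that parses `lsof -i` output and reports the non-loopback endpoints not owned by VMware. The sample lsof output is constructed, and the vmnet-/vmware- process-name prefixes are assumptions.

```python
import re
import subprocess
from collections import namedtuple

# Constructed sample of `lsof +c 0 -i -P -n` output on a VM host (not real data).
SAMPLE_LSOF = """\
COMMAND        PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mDNSResponder   35 _mdnsresponder   7u  IPv4 0x1a2b      0t0  UDP *:5353
sshd           120           root   3u  IPv4 0x1a2c      0t0  TCP *:22 (LISTEN)
cupsd          140            _lp   6u  IPv4 0x1a2d      0t0  TCP 127.0.0.1:631 (LISTEN)
vmnet-natd     210           root   5u  IPv4 0x1a2e      0t0  UDP *:67
vmware-vmx     330          james  12u  IPv4 0x1a2f      0t0  TCP 192.168.1.5:49152->10.0.0.9:443 (ESTABLISHED)
"""

Socket = namedtuple("Socket", "command pid user proto addr port state")
NAME_RE = re.compile(r"^(\S+):(\d+|\*)(?:\s+\((\w+)\))?$")   # "*:22 (LISTEN)", "*:5353"
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}
VMWARE_PREFIXES = ("vmnet-", "vmware-")   # assumed VMware process names; adjust to your host

def parse_lsof(text):
    """Parse `lsof -i` output into Socket records, keeping only locally bound endpoints."""
    socks = []
    for line in text.splitlines():
        cols = line.split(None, 8)   # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if len(cols) < 9 or cols[7] not in ("TCP", "UDP") or "->" in cols[8]:
            continue                 # header line, non-IP socket, or a connected socket
        m = NAME_RE.match(cols[8])
        if m:
            addr, port, state = m.groups()
            socks.append(Socket(cols[0], int(cols[1]), cols[2], cols[7], addr, port, state))
    return socks

def exposed_sockets(socks, allowed_prefixes=VMWARE_PREFIXES):
    """Endpoints reachable from the LAN that the VM software does not own."""
    return [s for s in socks
            if s.addr not in LOOPBACK
            and (s.proto == "UDP" or s.state == "LISTEN")
            and not s.command.startswith(allowed_prefixes)]

def audit(text):
    """One report line per exposed endpoint: what to disable before the host is 'invisible'."""
    return ["%s %s:%s  %s[%d] as %s" % (s.proto, s.addr, s.port, s.command, s.pid, s.user)
            for s in exposed_sockets(parse_lsof(text))]

if __name__ == "__main__":   # on a Mac this audits the live host; elsewhere the sample is used
    try:
        out = subprocess.check_output(["lsof", "+c", "0", "-i", "-P", "-n"]).decode()
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSOF
    print("\n".join(audit(out)))
```

lsof only lists other users' sockets when run as root, so run it with sudo for a complete picture; each reported line is a launchd job to track down and understand before unloading it, given the DirectoryService lock-out above.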
From: James Taylor on 21 Jan 2010 04:50

Jaimie Vandenbergh wrote:
> Then stick with VMware rather than using KVM. Server is free on Linux,
> and all the VMwares use the same machine format.

Oh really? That's such good news. This should lower the barrier to
switching considerably. If I'm unable to secure OS X, this is definitely
a good second option. Thanks.

--
James Taylor
From: James Taylor on 21 Jan 2010 04:56
Jim wrote:
> This is probably a hopelessly simplistic answer, but could you not simply
> put the Mac's network adaptor on a 10.x.y.z network, then put the VM's
> adaptors onto the realworld network?

Nice idea Jim, but sadly that doesn't stop OS X from Bonjouring everyone
on the network about your machine name, IP address, listening services,
etc, and thus it would be very easy for a malicious agent (virus, hacker,
whatever) on the same LAN segment to see you and then attack the IP
address you were on whatever you set it to.

--
James Taylor