From: James Taylor on 21 Jan 2010 10:38

Gordon wrote:

> What about Little Snitch? Might that let you lock the system down
> enough for your tastes?

Yes, I have LittleSnitch. It's excellent. But as far as I know it only blocks outgoing traffic, and does not prevent incoming traffic aimed at one of the listening system services. If anyone knows otherwise please do tell me how.

--
James Taylor
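The gap James describes is on the inbound side: an outbound-only filter says nothing about which system services are sitting on a listening socket reachable from the network. The first step in closing that gap is an inventory of listeners, and the following script is an added example (not code from anyone in this thread) that parses `netstat -an` output in the BSD/macOS layout and flags TCP listeners bound to all interfaces rather than loopback. The sample output is constructed for the example, and the allow-list of expected ports is an assumption the caller supplies.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port exposed")

# Constructed sample of `netstat -an` output in the BSD/macOS layout.
# Local addresses use '.' as the host/port separator ('*.22', '127.0.0.1.631').
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.54321      93.184.216.34.443      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

# Only TCP rows in LISTEN state are sockets that accept inbound connections.
LINE_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s*$")

# Loopback bindings are reachable only from the local machine.
LOOPBACK = ("127.0.0.1", "::1")


def split_addr(local):
    """Split a BSD-style 'host.port' local address into (host, port)."""
    host, _, port = local.rpartition(".")
    return host, int(port)


def parse_listeners(text):
    """Return every TCP listener found in netstat output, in order."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_addr(m.group(2))
        # '*' or a concrete interface address means the socket is exposed
        # to the network; loopback addresses are not.
        exposed = host not in LOOPBACK
        listeners.append(Listener(m.group(1), host, port, exposed))
    return listeners


def unexpected_listeners(text, allowlist):
    """Exposed listeners whose port is not in the caller's allow-list."""
    return [l for l in parse_listeners(text)
            if l.exposed and l.port not in allowlist]


if __name__ == "__main__":
    # Assumed policy for the example: only SSH is meant to be reachable.
    for l in unexpected_listeners(SAMPLE_NETSTAT, {22}):
        print(f"unexpected exposed listener: {l.proto} {l.addr}:{l.port}")
```

Run against real output (`netstat -an | python3 audit.py` after swapping the sample for `sys.stdin.read()`), the list it prints is exactly the set of services an inbound rule set has to cover; `lsof -i -P -n` gives the same sockets with the owning process name if you need to know which binary is behind each port.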
From: James Taylor on 21 Jan 2010 10:46

Warren Oates wrote:

> James Taylor wrote:
>
>> I've been tinkering with this on and off for months. I'm getting
>> desperate now. I'm on the point of wiping VMware and even OS X off my
>> brand new MacBook Pro and installing Linux with KVM just so I can get a
>> properly secured VM hosting environment for my work.
>
> That's a good use of an expensive MBP. Why did you buy a Mac in the
> first place - there's lots of ways to run Linux cheaper.

Well the thing is that my previous machine was a PowerBook, and it gave me a few years of great enjoyment. I learnt to love the Mac, despite some of its less well thought out user interface design choices, and I would still be using that machine if I hadn't needed to run VMware on an Intel architecture for my work. So I bought the MacBook Pro because I expected to be able to have a smoother ride than if I'd bought a PC laptop to run Linux on top of Linux. Back then I didn't travel so much, and I knew a lot less about security. I had no idea it would prove so difficult to lock down OS X.

--
James Taylor
From: Jaimie Vandenbergh on 21 Jan 2010 11:34

On Thu, 21 Jan 2010 20:34:44 +0700, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> David Sankey wrote:
>
>> The NSA hardening guide describes what you need to do:
>> <http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf>
>
> Oooh, nice find. I'll take a look. Thanks
>
> Hmmm, mind you, I hesitate to download and view a carefully crafted PDF
> file from the likes of the NSA!!!

As long as you open it in something other than Adobe Reader you should be okay!

Cheers - Jaimie

--
"I went to a planet where the dominant lifeform had no bilateral symmetry, and all I got was this stupid F-Shirt." -- Eric Pivnik
From: Richard Tobin on 21 Jan 2010 12:56

In article <7rraacFi2vU1(a)mid.individual.net>, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

>>> Apparently, Apple have pre-signed many of the standard OS components to
>>> allow them access through the firewall without needing explicit rules in
>>> the firewall or asking for user permission.
>
>> Is netcat such a component?
>
> Yes.

As far as I (and Spotlight) can see, netcat doesn't even exist on a vanilla Snow Leopard system. Where is it on your system?

>> And many of those programs can, by design, connect to anything. For
>> example, any web browser could be used to send data to an arbitrary
>> TCP port on an arbitrary server
>
> Sure, so with a web browser you'd probably allow it universal port 80
> and 443 access with specific (perhaps temporary) overrides for other
> ports as the need arose.

The bad guys could perfectly well use port 80 - in fact they probably would, since in many places it's one of the few ports open on a network-level firewall.

I suppose just renaming the web browser would defeat most attempts to use it.

-- Richard

--
Please remember to mention me / in tapes you leave behind.
From: James Taylor on 21 Jan 2010 13:00

Richard Tobin wrote:

> The bad guys could perfectly well use port 80 - in fact they probably
> would, since in many places it's one of the few ports open on a
> network-level firewall.

Yes, absolutely. Port 80 is where it all happens for better or worse.

> I suppose just renaming the web browser would defeat most attempts to
> use it.

Nice idea, but I wonder how much that would help in practice. Often these exploits come in via the browser itself, so they inject malicious code into the running process of the browser in use regardless of what filename you gave it on disc.

--
James Taylor