From: James Taylor on 21 Jan 2010 13:02

Jaimie Vandenbergh wrote:
> James Taylor wrote:
>
>> Hmmm, mind you, I hesitate to download and view a carefully crafted PDF
>> file from the likes of the NSA!!!
>
> As long as you open it in something other than Adobe Reader you should
> be okay!

Hehe. :-)

--
James Taylor
From: David Empson on 21 Jan 2010 17:39

Richard Tobin <richard(a)cogsci.ed.ac.uk> wrote:

> In article <7rr1pcFojU1(a)mid.individual.net>,
> James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> >> Why can netcat do things that the malware itself can't? Are you
> >> suggesting that netcat would be an application trusted by the
> >> firewall?
>
> >Apparently, Apple have pre-signed many of the standard OS components to
> >allow them access through the firewall without needing explicit rules in
> >the firewall or asking for user permission.
>
> Is netcat such a component?
>
> But see below about web browsers.
>
> >> I would have thought it was too tedious to control outgoing
> >> connections by application (rather than port).
>
> >No, that's the whole point of an "application" firewall as opposed to a
> >network level firewall.
>
> I understand the distinction between application and network level
> firewalls. But for *outgoing* connections, controlling it
> at the application level seems too tedious: there are hundreds of
> commonly used programs that make outgoing connections, but just a few
> that accept incoming ones.

That is precisely what Little Snitch does. Its default mode of operation
is to prompt you whenever anything makes an outgoing connection. It tells
you the application and asks what you want to do about it. Choices are:

- Deny or Allow connection
- Once only, until application quits or forever
- Specific port but any IP address, specific IP address but any port,
  specific port and IP address, or any network connection.

You can also configure it to default to using a particular combination
and create a temporary rule. As you use it to create "forever" rules it
builds up a list of everything you have permitted and asks you questions
less often. You can go and edit that list later, or temporarily
enable/disable certain rules.

If you are in a context where it can't display a dialog box (e.g. a
full-screen game) then it automatically denies the connection and uses
text-to-speech to tell you that "Little Snitch has automatically blocked
an outgoing connection [with a description]". You can then edit the
temporary rule after you get back to the normal user interface.

--
David Empson
dempson(a)actrix.gen.nz
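A small model of the outgoing-connection rule semantics David describes above (deny or allow; once, until the application quits, or forever; any combination of specific port and specific address; automatic deny with a spoken notice when no dialog can be shown). This is an added illustration, not Little Snitch's own code; the most-specific-rule-wins matching, its deny-on-tie rule, and the "until quit" lifetime of the automatic temporary rule are my assumptions.

```python
from dataclasses import dataclass, field
ANY = None                              # wildcard for host or port
ONCE, UNTIL_QUIT, FOREVER = "once", "until_quit", "forever"

@dataclass
class Rule:
    app: str
    allow: bool
    host: str = ANY                     # a specific address, or ANY
    port: int = ANY                     # a specific port, or ANY
    lifetime: str = FOREVER
    def matches(self, app, host, port):
        return self.app == app and self.host in (ANY, host) and self.port in (ANY, port)
    def specificity(self):              # host+port > one of them > any connection
        return (self.host is not ANY) + (self.port is not ANY)

@dataclass
class OutboundFilter:
    prompt: object                      # dialog stand-in: (app, host, port) -> (allow, host|ANY, port|ANY, lifetime)
    rules: list = field(default_factory=list)
    spoken: list = field(default_factory=list)   # what text-to-speech would announce
    def decide(self, app, host, port, can_prompt=True):
        hits = [r for r in self.rules if r.matches(app, host, port)]
        if hits:                        # most specific rule wins; on a tie deny beats allow (my assumption)
            return max(hits, key=lambda r: (r.specificity(), not r.allow)).allow
        if not can_prompt:              # no dialog possible (e.g. full-screen game)
            self.rules.append(Rule(app, False, host, port, UNTIL_QUIT))  # editable temporary rule
            self.spoken.append(f"Little Snitch has automatically blocked an outgoing connection: {app} -> {host}:{port}")
            return False
        allow, h, p, lifetime = self.prompt(app, host, port)
        if lifetime != ONCE:            # "once only" answers are not remembered
            self.rules.append(Rule(app, allow, h, p, lifetime))
        return allow
    def app_quit(self, app):            # expire "until application quits" rules
        self.rules = [r for r in self.rules if not (r.app == app and r.lifetime == UNTIL_QUIT)]

def demo():                             # constructed walk-through: (decisions, prompts asked, speech)
    asked = []
    def user(app, host, port):          # the user's dialog answers in this scenario
        asked.append(app)
        if app == "Safari" and port in (80, 443):
            return True, ANY, port, FOREVER        # any host, this port, forever
        return False, host, port, ONCE             # deny just this connection
    f = OutboundFilter(user)
    out = [f.decide("Safari", "192.0.2.10", 80), f.decide("Safari", "192.0.2.20", 80),      # prompt once, then rule
           f.decide("Safari", "192.0.2.20", 6667), f.decide("Safari", "192.0.2.20", 6667),  # "once" -> asked twice
           f.decide("Game", "192.0.2.30", 443, can_prompt=False), f.decide("Game", "192.0.2.30", 443)]
    f.app_quit("Game")                  # the temporary deny rule expires
    out.append(f.decide("Game", "192.0.2.30", 443))   # prompted again, denied once
    return out, len(asked), f.spoken
```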
From: James Taylor on 21 Jan 2010 17:47

David Empson wrote:

> If you are in a context where it can't display a dialog box (e.g. a
> full-screen game) then it automatically denies the connection and uses
> text-to-speech to tell you that "Little Snitch has automatically blocked
> an outgoing connection [with a description]". You can then edit the
> temporary rule after you get back to the normal user interface.

Wow, I didn't know it did that too. Wow!

You don't happen to know whether it can be made to block incoming
connections too, do you?

--
James Taylor
From: Tim McNamara on 21 Jan 2010 19:44

In article <hja4fl$1puu$1(a)pc-news.cogsci.ed.ac.uk>,
 richard(a)cogsci.ed.ac.uk (Richard Tobin) wrote:

> In article <7rraacFi2vU1(a)mid.individual.net>,
> James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> >>> Apparently, Apple have pre-signed many of the standard OS components to
> >>> allow them access through the firewall without needing explicit rules in
> >>> the firewall or asking for user permission.
>
> >> Is netcat such a component?
>
> >Yes.
>
> As far as I (and spotlight) can see, netcat doesn't even exist on
> a vanilla Snow Leopard system. Where is it on your system?

10.4.11:

Last login: Sat Dec 19 09:52:18 on ttyp1
Welcome to Darwin!
[tim ~]$ locate netcat
/usr/share/zsh/4.2.3/functions/_netcat
[tim ~]$ find netcat
find: netcat: No such file or directory
[tim ~]$ which netcat
no netcat in /Users/tim /usr/local/bin /usr/local/lib /usr/local/share
/usr/bin /usr/lib /bin /usr/X11R6/bin /usr/X11R6/lib /usr/local/sbin
/usr/sbin /sbin /usr/share /etc]
[tim ~]$

> >> And many of those programs can, by design, connect to anything. For
> >> example, any web browser could be used to send data to an arbitrary
> >> port TCP on an arbitrary server
>
> >Sure, so with a web browser you'd probably allow it universal port 80
> >and 443 access with specific (perhaps temporary) overrides for other
> >ports as the need arose.
>
> The bad guys could perfectly well use port 80 - in fact they probably
> would, since in many places it's one of the few ports open on a
> network-level firewall.
>
> I suppose just renaming the web browser would defeat most attempts to
> use it.
>
> -- Richard

--
"I wear the cheese, it does not wear me."
From: James Taylor on 21 Jan 2010 21:00

Tim McNamara wrote:

> 10.4.11:
>
> Last login: Sat Dec 19 09:52:18 on ttyp1
> Welcome to Darwin!
> [tim ~]$ locate netcat
> /usr/share/zsh/4.2.3/functions/_netcat

Actually the binary is called nc, not netcat. It is in /usr/bin.

> [tim ~]$ find netcat
> find: netcat: No such file or directory

That's not how you use find. You should write:

find /bin /sbin /usr -name nc

or similar.

> [tim ~]$ which netcat
> no netcat in /Users/tim /usr/local/bin /usr/local/lib /usr/local/share
> /usr/bin /usr/lib /bin /usr/X11R6/bin /usr/X11R6/lib /usr/local/sbin
> /usr/sbin /sbin /usr/share /etc]

$ which nc
/usr/bin/nc

--
James Taylor