OS X firewall - how to make it actually work
in [UK Mac]
|
From: Woody on 21 Jan 2010 05:44 James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote: > You're confirming that the firewall doesn't do its job? So Apple's own > flagship security feature is well known to be snake oil is it? Why is it the flagship security feature? they don't even mention it on their security page. Their flagship feature appears to be library randomization, sandboxing and code execute disable. -- Woody
From: James Taylor on 21 Jan 2010 05:49 Woody wrote: > I have used VMWare server. It does mostly work but there is a good > reason it is free. Oh dear, that doesn't bode well. > For servers it is mostly ok. For use as a desktop it is sluggish to say > the least (ignoring its faffyness to run and set up). I can do without faffyness. Time is too short for much of that. My immediate need for a VM platform is now so pressing that I will just have to put this machine into service in an insecure configuration on OSX, and worry about sorting out a Linux based system at a later date. It really would be a lot better if I could just find a way to disable the OSX network daemons (they're just not needed when VMware guests are bridged and have direct access to layer 2) or otherwise get the application firewall to work properly (which I expected to be easier). Frankly I'm astonished that the much advertised new Leopard firewall doesn't actually work and there doesn't seem to be a big stink about it. Indeed most Mac users believe their platform is the most secure system in existence when in fact the exact opposite is true. Apple must be doing some kind of mass hypnosis to pull off this scale of deception. -- James Taylor
From: Jaimie Vandenbergh on 21 Jan 2010 05:54 On Thu, 21 Jan 2010 10:32:17 +0000, usenet(a)alienrat.co.uk (Woody) wrote: >James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote: > >> Jaimie Vandenbergh wrote: >> >> > Then stick with VMware rather than using KVM. Server is free on Linux, >> > and all the VMwares use the same machine format. >> >> Oh really? That's such good news. > >I have used VMWare server. It does mostly work but there is a good >reason it is free. > >For servers it is mostly ok. For use as a desktop it is sluggish to say >the least (ignoring its faffyness to run and set up). I never had any of that, using Server on Windows or Linux. No faffyness, and no particular change to the product after the expensive pay-for original went free. Certainly no sluggishness issues, either of the servery stuff or the UI. OTOH, going back to Server on Linux now, after using Fusion with all its simplicity, might be a bit of a jerk. Not because Server has changed, but because my habits have - Server has a lot more to offer than Fusion, so it's more complex if you dive into it. Just migrating VMs back and forward is almost no effort at all. Cheers - Jaimie -- "You hear someone break into your home. You pull out your chainsaw and crank it up. It makes its very distinctive chainsaw noise; he hears it. What criminal is going to stay in a house with someone that crazy?" -- Home defence with Franklin Hummel, rasfw
From: James Taylor on 21 Jan 2010 05:56 Jaimie Vandenbergh wrote: > James Taylor wrote: > >> You're confirming that the firewall doesn't do its job? So Apple's own >> flagship security feature is well known to be snake oil is it? > > Nope. It does exactly what it says it does, which doesn't happen to be > what you need. But it's an application firewall isn't it? So it should allow me to specify which processes are allowed incoming and outgoing network access. But all the system daemons get access regardless, even the ones running as root! And then any non system process, or malware, can get access through the firewall just by piping through netcat or similar. It really is hard to imagine what Apple were thinking the purpose of an application firewall is. They clearly weren't thinking that people would want to use it to harden their machine against unwanted network access. What in fact *does* the firewall do that you might conceivably want? -- James Taylor
From: James Taylor on 21 Jan 2010 06:05
Woody wrote: > James Taylor wrote: > >> You're confirming that the firewall doesn't do its job? So Apple's own >> flagship security feature is well known to be snake oil is it? > > Why is it the flagship security feature? they don't even mention it on > their security page. Oh, then perhaps I just picked up the wrong impression from some of their marketing spin about how Leopard was a major security upgrade. > Their flagship feature appears to be library > randomization, sandboxing and code execute disable. I heard that, although those features are present, they're not widely used and thus the benefit is negligible. I don't have the expertise to test and verify that myself but, knowing Apple, it wouldn't surprise me. -- James Taylor |