From: Woody on 21 Jan 2010 07:16

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Woody wrote:
> > I never trusted software firewalls, I mean if you allow the network you
> > allow the network so you can fool the thing behind it
>
> Agreed. The firewall itself is a potential point of vulnerability, but
> at least it should have been engineered very carefully to be small and
> robust as possible, and it should be better than leaving several
> different system daemons accessible.

Hmm.. don't know. The system daemons are older than the firewall and have had greater testing. You would certainly like to think it had been written differently, but it is adding more software.

--
Woody

From: David Sankey on 21 Jan 2010 07:24

In article <1jco4db.piro281c7hri6N%usenet(a)alienrat.co.uk>, usenet(a)alienrat.co.uk (Woody) wrote:

> James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> > Woody wrote:
>
> > > I never trusted software firewalls, I mean if you allow the network you
> > > allow the network so you can fool the thing behind it
> >
> > Agreed. The firewall itself is a potential point of vulnerability, but
> > at least it should have been engineered very carefully to be small and
> > robust as possible, and it should be better than leaving several
> > different system daemons accessible.
>
> Hmm.. don't know. The system daemons are older than the firewall and
> have had greater testing. You would certainly like to think it had been
> written differently, but it is adding more software.

My previous post suggested ways of configuring the firewall to do what you want. But turning off the unwanted daemons is also no bad thing.

The NSA hardening guide describes what you need to do:
<http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf>

Kind regards,
Dave

From: D.M. Procida on 21 Jan 2010 07:50

Ben Shimmin <bas(a)llamaselector.com> wrote:

> > There is an increasing
> > shortage of time pressing upon me with the work I'm doing,
>
> It's amazing how much time you can save by the simple expedient of
> posting to usenet less often.

That's all very well, but what if the other person in your discussion is just *wrong*?

Daniele

From: James Taylor on 21 Jan 2010 07:50

Graham J wrote:

> Why not put the Mac on its own LAN segment? Set up an ethernet
> router between it and the rest of the LAN, then none of its
> broadcasts will get out.

Yes, that's what I will do as a stopgap solution for now, because I really must make progress with my work on it. But ultimately I want to be able to travel to client premises with it, and not have to worry that the hypervisor OS is exposed.

--
James Taylor

From: Jaimie Vandenbergh on 21 Jan 2010 07:53

On Thu, 21 Jan 2010 12:24:47 +0000, David Sankey <David.Sankey(a)stfc.ac.uk> wrote:

>My previous post suggested ways of configuring the firewall to do what
>you want. But turning off the unwanted daemons is also no bad thing.
>
>The NSA hardening guide describes what you need to do:
><http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf>

There's a lot of good stuff over there. Browsing from
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
is interesting.

No mentions of Flash that I can find!

Cheers - Jaimie

--
"Usenet is like a herd of performing elephants with diarrhea - massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it." -- Gene Spafford