From: James Taylor on 21 Jan 2010 03:59

Hi,

I'm trying to find out how to get the OS X application firewall to block access to all incoming traffic except for one application, VMware. Unfortunately the OS X application firewall is essentially useless because it allows all manner of things to easily bypass it, either directly or by using a command line tool such as netcat. See:
<http://www.h-online.com/security/news/item/Apple-documents-Leopard-firewall-functionality-and-holes-733932.html>

I know Apple are pretty clueless about security, but leaving all root-owned listening processes open even when the firewall is fully locked? That's crazy! Can anyone tell me how to get the application firewall to actually do its job and block incoming access to everything but VMware?

Equally, I'd like to disable completely (or at least block the incoming and outgoing traffic of) system daemons such as configd, mDNSResponder, the Finder using nmblookup and smbclient, DirectoryService, ntpd, and there may be others. I want total "silence on the wire". If anyone knows how to disable any of those chatty daemons I'd be very very grateful to hear how (launchd maybe?).

I've been tinkering with this on and off for months. I'm getting desperate now. I'm on the point of wiping VMware and even OS X off my brand new MacBook Pro and installing Linux with KVM just so I can get a properly secured VM hosting environment for my work.

Anyone know anything about Mac networking here?

-- 
James Taylor
From: Woody on 21 Jan 2010 04:07

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Hi,
> 
> I'm trying to find out how to get the OS X application firewall to block
> access to all incoming traffic except for one application, VMware.
> Unfortunately the OS X application firewall is essentially useless
> because it allows all manner of things to easily bypass it, ...
> 
> I've been tinkering with this on and off for months. I'm getting
> desperate now. I'm on the point of wiping VMware and even OS X off my
> brand new MacBook Pro and installing Linux with KVM just so I can get a
> properly secured VM hosting environment for my work.
> 
> Anyone know anything about Mac networking here?

Although I am sure that it is possible by configuring the applications themselves, if you are using your macbook entirely as a VM tool with no use of the host operating system, is there actually much point keeping OSX on there? I mean you are not using it, and if you can't set it up the way you want, is it worth the effort to try when you are clearly OK running linux, so why not just run that?

-- 
Woody
From: Jaimie Vandenbergh on 21 Jan 2010 04:24

On Thu, 21 Jan 2010 15:59:17 +0700, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

>Hi,
>
>I'm trying to find out how to get the OS X application firewall to block
>access to all incoming traffic except for one application, VMware.
>Unfortunately the OS X application firewall is essentially useless
>because it allows all manner of things to easily bypass it, either
>directly or by using a command line tool such as netcat. See:
><http://www.h-online.com/security/news/item/Apple-documents-Leopard-firewall-functionality-and-holes-733932.html>
>
>I know Apple are pretty clueless about security, but leaving all root
>owned listening processes open even when the firewall is fully locked?
>That's crazy! Can anyone tell me how to get the application firewall to
>actually do its job and block incoming access to everything but VMware?

You can't, it just doesn't do that. But you can get in at the ipfw interface - which happens lower down the stack, of course - and roll your own rules. Or use a UI, like Doorstop X.

The firewall in 10.6 server is still ipfw based rather than application-centric, apparently.

>Equally, I'd like to disable completely (or at least block the incoming
>and outgoing traffic of) system daemons such as configd, mDNSResponder,
>the Finder using nmblookup and smbclient, DirectoryService, ntpd, and
>there may be others. I want total "silence on the wire". If anyone knows
>how to disable any of those chatty daemons I'd be very very grateful to
>hear how (launchd maybe?).

Launchd it is. Lingon is a useful UI for managing these, though you can mess around in /System/Library/LaunchDaemons if you prefer. I have no idea what damage (if any) disabling them might do. For blocking, back up to ipfw.

>I've been tinkering with this on and off for months. I'm getting
>desperate now. I'm on the point of wiping VMware and even OS X off my
>brand new MacBook Pro and installing Linux with KVM just so I can get a
>properly secured VM hosting environment for my work.

Honestly, I'm surprised you've left it so long!

Cheers - Jaimie
-- 
220 mail.sessile.org ESMTP Sendmail 8.13.4 ICBM ENABLED ; Wed, 23 Jun 2005 15:04:40 GMT
HELO spammers.org
250 mail.sessile.org
MAIL FROM:<scumball(a)spammers.org>
550 you have four minutes to say goodbye to your family
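A worked example added here for the two things Jaimie points at: ipfw rules below the application firewall (default-deny inbound, stateful outbound, with the chatty daemons James lists silenced by port), and launchd for switching those daemons off. It is not code from anyone in the thread. The launchd plist names (`org.ntp.ntpd`, `com.apple.mDNSResponder`) are what 10.5/10.6 ship and should be confirmed with `ls`; the inbound ports are passed in as arguments because which ports VMware needs reachable depends on the host, and the `8443` in the usage line is only a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a default-deny ipfw ruleset
# for an OS X 10.5/10.6 host and unloads chatty launchd daemons.
# Everything marked ASSUMPTION must be checked on the real machine.

# Print ipfw rules. Arguments: TCP ports that outside hosts may reach
# (ASSUMPTION: whatever VMware exposes; list them with `sudo lsof -i -P -n`).
build_ipfw_rules() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 check-state"
    # Silence the daemons named in the thread by port, in both directions:
    # Bonjour/mDNS, NTP, NetBIOS name/datagram, SMB browsing.
    echo "add 310 deny udp from any to any 5353"
    echo "add 320 deny udp from any to any 123"
    echo "add 330 deny udp from any to any 137,138"
    echo "add 340 deny tcp from any to any 139,445"
    # Host-initiated connections are allowed and tracked statefully.
    echo "add 400 allow tcp from me to any out setup keep-state"
    echo "add 500 allow udp from me to any out keep-state"
    # One explicit allow per permitted inbound port, nothing else.
    n=600
    for p in "$@"; do
        echo "add $n allow tcp from any to me $p in setup keep-state"
        n=$((n + 10))
    done
    # Everything that reached this point is dropped and logged.
    echo "add 65000 deny log ip from any to any"
}

# Load the rules into the kernel when ipfw exists; otherwise just show them.
apply_ipfw_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; printing rules only" >&2
        build_ipfw_rules "$@"
        return 0
    fi
    ipfw -q -f flush
    build_ipfw_rules "$@" | while read -r rule; do
        # word splitting of $rule is intended: "add 100 allow ..." -> args
        ipfw -q $rule
    done
    # Make the "deny log" rule actually write to the system log.
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
}

# launchd jobs worth switching off (ASSUMPTION: plist names as shipped on
# 10.5/10.6; confirm with ls /System/Library/LaunchDaemons). configd and
# DirectoryService are deliberately left alone: they manage network
# configuration and user lookups, and the host breaks without them.
CHATTY_JOBS="org.ntp.ntpd com.apple.mDNSResponder"

# Unload each job; -w writes Disabled=true so it stays off across reboots.
# Check name resolution afterwards: on 10.6 mDNSResponder also answers
# unicast DNS, so unloading it may leave the host unable to resolve names.
disable_chatty_jobs() {
    for job in $CHATTY_JOBS; do
        plist="/System/Library/LaunchDaemons/$job.plist"
        if [ ! -f "$plist" ]; then
            echo "skipping $job: $plist not present" >&2
            continue
        fi
        launchctl unload -w "$plist"
    done
}

# Usage, as root: sh silence.sh --apply 8443   (8443 is a placeholder port)
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_ipfw_rules "$@"
    disable_chatty_jobs
fi
```

Two things to keep in mind when using this: ipfw matches on addresses and ports, not on which application opened the socket, so "only VMware" has to be expressed as "only these ports", and anything else listening on those ports is reachable too; and the final `deny log` rule is what tells you whether the box is really quiet, since `tail -f /var/log/system.log` (or `ipfw -a list` for hit counters) will show any traffic the earlier rules did not expect.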
From: James Taylor on 21 Jan 2010 04:29

Woody wrote:

> if you are using your macbook entirely as a VM tool with no
> use of the host operating system, is there actually much point keeping
> OSX on there? I mean you are not using it, and if you can't set it up
> the way you want, is it worth the effort to try when you are clearly OK
> running linux, so why not just run that?

It's sorely tempting. The problem is in the inertia of time and money already invested in the current setup. I have already paid for VMware, I have some familiarity with it, and a number of VM guests in VMware format that I spent considerable time setting up. There is an increasing shortage of time pressing upon me with the work I'm doing, and I really don't want to have to spend yet more time familiarising myself with the KVM way of doing things and then rebuilding (or somehow translating) all the VM guests. I just want to be able to get on with building virtual servers on a hypervisor platform I know is unreachable (hopefully even undetectable) over the network.

-- 
James Taylor
From: Jim on 21 Jan 2010 04:34
On 2010-01-21, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Woody wrote:
> 
>> if you are using your macbook entirely as a VM tool with no
>> use of the host operating system, is there actually much point keeping
>> OSX on there? I mean you are not using it, and if you can't set it up
>> the way you want, is it worth the effort to try when you are clearly OK
>> running linux, so why not just run that?
> 
> It's sorely tempting. The problem is in the inertia of time and money
> already invested in the current setup. I have already paid for VMware, I
> have some familiarity with it, and a number of VM guests in VMware
> format that I spent considerable time setting up. There is an increasing
> shortage of time pressing upon me with the work I'm doing, and I really
> don't want to have to spend yet more time familiarising myself with the
> KVM way of doing things and then rebuilding (or somehow translating) all
> the VM guests. I just want to be able to get on with building virtual
> servers on a hypervisor platform I know is unreachable (hopefully even
> undetectable) over the network.

This is probably a hopelessly simplistic answer, but could you not simply put the Mac's network adaptor on a 10.x.y.z network, then put the VMs' adaptors onto the real-world network?

Jim
-- 
http://www.ursaMinorBeta.co.uk
http://twitter.com/GreyAreaUK
"Get over here. Now. Might be advisable to wear brown trousers and a shirt the colour of blood." Malcolm Tucker, "The Thick of It"