Mac OS X 10.2.4 Firewall- not working?
 

Using Mac OS X 10.2.4 Firewall (in Systems Preferences Sharing pane):

Services: All services off.
Firewall: On. All ports (except selected custom ports) off.

I believe this should prevent all internet communication, except the selected ports.

Is this correct?

If it is correct, then why can I still browse the web (port 80 open), retrieve and send email, and perform other activities (Adium instant messaging, port 9898(?)) that use ports that should be off?

Even if all ports are turned off, I can still use these services.

I would think I should not be able to, because the firewall should block these communications.

Is this correct?

If so, why isn't firewall working?

Searched forums for info, and found discussion about a few items:

1. Mac OS X firewall might not become active with new settings, unless toggled on and off, and/or restarted. OK, I did those things.

2. Mac OS X firewall might not work if another firewall is active (but, it will usually give warning to that effect). No warning here. No other firewall here, either. (Brickhouse was installed temporarily a long time ago, but it has been removed, and, my understanding it controlled ipfw, just as the Mac OS firewall does, so not really a conflict.)


So, why is firewall not blocking ports it is set to block? or, am I misunderstanding or misusing something?


thanks in advance

[not really peaved]

While I haven't used the built-in GUI firewall for ipfw in a while, I'm pretty sure that when you block ports, you block *incoming* ports. That would explain why you are able to do things like browse the web and chat on Adium; those are outgoing services. It would seem that Apple is using dynamic rules as well. If you want to check, I believe doing
will show you what is actually being blocked and allowed (as long as the Apple firewall is interfacing with ipfw properly). If you don't know how to read ipfw rules, just paste it here and I can step you through it.

maybe i am mistaken, then- If I browse a web page, isn't the data coming back to me "incoming"? My received email messages incoming?

If that kind of "incoming" data is not "incoming" according to firewall or by definition, then what is that kind of data called? How can it be blocked?

What is the definition and/or criteria for what the firewall will or won't block?



[not peaved, just confused]

I could be wrong (cause I know nothing about the firewall) but since you are requesting info on the ports for web, mail, and chat, shouldn't that open them up to receive data.

Might it block unrequested attempts on these ports?

Isn't it port 80 on the machine that is hosting the web page, not on your machine? If you try a localhost lookup does a web page appear?

I guess that is the same question I am asking- why is the firewall allowing data through ports that are closed? just because I requested info via those ports? or ???

Yes, that's essentially the correct answer.
Let's look at a typical simple set of firewall rules:
The first lines are a bit of housekeeping.
The sixth says to allow any TCP connection outbound. That lets you send a request to a remote webserver.
The next one allows inbound TCP packets that are part of an already established connection. That's how the remote server gets a reply to you.
After that I've got a line that allows SSH connections to this machine, and then a line that denies all other TCP connections.

ipfw is a pretty remarkable tool. Reading the man page is a good exercise.

Breen

Open a terminal and enter this command:

netstat -an

You'll see a list of ports which your machine is using for various reasons. You can see which tcp or udp ports are in use.

The ports will show up as ESTABLISHED, CLOSED, or LISTEN.

This website gives you some in-depth information not in the manual. Look at the section called stateful firewall. That's our beast. ipfw is intelligent, and regulates your incoming connections in a "safe manner" whilst you ask for them. Not too bad for OSX, but you can be pinged no problem or port scanned. I don't think ipfw can circumvent these problems.

So, the short answer is, it's OK. Until they invent a good trojan for OSX. ;)

btw: the default rules in syspreferences do not allow you to lock yourself out of the web or e-mail. as far as i know these ports are meant to stay open. (just imagine the number of calls to customer support if there was an innocent looking button whil allowed people to lock themselves in.) btw, why would i want autism-on-demand ?

thanks, everyone, for all the good info!

If port is opened by requesting data, how are other computers prevented from using that port (ie, "bad" data following the "good" data in)?

more questions/observations about port scanning- Apple's Network Utility seems lacking in some ways:

1. fails to show known open ports on the same computer (tried both IP address and 127.0.0.1).

2. it doesn't provide any feedback about progress.

3. if it doesn't find any open ports, it does notihing, instead of reporting "no open ports found."

4. it seems to take FOREVER (and without any progress indications). the only way I could complete a port scan was to limit scan to narrow port range. Is there room for improvement here, or is it necessary for port scanning to be so slow?



Is there a better utility for port scanning?

shields up!
 

test from the outside...

https://grc.com/x/ne.dll?bh0bkyd2

I'll take a couple of your posts at once...

Look at the firewall rules I posted. The part about ESTABLISHED (I'm capitalizing because that's the way netstat prints it) is the important one.

Here's a line from my netstat output:
I've got an SSH session open to my workstation at work. It's in the TCP established state -- we've completed the three-way handshake. (See Stevens' TCP/IP Illustrated http://www.aw.com/catalog/academic/p...633469,00.html>
for full details.)
Port 50257 is open in this case but only if the connection attempt comes from my workstation's IP and from port 22 there.

That's why ipfw is called a stateful firewall.

Your scans are so slow because the default action of a rule that's disallowing connections is to drop the packets. This means that the higher level protocols have to wait for a timeout on every port that's being tested. That takes a significant amount of time.

Scanning your own computer isn't usually very useful. You want to scan from outside -- the link mervTormel posted to Steve Gibson's Shields Up is the best known but there are others.

The port scanning utility usually considered best is called nmap: http://www.insecure.org.

Breen

Ya'll are paranoid. Nobody wants your stuff. ;)

:D
Famous last words.... they may not be interested in your data. They just may want to use your machine as a stepping stone to attack someone else.

So don't bother protecting your machine. Then they won't bother us because it's too much trouble, but they'll have yours. :p

too-shay

peeved: there are >65,000 ports to scan, and when one don't answer, the min timeout of 300 seconds (?) needs to pass before passing to the next port, unless some provision has been made to shorten the timeout.

thanks again, everyone, for all the good info.

why close all ports? well, i just thought it would be safer to close all ports except ones I knew I wanted to use. but now, after the discussion about establishing ports, i would like to block unwanted spyware transmissions outgoing from my computer. No one wants sneaky spyware running about. but, if I understand now, it seems the basic firewall settings are insufficient to prevent this? but it should still be possible somehow? then, I suppose they would be sneaky enough to use commonly used ports, such as 80, to avoid detection and/or bypass routine security. So, is there a way to specify which applications have permission to access ports? another approach? other suggestions, info?

A broader question- how to log port activity/firewall activity/etc effectively so information is finely detailed to review history later, but also so breaches or unwanted activity is easily recognized?

minor Apple Network Utility observation: the slow performance occurs also when scanning other computers on the local network (ie. scanning from "outside"). but, this is still part of known behavior, ie. waiting for timeouts, correct? so, is it worthwhile/useful/effective to somehow reduce timeout wait by the Network Utility (or other port scanning software)? how is it done? or, is that undesireable?

lastly, the TCP/IP illustrated book looks like a good one and just what the doctor ordered. Is there something similar for Unix in general? I think I like the "illustrated" approach describing the underlying mechanisms and standards in some detail, better than other introductory or unix-how-to books. Eventually, I would like to start writing programs for Mac OS X- I've written Mac OS applications before, just not familiar at all with Unix and need some fast, but detailed, education- if there is/are books similar to TCP/IP Illustrated, that seems like best approach for me. Suggestions?


tia

With most firewalls they are "statefull" that is they remember what conversations are going on. When you request a web page from a server the request goes out from some port on your computer, say 5000, to port 80 on the serving computer (default). When you do this you are also setting up a TCP "stream". This stream allows for information to flow both ways, and provides a way for packets that flow back and forth to be re-assembled in the right order (packet numbers).

As long as that stream is open the firewall will accept packets on that port that come from that computer (or at least say they do) that seem to have the right packet numbers, and when things get re-assembled this information "stream" is delivered to the program that opened the stream.

Welcome to TCP 101

Your firewall is the wrong place to block transmissions from assorted ratware that may be running on your computer. For that you'll want a host-based scanner.

Why do you suspect that you have such stuff anyway? The best way to avoid these is to practice safe computing -- don't load anything from untrusted sources, run virus checkers, don't allow your email client to open messages automatically.

I actually think you're starting to overreact. We can certainly make your computer perfectly safe -- by disconnecting it from the Internet. But that's throwing the baby out with the bathwater. Prudent behavior that doesn't transform into paranoia should be good enough for almost anybody.

Breen

no worries, i'm not paranoid or overreacting to fears of unsafe computing... this is just exploring and more a technical learning exercise than anything. Would rather flex and train some geek muscles, rather than be ignorant and uninvolved in actively getting more from all this powerful technology we now have access to.

spyware- no big deal. I would at least like to be knowledgeable and alert enough to detect it when it happens, rather than have to wait for some of you more savvy users to report to the mac news sites that such-and-such application is sending spurious transmissions back to the mother ship, and the like.

I don't know about most of you, but I prefer to know what's going on inside my computer, as much as possible, and perhaps control some of its behavior, if worthwhile enough and within my grasp.

then, beyond that, translate some of what I've learned into software applications to share that with others and help them also get more from computing.

really seeking technical information here, rather than philosophy.



hth

tia

Little Snitch
 

There is a commercial application that claims to detect the sort of spyware you are worried about. It is called "Little Snitch": http://obdev.at/products/littlesnitch/
I haven't tried it myself but would be interested in reports about how well it works.

hayne, thanks for the link to little snitch, i tried the demo. it seems to work as advertised- notifies you of outgoing connections and allows you to add rules to block. it's a little opaque- does not doucment whether or not it is simply adding rules to ipfw or what. does anyone know?

it is very nice that it notifies user about outgoing communications, but it would be much better if it had a logging capability.

also, it's weird that in order to add a rule, you must also checkbox the option to never show the notification again--- sucks if you want to have a rule to allow, but also want to be notified next time again.

close but not quite there

ditto. what peaved said re: li'l Snitch - let's submit some feedback to the developer; it has a lot of potential.

it appears to be autonomous of ipfw. ipfw show doesn't reveal any new rules added.

A Little Peaved,

I know that NetBarrier has it's advocates, I like it for what it does but I completely switched to Firewalk X about 9 months ago. I would take some of the comments on VT with a pinch of salt, some of their comments smack of ignorance.

It is a very good firewall utility, shareware. It has all the necessary tools to limit and log incoming/outgoing connections, gives consistent alerts which are configurable, time dependent rules, blackholing etc. etc.
It installs a daemon and preference pane which I've had no trouble with and is completely independent of ipfw, if you wish you can actually have ipfw on as well and it works well with that. I don't do that anymore.
In regards to little snitch, if it's spyware you're looking for, then you can easily configure Firewalk to monitor your TCP/UDP or ICMP outgoing connections and give pop-up alerts. You can also limit applications from accessing the internet if you're very paranoid.

more about spyware, little snitch-

It seems some applications cause your browser to open and perhaps load a web page, thereby evading little snitch, because it is likely there is already a rule in place to allow your browser to send outgoing data on port 80.

Is there an effective way to prevent this kind of thing?

HenWen is a freeware Mac OS X interface for snort, a network intrusion detection software. It is not a firewall, but still a helpful utility for security purposes.

HenWen is here:
http://home.attbi.com/~dreamless/henwen.html

bassi- i am also negative on Netbarrier- haven't looked at it lately, but in OS 9 it reportedly modified the System file- that kind of behavior is not something i want to tolerate.

Firewalk looks very nice. I am starting to become a believer in more open source and unix software, though, and the firewalk firewall is proprietary.

The Little Snitch firewall is proprietary, too, I think, which is a drawback (IMHO).

So, some good software around, but still looking for:

1. freeware, preferably open source and unix-based, firewall that blocks ougoing packets to replace/combine with ipfw, has logging, and nice user interface.

2. solution for above problem- sneaky software starts up, launches your browser and loads webpage via 80, bypassing your firewall security.