Mac OS X 10.2.4 Firewall- not working?

[A Little Peaved!]

Using Mac OS X 10.2.4 Firewall (in Systems Preferences Sharing pane):

Services: All services off.
Firewall: On. All ports (except selected custom ports) off.

I believe this should prevent all internet communication, except the selected ports.

Is this correct?

If it is correct, then why can I still browse the web (port 80 open), retrieve and send email, and perform other activities (Adium instant messaging, port 9898(?)) that use ports that should be off?

Even if all ports are turned off, I can still use these services.

I would think I should not be able to, because the firewall should block these communications.

Is this correct?

If so, why isn't firewall working?

Searched forums for info, and found discussion about a few items:

1. Mac OS X firewall might not become active with new settings, unless toggled on and off, and/or restarted. OK, I did those things.

2. Mac OS X firewall might not work if another firewall is active (but, it will usually give warning to that effect). No warning here. No other firewall here, either. (Brickhouse was installed temporarily a long time ago, but it has been removed, and, my understanding it controlled ipfw, just as the Mac OS firewall does, so not really a conflict.)


So, why is firewall not blocking ports it is set to block? or, am I misunderstanding or misusing something?


thanks in advance

[not really peaved]

[babertocci]

While I haven't used the built-in GUI firewall for ipfw in a while, I'm pretty sure that when you block ports, you block *incoming* ports. That would explain why you are able to do things like browse the web and chat on Adium; those are outgoing services. It would seem that Apple is using dynamic rules as well. If you want to check, I believe doing

Code:

sudo ipfw -a show

will show you what is actually being blocked and allowed (as long as the Apple firewall is interfacing with ipfw properly). If you don't know how to read ipfw rules, just paste it here and I can step you through it.

[A Little Peaved!]

maybe i am mistaken, then- If I browse a web page, isn't the data coming back to me "incoming"? My received email messages incoming?

If that kind of "incoming" data is not "incoming" according to firewall or by definition, then what is that kind of data called? How can it be blocked?

What is the definition and/or criteria for what the firewall will or won't block?



[not peaved, just confused]

[schwartze]

I could be wrong (cause I know nothing about the firewall) but since you are requesting info on the ports for web, mail, and chat, shouldn't that open them up to receive data.

Might it block unrequested attempts on these ports?

Quote: If it is correct, then why can I still browse the web (port 80 open)

Isn't it port 80 on the machine that is hosting the web page, not on your machine? If you try a localhost lookup does a web page appear?

[A Little Peaved!]

Quote: Originally posted by schwartze I could be wrong (cause I know nothing about the firewall) but since you are requesting info on the ports for web, mail, and chat, shouldn't that open them up to receive data.

I guess that is the same question I am asking- why is the firewall allowing data through ports that are closed? just because I requested info via those ports? or ???

[breen]

Quote: Originally posted by A Little Peaved! I guess that is the same question I am asking- why is the firewall allowing data through ports that are closed? just because I requested info via those ports? or ???

Yes, that's essentially the correct answer.
Let's look at a typical simple set of firewall rules:

Code:

[lab-g4s-Computer:~] labg4% sudo ipfw list
Password:
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 22 in
12190 deny tcp from any to any
65535 allow ip from any to any

The first lines are a bit of housekeeping.
The sixth says to allow any TCP connection outbound. That lets you send a request to a remote webserver.
The next one allows inbound TCP packets that are part of an already established connection. That's how the remote server gets a reply to you.
After that I've got a line that allows SSH connections to this machine, and then a line that denies all other TCP connections.

ipfw is a pretty remarkable tool. Reading the man page is a good exercise.

Breen

[dafuser]

Quote: Originally posted by A Little Peaved! I guess that is the same question I am asking- why is the firewall allowing data through ports that are closed? just because I requested info via those ports? or ???

Open a terminal and enter this command:

netstat -an

You'll see a list of ports which your machine is using for various reasons. You can see which tcp or udp ports are in use.

The ports will show up as ESTABLISHED, CLOSED, or LISTEN.

[bassi]

This website gives you some in-depth information not in the manual. Look at the section called stateful firewall. That's our beast. ipfw is intelligent, and regulates your incoming connections in a "safe manner" whilst you ask for them. Not too bad for OSX, but you can be pinged no problem or port scanned. I don't think ipfw can circumvent these problems.

So, the short answer is, it's OK. Until they invent a good trojan for OSX.

[brmic]

btw: the default rules in syspreferences do not allow you to lock yourself out of the web or e-mail. as far as i know these ports are meant to stay open. (just imagine the number of calls to customer support if there was an innocent looking button whil allowed people to lock themselves in.) btw, why would i want autism-on-demand ?

[A Little Peaved!]

thanks, everyone, for all the good info!

If port is opened by requesting data, how are other computers prevented from using that port (ie, "bad" data following the "good" data in)?

[A Little Peaved!]

more questions/observations about port scanning- Apple's Network Utility seems lacking in some ways:

1. fails to show known open ports on the same computer (tried both IP address and 127.0.0.1).

2. it doesn't provide any feedback about progress.

3. if it doesn't find any open ports, it does notihing, instead of reporting "no open ports found."

4. it seems to take FOREVER (and without any progress indications). the only way I could complete a port scan was to limit scan to narrow port range. Is there room for improvement here, or is it necessary for port scanning to be so slow?



Is there a better utility for port scanning?

[mervTormel]

test from the outside...

https://grc.com/x/ne.dll?bh0bkyd2

[breen]

I'll take a couple of your posts at once...

Quote: Originally posted by A Little Peaved! If port is opened by requesting data, how are other computers prevented from using that port (ie, "bad" data following the "good" data in)?

Look at the firewall rules I posted. The part about ESTABLISHED (I'm capitalizing because that's the way netstat prints it) is the important one.

Here's a line from my netstat output:

Code:

tcp4       0      0  192.168.1.4.50257      192.xxx.xxx.xxx.22      ESTABLISHED

I've got an SSH session open to my workstation at work. It's in the TCP established state -- we've completed the three-way handshake. (See Stevens' TCP/IP Illustrated http://www.aw.com/catalog/academic/p...633469,00.html>
for full details.)
Port 50257 is open in this case but only if the connection attempt comes from my workstation's IP and from port 22 there.

That's why ipfw is called a stateful firewall.

Quote: more questions/observations about port scanning- Apple's Network Utility seems lacking in some ways: 4. it seems to take FOREVER (and without any progress indications). the only way I could complete a port scan was to limit scan to narrow port range. Is there room for improvement here, or is it necessary for port scanning to be so slow? Is there a better utility for port scanning?

Your scans are so slow because the default action of a rule that's disallowing connections is to drop the packets. This means that the higher level protocols have to wait for a timeout on every port that's being tested. That takes a significant amount of time.

Scanning your own computer isn't usually very useful. You want to scan from outside -- the link mervTormel posted to Steve Gibson's Shields Up is the best known but there are others.

The port scanning utility usually considered best is called nmap: http://www.insecure.org.

Breen

[AKcrab]

Ya'll are paranoid. Nobody wants your stuff.

[dafuser]

Quote: Originally posted by AKcrab Ya'll are paranoid. Nobody wants your stuff.

Famous last words.... they may not be interested in your data. They just may want to use your machine as a stepping stone to attack someone else.

So don't bother protecting your machine. Then they won't bother us because it's too much trouble, but they'll have yours.

[mervTormel]

Quote: Originally posted by dafuser Famous last words ... but they'll have yours.

too-shay

peeved: there are >65,000 ports to scan, and when one don't answer, the min timeout of 300 seconds (?) needs to pass before passing to the next port, unless some provision has been made to shorten the timeout.

[A Little Peaved!]

thanks again, everyone, for all the good info.

why close all ports? well, i just thought it would be safer to close all ports except ones I knew I wanted to use. but now, after the discussion about establishing ports, i would like to block unwanted spyware transmissions outgoing from my computer. No one wants sneaky spyware running about. but, if I understand now, it seems the basic firewall settings are insufficient to prevent this? but it should still be possible somehow? then, I suppose they would be sneaky enough to use commonly used ports, such as 80, to avoid detection and/or bypass routine security. So, is there a way to specify which applications have permission to access ports? another approach? other suggestions, info?

A broader question- how to log port activity/firewall activity/etc effectively so information is finely detailed to review history later, but also so breaches or unwanted activity is easily recognized?

minor Apple Network Utility observation: the slow performance occurs also when scanning other computers on the local network (ie. scanning from "outside"). but, this is still part of known behavior, ie. waiting for timeouts, correct? so, is it worthwhile/useful/effective to somehow reduce timeout wait by the Network Utility (or other port scanning software)? how is it done? or, is that undesireable?

lastly, the TCP/IP illustrated book looks like a good one and just what the doctor ordered. Is there something similar for Unix in general? I think I like the "illustrated" approach describing the underlying mechanisms and standards in some detail, better than other introductory or unix-how-to books. Eventually, I would like to start writing programs for Mac OS X- I've written Mac OS applications before, just not familiar at all with Unix and need some fast, but detailed, education- if there is/are books similar to TCP/IP Illustrated, that seems like best approach for me. Suggestions?


tia

[larkost]

With most firewalls they are "statefull" that is they remember what conversations are going on. When you request a web page from a server the request goes out from some port on your computer, say 5000, to port 80 on the serving computer (default). When you do this you are also setting up a TCP "stream". This stream allows for information to flow both ways, and provides a way for packets that flow back and forth to be re-assembled in the right order (packet numbers).

As long as that stream is open the firewall will accept packets on that port that come from that computer (or at least say they do) that seem to have the right packet numbers, and when things get re-assembled this information "stream" is delivered to the program that opened the stream.

Welcome to TCP 101

[breen]

Quote: Originally posted by A Little Peaved! thanks again, everyone, for all the good info. why close all ports? well, i just thought it would be safer to close all ports except ones I knew I wanted to use. but now, after the discussion about establishing ports, i would like to block unwanted spyware transmissions outgoing from my computer. No one wants sneaky spyware running about. but, if I understand now, it seems the basic firewall settings are insufficient to prevent this?

Your firewall is the wrong place to block transmissions from assorted ratware that may be running on your computer. For that you'll want a host-based scanner.

Why do you suspect that you have such stuff anyway? The best way to avoid these is to practice safe computing -- don't load anything from untrusted sources, run virus checkers, don't allow your email client to open messages automatically.

I actually think you're starting to overreact. We can certainly make your computer perfectly safe -- by disconnecting it from the Internet. But that's throwing the baby out with the bathwater. Prudent behavior that doesn't transform into paranoia should be good enough for almost anybody.

Breen

[A Little Peaved!]

no worries, i'm not paranoid or overreacting to fears of unsafe computing... this is just exploring and more a technical learning exercise than anything. Would rather flex and train some geek muscles, rather than be ignorant and uninvolved in actively getting more from all this powerful technology we now have access to.

spyware- no big deal. I would at least like to be knowledgeable and alert enough to detect it when it happens, rather than have to wait for some of you more savvy users to report to the mac news sites that such-and-such application is sending spurious transmissions back to the mother ship, and the like.

I don't know about most of you, but I prefer to know what's going on inside my computer, as much as possible, and perhaps control some of its behavior, if worthwhile enough and within my grasp.

then, beyond that, translate some of what I've learned into software applications to share that with others and help them also get more from computing.

really seeking technical information here, rather than philosophy.



hth

tia