Re: [Fed-Talk] Firewall
- Subject: Re: [Fed-Talk] Firewall
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 10 Apr 2008 11:57:47 -0400
- Thread-topic: [Fed-Talk] Firewall
On 4/10/08 9:58 AM, "Michael" <email@hidden> wrote:
> On Apr 10, 2008, at 12:31 AM, Boyd Fletcher wrote:
>>
>> On 4/8/08 5:17 PM, "Boyd Fletcher" <email@hidden> wrote:
>>
>>> On 4/8/08 9:59 AM, "Michael" <email@hidden> wrote:
>>>
>>>> If you liked the GUI Firewall in OS X 10.3 and 10.4 then you didn't
>>>> understand how big the holes in it were. To deal with those holes you
>>>> either did it by hand, which you can still do in 10.5, or you used a
>>>> third-party GUI program to configure ipfw, i.e. Brickhouse. There is no
>>>> reason those programs shouldn't still work.
>>
>> I understand them quite well. We use a considerable number of "non-native"
>> Mac apps (i.e. unix apps) and being able to explicitly set ports and
>> protocols is much better. The 10.5 one doesn't work with "non-native" apps.
>
> There are two points with explicitly setting ports and protocols with
> the 10.3 and 10.4 firewalls.
>
> Opening incoming ports and protocols via the GUI was all very nice.
> You open an incoming port and protocol and it applies to all
> applications on your computer. Under OS 10.5 you should be able to
> instead set a specific application to be permitted to listen on
> whatever ports it opens. Perhaps you have specific bugs with the new
> firewall regarding unix servers you're running under OS X; I don't
> have a good test for that (sshd comes with OS X so that does not meet
> the requirement of a non-native app and I locked my configuration down
> too tight anyway).
>
> Your statement says that you are running a considerable number of unix
> servers because the 10.5 firewall only blocks servers and not
> applications that wish to talk to servers on other machines. File a
> specific bug report with Apple regarding specific unix applications
> that don't work with 10.5's firewall unless you turn it off. It seems
> obvious you shouldn't tell the world the names of those apps and what
> ports they listen on; perhaps you can give Apple an example case that
> you may not be running.
>
> 2) What I'm referring to is all the ports and protocols that the GUI
> in 10.3 and 10.4 left open by default. What's the point of a firewall
> with so many ways to get around it?
>
> Your original point was that "Apple chose to degrade the firewall
> capability in leopard from the much better one in Tiger."
>
> My point is that the one in Tiger was only better for someone running
> unix servers and who didn't care that the firewall didn't really do
> much to protect them.
Again, you are getting confused between my statements about how the GUI was
implemented and what the GUI actually did or did not do on the backend.
Apple users need the ability to easily and quickly configure which
ports/protocols are explicitly being used. This cannot be done with 10.5's
firewall GUI. In fact, with the 10.5 GUI you really have no idea what
actually is or is not allowed. This is bad security design.
>
>> My point is that you should not have to install a 3rd party app to
>> configure the firewall. Apple should provide a suitable GUI that lets
>> you do it.
>
> My point is that you had to install a 3rd party app to configure the
> Firewall under 10.3 and 10.4 unless you were happy with the limited
> number of ports and protocols it blocked and that the 10.5 Application-
> based firewall is likely more secure.
I'm a firm believer in the o/s's ability to protect itself. You should not
have to add 3rd party software to protect a properly designed and
implemented o/s.
>
>> In the current approach I have to write a bunch of ipfw rules by hand
>> and I really have better things to be doing than writing firewall
>> policies for my boxes.
>
> If you weren't writing firewall rules by hand under 10.3 and 10.4 then
> you had a very limited firewall.
I admit the 10.4 firewall was flawed in its implementation, but the GUI
was not. I would hope that if Apple added the ability to explicitly set
protocols and ports in 10.5 they wouldn't make the same mistakes on the
implementation side that you described below.
>
> Flaws in 10.4 standard firewall:
>
> <http://prefetch.net/blog/index.php/2006/08/13/locking-down-the-os-x-firewall/>
> ......
>
>
> Michael
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
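The thread argues over explicitly allowing ports/protocols versus hand-written ipfw rules and a GUI that leaves ports open by default. As an added example that is not part of this thread or of any Apple tool, the following constructed Python generator turns an explicit (protocol, port) allowlist into an ipfw ruleset that denies all other inbound traffic; the host, service list and rule numbers are assumptions.

```python
"""Build a default-deny ipfw ruleset from an explicit inbound allowlist.

Constructed example: the SERVICES list and rule numbering are assumptions,
not any real host's policy. Only listed (protocol, port) pairs may accept
new inbound connections; the final rule drops everything else inbound.
"""
from typing import Iterable, List, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 22)

# Constructed allowlist for a hypothetical host.
SERVICES: List[Service] = [
    ("tcp", 22),    # ssh
    ("udp", 5353),  # mDNS / Bonjour
]


def validate(services: Iterable[Service]) -> None:
    """Reject anything that is not an explicit tcp/udp port."""
    for proto, port in services:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")


def build_ruleset(services: Iterable[Service], log_denied: bool = False) -> List[str]:
    """Return ipfw rule bodies (without the 'ipfw' command prefix)."""
    services = list(services)
    validate(services)
    rules = [
        "add 100 allow ip from any to any via lo0",        # loopback traffic
        "add 200 deny ip from any to 127.0.0.0/8",         # spoofed loopback
        "add 300 allow tcp from any to any established",   # replies to our own TCP sessions
        "add 400 allow ip from any to any out",            # outbound client traffic
        "add 500 allow icmp from any to any icmptypes 0,3,8,11",  # ping, unreachable, ttl exceeded
    ]
    num = 1000
    for proto, port in sorted(set(services)):  # deterministic, no duplicates
        if proto == "tcp":
            rules.append(f"add {num} allow tcp from any to me {port} in setup")  # new TCP sessions only
        else:
            rules.append(f"add {num} allow udp from any to me {port} in")
        num += 10
    deny = "deny log ip" if log_denied else "deny ip"
    rules.append(f"add 65000 {deny} from any to any in")  # everything else inbound is dropped
    return rules


def to_script(services: Iterable[Service], log_denied: bool = False) -> str:
    """Render a shell script that flushes and loads the ruleset."""
    lines = ["#!/bin/sh", "# Constructed example: load an explicit inbound allowlist", "ipfw -q flush"]
    lines += ["ipfw -q " + rule for rule in build_ruleset(services, log_denied)]
    return "\n".join(lines) + "\n"
```

Adding a service means adding one tuple to SERVICES; nothing inbound is permitted that is not listed, which is the explicit-ports model the thread asks for without the open-by-default ports it complains about.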