RE: Panther and Firewall API?
RE: Panther and Firewall API?
- Subject: RE: Panther and Firewall API?
- From: "Huyler, Christopher M" <email@hidden>
- Date: Wed, 3 Sep 2003 14:07:15 -0400
- Thread-topic: Panther and Firewall API?
>
I just don't think it's good practice to turn security products off for
the >user. Include instructions in the manual and if an API exists to
test the >availability of a port, use it, but I hope an API to shut off
thefirewall >never comes. You'll need contingency plans anyway...what
happens if another >firewall product is installed, or a firewall box
unit is installed?
Well, if someone wants a webserver, all they have to do is click on
"Personal Web Sharing" and their computer is exposed to all traffic on
port 80 whether the firewall is turned on or not. They have
successfully lowered their defenses without any knowledge of the
firewall even existing (unless they click the next tab to see that
"Personal Web Sharing (80,427)" is listed there as well. The user
didn't even have to enter a root password to do that! Even worse is the
fact that a single click will turn on Windows File Sharing or Personal
File Sharing in which other users on the network could instantly upload
viruses to the computer.
For the case of a different firewall product, the user would be aware
that he/she has installed another firewall and a specific case like that
could be worked through by support. The case of the apple firewall can
occur on every single machine running Mac OS X and many users don't even
know its there or how it works.
What if the API was limited to opening and closing individual ports and
certain ports deemed to be a security risk (such as telnet and ssh or
possibly any port <1024) were not allowed to be opened by the API?
Additionally, I agree that this is somewhat of a security risk which is
why I believe root access should be required for any modification. If
you still think it is a risk with root access consider this...everything
I'm asking and far worse can already be achieved without an API as long
as a running application is executed as root. Firewall rules can be
added and removed using getsockopt(sock,IPPROTO_IP,IP_FW_GET,...) and
the firewall kernel extension can be stopped and started using
sysctl(net.inet.ip.fw.enable). The only problem with this as a practical
solution is that the SharingPrefs Panel flushes all the rules and
re-writes them when the computer is restarted or any change is made to
the SharingPrefs. If the security risk is already there, why not make a
clean API so that legitimate applications and installers for those
applications can make things easy for the user.
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/macnetworkprog
Do not post admin requests to the list. They will be ignored.