"Shields UP! Leopard Firewall Test"

I have been testing my firewall here. http://www.grc.com/x/ne.dll?rh1dkyd2

These are the results I am experiencing.
Shields Up test results are the same for me on all 3 firewall settings, with stealth enabled.

Allow all incoming connections
Block all incoming connections
Set access for specific services and applications.

On all 3 settings ports 136, 137, 139, and 445 are stealth. Ports 53 and 23 are open, and all others are closed. My computer fails the "solicited TCP Packets" and "Ping reply" tests, and passes the unsolicited packets test. No matter which of the 3 firewall settings I use, the test results are the same.

Can anyone explain to me why all the results are the same regardless of the setting?

20" Intel iMac, 30g iPod video, iPhone, Mac OS X (10.5)

Posted on Nov 1, 2007 6:12 PM

14 replies

Nov 1, 2007 6:36 PM in response to An Inconvenient Carbon Credit

There was a Leopard Server google similar to this. It stated that turning on the firewall did NOT turn off all incoming ports, especially NTP and some others that I cannot remember at the moment. However, they suggested that you use your own ipfw commands to create a better firewall. Not ideal by any means and much more complicated, but they did say that that was a solution. You might give it a try.

Nov 1, 2007 8:19 PM in response to Bob White

Bob,

they suggested that you use your own ipfw commands to create a better firewall.


What would those ipfw commands be?

This is what Google lists for Leopard Firewall.

ipfw leopard produces equally confusing results.

These searches result in almost exclusively negative comments, with no viable solutions. When I go through the Shields UP! test with Tiger, my system gets a perfect score.

;~)


Nov 1, 2007 9:32 PM in response to An Inconvenient Carbon Credit

Ferd,

I actually don't know yet. I read the server link from a google ("leopard macosx server firewall"), http://www.heise-security.co.uk/articles/98120. If you want to know the truth, I got out my New Riders "Linux Firewalls" by Robert Ziegler, second edition, and was starting to read through it. It does give ipfw examples, but admittedly I have not implemented them yet and was only really considering using them for my MacOSX server which I mentioned in my prior post. It is behind a Linksys router. So, it is somewhat secure, but it is my second line of defense. ipfw looks to be a PITA however.

As far as I know, no one has broken into my MacBook Pro under Tiger with all services off but web-sharing and I have never done a port scan on it. (I use web-sharing for a localhost website that I have restricted to just localhost via apache.)

The article mentioned above looks to be valid and I will be doing port scans on Leopard server when I get it installed to see if any holes exist.

Anyway, that is where my post came from and it was only a suggestion. Hope that helps.


An Inconvenient Carbon Credit,

I would suggest that you submit your findings to http://www.apple.com/feedback/macosx.html so that Apple will know about it and I would specifically state how you performed the tests. HTH

Message was edited by: Bob White

Nov 1, 2007 11:36 PM in response to Mark T1

Most of the routers (Linksys, Belkin, etc.) I've used have a provision for blocking a Ping request and almost all of the 65,000 ports are blocked at the router, and you have a NAT firewall, and sometimes "Stateful Packet Inspection" in even the cheapest routers.

Wired and Wireless, it makes no difference to the firewall. Sometimes you have to open and forward ports on these routers to use a service at all. The ports for many online games, and services like BitTorrent are blocked automatically.

The end result is that your hardware firewall blocks most incoming scans or access attempts before your Mac gets bothered.

An exception would be if you turned on the DMZ for one of your LAN IP numbers and put a machine on that IP.

Nov 2, 2007 7:16 AM in response to An Inconvenient Carbon Credit

This morning, I turned off all outside services on Leopard Client machine. I went to a Tiger machine and did a port scan. It showed no ports available. You do port scans using /Applications/Utilities/Network Utility.app. Port 53 is for DNS inquiries/responses and may or may not be a serious security breach depending on how buggy the DNS software is. Port 23, however, being open is a serious security breach and one that you need to research since it allows full access to your computer. So, next I tried to telnet into the Leopard machine and the connection was always refused. Thankfully! So, unless you specifically opened up port 23, I doubt that it is actually open and I would doubt that 53 is open either. From the tests that I made, I would question whether Shields UP! is giving you valid results.

But you should run your own tests using another MacOSX machine in a LAN either behind a router or not connected to the internet, so you will understand it better.

Also, I fully agree with the comments on using a router. It does offer a great amount of security, is normally cheap and easy to set up these days. I have used one for years and actually have two in place, a Linksys router and behind that MacOSX server with its NAT and firewall turned on.

Last, Ferd was right. I should have done my homework before posting. I tend to like the tech stuff too much. So, sometimes I get a little carried away. Sorry about that.

Message was edited by: Bob White
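The LAN-side check suggested in the post above, as an added example (not part of the original thread): a TCP connect test that labels each port with the Shields UP! terms "open", "closed" and "stealth", plus a comparison of two runs so the effect of a firewall setting can be seen directly. The function names and the localhost demo are constructed for illustration.

```python
import socket

# Ports named in the thread's Shields UP! results.
THREAD_PORTS = [23, 53, 136, 137, 139, 445]

def classify_port(host, port, timeout=2.0):
    """Classify one TCP port using the Shields UP! vocabulary."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # a reset came back: host answers, nothing listens
    except socket.timeout:
        return "stealth"      # no answer at all: the packet was silently dropped
    except OSError:
        return "unreachable"  # e.g. no route; says nothing about the port itself
    finally:
        sock.close()

def scan(host, ports, timeout=2.0):
    """Return {port: state} for every port in the list."""
    return {p: classify_port(host, p, timeout) for p in ports}

def diff_runs(before, after):
    """Ports whose state differs between two runs: {port: (before, after)}."""
    return {p: (before[p], after.get(p))
            for p in before if before[p] != after.get(p)}

if __name__ == "__main__":
    # Constructed demo on localhost: the same port with and without a listener.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    run_a = scan("127.0.0.1", [port])
    listener.close()
    run_b = scan("127.0.0.1", [port])
    print(run_a, run_b, diff_runs(run_a, run_b))
```

Run from a second machine on the same LAN, once per firewall setting, `scan(mac_address, THREAD_PORTS)` gives one result per setting and `diff_runs` shows which ports actually changed; an empty result means the setting made no difference to what the Mac itself answers on those ports.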

Nov 10, 2007 2:01 PM in response to Mark T1

Mark T1 wrote:
I read somewhere (don't remember) that if you have a system with 10.4 and the firewall is turned on, you can use the ipfw command in the terminal to get the settings and then apply these to your 10.5 based machine.

- Mark

That would be
sudo ipfw list > some.file.name

Applying them, and setting it up so they get activated each time you reboot, is not so easy. Perhaps those shareware apps such as Brickhouse, FireWalk will have a resurgence.
