zenneon32

Q: Apple Firewall Vs a paid for Firewall (internet security)

Is Apple's inbuilt firewall a two-way firewall?

Should one buy a software firewall like Intego? (If so, what is the benefit over Apple's inbuilt firewall?)

Is a firewall worth turning on behind a router that has one?

iMac, OS X Yosemite (10.10.4)

Posted on Aug 12, 2015 10:51 PM

  • by ckuan,

    ckuan Aug 12, 2015 10:52 PM in response to zenneon32
    Level 7 (33,832 points)

    Unless you're running a server for remote access, you do not need one.

  • by John Lockwood,Helpful

    John Lockwood Aug 13, 2015 4:29 AM in response to zenneon32
    Level 6 (9,324 points)
    Servers Enterprise

    OS X has two built-in software firewalls, the very basic one you see in System Preferences -> Security & Privacy generally referred to as the Application Firewall, and a much more powerful one called PF or pfctl.

    PF is also used in other operating systems and I believe even used as the basis for some firewall 'appliances'.

    For those people needing more control than the one in Security & Privacy you should look at pf as an option.

    See OS X: About the application firewall - Apple Support

    See OS X Server: How to enable the adaptive firewall - Apple Support

    Note: The second link above merely shows how to turn it on, you would have to read further on how to configure pfctl to customise it to your needs.

    By the way, I would not bother buying any third-party software firewall. If you are not happy with Apple's software solutions then look at a hardware Firewall.

  • by BobHarris,

    BobHarris Aug 13, 2015 6:01 AM in response to zenneon32
    Level 6 (19,479 points)
    Mac OS X

    If you are using a home router, it is acting as a firewall preventing unsolicited connections to your iMac.

  • by John Galt,Helpful

    John Galt Aug 13, 2015 6:22 AM in response to zenneon32
    Level 8 (49,226 points)
    Mac OS X

    "Should one buy a software firewall like Intego?"

    Not if one wants one's Mac to work, no. Installing Intego's "Net Barrier" and "Virus Barrier" products resulted in the worst performance degradation of any similar products I tested. No knowledgeable Mac user would consider it even remotely acceptable. Read below the horizontal line that follows for general information regarding non-Apple "Internet security" or similarly categorized "anti-virus" and "anti-malware" utilities.

    The function of a "firewall" is frequently misunderstood. Not surprising, since it is also woefully misnamed. There is no fire and there is no wall. If the Mac you are using is a client on a LAN managed by a router that you own and control, and you share that LAN only with users you know and trust, enabling the application firewall will only result in your own inconvenience. It is not intended for, and cannot be relied upon to protect your Mac from malware intrusion.

    ----------------------------------------

    There will always be threats to your information security associated with using any Internet-connected communications tool:

     

    1. You can mitigate those threats by following commonsense practices
    2. Delegating that responsibility to software is an ineffective defense
    3. Assuming that any product will protect you from those threats is a hazardous attitude that is likely to result in neglecting point #1 above.


    OS X already includes everything it needs to protect itself from viruses and malware. Keep it that way with software updates from Apple.

     

    A much better question is "how should I protect my Mac":


    • Never install any product that claims to "clean up", "speed up", "optimize", "boost" or "accelerate" your Mac; to "wash" it, "tune" it, or to make it "shiny". Those claims are absurd.
      • Such products are very aggressively marketed. They are all scams.
    • Never install pirated or "cracked" software, software obtained from dubious websites, or other questionable sources.
      • Illegally obtained software is almost certain to contain malware.
      • "Questionable sources" include but are not limited to spontaneously appearing web pages or popups, download hosting sites such as C net dot com, Softonic dot com, Soft pedia dot com, Download dot com, Mac Update dot com, or any other site whose revenue is primarily derived from junk product advertisements.
      • If you need to install software that isn't available from the Mac App Store, obtain it only from legitimate sources authorized by the software's developer.
    • Don’t supply your password in response to a popup window requesting it, unless you know what it is and the reason your credentials are required.
    • Don’t open email attachments from email addresses that you do not recognize, or click links contained in an email:
      • Most of these are scams that direct you to fraudulent sites that attempt to convince you to disclose personal information.
      • Such "phishing" attempts are the 21st century equivalent of a social exploit that has existed since the dawn of civilization. Don’t fall for it.
      • Apple will never ask you to reveal personal information in an email. If you receive an unexpected email from Apple saying your account will be closed unless you take immediate action, just ignore it. If your iCloud, iTunes, or App Store account becomes disabled for valid reasons, you will know when you try to buy something or log in to this support site, and are unable to.
    • Don’t install browser extensions unless you understand their purpose:
      • Go to the Safari menu > Preferences > Extensions. If you see any extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.
    • Don’t install Java unless you are certain that you need it:
      • Java, a non-Apple product, is a potential vector for malware. If you are required to use Java, be mindful of that possibility.
      • Java can be disabled in System Preferences.
      • Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It’s OK to leave it enabled.
      • The same precaution applies to Adobe Flash Player. Newly discovered Flash vulnerabilities appear almost weekly.
    • Beware spontaneous popups: Safari menu > Preferences > Security > check "Block popup windows".
      • Popup windows are useful and required for some websites, but unsolicited popups are commonly used to deceive people into installing unwanted software they would never intentionally install.
      • The mere appearance of a popup itself does not infect your Mac with anything malicious, but many contain resource-hungry code that will slow down Internet browsing.
      • If you ever receive a popup window indicating that your Mac is infested with some ick or that you won some prize, it is 100% fraudulent. Ignore it.
      • The same goes for a spontaneously appearing dialog insisting that you upgrade your video player right this instant. Such popups are frequently associated with sites that promise to deliver "free" movies, music, or other copyrighted content that is not normally "free".
      • If you find Safari has locked up, leaving you unable to dismiss the page, read Phony "tech support" / "ransomware" popups and web pages for the solution.
    • Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them:
      • The most serious threat to your data security is phishing. Most of these attempts are pathetic and are easily recognized, but that hasn't stopped prominent public figures from recently succumbing to this age-old scam.
      • OS X viruses do not exist, but intentionally malicious or poorly written code, created by either nefarious or inept individuals, is nothing new.
      • Never install something without first knowing what it is, what it does, how it works, and how to get rid of it when you don’t want it any more.
      • If you elect to use "anti-virus" software, familiarize yourself with its limitations and potential to cause adverse effects, and apply the principle immediately preceding this one.
      • Most such utilities will only slow down and destabilize your Mac while they look for viruses that do not exist, conveying no benefit whatsoever - other than to make you "feel good" about security, when you should actually be exercising sound judgment, derived from accurate knowledge, based on verifiable facts.
    • Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.

     

    Summary: Use common sense and caution when you use your Mac, just like you would in any social context. There is no product, utility, or magic talisman that can protect you from all the evils of mankind.

  • by Linc Davis,

    Linc Davis Aug 13, 2015 8:47 AM in response to zenneon32
    Level 10 (207,990 points)
    Applications

    What problem do you expect a firewall to solve?

  • by k.light33,

    k.light33 Aug 13, 2015 2:43 PM in response to John Galt
    Level 1 (0 points)

    Hi John Galt,

    My name is Karla and I just wanted to thank you for what you wrote. It's info that I really needed to read. I've fallen prey before and had to learn the hard way. I even just recently purchased Kaspersky Internet Protection. I've purchased 'protectors' like Secure Line, Kaspersky and non-Apple apps for Mac that protect my Facebook account. I reacted in response to online fear, but you're correct, a dose of common sense was a great reminder for me.

    Thank you!

    Karla W.

  • by John Galt,

    John Galt Aug 13, 2015 4:06 PM in response to k.light33
    Level 8 (49,226 points)
    Mac OS X

    Thank you for your kind words Karla, it is very gracious of you to write.

    "I reacted in response to online fear ..."

    Most people will. It is a highly effective tactic. Knowledge conquers fear, and knowledge is available to anyone seeking it.

  • by zenneon32,

    zenneon32 Aug 13, 2015 4:29 PM in response to John Lockwood
    Level 1 (0 points)

    John Lockwood: Thank you for that information, it was helpful.

    John Galt: Thank you for that information and the time you also spent giving detailed information.

    Thank you to all of you wanting to help and give advice.

    I personally have gone in a different direction to using the Apple firewall and, as some of you will say, I've gone to extremes and wasted money.

    Still, though, no clear answer on the Apple firewall being a one-way firewall that stops not only hackers getting in, or is it a two-way firewall that also prevents the installed software phoning home at will without notifying you or having that option to say yes or no upon being notified?

    My setup:

    iMac 27" that's only 12 months old, 16GB memory and a lot of other more advanced configurations in hardware than the norm.

    At the router level I have configured my router to not only have the firewall turned on but also have created an account with www.Opendns.com and with that account have manually chosen what the household is protected from on the internet, e.g.: ****, adware, tasteless sites etc.

    With that opendns.com account I changed the DNS setting within the router to always point at Opendns.com. (For more information please check out opendns.com.)

    Now here is where some of you will think I've wasted money.

    I have bought a 2-year license of Intego Internet security. (I have not noticed any difference in system performance.)

    With this software installed I feel I have much more control over what can access the internet; I can easily view or be notified of what is trying to connect to the internet.

    Antivirus comes with that, but as I know, antivirus is dead these days and it's more about malware, phishing, ransomware etc.

    I configured within the security software more changes to network access as well. In my area of residence there are around 20 wireless network connections I can see to connect to. That has always concerned me about wireless intrusions by those networks I can see.

    With these measures I have put into place, and having two frames of mind, I like to think I have taken a more advanced approach in my household in protecting against internet threats.

    Of course, as you guys have mentioned, common sense also comes into play but that's only for those who are computer illiterate.

    Your thoughts?

    Thanks

    Zenneon32

  • by BobHarris,

    BobHarris Aug 13, 2015 4:36 PM in response to zenneon32
    Level 6 (19,479 points)
    Mac OS X

    "or is it a two-way firewall that also prevents the installed software phoning home at will without notifying you or having that option to say yes or no upon being notified?"

    It does NOT block out-bound traffic. Nor does your home router.

    If you really want to stop Phone Home traffic, then look at LittleSnitch. NOTE, you will find that LittleSnitch will initially drive you crazy because lots of things check the internet for things, including software updates for the apps you use, or to get data, etc...

  • by zenneon32,

    zenneon32 Aug 13, 2015 6:31 PM in response to BobHarris
    Level 1 (0 points)

    Thanks for the LittleSnitch advice Bob. I have looked at that one in the past and as you mentioned I found LittleSnitch bothersome in getting in the way of doing things on the internet. A great free alternative no doubt if you're happy to use this software.

  • by BobHarris,

    BobHarris Aug 13, 2015 7:11 PM in response to zenneon32
    Level 6 (19,479 points)
    Mac OS X

    zenneon32 wrote:

    "Thanks for the LittleSnitch advice Bob. I have looked at that one in the past and as you mentioned I found LittleSnitch bothersome in getting in the way of doing things on the internet. A great free alternative no doubt if you're happy to use this software."

    Not Me. I played with LittleSnitch when it first became available (too many years ago), and I found it way too annoying. But there are those that like it. I'm just not one of them.

    But if you want to stop unsolicited out-bound-phone-home actions, I think LittleSnitch is the easiest approach.

  • by John Lockwood,

    John Lockwood Aug 13, 2015 8:02 PM in response to zenneon32
    Level 6 (9,324 points)
    Servers Enterprise

    If you're talking about a Mac being run for normal user applications then Little Snitch is a nice simple way of blocking outgoing traffic. If however you're talking about a Mac server then it is not suitable. As I previously mentioned, OS X includes two firewalls and of those two the pfctl firewall can be configured to block outgoing traffic, but it needs far more work on your side to set this up.

    As mentioned, pfctl is even used to create full-blown 'appliance', i.e. firewall-in-a-box, type products; it is so flexible and powerful.
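
The outbound blocking with pf described in the reply above, as an added example that is not part of any post in this thread: a constructed pf ruleset that refuses outgoing traffic by default and then allows a short list of services. The file name `outbound.rules` and the choice of allowed ports are assumptions. pf matches on packets (protocol, address, port), not on the application that sent them, so it does not prompt per app the way Little Snitch does.

```conf
# outbound.rules -- constructed example; the file name and the port
# list below are assumptions, not taken from the thread.
#
# pf reads rules top to bottom and the LAST matching rule decides,
# unless a rule is marked "quick" (then evaluation stops there).

# Macro: TCP services this Mac is allowed to reach
# (web, mail submission, IMAP over TLS).
tcp_services = "{ 80, 443, 587, 993 }"

# 1. Default for outgoing traffic: refuse and log.
#    "return" answers with a TCP RST or ICMP unreachable, so a blocked
#    application fails immediately instead of waiting for a timeout.
block return out log all

# 2. Traffic between processes on this Mac over the loopback interface.
pass out quick on lo0 all

# 3. Plumbing most systems need: DNS, DHCP lease renewal, time sync.
pass out proto { tcp, udp } to any port 53 keep state
pass out proto udp from any port 68 to any port 67 keep state
pass out proto udp to any port 123 keep state

# 4. The allowed client services from the macro above.
pass out proto tcp to any port $tcp_services keep state

# 5. Outgoing ping, and ICMPv6 (needed for IPv6 neighbour discovery).
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto ipv6-icmp all keep state

# No "in" rules appear here: incoming connections are left to the
# application firewall and the router. Replies to allowed outgoing
# connections are matched by the state entries created above.
#
# Parse and print the rules without loading them:
#   sudo pfctl -vnf outbound.rules
```

Anything not listed (a game client, a peer-to-peer app, an updater on a non-standard port) is refused until a matching `pass out` rule is added, which is the extra work the reply refers to.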