Leopard Firewall Security

I am concerned about the security holes in Leopard mentioned in this Article:
http://www.eweek.com/article2/0,1895,2209676,00.asp?kc=EWKNLBOE110307STR1
http://tinyurl.com/35mb6q
I would have expected Leopard to be more secure. If it is not then Apple will have a real problem. The preference settings for the firewall seem to offer less functionality than in Tiger. It is not 100% clear what, if anything, the firewall is doing. Apple is usually good at simplifying setup, but still enabling finer control of settings if necessary. They may have done that but it is not clear from the preference screens.
At this point I'm not sure if my system is more or less secure than it was prior to my upgrade to Leopard.
Thanks,
Dana

See my post
http://discussions.apple.com/thread.jspa?messageID=5742612#5742612
If you are behind a (wireless) router then it will have a firewall built in and you should be fine.
If you are not - if you are totally exposed to the Internet - then with Leopard firewall turned on you should be OK. But if you are directly connected to the Internet you may wish to use a better front-end config program for the OS X firewall:
http://www.hanynet.com/waterroof/
The operating system firewall built into OS X - IPFW - is actually very capable and very robust. But it has to be configured. The Leopard GUI front-end only creates a very basic config; WaterRoof and software like it can make the computer very secure, including controlling what is allowed out as well as what is allowed in.

Similar Messages

  • WEIRD TCP requests in Leopard Firewall Log

    I decided to double check my security today and enabled the Leopard firewall to block all connections and I enabled stealth mode. I then took a look at the log, and I am seeing a lot of Stealth Mode connection attempt to TCP MY.IP:PORT from XX.XX.XXX.XXX. I traced one of the IPs and it's coming from ANTIGUA AND BARBUDA (according to http://remote.12dt.com/lookup.php). Should I be worried?
    Edit: Oh yeah, I also use NAT to forward this port in my Time Machine. I'm thinking it has more to do with it being forwarded. I also checked some of the other IPs and many are from the US as well, it was luck (or unluck) that the first one I checked was from a foreign country.

    It has to do with the Transmission.app library. It uses the system to connect.

  • Airport Express & Leopard Firewall

    I have 2 AEXs connected to my wireless network (Linksys WRT54GS). They work fine when my Leopard firewall is set to allow all incoming connections, but don't show up in either iTunes or Airport Utility when the firewall is on, despite me still being able to access my router & the internet. I have set Airport Utility to accept incoming connections in the firewall settings.
    I didn't have this problem with Tiger. Any ideas what's going on? Is there a way that I can have the firewall on & still connect with my Airport Expresses?
    Thanks.

    Sorry my friend, but the firewall is the problem. When it is switched on AirTunes does not stream and when it is switched off it works fine. I, and it seems others on this forum, have checked this a number of times - I did at least a dozen times or so. Firewalls are not just on the border of the network as you seem to be suggesting, but they can also protect an individual machine and each comes with its own application and/or ipfw firewall.
    There is no question about the fact that the *OS X Server* Firewall/AirTunes have an incompatibility, the question is how to resolve it...
    Thanks for trying anyway.

  • Firewall Security Set up

    I have a Wrt-54G Ver 8 router. I would like to know which blocks need to be checked in the firewall security screen. On my router the filter Multicast and Filter IDENT (Port 113) are checked. Is that all that is needed? Thank you in advance for the help.

    For good connectivity uncheck all possible boxes, for secure connection check all possible boxes and default is block anonymous internet requests and filter ident(port 113) checked.

  • Passive FTP and the Leopard firewall

    Hi,
    We have a staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive ftp only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the server admin gui) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
    We have the ftp service enabled on port 20-21 and the FTP service PASV port range enabled 49152-65535.
    If I add the uploading computers' ip number to an access group with no port restrictions on the firewall, the uploads are always successful.
    With my very limited knowledge of ftp and firewalls, this suggests that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
    Or am I totally confused and should I be looking elsewhere?
    Thanks,
    Ross Glover

    By default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
    passive ports 0.0.0.0/0 49152 65535
    ...then restart the FTP service and retest.
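An added example, not part of the original answer: a small Python check that reads the FTP server's passive-mode replies and reports which advertised data ports fall outside the firewall's PASV range of 49152-65535 mentioned in the question. It goes slightly beyond the thread by also handling extended passive (`229`) replies; the sample replies and the function names are constructed for illustration.

```python
import re

# PASV range the poster enabled on the firewall (taken from the thread).
FIREWALL_PASV_RANGE = (49152, 65535)

# RFC 959 reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1 * 256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 reply: "229 ... (|||port|)", assuming the usual '|' delimiter.
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_data_port(reply):
    """Return the data port the server asks the client to connect to."""
    reply = reply.strip()
    m = PASV_RE.match(reply)
    if m:
        fields = [int(g) for g in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("field out of range in PASV reply: %r" % reply)
        return fields[4] * 256 + fields[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError("port out of range in EPSV reply: %r" % reply)
        return port
    raise ValueError("not a passive-mode reply: %r" % reply)


def audit(replies, allowed=FIREWALL_PASV_RANGE):
    """Return (port, allowed_by_firewall) for each passive-mode reply."""
    low, high = allowed
    results = []
    for reply in replies:
        port = parse_data_port(reply)
        results.append((port, low <= port <= high))
    return results


def blocked_ports(replies, allowed=FIREWALL_PASV_RANGE):
    """Ports the server advertised that the firewall range would drop."""
    return [port for port, ok in audit(replies, allowed) if not ok]


# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,192,12)",   # 49164, inside range
    "227 Entering Passive Mode (192,0,2,10,140,77)",   # 35917, outside range
    "227 Entering Passive Mode (192,0,2,10,255,255)",  # 65535, upper bound
    "229 Entering Extended Passive Mode (|||50000|)",  # 50000, inside range
]

if __name__ == "__main__":
    for port, ok in audit(SAMPLE_REPLIES):
        print(port, "allowed" if ok else "BLOCKED by firewall PASV range")
```

A server that picks its passive port freely will land outside the range only some of the time, which matches the intermittent failures described in the question.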

  • IPhoto 08 and Leopard Firewall not compatible

    Since I turned on the Leopard Firewall in the mode where it automatically adds applications that need access, iPhoto has been asking for permission to accept incoming Internet connections.
    Every time it does this I say 'Allow' and enter the Admin password, but it does not seem to take as this comes up every time I start iPhoto.
    iPhoto is listed in the Firewall with 'Allow incoming connections', but it still asks every time.
    Clearly a bug that needs sorting out.

    Ian:
    I've set my firewall to the 3rd option, "Set access for specific services and application". iPhoto is not listed in the list, only some applications that I want to block incoming connections for. No problems with that setup.
    Happy Holidays
    TIP: For insurance against the iPhoto database corruption that many users have experienced I recommend making a backup copy of the Library6.iPhoto database file and keeping it current. If problems crop up where iPhoto suddenly can't see any photos or thinks there are no photos in the library, replacing the working Library6.iPhoto file with the backup will often get the library back. By keeping it current I mean backup after each import and/or any serious editing or work on books, slideshows, calendars, cards, etc. That ensures that if a problem pops up and you do need to replace the database file, you'll retain all those efforts. It doesn't take long to make the backup and it's good insurance.
    I've created an Automator workflow application (requires Tiger), iPhoto dB File Backup, that will copy the selected Library6.iPhoto file from your iPhoto Library folder to the Pictures folder, replacing any previous version of it. It's compatible with iPhoto 08 libraries and Leopard. iPhoto does not have to be closed to run the application, just idle. You can download it at Toad's Cellar. Be sure to read the Read Me pdf file.

  • Firewall security setting blocking Outlook Express

    I'm a Verizon DSL customer with a Versalink 7500.
    If I set the Firewall security setting to anything above Minimum, Outlook Express fails with the following:
    The connection to the server has failed.
    Account: 'verizon email', Server: 'pop.verizon.net',
    Protocol: POP3, Port: 995, Secure(SSL): Yes, Socket Error: 10060,
    Error Number: 0x800CCC0E
    Suggestions?

    I didn't notice that the port got changed. In any event, I changed it back to 995 and got a similar error.
    I rechecked the "This server requires a secure connection (SSL)" box.
    The "Log on using Secure Password Authentication" box is already unchecked.
    Here are my OE settings.

  • Bit Confused About Leopard Firewall

    Hey y'all!
    I'm a little confused about what's going on with the Leopard firewall. It seemed that before, you could choose an application, and which ports you wanted to associate with it, via the System Preferences > Sharing > Firewall tab. Now, they went and moved it, and you can only choose the app, and whether it can receive incoming connections. OK, fine. So let's see what ports are open:
    Thee-MacBook:~ rick$ sudo ipfw list
    Password:
    33300 deny icmp from any to me in icmptypes 8
    65535 allow ip from any to any
    Huh? How come I'm only seeing two rules here?
    My original concern was for SoulseeX, and whether the required range of ports were open. While I can search and download, others have problems downloading from me, and I cannot directly connect to others, and other weirdness. So I decided to start checking things out.
    I do have SoulseeX listed in the Firewall tab, and set to receive incoming connections. But when I used this site <http://closer.s11.xrea.com/etc/port_scan.php> to test port 2234, it returned "failed".
    In short, here's what I'm wondering:
    Is the Firewall tab in System Preferences using ipfw?
    By setting an app in the Firewall tab in System Preferences, is the entire range of ports the app wants, in SoulseeX' case, 2234, 2235, 2236, 2237, 2238, 2239, and 2240, made available?
    How can I see what rules are being used, what ports are open?
    Will writing (a couple of) my own rules to ipfw screw up the other settings in the Firewall tab? I would, if possible, like to keep things simple, and not have to rewrite all the rules by hand. Besides, I'm not exactly an expert!
    TIA!

    Leopard's application firewall is not a port firewall. I'm not sure where you would be able to see the actual port numbers that an application has opened, but your failures may be due to the ports being stealthed. The ipfw firewall is still there if you want to use it - the new firewall won't overrule it.

  • Mac OS X Leopard Firewall/default open ports rpcbind?

    Hi,
    I'm looking into hardening/securing Mac OS X Leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are Leopard's default open ports on a fresh install?
    Also is there any way to run openbsd/freebsd PF firewall?
    Thanks!

    This is what nmap reports:
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
    Warning: Unable to open interface vmnet8 -- skipping it.
    Warning: Unable to open interface vmnet1 -- skipping it.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 993 closed ports
    PORT STATE SERVICE
    111/tcp open rpcbind
    631/tcp open ipp
    1021/tcp open unknown
    1022/tcp open unknown
    1023/tcp open netvenuechat
    2049/tcp open nfs
    49152/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
    netstat -a | grep LISTEN confirms:
    tcp6 0 0 localhost.ipp . LISTEN
    tcp4 0 0 *.49152 . LISTEN
    tcp4 0 0 *.1021 . LISTEN
    tcp4 0 0 *.1022 . LISTEN
    tcp4 0 0 *.sunrpc . LISTEN
    tcp4 0 0 *.nfsd . LISTEN
    tcp4 0 0 *.1023 . LISTEN
    tcp4 0 0 localhost.ipp . LISTEN
    tcp6 0 0 localhost.ipp . LISTEN
    Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
    Any suggested IPFW rules?
    Here is what 'ipfw show' returns:
    3300 36 2160 deny icmp from any to me in icmptypes 8
    65535 866558 351141790 allow ip from any to any
    Thanks,
    Juan
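An added example, not part of the original post: a Python helper that reads `netstat -a` output in the macOS layout and separates listeners bound to every interface (`*`) from those bound only to loopback, which a scan of 127.0.0.1 cannot tell apart. The sample input is constructed, modelled on the listing in the post, and the function names are illustrative.

```python
# Constructed sample in the macOS `netstat -a` column layout.
SAMPLE = """\
tcp6       0      0  localhost.ipp          *.*                    LISTEN
tcp4       0      0  *.49152                *.*                    LISTEN
tcp4       0      0  *.1021                 *.*                    LISTEN
tcp4       0      0  *.sunrpc               *.*                    LISTEN
tcp4       0      0  *.nfsd                 *.*                    LISTEN
tcp4       0      0  localhost.ipp          *.*                    LISTEN
tcp4       0      0  192.168.1.20.548       192.168.1.31.50211     ESTABLISHED
"""

# Local addresses that are reachable only from the machine itself.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_listeners(text):
    """Return one dict per TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        # netstat prints "host.port"; the port (or service name) follows the last dot.
        host, _, port = fields[3].rpartition(".")
        listeners.append({"proto": fields[0], "host": host, "port": port})
    return listeners


def classify(listeners):
    """Split listener ports into (network-reachable, loopback-only)."""
    exposed, local_only = set(), set()
    for entry in listeners:
        if entry["host"] in LOOPBACK_HOSTS:
            local_only.add(entry["port"])
        else:
            exposed.add(entry["port"])
    return sorted(exposed), sorted(local_only)


if __name__ == "__main__":
    exposed, local_only = classify(parse_listeners(SAMPLE))
    print("bound to all interfaces:", ", ".join(exposed))
    print("loopback only:", ", ".join(local_only))
```

Only the first group is a candidate for firewall rules or for disabling the service; the loopback-only entries are not reachable from other hosts.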

  • Itunes9 on Snow Leopard Firewall always asking to be allowed

    Since installing iTunes9 on Snow Leopard I get the "Do you want the application "iTunes.app" to accept incoming network connection" every time I open it! I have clicked "Allow" each time and have made sure to have it listed as "Allow incoming connection" in the Security/Firewall/Advanced Pref pane and it still asks each and every time I open iTunes.
    As far as trying to fix this I have tried reinstalling iTunes9 and have removed the iTunes entry from the Firewall pref pane, removed iTunes from the start on boot menu, rebooted my Mac, then added iTunes to the Firewall setting, then launched. Still asks every time I open iTunes. Done this and several variations of it several times already to no effect.
    In iTunes8 it was set the same in the Firewall settings and only asked me to allow it once the very first time I opened it, after that it was allowed by default and I never saw the pop-up window again asking me to allow it. This is becoming an annoying issue for me and I am wondering if anyone else has this same issue and/or knows a way to permanently set it to be allowed by default.
    Any thoughts or ideas as to where I can change the file containing the Firewall settings manually or another way to default allow iTunes again would be greatly appreciated.
    Thank you.
    A normally happy Mac user...

    Hi,
    I had this issue, and reinstalling iTunes worked for me - did you remove the iTunes Helper app from your login items before uninstalling iTunes? You need to quit it in Activity monitor first.
    There are other solutions in This Thread
    Regards

  • Firewall security - what does this mean:

    Hi there,
    what does "allow all incoming traffic" mean ... does that mean, I have disabled my firewall?!?
    What should I do (I want to share screens): set access for specific apps ... and select iChat?
    What else do I need to consider?
    Thanks a lot
    Andreas

    That's the default or OFF option. The firewall is always off by default. If you turn on the firewall and want to give people access to the computer or use iChat, for example, then you must open the specific ports required. With Leopard this is done in the firewall configuration section of the Security preferences. Select Mac Help from the Finder's Help menu and search for "firewall" without quotes. You will get a list of relevant articles to help you.

  • "Shields UP! Leopard Firewall Test"

    I have been testing my firewall here. http://www.grc.com/x/ne.dll?rh1dkyd2
    These are the results I am experiencing.
    Shields Up test results are the same for me on all 3 firewall settings, with stealth enabled.
    Allow all incoming connections
    Block all incoming connections
    Set access for specific services and applications.
    On all 3 settings ports 136, 137, 139, and 445 are stealth. Ports 53 and 23 are open, and all others are closed. My computer fails the "solicited TCP Packets" and "Ping reply" tests, and passes the unsolicited packets test. No matter which of the 3 firewall settings I use, the test results are the same.
    Can anyone explain to me why all the results are the same regardless of the setting?

    Ferd,
    I actually don't know yet. I read the server link from a google ("leopard macosx server firewall"), http://www.heise-security.co.uk/articles/98120. If you want to know the truth, I got out my New Rider's "Linux Firewalls" by Robert Ziegler, second edition, and was starting to read through it. It does give ipfw examples, but admittedly I have not implemented them yet and was only really considering using them for my MacOSX server which I mentioned in my prior post. It is behind a Linksys router. So, it is somewhat secure, but it is my second line of defense. ipfw looks to be a PITA however.
    As far as I know, no one has broken into my Mac Book Pro under Tiger with all services off but web-sharing and I have never done a port scan on it. (I use web-sharing for a localhost website that I have restricted to just localhost via apache.)
    The article mentioned above looks to be valid and I will be doing port scans on Leopard server when I get it installed to see if any holes exist.
    Anyway, that is where my post came from and it was only a suggestion. Hope that helps.
    An Inconvenient Carbon Credit,
    I would suggest that you submit your findings to http://www.apple.com/feedback/macosx.html so that Apple will know about it and I would specifically state how you performed the tests. HTH
    Message was edited by: Bob White

  • Leopard firewall

    What does Leopard use for a firewall?
    Would fwbuilder(sp) be a good place to start enhancing the built in firewall?

    WaterRoof2 is a free GUI for ipfw that also allows traffic shaping and will do a nice log analysis for you. I tried it but did not like the fact that you cannot include comments in the rule sets, nor will it translate ports (so 80 is shown as 80 not http). If you want to use ipfw (I continue to use it rather than the new application fw - how security-conscious is the default "allow everything"?) and don't want to set rules with a text editor it is worth a look.
    AK

  • Web Sharing, Firewall, & Security Issue

    I recently turned on/activated Web Sharing, but I forgot to turn on the Firewall. Now I think I may have gotten malware, or some other sort of bad stuff on my machine.
    Am I right in this thinking? If so, what steps might I take to offset the damage? Thanks.
    Quick background note: I was experimenting with using the Apache server that comes built in with Mac (because I'm learning mysql, php, etc.) And this tutorial mentions the importance of activating the Firewall if the user turns on Web Sharing http://www.macinstruct.com/node/112
    Specs:

    I didn't know about Quarantine being included in the Leopard OS ("Quarantine is a feature of Mac OS X introduced in version 10.5 (aka Leopard)"). Thanks for pointing that out.
    More generally, I've been using Macs for several years and really like them, but this was the first time I activated/enabled Web Sharing for using the Apache server software and so I was just a little worried about that. And also, it seems as though my system has been working more slowly than it usually does.
    BTW: I did some of the most commonly suggested steps for improving performance.
    1. Check to see I have latest OS updates. [Done]
    2. Run/verify/repair disk permissions via Disk Utility [Done]
    3. Clear browser caches [Done]
    Thanks again.

  • Mac firewall security flaw in Adobe CS3

    Security experts are warning of an issue within Adobe CS3's Version Cue application which can disable a Mac's built-in firewall.
    An alert from the experts at Secunia warns that Adobe Version Cue disables a Mac's firewall when it is installed. It does so in order to set certain ports up for "controlled access through the firewall", the experts said.
    The problem is that the installer doesn't re-enable the firewall once installation is complete, leaving certain system services vulnerable to attacks.
    The security issue is reported in Adobe Version Cue CS3 Server, installed as part of Adobe Creative Suite 3 Design Premium, Design Standard, Web Premium, or Web Standard editions, Secunia explains.
    There is a simple fix to the flaw, which is rated as "less critical" – users simply need to re-enable their Mac OS X firewall in System Preferences once installation is complete.
    http://www.macworld.co.uk/procreative/news/index.cfm?newsid=18066&pagtype=allchandate
    I'm rather surprised that an application can simply turn off the firewall without any red flags to the user.
    Any comments?

    ..."From a user perspective, I did give authorization to install the software - I did not give authorization to turn the firewall off and keep it off."...
    That's the thing though - you may not think you gave it authorization to modify the firewall, but by providing an "admin" password, you actually did. It is a matter of education, but users must be made to recognize that inputting an "admin" password is giving the process that asked for it carte blanche powers. Such an arrangement seems to be fairly typical in personal computing. Installers that use Apple's installer do sometimes break things down a little and provide a bit of detail about what right is being requested, but from what I recall, Adobe uses something else.
    ..."Apple should probably have provided some safety net. After all, we are talking "firewall" here, not just some preference setting. "...
    I guess it's beside the point but in this case, this installer legitimately needed to modify firewall settings - you told it to install a type of server. It just happened that there was a bug so it didn't restore the firewall after it was done. How does the system know that you didn't really want to turn off the firewall? Considering the diverse functions software can perform, it would probably be overly intrusive for the OS to try to second guess a programme every time it tried to do something. Changing any sort of user preference setting would not have required a password at all. If a programme asks for your "admin" password, that is the tip off that it intends to make changes to the system. The requirement for a password is actually a huge "safety net".
    With anything related to security, there's always a compromise between security and convenience. The presumption is that as the "admin", you are a person with authority over the computer and have some level of trust in the software you are about to install. If you think about it, compared to the alternative, the current arrangement saves you from having to click "Cancel" or "Allow" for every single file that the installer is going to create, or approve every individual port it wanted to open in the firewall (keeping in mind you are installing some sort of server), and in particular, from learning the ins and outs of every detail of the guts of OS X so you fully understand what it is that you are agreeing to. Now if it turns out that your trust in Adobe's intent or competence were misplaced, the result will unfortunately be the occasional problem like this one.
    ..."I wonder what happens if changes to the firewall are locked? Can a software install just override this without any authorization?"...
    With your "admin" password, yes. Files can be locked in certain ways where an installer or other process wouldn't be able to modify them, but as far as simply turning off the firewall, I don't think you could prevent something with authorization from your "admin" password from doing so.
