The firewall of Mac OS X 10.5

Three options make configuring the firewall in Mac OS X 10.5 Leopard a matter of choice, and this piece of security software takes some getting used to.

Stated simply: a firewall prevents connections between one computer and another. Which connections it prevents you decide with rules, for example "Don't answer when someone calls 'Hello?'". So setting up the firewall ought to be simple. It is not, and one reason is the confusing terminology.

In technical language the previous paragraph reads: a firewall blocks traffic to and from certain ports and protocols, for example "Ignore ICMP echo requests" (the "Hello?" that the ping command sends). In Apple's own vocabulary this is called something else: "Enable stealth mode" (in the System Preferences of Mac OS X 10.5 under "Security > Firewall > Advanced").

This is a “port”

A "port" is best imagined as a kind of window in a wall. When one program establishes a connection to another, it needs an open window on both computers to do so. The windows on each computer are numbered from 1 to 65535, and the first 1024 numbers are almost completely reserved as "well known" ports, or better "pre-assigned" ports: by convention these windows always lead to the same kind of software, and on Unix systems, Mac OS X included, only a program running with root rights may open one of them.

Example: if a browser wants to load data from a server, it connects to port 80 of the server, because behind window number 80 the web server software (for example Apache or Microsoft IIS) is waiting. On the browser's own computer the operating system opens a window with a high, randomly chosen number for the duration of the connection.

Open more windows

Mac OS X 10.5 opens a number of ports by default (fewer than Windows XP, but more than Mac OS X 10.4). Any running program can open others: the low, well-known numbers only if it runs with administrative rights, for instance because a user with such rights started it or answered an authentication dialog with username and password, but any number above 1023 without asking anyone. Since hardly anyone keeps accurate records of when they granted permission to which program, we recommend turning on the firewall. Unfortunately, the corresponding options in System Preferences under "Security > Firewall" need some explanation.

How to turn on the firewall

In System Preferences under "Security > Firewall" there are three options, of which only one can be selected at a time. The first one is not really an option at all: "Allow all incoming connections" means "firewall off".

The second option, on the other hand, is radical: the firewall blocks all incoming connections. The only exceptions are essential services such as Bonjour or the Unix program configd, which is needed for DHCP, the service that lets the Mac obtain an address and set up an Internet connection via a router.

If you allow "only essential services" you get a very secure Mac. This makes sense, for example, when working with a notebook in a hotel or at an airport, because with this setting Mail can still fetch e-mail from the server and the browser can still load web pages: both are connections that the Mac itself initiates, and the firewall only filters incoming ones. What no longer works, among other things, is a chat connection that has to reach your Mac from outside (see "Chat blocker" on the left).

Control over the firewall

For everyday use we recommend the third option, "Allow access for certain services and programs". It works somewhat differently from the firewall of Mac OS X 10.4. New is that the firewall offers settings per application; you no longer have to deal with the ports mentioned at the beginning of this article.

The entries in this list are created partly automatically and partly from the decisions you make when certain dialogs appear. Services activated in System Preferences under "Sharing" are entered automatically. None of these services can work without incoming connections, which is why Apple built in this automatism. If services are active you will find their names above the horizontal line in the firewall list; you cannot influence them there any further.

For applications the firewall uses a different mechanism: if you start a program the firewall does not know, it asks "Do you want the application XYZ to accept incoming network connections?". The operating system records your answer in the list in System Preferences ("Security > Firewall"). There you can change your mind later or remove the entry from the list: the latter by clicking the minus sign below the list, the former by clicking the entry in the second column of the list.

Camouflage on

We recommend activating stealth mode in the settings of Mac OS X 10.5 (under System Preferences > Security > Firewall > Advanced). This makes a hacker's work a little harder, because he gets no answer to a number of standard probes. The Mac does not become invisible, though, even if Apple speaks of "stealth". An experienced hacker knows that the answer to a request for a service that is not offered should actually be "service not available" (technically a TCP reset or an ICMP error). If he gets no answer at all, which is what stealth mode produces, it tells him: "There is a computer here that is protected by a firewall." Some hackers feel challenged by such "feedback…
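What a probe sees from outside can be tried out on your own machine. The following is an added example, not code from the article or from Apple: it classifies a TCP port as "open" (a program listens behind the window), "closed" (the host answers "service not available" with a reset) or "filtered" (silence, which is what stealth mode or a dropping firewall produces). The listener and the unused port are constructed on the loopback interface so the script runs offline; the address 192.0.2.1 at the end is a documentation address that nothing answers from.

```python
import errno
import socket
import threading


def probe_tcp_port(host, port, timeout=1.0):
    """Classify a TCP port the way a port scanner sees it.

    'open'        the handshake completed: a program is listening behind the window
    'closed'      the host answered with a reset, i.e. "service not available"
    'filtered'    no answer at all within the timeout: a firewall dropped the
                  probe, which is exactly what stealth mode produces
    'unreachable' the network could not deliver the probe to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno == errno.ETIMEDOUT:
            return "filtered"
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def start_listener():
    """Constructed stand-in for a service: a TCP listener on a random loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """A loopback port with nobody behind it (bind, note the number, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe an open and a closed port on this machine; returns the two verdicts."""
    srv, port = start_listener()
    try:
        return {
            "listening": probe_tcp_port("127.0.0.1", port),
            "nobody_home": probe_tcp_port("127.0.0.1", unused_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
    # 192.0.2.1 is a documentation address nothing answers from; depending on your
    # network the verdict is "filtered" (silence) or "unreachable".
    print("192.0.2.1:80 ->", probe_tcp_port("192.0.2.1", 80, timeout=2.0))
```

The point of the third verdict is the one the paragraph makes: "closed" is what an unprotected machine says about a port nobody listens on, while "filtered" only ever comes from a firewall that swallows the probe, so silence is itself a piece of information. Run the same probe against your Mac from another machine on the same network with stealth mode on and off to see the difference.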

Recommendations for the road

As long as you work at home, the firewall only really matters if you are connected directly to the Internet via a modem (analogue or ISDN). If you use the Internet through a router or via WLAN (also: AirPort), you are already reasonably well protected. Almost all routers on sale today (with or without WLAN) contain an always-on basic firewall. In addition they use "NAT" (network address translation) to separate the computers in the house from the Internet, so that you can connect from inside to outside, but a hacker cannot connect the other way round: an inbound packet that does not belong to a connection opened from inside is dropped because the router has no translation entry for it. The exception is any port you have deliberately forwarded in the router's configuration; that port is exposed exactly as if the Mac were connected to the Internet directly.
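Why NAT has this one-way effect is easiest to see in a small model. The following is an added example, not code from the article or from any router vendor: a toy router that creates a translation entry only when a computer inside sends something out, delivers inbound packets only if they match such an entry, and drops everything else unless an explicit port forward exists. The addresses are from the documentation ranges and the "web server" and "attacker" are constructed; real routers also track the protocol, TCP state and idle timeouts, which this model leaves out.

```python
from collections import namedtuple

# A packet reduced to the four fields NAT cares about (constructed model, TCP assumed).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class NatRouter:
    """Toy model of a home router doing port-address translation.

    Translation entries exist only because a computer inside sent something out.
    An inbound packet is delivered only if it matches such an entry, or a port
    forward the administrator configured explicitly; everything else is dropped.
    """

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.next_public_port = 40000
        # (remote ip, remote port, our public port) -> (inside ip, inside port)
        self.inbound_map = {}
        # (inside ip, inside port, remote ip, remote port) -> our public port
        self.outbound_map = {}
        # public port -> (inside ip, inside port), e.g. {548: ("192.168.1.10", 548)}
        self.port_forwards = dict(port_forwards or {})

    def outbound(self, pkt):
        """Rewrite a packet leaving the house; create the translation entry if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            pub = self.next_public_port
            self.next_public_port += 1
            self.outbound_map[key] = pub
            self.inbound_map[(pkt.dst_ip, pkt.dst_port, pub)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Deliver a packet arriving from the Internet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if inside is None:
            inside = self.port_forwards.get(pkt.dst_port)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo(port_forwards=None):
    """Walk through the cases from the text; addresses are documentation ranges."""
    router = NatRouter("203.0.113.1", port_forwards)
    mac = "192.168.1.10"
    web = ("198.51.100.7", 80)          # a web server the Mac talks to (constructed)
    attacker = ("198.51.100.99", 4444)  # an outside host the Mac never talked to

    out = router.outbound(Packet(mac, 51234, *web))
    reply = router.inbound(Packet(web[0], web[1], out.src_ip, out.src_port))
    # Same public port, but from a host the Mac never talked to: no entry, dropped.
    spoof = router.inbound(Packet(attacker[0], attacker[1], router.public_ip, out.src_port))
    # Unsolicited connection to the Mac's file sharing port (AFP, 548).
    afp = router.inbound(Packet(attacker[0], attacker[1], router.public_ip, 548))
    return {
        "translated_to": (out.src_ip, out.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "spoofed_reply": spoof,
        "unsolicited_afp": (afp.dst_ip, afp.dst_port) if afp else None,
    }


if __name__ == "__main__":
    print("plain NAT:    ", demo())
    print("with forward: ", demo({548: ("192.168.1.10", 548)}))
```

With no port forward the attacker's packet to port 548 comes back as None; with the forward in place it lands on the Mac's file sharing port, which is the case in which the Mac's own firewall matters again even at home.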

Quite different if you are on the road with a notebook. If, for example, you have activated "File Sharing" or "Screen Sharing" in System Preferences, the computer is visible to other guests in some hotels if they also use Mac OS X 10.5: it is enough to open a Finder window and click "Shared > All…". You get similar surprises when you start iTunes in a public WLAN (for example "T-Mobile Hotspot") and the music libraries of complete strangers suddenly appear.

In public networks we therefore recommend the second firewall option, "Allow only essential services". Alternatively you could disable the server functions in the individual programs; in iTunes, for example, in the "Sharing" section of the preferences with the option "Share my library on my local network". Less work, however, is restricting the firewall to essential services in System Preferences under "Security > Firewall". The list you compiled earlier, in which you allow access for specific programs, is kept. Back at home it is easy to switch to the comfortable third option again.

Conclusion

The firewall of Mac OS X 10.5 takes some getting used to. Apple offers a reasonably useful explanation on the Internet, but it says nothing about the side effects of an active firewall. For the future we hope that Apple will also offer help in blocking connections that originate from your own Mac, for example when a program checks whether an update is available on the manufacturer's server. At the moment the only tool for this is Little Snitch from Objective Development, which is not easy to understand either.

Info – Before Mac OS X 10.5.1

From October 2007 until mid-November 2007 the second option in System Preferences under "Security > Firewall" read "Block all incoming connections". A plain untruth, which Apple corrected with the update to Mac OS X 10.5.1 by renaming it "Allow only essential services": in the background some programs that Apple considers "trusted" can still accept incoming connections despite this setting.

With the same update Apple changed a mechanism that previously crippled software such as Skype. The firewall stores a kind of checksum (in reality a code signature) for every program that tries to open a port. If the checksum changes, for example because a virus has modified the program, the firewall blocks all connection attempts to that program; if you try to start it, it quits by itself after a few seconds. Skype has its own very similar self-check of its program file, and until the update to Mac OS X 10.5.1 the firewall got in its way, which is why Skype could not be used at that time.
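The conflict between two integrity checks is easy to reproduce in miniature. The following is an added example, not code from the article, from Apple or from Skype: a throw-away "program" that, like Skype, hashes its own file at start-up and quits if the file has changed, and two models of a firewall that records the program's identity, one by writing a marker into the program file (the behaviour the text describes for 10.5.0) and one by keeping the value in its own store. The "detached" variant stands for any fix that stops the two checks from fighting; it is not a claim about what Apple changed in 10.5.1. File contents, the marker format and SHA-256 in place of a real code signature are constructed for illustration.

```python
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of a file's bytes, the 'kind of checksum' the text talks about."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class SelfCheckingApp:
    """Model of a program that, like Skype, verifies its own file at start-up
    against a value fixed when it was built, and quits if the file has changed."""

    def __init__(self, path):
        self.path = path
        self.built_with = digest(path)

    def launch(self):
        """True if the program stays running, False if its self-check makes it quit."""
        return digest(self.path) == self.built_with


class FirewallSigningInPlace:
    """Model of the behaviour the text describes for 10.5.0: the firewall records
    the program's identity by appending a marker to the program file itself."""

    def __init__(self):
        self.known = {}

    def register(self, path):
        marker = b"\n# firewall-signature " + digest(path).encode()
        with open(path, "ab") as f:
            f.write(marker)
        self.known[path] = digest(path)      # checksum of the now-modified file

    def allow_incoming(self, path):
        return self.known.get(path) == digest(path)


class FirewallSigningDetached:
    """Same check, but the identity lives in the firewall's own store and the
    program file is left untouched (a generic fix, not Apple's actual change)."""

    def __init__(self):
        self.known = {}

    def register(self, path):
        self.known[path] = digest(path)

    def allow_incoming(self, path):
        return self.known.get(path) == digest(path)


def run_scenario(firewall_class, tamper=False):
    """Build a throw-away 'program', register it with the firewall, then see
    whether the firewall admits it and whether the program passes its own check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat-app")
        with open(path, "wb") as f:                       # constructed stand-in binary
            f.write(b"#!/bin/sh\necho pretend-this-is-a-chat-client\n")
        app = SelfCheckingApp(path)      # self-check value fixed "at build time"
        fw = firewall_class()
        fw.register(path)                # first start: the user answered "Allow"
        if tamper:
            with open(path, "ab") as f:  # a virus modifying the program afterwards
                f.write(b"\n# injected\n")
        return {"firewall_allows": fw.allow_incoming(path), "app_runs": app.launch()}


if __name__ == "__main__":
    print("in-place signing :", run_scenario(FirewallSigningInPlace))
    print("detached signing :", run_scenario(FirewallSigningDetached))
    print("tampered file    :", run_scenario(FirewallSigningDetached, tamper=True))
```

In the in-place case the firewall is happy but the program's own check fails, which is the Skype symptom: the firewall itself was the "modification". In the detached case both checks pass, and a genuinely tampered file is still caught by both.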