Leopard's Firewall "Flawed"

Post by **complacent** » Wed Oct 31, 2007 11:22 am

More /. goodness found hmah.

Ok, no biggie for us n3rdz, right?

Btw, If vi-ing or pico-ing an ipfw-based firewall is beyond your comfort level - try waterroof. It's a pretty decent GUI frontend for teh configz. wewt.

ZOMG INnArWEBZ!!!!!1

Post by **Sabre** » Thu Nov 01, 2007 10:28 am

After looking at their article... they are making mountains out of mole hills in some areas (not all though). The way the Mac firewall works is by allowing any network program that is started to automatically start servicing requests. So if you start services (like they did in the first part of the article), it will allow them. Windows does the same thing...

Sounds like Apple isn't updating the Mac firewall GUI with the latest rule sets. Easy enough to fix.

Now this part is a different story:

A number of peculiarities emerged in the course of testing. A newly booted MacBook refused time synchronization - only to permit it a few moments later for no apparent reason without any changes to the security settings having been made. Further, it is not clear at what point Mac OS X starts which services, or how it decides which of these should be accessible and which should not.

This really isn't good and I have to wonder what changed. I REALLY wish they had done a "ipfw show" before and after running all of these commands.

You are right though, we (geeks in general) won't have to worry about this, but some of these problems should be addresses for regular home users.

chicken n waffles · Post by **chicken n waffles** » Thu Nov 01, 2007 11:36 am

i understood a bit of that, but for the most part,

ps - aapl... flawed software? z0mg NO WAI!!1

schvin · Post by **schvin** » Thu Nov 01, 2007 3:30 pm

ipfw makes baby jesus cry.

Libra Monkee · Post by **Libra Monkee** » Thu Nov 01, 2007 3:42 pm

I'm just hoping that Leopard has better WPA support because using my wireless on Tiger SUCKS!

Phibs · Post by **Phibs** » Thu Nov 01, 2007 3:47 pm

Before I have a seizure, plz change avatar k thx!

Libra Monkee · Post by **Libra Monkee** » Thu Nov 01, 2007 3:56 pm

No, I think you deserve a seizure.

Post by **Sabre** » Thu Nov 01, 2007 6:06 pm

schvin wrote:ipfw makes baby jesus cry.

Come on, it's not THAT bad... Hell, throw dummynet on it and you've got a rate limiting firewall

Post by **complacent** » Fri Nov 02, 2007 10:11 am

Sabre wrote:
schvin wrote:ipfw makes baby jesus cry.
Come on, it's not THAT bad... Hell, throw dummynet on it and you've got a rate limiting firewall

I was thinking the same! It's not that bad!

What would yonder security guru (teh schvin, talkin' at ya) recommend if ipfw is makin' teh jeebus cry?

Post by **Sabre** » Fri Nov 02, 2007 10:50 am

complacent wrote:
Sabre wrote:
schvin wrote:ipfw makes baby jesus cry.
Come on, it's not THAT bad... Hell, throw dummynet on it and you've got a rate limiting firewall
I was thinking the same! It's not that bad!

What would yonder security guru (teh schvin, talkin' at ya) recommend if ipfw is makin' teh jeebus cry?

If anyone says IPChains I will promptly punch them in the gonads... or cuch if need be.

Libra Monkee · Post by **Libra Monkee** » Fri Nov 02, 2007 2:41 pm

Alright, alright... back to Leopard's flaws. I have to agree with this article in thanking the Mac geeks, er... fools, no... early adopters (don't hurt me Colin

) for the getting these bugs out of the way now before the rest of us drop our hard-earned duckets on this OS.

Beyond the normal growing pains of adapting to a new OS, and the aforementioned firewall deal, there seems to be no Java 6 support in Leopard which has developers up in arms.

/. posting
Associated c|net art.

Mr Kleen · Post by **Mr Kleen** » Sat Nov 03, 2007 10:45 pm

i wish the new macbook pros weren't so damn expensive. i'd like to experiment with the dark side (light side?)

Phibs · Post by **Phibs** » Sat Nov 03, 2007 10:51 pm

Libra Monkee wrote:Alright, alright... back to Leopard's flaws. I have to agree with this article in thanking the Mac geeks, er... fools, no... early adopters (don't hurt me Colin ) for the getting these bugs out of the way now before the rest of us drop our hard-earned duckets on this OS.

Beyond the normal growing pains of adapting to a new OS, and the aforementioned firewall deal, there seems to be no Java 6 support in Leopard which has developers up in arms.

/. posting
Associated c|net art.

Congrats!

I believe I had java6 running on mine, but not 100% sure. I will say though for the record, I hate java

schvin · Post by **schvin** » Sun Nov 04, 2007 3:40 pm

Sabre wrote:
complacent wrote:
Sabre wrote: Come on, it's not THAT bad... Hell, throw dummynet on it and you've got a rate limiting firewall
I was thinking the same! It's not that bad!

What would yonder security guru (teh schvin, talkin' at ya) recommend if ipfw is makin' teh jeebus cry?
If anyone says IPChains I will promptly punch them in the gonads... or cuch if need be.

oh, not a chance

that punching would definitely be deserved!

oh, and pf ftw.

pf (and altq/etc) have been rolled out of openbsd to netbsd and freebsd so far, so i can't imagine it's much of a stretch to get it on the osx. my 2 cents.

Post by **Sabre** » Mon Nov 05, 2007 4:01 pm

schvin wrote: oh, not a chance that punching would definitely be deserved!

oh, and pf ftw.

pf (and altq/etc) have been rolled out of openbsd to netbsd and freebsd so far, so i can't imagine it's much of a stretch to get it on the osx. my 2 cents.

Ok, we can still be friends

PF should be fairly easy to get over to OSX me thinks.

schvin · Post by **schvin** » Mon Nov 05, 2007 4:10 pm

Sabre wrote:
schvin wrote: oh, not a chance that punching would definitely be deserved!

oh, and pf ftw.

pf (and altq/etc) have been rolled out of openbsd to netbsd and freebsd so far, so i can't imagine it's much of a stretch to get it on the osx. my 2 cents.
Ok, we can still be friends PF should be fairly easy to get over to OSX me thinks.

+1