FIREWALL HED TK
OS X has a firewall built-in. So why would you need another one? 
by Rich Mogull and Chris Pepper

You probably know that OS X has a firewall built into it. If you didn't, just go to System Preferences: Security and click on the Firewall tab. But do you really know what that firewall is or what it does? If you're like most Mac users, you probably don't. And what you don't know could indeed hurt you.

Who's That Knocking?
-----
Simply put, firewalls let you regulate the data traffic in and out of your computer or your network. That means they can help you keep bad guys from connecting to your system or network, without interfering with access for the good guys (i.e. programs with legitimate business on the network). Firewalls block unwanted network traffic (and allow the traffic you want) based on a set of rules that you define.

Sneaking up on your computer through its network connection is much more effective than, say, waiting for you to click on a virus-infected e-mail attachment. And it's certainly been used repeatedly through computing history, even against supposedly safe Macs. For example, a long-fixed bug called the "Ping of Death" let attackers crash many Macs just by sending them specially designed network traffic.

It may seem like the odds of your particular Mac being targeted for attack, out of all the millions of computers worldwide, are awfully long. But, in fact, there are computers out there that do nothing all day but probe Net-connected machines for vulnerability; it's certainly possible one will find yours. And don't forget that anytime you're on a network -- the local coffee-shop's Wi-Fi system, for example -- you're vulnerable to anyone else on the same net.

The potential risks -- the loss of private data, the hijacking of your Mac's computing power by someone else -- are great enough, and the cost of prevention low enough, that implementing a good firewall on your Mac and on your local network is considered a no-brainer by most security experts.


Leopard's Firewalls
-----
OS X has long included its own firewall. In Mac OS X versions through 10.4 Tiger, that underlying firewall was a Unix-based program called ipfw.

In security parlance, ipfw is a _packet-filtering_ firewall, meaning it monitors all traffic coming or going through the Mac's network interfaces, and checks each packet against a set of rules specifying whether it can pass through or should be blocked. Many corporations and other organizations rely on ipfw for their network security.

Packet-filtering firewalls classify network activity two main ways: by type, based on port numbers; and by origin and destination, based on IP addresses. For instance, a packet-filtering firewall enables you to configure your home computer to accept file sharing connections from the IP addresses of your network at work, but not other addresses on the Internet (where attacks might come from). To anyone trying to connect to your packet-filtered system from a blocked address, it looks like file sharing isn't running at all, while your machine remains fully accessible from work.

With Leopard, Apple took the firewall in a completely different direction, apparently to make it easier for Mac users to understand. Leopard relies on a new _socket filter_ firewall (also known as an _application firewall_). Rather than allowing and disallowing connections based on network ports and IP addresses, it allows and disallows them based on the application that wants to listen for network traffic.

Whenever a program makes such a request, a socket filter checks the program against a list of those that have been authorized to do so. If the program is on this "white list", the firewall allows the connection. If the program isn't on the list -- as in the case of new or upgraded software -- Mac OS X asks you whether to allow the program to accept incoming traffic.

You access the Leopard firewall in System Preferences: Security: Firewall by selecting "Set Access For Specific Programs And Services"; your allowed and blocked programs will appear in the box below. If you'd like to block _all_ nonessential traffic, you can select "Allow Only Essential Services", but beware: Doing so could break some applications. You'll still be able to browse the Web and use e-mail, but other inbound connections are blocked.

Unfortunately, application firewalls are less flexible than many would like. Applications that are allowed to listen for network connections will accept communications from anywhere on the Internet; they can't be told to distinguish trusted from untrusted Net addresses. The Leopard application firewall also only blocks _inbound_ connections; it won't prevent programs from making outbound connections. This has become a big problem in the Windows world: Spyware programs lodge themselves on your hard drive and then attempt to "phone home" with your sensitive private information.

Fortunately, OS X 10.5 Leopard still includes ipfw. By default, it's effectively disabled, and does not block any traffic, but you can configure it from the command line or using a third-party application such as [WaterRoof 2.0 or NoobProof 1.1](http://www.macworld.com/article/133929/2008/06/noobproof_waterroof.html) (both mmmm). And ipfw is compatible with Leopard's socket filter, so you can combine the two to block untrusted applications from listening, and simultaneously restrict inbound and outbound traffic by ports and IP addresses with the specificity of ipfw rules.
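To make the difference between the two firewall styles concrete, here is an added example (not code from the article, Apple, or any of the products named here) that models both. The packet filter follows ipfw's first-match rule evaluation over a small, simplified subset of ipfw rule syntax; real ipfw accepts far more. The application filter models Leopard's socket filter, which decides only by which program wants to listen and only for inbound connections. The addresses, program names and rules are constructed for the demonstration, and the "both layers" function shows the combination the paragraph above describes.

```python
"""
Added example: toy packet filter (ipfw-style, first match wins) beside a toy
application/socket filter (Leopard-style). All rules, addresses and program
names are constructed; the rule grammar is a simplified subset of ipfw's.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AFP_PORT = 548  # Apple file sharing (AFP), the sample service being protected

# Simplified grammar: <allow|deny> <tcp|udp|ip> from <src|any> to any [port] [in|out]
RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp|ip)\s+from\s+(\S+)\s+to\s+any(?:\s+(\d+))?(?:\s+(in|out))?$"
)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst_port: int    # destination port
    direction: str   # "in" (arriving at the Mac) or "out" (leaving it)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "ip" (any protocol)
    src_net: object  # ipaddress network, or "any"
    dst_port: object  # int, or "any"
    direction: str   # "in", "out" or "any"


def parse_rule(text):
    """Parse one rule line written in the simplified ipfw-like syntax."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto, src, port, direction = m.groups()
    src_net = "any" if src == "any" else ip_network(src, strict=False)
    return Rule(action, proto, src_net, int(port) if port else "any", direction or "any")


def packet_filter(rules, pkt):
    """Packet filtering: the first rule matching protocol, source address, port
    and direction decides. With no matching rule the packet passes, mirroring
    the article's point that ipfw blocks nothing until rules are added."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src_net != "any" and ip_address(pkt.src) not in r.src_net:
            continue
        if r.dst_port != "any" and r.dst_port != pkt.dst_port:
            continue
        if r.direction != "any" and r.direction != pkt.direction:
            continue
        return r.action
    return "allow"


def application_filter(allowed, blocked, app, direction):
    """Socket filtering: the verdict depends only on the listening program.
    Outbound traffic is never examined; a program on neither list gets the
    'ask the user' prompt the article describes."""
    if direction == "out":
        return "allow"
    if app in allowed:
        return "allow"
    if app in blocked:
        return "deny"
    return "ask"


def combined(rules, allowed, blocked, pkt, app):
    """Both layers active: a connection survives only if the socket filter
    accepts the program and the packet filter accepts the packet."""
    verdicts = (application_filter(allowed, blocked, app, pkt.direction),
                packet_filter(rules, pkt))
    return "allow" if verdicts == ("allow", "allow") else "deny"


# Constructed rule set: file sharing only from the office's address block
# (203.0.113.0/24, a documentation range) and no outbound telnet at all.
RULES = [parse_rule(t) for t in (
    "allow tcp from 203.0.113.0/24 to any 548 in",
    "deny tcp from any to any 548 in",
    "deny tcp from any to any 23 out",
)]
ALLOWED_APPS = {"AppleFileServer"}  # illustrative program on the white list
BLOCKED_APPS = {"OldChatClient"}    # illustrative program explicitly blocked


def demo():
    """Return each layer's verdict for a few constructed connections."""
    from_work = Packet("tcp", "203.0.113.7", AFP_PORT, "in")
    from_cafe = Packet("tcp", "198.51.100.9", AFP_PORT, "in")
    web_hit = Packet("tcp", "198.51.100.9", 80, "in")
    telnet_out = Packet("tcp", "192.168.1.20", 23, "out")
    return {
        # ipfw-style: address and port are visible, so work and cafe differ
        "ipfw work": packet_filter(RULES, from_work),         # allow
        "ipfw cafe": packet_filter(RULES, from_cafe),         # deny
        "ipfw web": packet_filter(RULES, web_hit),            # allow (no rule matches)
        "ipfw telnet out": packet_filter(RULES, telnet_out),  # deny (outbound rule)
        # socket-filter style: accepted from anywhere, outbound never seen
        "app cafe": application_filter(ALLOWED_APPS, BLOCKED_APPS, "AppleFileServer", "in"),  # allow
        "app phone home": application_filter(ALLOWED_APPS, BLOCKED_APPS, "Spyware", "out"),   # allow
        "app new program": application_filter(ALLOWED_APPS, BLOCKED_APPS, "NewApp", "in"),    # ask
        # both layers together give the address-aware answer
        "both cafe": combined(RULES, ALLOWED_APPS, BLOCKED_APPS, from_cafe, "AppleFileServer"),  # deny
        "both work": combined(RULES, ALLOWED_APPS, BLOCKED_APPS, from_work, "AppleFileServer"),  # allow
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Running it shows the point of the article's comparison in one table: the packet filter tells the office and the cafe apart and can also stop outbound traffic, the application filter answers "allow" for a listed program no matter where the connection comes from and never sees outbound connections at all, and running both layers gives you the stricter of the two answers.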

Third-Party Products
-----
So why would you want to buy and install a third-party firewall, when OS X's seem to cover the bases pretty well? The first and best reasons are that you want more flexibility or better protection.

For example, you might want to block Internet connections to services on your Mac, but allow local users to connect. A tool like [NetBarrier X5](URL TK) (rating TK) lets you set different rules based on where connections are coming from. NetBarrier also includes privacy features to protect you when browsing the Web, and other advanced options such as application control, for more precise restrictions without resorting to the command line. You can get similar control from free tools such as WaterRoof, but they don't offer those same features beyond the firewall.

Another limitation of Leopard's built-in socket filter: It can't change rules based on your location. For example, you might want to leave iTunes sharing open at home, but want to shut it off when you take your laptop down to the local Internet cafe. Open Door Networks' [DoorStop X Firewall](http://www.macworld.com/article/50995/2006/05/doorstopx.html) (mmmm) lets you define locations and, with a quick click of your menu bar, set the firewall to use preset rules for where you are. NetBarrier also allows you to create different rules for local network addresses versus those on the Internet -- a remarkably simple and useful distinction.

If you want fine-grained application control -- not only over which applications send and receive information from the Internet, but also which Net addresses they can contact -- you can use [Little Snitch](http://www.macworld.com/article/133363/2008/05/littlesnitch2.html) (mmmmh); it's particularly effective against spyware.

The Final Word
-----
For most users, the firewalls built into OS X are enough. Many Mac firewall vendors seem to recognize this, because they're continually adding extra security features -- intrusion detection, anti-phishing, outbound application control, and smarter location awareness -- beyond the basic firewall, to make their products more enticing. In addition to enabling OS X's basic socket-filter firewall from the Security preference pane (we recommend you set it to "Set Access For Specific Programs And Services"), be sure you're also setting strong passwords for file sharing and other services and keeping your system up to date with Apple's latest security patches. And if you want to add the extra protection of OS X's ipfw firewall, use the excellent, free NoobProof to configure it.
[[BIO]]
Rich Mogull is TK. Chris Pepper is TK.