Blocking the Bad Guys at the Door
by Chris Pepper and Rich Mogull

_Mac OS X Leopard comes with not just one, but two firewalls for protecting your Mac, with third-party tools available for those with special needs._

Firewalls are a fundamental security tool, but like any tool they solve only certain problems. The problem a firewall solves is keeping the bad guys from connecting to systems or networks where they don't belong, while still letting the good guys in.

If you're running a network, firewalls are great for separating inside and outside traffic. As a matter of fact, if you're sitting at home behind a router or wireless access point such as an AirPort Extreme, you're already behind a firewall. It prevents bad guys from directly attacking your computer over the network, which used to be one of the most effective methods of attack. But a network firewall can't protect you from attackers on the same network as you, and it doesn't come with you when you move to a different network.

In steps the personal firewall: a software tool running on your Mac, not on the network. OS X has long included a firewall, and OS X 10.5 Leopard includes two different firewalls.

**Using Leopard's firewalls** In versions of OS X up through 10.4 Tiger, the built-in firewall was the Unix tool ipfw. Ipfw is a _packet-filtering_ firewall, meaning it inspects all traffic coming into or going out of the Mac and checks each packet against rules specifying whether it may pass or should be blocked. Packet-filtering firewalls classify network activity by protocol, origin, and destination (IP addresses and ports). For instance, a packet-filtering firewall lets you configure your home machine to accept file-sharing connections from the IP addresses used by your network at work, but not from other addresses on the Internet.

With Leopard, Apple took the firewall in a different direction, likely to make it more understandable for users. Leopard relies on a new _socket filter_ firewall, also known as an _application firewall_. Rather than allowing and disallowing connections based on network numbers (ports and IP addresses), it works application by application.

Whenever a program attempts to listen for network traffic, the socket filter checks it against a list of authorized programs. If the program is on this "white list", the firewall allows the connection. If the program isn't on the list, Mac OS X asks whether you want to allow it. By tying security to individual applications, the application firewall makes it easier to distinguish trusted programs from untrusted ones. You enable the Leopard firewall in System Preferences > Security > Firewall by selecting 'Set access for specific programs and services'. If you'd like to block _all_ nonessential traffic, select 'Allow only essential services', but be aware that this breaks some applications. See Rich's earlier article on the Leopard firewall (http://www.macworld.com/article/131116/2007/12/firewall.html) for more details.

Unfortunately, an application that is allowed to listen for network connections accepts them from anywhere on the Internet: the Leopard application firewall offers no way to distinguish trusted from untrusted computers. It also blocks only _inbound_ connections, and many times we'd like to prevent a program from making an _outbound_ connection.

Fortunately, OS X 10.5 Leopard still includes ipfw. By default it's set wide open and won't block any traffic, but you can still configure it from the command line or with a third-party application such as WaterRoof 2.0 or NoobProof 1.1. And ipfw coexists with Leopard's application firewall, so you can combine the two: ipfw filters packets by address and port before they ever reach an application, and the application firewall decides which applications may accept whatever gets through.
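As an added example (not code from the article, from Apple, or from any of the tools named here), this is how the packet-filter policy described above looks as ipfw rules on Leopard: file sharing is accepted only from your work network and your home LAN, and one kind of outbound connection is blocked. The address ranges, rule numbers and shell function names are assumptions chosen for illustration. Note that ipfw matches by address and port, not by application, so the outbound rule blocks a destination port for every program on the Mac; that is the most ipfw can do about the outbound problem noted above.

```shell
#!/bin/sh
# Added example (not from the article): an ipfw rule set for Leopard that
# allows file sharing only from two trusted source ranges and blocks direct
# outbound SMTP.  The address ranges are placeholders taken from the
# documentation ranges; substitute the ranges you actually use.
WORK_NET="198.51.100.0/24"   # assumed: public address range of your office
HOME_LAN="192.168.1.0/24"    # assumed: private subnet behind your home router

# Emit the rules as text so you can read them before loading them.
# ipfw evaluates rules in number order and stops at the first match, so the
# two allows for trusted sources must come before the deny.  "setup" matches
# only packets that open a new TCP connection; packets of established
# connections fall through to Leopard's default rule 65535 (allow ip from any
# to any).  Ports 548 (AFP), 139 and 445 (SMB) are Leopard's file sharing.
# "log" records matches in the system log once the sysctl
# net.inet.ip.fw.verbose is set to 1.
ipfw_rules() {
    cat <<EOF
add 1000 allow ip from any to any via lo0
add 1100 allow tcp from $WORK_NET to me dst-port 548,139,445 in setup
add 1110 allow tcp from $HOME_LAN to me dst-port 548,139,445 in setup
add 1120 deny log tcp from any to me dst-port 548,139,445 in setup
add 1200 deny log tcp from me to any dst-port 25 out setup
EOF
}
# Rule 1200 stops anything on this Mac from talking SMTP directly to the
# Internet (a classic sign of a spam bot); mail clients that submit through
# port 587 are unaffected.

# Load the rules.  They take effect immediately and are NOT persistent: the
# table is empty again after a reboot unless something reloads it at startup
# (WaterRoof and NoobProof can arrange that).
apply_rules() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfw.XXXXXX") || return 1
    ipfw_rules > "$tmp"
    sudo /sbin/ipfw -q "$tmp"       # -q: don't echo each rule as it is added
    status=$?
    rm -f "$tmp"
    return $status
}

# Show the active rules with packet and byte counters; the counters on the
# deny rules climb when a connection attempt is actually being refused.
show_rules() {
    sudo /sbin/ipfw -a list
}

# Remove every rule, returning to Leopard's allow-everything default.
flush_rules() {
    sudo /sbin/ipfw -q flush
}

# Number of rules the policy generates (a sanity check before applying).
rule_count() {
    ipfw_rules | wc -l | tr -d ' '
}

# Run with no argument to review the policy; "apply", "show" and "flush"
# do what their names say (each needs an administrator password for sudo).
case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
    flush) flush_rules ;;
    *)     ipfw_rules ;;
esac
```

After applying, test from an address outside both ranges: the AFP connection should be refused and the counter on rule 1120 should increase in the `show` output, while connections from a work or home address still succeed. Remember that these rules disappear at the next reboot unless you make them persistent, and that the application firewall, if enabled, still gets its say on whatever ipfw lets through.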

**Third-party firewalls** Some users might want a little more flexibility or protection than the built-in firewalls offer. For example, you might want to block Internet connections to services on your Mac but allow users on your local network to connect. A tool like NetBarrier X5 lets you set different rules based on where a connection comes from. NetBarrier X5 also includes privacy features to protect you when web browsing, and other advanced options, such as application control, for more detailed configurations.

Another option lacking from Leopard is the ability to change rules based on your location. For example, you might leave iTunes sharing open at home but want to shut it off at the local Internet cafe. Open Door Software's DoorStop X Firewall 2.2 lets you define locations, and from the menu bar you can switch the firewall between rule sets. If you want the ultimate in application control, Little Snitch 2.0 gives you fine-grained control over which Internet destinations each application is allowed to contact.

**Deciding to use a firewall** After all this discussion of firewall options, it might disappoint you to learn that there are currently no known network-level exploits against an up-to-date Mac. Sure, if you leave file or screen sharing open and insecurely configured, someone can get into your system, but you open yourself up to those attacks just as easily with a firewall as without one. Macs, like any computer system, aren't perfect, and we've seen network-level vulnerabilities in OS X before. Keeping your system up to date with the latest patches is your first line of defense, but since the OS X firewall is so unobtrusive, we recommend you turn it on in application mode. If you'd like to use the ipfw firewall without becoming a firewall expert, the free NoobProof is an excellent option.

Most users don't require third-party firewalls, something many of the vendors seem to recognize. They continue to add security features beyond the basic firewall, such as intrusion detection, anti-phishing, outbound application control, and smarter location awareness. These aren't for everyone, but it's clear the firewall is evolving far beyond a basic packet filter.
