Blocking the Bad Guys at the Door
by Chris Pepper and Rich Mogull

_Mac OS X Leopard comes with not just one, but two firewalls for protecting your Mac, with third party tools available for those with special needs._


We all hear the word 'firewall' thrown around anytime there's a discussion of computer security, often in popular fiction as either an all-powerful security defense or little more than a speed bump for those crafty movie hackers. But most users have little idea what a firewall really does, never mind whether they really need one for their Mac.

Firewalls are a fundamental security tool, but like any tool they only solve certain problems. For firewalls, that problem is that it's often difficult to keep bad guys from connecting to systems or networks we don't want them to reach, while still allowing good guys access. Firewalls help with this problem by blocking unwanted network traffic. Think of them as a filter that blocks or allows traffic based on a set of rules.

If you're running a network, firewalls are great for separating inside and outside traffic. You filter Internet traffic through a firewall to block outsiders from peering into your network, or even to compartmentalize the network itself. As a matter of fact, if you're sitting at home behind a router or wireless access point like an AirPort Extreme, you're already behind a firewall. This prevents bad guys from trying to directly attack your computer over the network, which used to be one of the most effective methods of attack. For example, there used to be a bug called the "Ping of Death" that let an attacker crash your Mac just by sending it malicious network traffic. More complex attacks even let them take over a vulnerable computer. And while you're often behind a network firewall, that can't protect you from attacks originating on the same network, or when you use a laptop on different networks.

In steps the personal firewall: a software tool running on your Mac, not the network. OS X has long included a firewall, and OS X 10.5 Leopard includes two different firewalls.

**Using Leopard's firewalls** In versions of OS X up through 10.4 Tiger, the underlying firewall was a Unix-based program called ipfw. In security parlance, ipfw is a _packet-filtering_ firewall, meaning it monitors all traffic coming or going through the Mac's network interfaces, and checks each packet against a set of rules specifying whether it can pass through or should be blocked. Many corporations and other organizations rely on ipfw for their network security.

Packet-filtering firewalls classify network activity by type (based on port numbers), origin, and destination (IP addresses). For instance, a packet-filtering firewall lets you configure your home machine to accept file sharing connections from the IP addresses used by your network at work, but not from other addresses on the Internet (which might be an attacker). To anyone trying to connect to your packet-filtered system from a blocked address, it looks like file sharing isn't running at all, yet your machine remains fully accessible from work.

With Leopard, Apple decided to take the firewall in a completely different direction, likely to make it more understandable for users. Leopard relies on a new _socket filter_ firewall, also known as an _application firewall_. Rather than allowing and disallowing connections based upon network numbers (ports and IP addresses), it works application by application.

Whenever a program attempts to listen for network traffic, a socket filter checks it against a list of authorized programs. If the program is on this "white list", the firewall allows the connection. If the program isn't on the list -- as is the case with new or upgraded software -- Mac OS X asks you whether you want to allow it to listen for incoming traffic. By tying security to individual applications rather than IP addresses or ports, the application firewall makes it easier to distinguish trusted programs from unknown and untrusted programs. You access the Leopard firewall in System Preferences > Security > Firewall by selecting 'Set access for specific programs and services'; your allowed and blocked programs appear in the box below. If you'd like to block _all_ nonessential traffic, select 'Allow only essential services', but this breaks some applications: you can still browse the web and use email, but any inbound connections are blocked. See Rich's earlier firewall article (http://www.macworld.com/article/131116/2007/12/firewall.html) for more details on using the Leopard firewall.

Unfortunately, application firewalls are less flexible than many would like. Applications that are allowed to listen for network connections accept them from anywhere on the Internet; Leopard provides no way to distinguish trusted from untrusted computers across the Internet. The Leopard application firewall also only blocks _inbound_ connections, and often we'd like to prevent a program from making an outbound connection (for example, to stop it from phoning home and revealing private information).

Fortunately, OS X 10.5 Leopard still includes ipfw. By default, it's set wide open and won't block any incoming traffic, but you can still configure it from the command line or using a third-party application such as WaterRoof 2.0 or NoobProof 1.1. And ipfw is compatible with Leopard's socket filter, so you can use both, combining application filtering with the specificity of ipfw rules for stronger security.
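As an added example (not from the article, Apple, or any of the tools named here), the packet-filtering scenario described above, file sharing reachable only from a work subnet, expressed as an ipfw ruleset in a small shell script. The subnet 192.0.2.0/24 is a constructed placeholder, and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the article or Apple: an ipfw ruleset that exposes
# AFP file sharing (TCP 548) only to one trusted subnet.
# WORK_NET is a constructed placeholder (TEST-NET-1); substitute your own range.
WORK_NET="192.0.2.0/24"
AFP_PORT=548

# Emit the rules in ipfw's own syntax. ipfw evaluates rules in ascending
# number order and stops at the first match, so the trusted-subnet "allow"
# must carry a lower number than the catch-all "deny". Anything not matched
# falls through to Leopard's default rule 65535, which allows everything
# (so outbound traffic is unaffected). The "log" keyword records blocked
# attempts via syslog once the sysctl net.inet.ip.fw.verbose is set to 1.
ipfw_rules() {
  printf '%s\n' \
    "add 100 allow ip from any to any via lo0" \
    "add 110 allow tcp from any to any established" \
    "add 200 allow tcp from ${WORK_NET} to me ${AFP_PORT} in setup" \
    "add 300 deny log tcp from any to me ${AFP_PORT} in setup"
}

# Return 0 when the ruleset matches the intended policy: an allow for the
# trusted net, a deny for everyone else, and the allow numbered before the deny.
ipfw_rules_ok() {
  rules=$(ipfw_rules)
  allow_no=$(echo "$rules" | grep -F "allow tcp from ${WORK_NET} to me ${AFP_PORT}" | awk '{print $2}')
  deny_no=$(echo "$rules" | grep -F "deny log tcp from any to me ${AFP_PORT}" | awk '{print $2}')
  [ -n "$allow_no" ] && [ -n "$deny_no" ] && [ "$allow_no" -lt "$deny_no" ]
}

# Load the rules when run as root on a system that has ipfw; otherwise just
# show what would be loaded. Flushing first keeps repeated runs idempotent.
apply_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    ipfw_rules_ok || { echo "ruleset failed policy check; not applying" >&2; return 1; }
    ipfw -q -f flush
    ipfw_rules | while read -r line; do ipfw -q $line; done   # word splitting intended
  else
    echo "dry run (root and ipfw are needed to apply):"
    ipfw_rules
  fi
}

apply_rules
```

Run it with sudo on a Leopard Mac to load the rules; `sudo ipfw list` afterwards shows them in numeric order, and a connection attempt to port 548 from outside the subnet simply times out, exactly as the text describes.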

**Third-party firewalls** Some users might want a little more flexibility or protection than the built-in firewalls offer. For example, you might want to block Internet connections to services on your Mac, but allow local users to connect. A tool like NetBarrier X5 lets you set different rules based on where a connection comes from. NetBarrier X5 also includes privacy features to protect you when web browsing, and other advanced options, like application control, for more detailed configurations without forcing you to use the command line.

One option lacking from the built-in firewall is the ability to change rules based on your location. For example, you might leave iTunes sharing open at home, but want to shut it off when at the local Internet cafe. Open Door Software's DoorStop X Firewall 2.2 lets you define locations, and with a quick click in your menu bar you can set the firewall to use preset rules for where you are. If you want the ultimate in application control, you can use Little Snitch 2.0 for fine-grained control not only over which applications send or receive information on the Internet, but even over which destinations they are allowed to contact. Many a spyware tool has been outed when Little Snitch caught it sending out unexpected information.

**Deciding to use a firewall** After all this discussion of firewall options, it might disappoint you to learn that there currently aren't any network-level exploits against your Mac. Sure, if you happen to leave file or screen sharing open and insecure, someone can access your system, and more than a few applications open unwanted network connections. Of course, you can just as easily open yourself up to those attacks with or without a firewall. But Macs, like any computer system, aren't perfect, and we've seen more than a few network-level vulnerabilities in the life of OS X. Keeping your system up to date with the latest patches is your first defense, but since the OS X firewall is so non-intrusive, we recommend you turn it on in application mode. If you'd like to use the ipfw firewall without becoming a firewall expert, the free NoobProof is an excellent option.

Most users don't require third-party firewalls, something many of the vendors seem to recognize. They continue to add security features beyond the basic firewall, such as intrusion detection, anti-phishing, outbound application control, and smarter location awareness. These aren't for everyone, but it's clear the firewall is evolving far beyond a basic packet filter.
