Blocking the Bad Guys at the Door
by Rich Mogull and Chris Pepper

_Mac OS X Leopard comes with not just one, but two firewalls for protecting your Mac, with third-party tools available for those with special needs._


We all hear the word "firewall" thrown around any time there's a discussion of computer security, generally either as an all-powerful security defense or as little more than a speed bump for crafty movie hackers. But most users have little idea what a firewall really does, much less whether they really need one for their Macs.

Firewalls are basic security tools, but like any tool they only address certain problems. The problem firewalls address is that it is often difficult to keep bad guys from connecting to systems or networks we don't want them on, without interfering with access for the "good guys" (assuming we can tell the difference). Firewalls help with this problem by blocking unwanted network traffic. Think of them as a filter that blocks or allows traffic based on a set of rules.

If you have a network, firewalls are great for separating inside from outside traffic. You filter Internet traffic through a firewall and block outsiders from peering into your network, or can even compartmentalize different areas of your own network. As a matter of fact, if you're sitting at home behind a router or wireless access point like an AirPort Extreme, you're already behind a firewall. This prevents bad guys from trying to directly attack your computer over the network, which used to be one of the most effective methods of attack. For example, a long-fixed bug called the "Ping of Death" let attackers crash many Macs just by sending them specially designed network traffic. More complex attacks can let people take control of vulnerable computers. And while you likely often find yourself behind some sort of network firewall, they can't protect you from attackers on the same network (which can change with every coffee shop you visit).

Cue the personal firewall: a software tool running directly on your Mac, not the network. OS X has long included a firewall, and Mac OS X 10.5 Leopard includes two different firewalls.

**Using Leopard's firewalls** In Mac OS X versions through 10.4 Tiger, the underlying firewall was a Unix-based program called ipfw. In security parlance, ipfw is a _packet-filtering_ firewall, meaning it monitors all traffic coming or going through the Mac's network interfaces, and checks each packet against a set of rules specifying whether it can pass through or should be blocked. Many corporations and other organizations rely on ipfw for their network security.

Packet-filtering firewalls classify network activity in two main ways: by type, based on port numbers; and by origin and destination, based on IP addresses. For instance, a packet-filtering firewall enables you to configure your home computer to accept file sharing connections from the IP addresses of your network at work, but not from other addresses on the Internet (where most attacks come from). To anyone trying to connect to your packet-filtered system from a blocked address, it looks like file sharing isn't running at all, while your machine remains fully accessible from work.

With Leopard, Apple decided to take the firewall in a completely different direction, presumably to make it easier for Mac users to understand. Leopard relies on a new _socket filter_ firewall, also known as an _application firewall_. Rather than allowing and disallowing connections based upon network numbers (ports and IP addresses), it works application by application.

Whenever a program attempts to listen for network traffic, the socket filter checks it against a list of authorized programs. If the program is on this "white list", the firewall allows the connection. If the program isn't on the list (as is the case with new or upgraded software), Mac OS X asks you whether to allow the program to accept incoming traffic. By tying security to individual applications rather than IP addresses or ports, the application firewall makes it easier to distinguish trusted programs from unknown and untrusted programs. You access the Leopard firewall in System Preferences > Security > Firewall by selecting "Set access for specific programs and services", and your allowed and blocked programs appear in the box below. If you'd like to block _all_ nonessential traffic, select "Allow only essential services", but beware that this breaks some applications (you can still browse the web and use email, but any inbound connections are blocked). See <http://www.macworld.com/article/131116/2007/12/firewall.html> for more details on using Leopard's firewall.

Unfortunately, application firewalls are less flexible than many would like. In particular, Apple doesn't distinguish trusted from untrusted addresses on the Internet; applications which are allowed to listen for network connections always accept communications from anywhere on the Internet. The Leopard application firewall also only blocks _inbound_ connections, and does not enable us to prevent programs from making outbound connections; this is a big deal on Windows, where many spyware programs are in circulation, each of which attempts to "phone home" with sensitive private information such as passwords and bank accounts.

Fortunately, OS X 10.5 Leopard still includes ipfw. By default, it's effectively disabled, and does not block any traffic, but you can configure it from the command line or using a third-party application such as WaterRoof 2.0 or Noobproof 1.1. And ipfw is compatible with Leopard's socket filter, so you can combine the two to block untrusted applications from listening, and simultaneously restrict inbound and outbound traffic by ports and IP addresses with the specificity of ipfw rules.
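As an added example (this is not code from the article, from Apple, or from any of the tools it mentions), here is a small shell script that builds the ipfw ruleset for the file sharing scenario described earlier: accept AFP file sharing (TCP port 548) only from a trusted subnet, and make the service look closed to every other address, while the Leopard application firewall stays in place on top. The trusted subnet 192.0.2.0/24, the rule numbers, and the script's own function names are assumptions of this example, not anything the article specifies.

```shell
#!/bin/sh
# Added example, not from the article, Apple, or any of the tools it mentions:
# generate (and optionally load) an ipfw ruleset that accepts AFP file sharing
# (TCP 548) only from a trusted subnet and makes it look closed to everyone else.
#
# Assumptions (not from the article):
#   - 192.0.2.0/24 is a constructed placeholder subnet (RFC 5737); override it
#     with TRUSTED_NET=... to use your own work or home network.
#   - Rule numbers 1000-1200 are arbitrary; only their relative order matters.
#   - Loading rules requires an admin account (sudo) on a Leopard Mac.

TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
AFP_PORT=548

# Print the ipfw commands without running them. ipfw walks rules in ascending
# number order and stops at the first match, so the allow for the trusted
# subnet must carry a lower number than the catch-all deny. "me" matches any
# address configured on this Mac, and "in" restricts the rule to inbound packets.
afp_rules() {
    net="$1"
    cat <<EOF
add 1000 allow ip from any to any via lo0
add 1100 allow tcp from ${net} to me ${AFP_PORT} in
add 1200 deny log tcp from any to me ${AFP_PORT} in
EOF
}

# Return 0 if the generated ruleset admits AFP from the given address range
# and 1 otherwise; a sanity check to run before loading the rules.
afp_allows_from() {
    afp_rules "$TRUSTED_NET" | grep -q "allow tcp from $1 to me ${AFP_PORT} in"
}

# Load the rules, one per line, into the live ipfw table. The "deny log" rule
# records blocked attempts through syslog once net.inet.ip.fw.verbose is 1
# (on Leopard this typically lands in /var/log/ipfw.log), so you can see who
# is knocking on port 548 without ever letting them in.
apply_rules() {
    afp_rules "$TRUSTED_NET" | while read -r line; do
        # $line is intentionally unquoted so each word becomes its own argument
        sudo ipfw -q $line
    done
    sudo sysctl -w net.inet.ip.fw.verbose=1
    sudo ipfw list
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       afp_rules "$TRUSTED_NET" ;;
esac
```

Run the script with no arguments to review the rules it would install, then with `--apply` to load them; `sudo ipfw list` shows the live table afterwards, and `sudo ipfw -f flush` clears it again if something breaks. Because the application firewall still sits in front of the listening program, a new or upgraded file sharing binary still triggers Leopard's allow/deny prompt, while ipfw decides which addresses may reach it at all.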

**Third-party firewalls** Some users want a little more flexibility or protection than the built-in firewalls offer. For example, you might want to block Internet connections to services on your Mac, but allow local users to connect. A tool like NetBarrier X5 lets you set different rules based on where a connection comes from. NetBarrier also includes privacy features to protect you when web browsing, and other advanced options such as application control, for more precise restrictions without resorting to the command line. Free tools such as WaterRoof leverage Apple's ipfw to provide powerful packet filtering, but do not provide the non-firewall features included in NetBarrier.

One option lacking from Leopard's built-in socket filter is the ability to change rules based on your location. For example, you might leave iTunes sharing open at home, but want to shut it off when at the local Internet cafe. Open Door Networks' DoorStop X Firewall 2.2 lets you define locations, and with a quick click of your menu bar you can set the firewall to use preset rules for where you are. If you want the ultimate in application control, you can use Little Snitch 2.0 for fine-grained control: not only over which applications send and receive information from the Internet, but even which destinations they are allowed to contact. Many a spyware tool has been outed by Little Snitch when it attempted to transmit information unexpectedly. NetBarrier also allows different rules for addresses on the "local network" than for those from the Internet, which is a remarkably simple and useful distinction.

**Deciding to use a firewall** After all this discussion of firewall options it may disappoint you to learn that there currently aren't any network-level exploits against your Mac. Sure, if you happen to leave file or screen sharing open and insecure, someone could access your Mac, and more than a few applications open unwanted network connections. A properly configured firewall might protect you, but configuring a firewall isn't generally any easier than setting strong passwords for file sharing and other services. But Macs (like other computers) aren't perfect, and we've seen more than a few network-level vulnerabilities during the lifetime of Mac OS X. Keeping your system up to date with the latest patches is your first defense, but since Leopard's firewall is so unintrusive, we recommend you set it to "Set access for specific programs and services". If you'd like to use the ipfw firewall without becoming a firewall expert, the free NoobProof is an excellent option.

Most users don't require third-party firewalls, something many of the vendors seem to recognize. They continue to add security features beyond the basic firewall, such as intrusion detection, anti-phishing, outbound application control, and smarter location awareness. These aren't for everyone, but it's clear the firewall is evolving far beyond the classic packet filter.
