For many users, "OS X's built-in firewall" means the GUI configuration tool found in System Preferences. But that GUI interface is really only the front-end to OS X's underlying firewall program -- the software that actually monitors and manages your Mac's incoming network traffic.

In versions of OS X up through 10.4 Tiger, that underlying firewall was a Unix-based program known as ipfw. In security parlance, ipfw is a _packet-filtering_ firewall, meaning it monitors all traffic coming or going through the Mac's network interfaces (generally Ethernet or AirPort), and checks each packet against a set of rules specifying whether the packet can pass through the firewall or should be blocked. Many corporations and other large-scale organizations rely on ipfw for their network security.

Packet-filtering firewalls classify network activity by type (based on TCP and UDP port numbers) and by origin and destination (using IP addresses). For instance, a packet-filtering firewall would let you configure your home machine to accept ssh (Remote Login) connections from the range of IP addresses used by your network at work, but not from other addresses on the Internet -- those others might be malicious strangers looking for computers for attack. To anyone trying to connect to your packet-filtered system from a blocked address, it would appear that ssh was not running at all, yet your machine would remain fully accessible if you're connecting from work.
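To make the ssh-from-work policy just described concrete, here is an added example (not from the article, and not Apple's or ipfw's own code): a small Python model of ipfw's first-match packet filtering, run over a constructed ruleset in ipfw syntax and constructed sample packets. The work network 192.0.2.0/24 and the host address 198.51.100.7 are assumptions.

```python
import ipaddress
MY_ADDR = "198.51.100.7"  # constructed address standing in for "me" (this host)
# Constructed ruleset in ipfw syntax (not from the article): accept SSH only from a
# hypothetical work network 192.0.2.0/24, deny it from everywhere else, then end
# with the wide-open default rule Leopard ships with.
RULESET = """
add 100 allow tcp from 192.0.2.0/24 to me 22 in
add 200 deny tcp from any to me 22 in
add 65535 allow ip from any to any
"""

def parse_rule(line):
    """Parse the subset 'add N action proto from src to dst [port] [in|out]'."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "add" or tok[4] != "from" or tok[6] != "to":
        raise ValueError("unsupported rule: " + line)
    rule = {"num": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": tok[5], "dst": tok[7], "dport": None, "dir": None}
    for extra in tok[8:]:
        if extra in ("in", "out"):
            rule["dir"] = extra
        else:
            rule["dport"] = int(extra)  # destination port, e.g. 22 for SSH
    return rule

def _addr_match(spec, addr):
    # 'any' matches everything; 'me' is this host; otherwise a host or CIDR block
    if spec == "any":
        return True
    net = ipaddress.ip_network(MY_ADDR if spec == "me" else spec, strict=False)
    return ipaddress.ip_address(addr) in net

def _rule_match(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and rule["dir"] in (None, pkt["dir"])
            and rule["dport"] in (None, pkt["dport"])
            and _addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"]))

def filter_packet(ruleset, pkt):
    """ipfw is first-match: the lowest-numbered matching rule decides."""
    rules = sorted(map(parse_rule, ruleset.strip().splitlines()), key=lambda r: r["num"])
    for rule in rules:
        if _rule_match(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "deny"  # ipfw's built-in last rule when the list omits it

def inbound(proto, src, dport):
    """Constructed inbound packet addressed to this host."""
    return {"proto": proto, "src": src, "dst": MY_ADDR, "dport": dport, "dir": "in"}
```

A connection attempt from a blocked address is dropped by rule 200 before the permissive default is ever consulted, which is why the remote side sees no sign that ssh is running.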

In those earlier versions of OS X, you could configure ipfw using a GUI interface. The Sharing preference pane listed applications and services -- Remote Login (OpenSSH), the Web server (Apache httpd), and so on. When you enabled those apps and services in System Preferences, ipfw would open the ports corresponding to those apps and services; other ports would remain disallowed unless you specifically opened them.

But while the GUI interface in Tiger and before was generally helpful, it didn't allow you to customize the firewall; each service was either blocked or accessible to the entire Internet. Apple didn't provide sufficient control from the GUI to, for example, allow ssh only from work IP addresses. But if you were willing to use the command line (there's plenty of documentation on the Net) or a third-party utility such as [WaterRoof](http://www.hanynet.com/waterroof/), you could configure ipfw quite specifically.

With Leopard, Apple apparently decided that even the GUI interface to ipfw was too complicated for many of us. Instead, Leopard relies on a new _socket filter_ firewall. Rather than allowing and disallowing connections based upon network numbers (ports and IP addresses), socket filters work application by application.

Whenever a program attempts to listen for inbound network traffic, a socket filter checks the requesting program against a list of authorized programs. If the program is on this "white list", the OS X firewall allows the connection to proceed. If the program isn't on the list -- as is the case with new or upgraded software -- Mac OS X asks you whether you want to allow the application to listen to the incoming traffic. By tying security to individual applications rather than IP addresses or ports, the socket filter makes it easier to distinguish trusted application programs from unknown and untrusted programs.

Unfortunately, socket filters are less flexible than many would like. Applications that are allowed to listen for network connections accept connections from anywhere on the Internet. For example, the Leopard interface provides no support for distinguishing trusted from untrusted computers across the Internet, and there's no command-line or third-party utility that'll give you finer control over it.

Fortunately, OS X 10.5 Leopard still includes ipfw. By default, it's set wide open, so it won't block any incoming network traffic. But you can still configure it from the command line or using a third-party application such as WaterRoof. And ipfw is compatible with Leopard's socket filter, so you can use both to combine the ease of application-by-application filtering with the specificity of ipfw rules to get stronger security.

Macworld buying advice
Both the new socket filter and the "classic" ipfw are included for free in Mac OS X. If you're willing to implement and customize ipfw (either from the command line or using a third-party utility), I think they're enough for many users. A program like NetBarrier might be a more flexible replacement for ipfw, with a raft of additional non-firewall security tools. But it costs money, and it doesn't have ipfw's long history of security success.

Compatibility: Built into Leopard.
