Hole-y Leopard!

A first-hand look at the problems with the firewall in the new release of Mac OS X

3:26 PM -- I did a fresh install of Mac OS X Leopard the other night. I was looking forward to all of the new features, most of which I didn't even know about. I like running the latest and greatest versions, so Leopard seemed like a good fit.

Apple had been advertising how much more secure Leopard was (cue Kanye West's song "Stronger" but with Leopard being "harder, better, faster, stronger"), but within days of its release, security researchers were already picking it apart. I've always been happy with the firewalling within Mac OS X, using ipfw. The firewall GUI has always been lackluster, but manual configuration is easy because of ipfw's simplified rule language (See Leopard With Chinks in Its Armour.)

But researchers say Leopard's firewall is full of holes. (If you were near my office yesterday, you would have heard me yelling about how their test must be flawed.) So, as with other claims against something I like, I recreated the test myself. I set up an old laptop with Xubuntu and connected it to my MacBook Pro with a crossover cable. After setting up the IPs and confirming they could ping and SSH into each other, I set forth to prove the claims wrong.

But it turns out they were right. The "set access for specific services and applications" firewall setting might as well be the "allow all incoming connections" default. If you thought setting this parameter and allowing SSH would only permit TCP port 22 inbound, you're wrong (as was I). In his test, Jürgen Schmidt used netcat to listen on a local port, and the firewall opened up to allow access to that port. When the firewall setting was changed to "block all incoming connections," access to the netcat listener was blocked. But how many people want to enable SSH, Web sharing, Bonjour, or Remote Desktop on their Leopard machines?

The firewall settings do nothing for UDP. Even at "block all incoming connections," I was able to connect from my Xubuntu laptop to the NTP daemon (ntpd) on my Leopard laptop. I still haven't figured out why Leopard has an NTP daemon accepting connections, but the fact that it is accessible even when all incoming connections are supposed to be blocked is more disturbing.

The firewall logs used to be stored in "/var/log/ipfw.log" in Tiger (Mac OS X 10.4), but are now stored in "/var/log/appfirewall.log." I guess this change is because the Leopard firewall has been enhanced to be application-aware, which is why it opened up to the netcat listener. The other big change is the rules are no longer visible by running "sudo ipfw list." The only rule listed by ipfw when "block all incoming connections" is set is "65535 allow ip from any to any." That's essentially an anti-firewall rule: It does nothing. Or in other words, it allows everything.

There is hope, though. WaterRoof is a GUI frontend to ipfw for Mac OS X and it works well with Leopard. The only issue I've found is that it still expects the logs to be in "/var/log/ipfw.log," so clicking on the view logs button comes up empty. For those of you squeamish about configuring the firewall, the pre-configured rule sets are solid and will work for you out of the box. Just tune the Leopard firewall setting to "allow all incoming connections" and manage everything with WaterRoof. You will have to build your own UDP firewall rules, because there are none included by default. UDP rules tend to get sticky, so at a minimum, deny inbound UDP for ports 123, 5353, and 5454 to cover possible vulnerabilities in NTP and Bonjour.
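As an added example (not code from the article, from Apple, or from WaterRoof), the script below does two things the text above describes by hand: it generates the inbound-UDP deny rules for ports 123, 5353, and 5454, and it checks a saved `sudo ipfw list` dump for the "anti-firewall" state where the only rule is `65535 allow ip from any to any`. The interface name `en0`, the rule numbers, and the two sample dumps are assumptions and constructed data, not output captured from the author's machine.

```shell
#!/bin/sh
# Added example, not code from the article or from WaterRoof: generate the
# inbound-UDP deny rules the article recommends, and detect the "anti-firewall"
# state in an `ipfw list` dump. Interface, rule numbers and sample dumps are
# assumptions/constructed data; en0 is the usual first NIC on a Mac.

IFACE="en0"
UDP_DENY_PORTS="123 5353 5454"   # NTP, mDNS/Bonjour, and 5454 as listed in the article

# Print one `ipfw add` command per port, denying inbound UDP to this host and
# logging each hit (hits land in /var/log/ipfw.log when ipfw logging is on).
# Rule numbers start at $1 and step by 10, leaving room to insert rules later.
build_udp_deny_rules() {
    rule_num=${1:-1000}
    for port in $UDP_DENY_PORTS; do
        echo "ipfw add $rule_num deny log udp from any to me dst-port $port in via $IFACE"
        rule_num=$((rule_num + 10))
    done
}

# Succeed (exit 0) when a dump of `sudo ipfw list` contains nothing but the
# default catch-all rule, i.e. ipfw is passing everything.
is_anti_firewall() {
    rule_count=$(printf '%s\n' "$1" | grep -c . || true)
    [ "$rule_count" -eq 1 ] && printf '%s\n' "$1" | grep -qx '65535 allow ip from any to any'
}

# Constructed sample dumps: what `sudo ipfw list` shows on Leopard with
# "block all incoming connections" set, and what it shows after the deny
# rules above have been loaded.
LEOPARD_DEFAULT_DUMP="65535 allow ip from any to any"
HARDENED_DUMP="01000 deny log udp from any to me dst-port 123 in via en0
01010 deny log udp from any to me dst-port 5353 in via en0
01020 deny log udp from any to me dst-port 5454 in via en0
65535 allow ip from any to any"

# Dry run: print the rules. On the Mac, pipe this output into `sudo sh` to load them.
build_udp_deny_rules 1000
if is_anti_firewall "$LEOPARD_DEFAULT_DUMP"; then
    echo "sample Leopard dump: ipfw has no effective rules"
fi
```

The deny rules are scoped to `in via en0` so that loopback and outbound UDP (your own NTP queries, for instance) are left alone; if the machine uses a different interface, change `IFACE`. Checking `sudo ipfw list | grep -c .` after a reboot is a quick way to confirm the rules survived, since WaterRoof's log viewer will not tell you on Leopard.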

Even though the firewall may have been flawed to begin with in Leopard, I'm confident that I'm well-protected from network-based threats, using my custom rules. If you're thinking about upgrading, heed the warnings about Leopard's firewall: It's not on by default, and even at its most restrictive setting, it still lets in UDP, and the daemons listening on UDP ports may be vulnerable.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
