There are two schools of thought when it comes to the software firewall built into OS X.
One school says that it’s not necessary. Firewalls prevent unapproved connections from opening ports on a computer’s network interface. Ports are how a software service talks to a network. You can think of a port as a window in a wall; some ports are left open on purpose to allow incoming and outgoing data traffic. But by default, OS X doesn’t leave many ports open. In contrast, most versions of Windows ship with a bunch of open ports, which is one reason why that operating system is a riper target for malicious hackers. And while Leopard leaves open more ports than earlier versions of Mac OS X, so far there have been no known attacks on those default services.
The other school says that the best security mantra is ‘never assume’. As you install and use programs on your system, you often open ports without realising it. And there’s always the possibility that a chink in OS X’s armour will lead to a wave of new exploits. That’s why we would recommend that all Mac users turn on OS X’s built-in firewall.
By selecting the Set Access For Specific Services And Applications option, you can control incoming network traffic
The problem is that, while OS X has long included basic firewall software, Leopard introduced some significant changes to it, leaving many Leopard users confused as to how to keep their Macs secure. But though the firewall interface in Mac OS X 10.5 is quite different from that in earlier versions of the OS, it’s still relatively easy to use, especially since the release of the 10.5.1 update.
What’s new In previous editions of OS X, you configured the firewall in the Sharing preference pane. In Leopard, you do it in the Security pane.
That’s not the only change. Instead of the Start/Stop button found in those earlier incarnations, the firewall in the initial release of Leopard gave you three options: Allow All Incoming Connections, Block All Incoming Connections, and Set Access For Specific Services And Applications.
Those options confused many users. For one thing, the terminology was vague. Also, the Block All Incoming Connections option actually left a number of ports open, including any service running as the root user; none of those open services were shown in the user interface.
The firewall also broke some programs, such as Skype, that change their internal code when they run. The reason is that the firewall creates a digital signature for each program that tries to communicate across the network interface. That signature enables OS X to know if the program’s code has been modified; if it has, OS X will refuse to run it. Such modified programs would bounce on the Dock a few times, and then shut down.
OS X 10.5.1 remedied these flaws by changing that second option to Allow Only Essential Services, tightening and documenting which essential services are allowed, and prompting users to reactivate programs (such as Skype) that change themselves, instead of simply breaking them.
Configuring the firewall Leopard’s Allow All Incoming Connections option is the functional equivalent of the old Stop button: it turns your firewall off. We wouldn’t recommend this setting to anyone.
The Allow Only Essential Services option will block anything except a few default networking services, such as Bonjour. It prevents file sharing, remote access, and other optional services. You should use this option only if you really want to block everything. You could use this option when on potentially hostile networks, such as those in hotels or public hotspots, and don’t want to bother with manually turning off all your shared services (see ‘Firewalls on the road’, right).
The third option, Set Access For Specific Services And Applications, is the one best suited for everyday use. It’s actually a new kind of firewall for OS X. It’s what’s known as an application firewall.
Previous versions of OS X used a technology known as stateful packet inspection – a fancy way of saying the firewall blocked ports that weren’t being held open for use by approved applications. An application firewall like the one in Leopard blocks traffic targeting specific applications, not specific ports.
Leopard still includes a stateful-packet-inspection firewall, called ipfw, but by default it’s set to let all traffic through. That firewall can be configured to be more secure, but doing so is for advanced users only; if you don’t know how to do it already, you probably shouldn’t attempt it at this time.
In the Firewall configuration tab, below the three options, you should see a list of network services that are currently authorised to accept or deny incoming connections. If you’ve enabled any services in the Sharing preference pane, they should appear here; you can’t disable them from the firewall.
After you select the Set Access For Specific Services And Applications option, any time you launch a program that uses networking, Leopard will ask if you want to allow or block incoming connections to it.
If you select Allow, that program will be added to this list and digitally signed (if it isn’t already) so Mac OS X can detect if it has been tampered with. You can select an application in this list, and allow or deny incoming connections using a drop-down menu.
The Leopard firewall doesn’t prevent programs from making outgoing connections. So, for example, it might be fine to set iTunes to share music from your laptop when you’re at home. But if you then move to a public network, the only way to block access to your iTunes library is to turn sharing off in iTunes’ preferences (or to adjust the firewall to Allow Only Essential Services).
Whether you choose Allow Only Essential Services or Set Access For Specific Services And Applications, you should then click on Advanced and select Enable Stealth Mode to hide closed services from someone probing your computer.
The future of the firewall Because the firewall in OS X is now application-based, there’s some concern in the security community that it will leave the Mac vulnerable to low-level attacks. Apple may need to address this in future security updates or by adding a graphical-interface tool that will let users configure ipfw.
It would also be good to have some way to configure the application firewall to block outbound connections. We already know about the QuickTime rtsp vulnerability: it would, in theory, allow an attacker to embed a QuickTime link in an email or web page directing you to a hostile site in order to exploit your computer. That hole was plugged with the QuickTime 7.3.1 update. But now Apple needs to provide a tool for blocking outgoing connections across all applications.