
dferigmu

macrumors 6502
Original poster
Oct 3, 2004
265
0
Washington, DC
Is Zonealarm available for Mac? If not, what's the best firewall for Mac?

And please don't tell me I don't need protection and Mac is so secure, etc. I know about this new virus for Mac and I'm not taking ANY chances with an almost $2000 investment.

I'm buying Tech Pro Tools 4 for a utility and Norton Anti-Virus for virus protection. Now, what about a firewall?
 
zone alarm is not available. personally i don't think there is anything wrong with the built in firewall (look in system preferences > sharing > firewall). that appears to do the job well just without any fancy windows that flash at you and get you worried where there is no need.

with regards to norton anti-virus for mac. i have heard nothing but bad stories about it. buy a .mac subscription instead and use the free copy of virex that you get with it.

this new virus that you have heard about isn't a virus as it can't spread on its own. it requires people to individually run the programme which will involve the administrator typing in the password. i really wouldn't worry about it. just be sensible with how you use your comp and you will be fine. it appears that these rogue programmes are coming off p2p's. would you put just any liquid into your car? well don't just run any programme on your computer unless you know what it is. i honestly think you are going over the top with your safety measures. even if there was a virus it's not like it would blow up your comp would it? i have been running my 12" pb (that i spent a whole summer working and saving for) without antivirus ever since i got it. for novelty value the other week i tried a copy of the anti virus software that we can get free from uni. i let it have a good scan through and it found nothing. all it did was slow my comp down!
 
dferigmu said:
Is Zonealarm available for Mac? If not, what's the best firewall for Mac?

And please don't tell me I don't need protection and Mac is so secure, etc. I know about this new virus for Mac and I'm not taking ANY chances with an almost $2000 investment.

I'm buying Tech Pro Tools 4 for a utility and Norton Anti-Virus for virus protection. Now, what about a firewall?

The built-in firewall that comes with OSX is apparently very good (plus it's free!). You can find it in System Preferences > Sharing...
 
dferigmu said:
Is Zonealarm available for Mac? If not, what's the best firewall for Mac?

And please don't tell me I don't need protection and Mac is so secure, etc. I know about this new virus for Mac and I'm not taking ANY chances with an almost $2000 investment.

I'm buying Tech Pro Tools 4 for a utility and Norton Anti-Virus for virus protection. Now, what about a firewall?

Rather than Norton Anti-Virus you may want to get .Mac and get Virex with it.

Or you may want to get Norton Internet Security which has both the firewall and virus checker.

I am trialing NetBarrier and it seems ok...a bit buggy but seems to do the job. Traceroute and WhoIs play up. And I have had some weird programs allowed out without my sanction even after saying it was needed...
 
dferigmu said:
Is Zonealarm available for Mac? If not, what's the best firewall for Mac?

And please don't tell me I don't need protection and Mac is so secure, etc. I know about this new virus for Mac and I'm not taking ANY chances with an almost $2000 investment.

I'm buying Tech Pro Tools 4 for a utility and Norton Anti-Virus for virus protection. Now, what about a firewall?

Wrong, Norton will be your headache, I don't think there is a single mac user who thinks you don't need protection, and as you need it you have it... Preferences > Sharing > Firewall...

Save yourself a bit of money and don't buy norton, if you are worried because you may transfer windows virus to other windows users, get virex from .mac, I'm a .mac user and haven't bothered to download it, get an external HD and do regular backups... if you do need that kind of warning pop-up messages when an application is running "à la ZoneAlarm" get LittleSnitch, only 25 bucks, I guess... again save yourself time and problems... Norton? :rolleyes: :eek:
 
AmigoMac said:
Wrong, Norton will be your headache, I don't think there is a single mac user who thinks you don't need protection, and as you need it you have it... Preferences > Sharing > Firewall...

Save yourself a bit of money and don't buy norton, if you are worried because you may transfer windows virus to other windows users, get virex from .mac, I'm a .mac user and haven't bothered to download it, get an external HD and do regular backups... if you do need that kind of warning pop-up messages when an application is running "à la ZoneAlarm" get LittleSnitch, only 25 bucks, I guess... again save yourself time and problems... Norton? :rolleyes: :eek:

Can I get Virex without getting .Mac?
 
dferigmu said:
Can I get Virex without getting .Mac?
Oddly, it doesn't seem that you can - or at least I can't find it on the McAfee site.

Doesn't matter, though. You don't need a virus scanner (yet), and the built-in firewall works just fine.
 
jsw said:
Oddly, it doesn't seem that you can - or at least I can't find it on the McAfee site.

Doesn't matter, though. You don't need a virus scanner (yet), and the built-in firewall works just fine.

Ever since NAI and McAfee got involved, it's become much more difficult to buy Virex. I found it once through a search on the site but you could only buy it in quantities of 5.
 
bousozoku said:
Ever since NAI and McAfee got involved, it's become much more difficult to buy Virex. I found it once through a search on the site but you could only buy it in quantities of 5.
Yeah - I saw that too. Still true as of a minute ago. You cannot buy fewer than 5 copies at ~US$40 each. But you do get a free American flag with each purchase. :rolleyes:

I tried reducing the quantity to '1', but the site said 5 was the minimum.
 

IMO, ipfw (the firewall already built-in and running on your Mac) is a very good firewall. Unfortunately, the controls that Apple has given you render the firewall nearly useless, so I suggest learning to control it via the command line, or with a 3rd party utility like Sunshield or Brickhouse.

Why? (as people inevitably ask)



rueyeet said:
As a matter of curiosity, what can ipfw do via the command line that you can't do via the Apple-provided GUI? A blanket statement that "it's Bad" isn't much use if you don't say exactly WHY it's Bad.


I want finer grained control in my firewall. It's just not there with the Apple GUI control. But that's a small point of contention.

A larger point of contention is, there is NO WAY to turn on logging in the Apple control! What good is a firewall if you have no idea what is happening with it? Are you just going to press the "on" button and hope that it's doing a good job? How do you know if you're being targeted? How can you know who is touching which port? Logging is a very important part of a firewall and it's just not an option.

And finally, the biggest problem of all..

The Apple GUI control offers NO way to block specific IPs or ranges of IPs. It's all or nothing. This renders the firewall completely useless. It's about as effective as not running a firewall at all. Any service that is running and listening for external connections will show up through a port scan when the Mac is firewalled using the Apple-config, the same as it would if there was no firewall "running" (technically, ipfw is ALWAYS running, its default rule set is "allow all from any to any", but this is equivalent to it being "off"). You cannot specify, hey, I'll let my buddy Foo from so-and-so connect to my FTP server, but everyone else can keep the hell out.

So, without being able to block IPs, nor have logging to know who is touching my box (no pun), Apple has rendered ipfw impotent. Its benefits are minuscule.


Using ipfw from the command line (or BrickHouse/SunShield if you need/want GUI) allows for MUCH greater control.

I deny most external ICMP requests, and log when they connect:
Code:
02003 deny log icmp from any to any in icmptype 8,10,13,15,17

I have a blacklist of hosts that are naughty, and log when they try to connect:
Code:
# naughty host blacklist:
00500 unreach host-unknown log ip from 216.42.81.141 to any in
00501 unreach host-unknown log ip from 216.42.81.143 to any in
00502 unreach host-unknown log ip from 211.0.0.0/8 to any in
00503 unreach host-unknown log ip from 80.116.0.0/16 to any in
00504 unreach host-unknown log ip from 207.103.247.50 to any in
00505 unreach host-unknown log ip from 221.0.0.0/8 to any in
00506 unreach host-unknown log ip from 220.0.0.0/8 to any in
00507 unreach host-unknown log ip from 80.117.0.0/16 to any in
00509 unreach host-unknown log ip from 210.0.0.0/8 to any in

Unless I'm on vacation, I only allow ssh connections from a "trusted" source range of IPs, and I log all connections:
Code:
00935 allow log tcp from 152.16.0.0/16 to any 22 in

I only allow DNS from "trusted" sources, limiting my exposure to DNS spoofing:
Code:
00920 allow udp from 209.x.x.x 53 to any in
00921 allow udp from 209.x.x.x 53 to any in

Etc, etc, etc,...

No need to bore you anymore, I think you get the idea.

If you value your security, do yourself a favor and don't just click the "Start Firewall" button, learn to use it properly.
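
An added example, not part of the original post: a small first-match evaluator for the subset of ipfw rule syntax quoted above, run over constructed packets. Rule 00936 and the sample addresses are assumptions; the example shows that with an allow-all default, the ssh allow rule only restricts access when a later deny rule follows it.

```python
import ipaddress

# Constructed ruleset. Rules 00500, 00502 and 00935 are copied from the post;
# 00936 is a hypothetical addition; 65535 is the allow-all default it describes.
RULES = """\
00500 unreach host-unknown log ip from 216.42.81.141 to any in
00502 unreach host-unknown log ip from 211.0.0.0/8 to any in
00935 allow log tcp from 152.16.0.0/16 to any 22 in
00936 deny log tcp from any to any 22 in
65535 allow ip from any to any
"""

def parse_rule(line):
    """Parse the small subset of ipfw rule syntax that appears in the post."""
    tok = line.split()
    num, action, i = int(tok[0]), tok[1], 2
    if action == "unreach":          # 'unreach' is followed by an ICMP code name
        i += 1
    log = tok[i] == "log"
    if log:
        i += 1
    proto, src = tok[i], tok[i + 2]  # tok[i + 1] is the keyword 'from'
    rest = tok[tok.index("to", i + 3) + 2:]   # tokens after the destination address
    ports = [int(t) for t in rest if t.isdigit()]
    return {"num": num, "action": action, "log": log, "proto": proto,
            "src": None if src == "any" else ipaddress.ip_network(src),
            "dport": ports[0] if ports else None, "inbound_only": "in" in rest}

def load(text):
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["num"])

def evaluate(rules, proto, src, dport, direction="in"):
    """First matching rule wins: return (rule number, action, logged)."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["inbound_only"] and direction != "in":
            continue
        if r["proto"] not in ("ip", proto):
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["num"], r["action"], r["log"]
    return None

if __name__ == "__main__":
    rules = load(RULES)
    without_deny = [r for r in rules if r["num"] != 936]
    # Constructed sample packets (198.51.100.7 is a documentation address).
    for src, port in [("152.16.4.9", 22), ("198.51.100.7", 22), ("211.5.5.5", 22)]:
        print(src, port, evaluate(rules, "tcp", src, port),
              "| without 00936:", evaluate(without_deny, "tcp", src, port))
```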
 
dferigmu said:
I know about this new virus for Mac and I'm not taking ANY chances with an almost $2000 investment.
I am confused at what you are saying here. Even IF you get a virus (as long as you have your original cd's) then you never wasted 2000 dollars? just reinstall the OS. You never ruin your computer forever..(unless it affects the firmware)
 
wow... talk about someone who is over the top here... *shakes head* look.. you seem to be coming from a windows environment... let's get a few preconceived notions out of the way.

There are no real virus threats for the mac.. it's really that simple. want to make sure you don't do something stupid if you do get a virus? back up your home directory and run as a restricted user so that if you do get a virus it cannot affect the whole system, just your files within your home directory. if you back them up, you're golden anyway.

Virex can be obtained in many ways, i can get it free from my university, or you can get it from .mac. the most that will do is remove windows viruses from your system so you can't affect windows users if you send them something or transfer files to a windows PC.

Want a good solution for a firewall as an average user? get a linksys router or similar and use that. No inbound connections unless you specifically forward them to your ip address by configuring a port or set of ports in the configuration thing. plus if you have more than one computer and have cable/dsl/etc you will be able to connect them all to the net as well. and i think they run like $40-50 now so probably cheaper than just buying a stupid firewall for one computer. others have mentioned the built in firewall, that should be sufficient otherwise..
 
As Macs gain in popularity (we can dream can't we) with IPods, we will begin to see more and more viruses. People can talk about windows being so insecure when the truth is that it is about windows being so popular. No OS is secure. You just have to protect yourself, if not today... probably tomorrow.
 
pyrrhusmj said:
As Macs gain in popularity (we can dream can't we) with IPods, we will begin to see more and more viruses. People can talk about windows being so insecure when the truth is that it is about windows being so popular. No OS is secure. You just have to protect yourself, if not today... probably tomorrow.
You're half-right. Sure, as Macs get more popular, hackers will target them more. That doesn't change the fact that Windows security is downright terrible compared to Mac OS X (but that doesn't make Mac OS X perfectly secure - just better than Windows). The true reason Windows gets slammed is twofold: it is extremely popular AND it's insecure. Also, just because there aren't any Mac OS X viruses yet doesn't mean that one won't appear in the future - it's good to have a virus scanner anyway, just to make sure you don't pass on PC viruses and are prepared if a Mac OS X virus appears someday.
 
pyrrhusmj said:
As Macs gain in popularity (we can dream can't we) with IPods, we will begin to see more and more viruses. People can talk about windows being so insecure when the truth is that it is about windows being so popular. No OS is secure. You just have to protect yourself, if not today... probably tomorrow.

No OS is completely secure, but Mac OS X is certainly way more secure than Windows. If popularity is all there is to it, why is it that there are hundreds of exploits for Microsoft's IIS and next to none for Apache, when Apache is used to run over 2/3 of all websites in existence?
 
jackieonasses said:
I am confused at what you are saying here. Even IF you get a virus (as long as you have your original cd's) then you never wasted 2000 dollars? just reinstall the OS. You never ruin your computer forever..(unless it affects the firmware)

Part of that $2000 is going towards a hard drive with all my stuff on it that I don't want to lose b/c I didn't bother to get anti-virus software. And no, I don't have money for an external back-up hard drive.
 
yellow said:
IMO, ipfw (the firewall already built-in and running on your Mac) is a very good firewall. Unfortunately, the controls that Apple has given you render the firewall nearly useless, so I suggest learning to control it via the command line, or with a 3rd party utility like Sunshield or Brickhouse.
***snip***

If you value your security, do yourself a favor and don't just click the "Start Firewall" button, learn to use it properly.


Whilst I agree (and admire) your understanding of firewall use, I want a user friendly GUI to do this work for me. I don't care to have to learn all I would have to know and keep up to speed with just to secure myself online.

I've used both Nortons and NetBarrier but neither really do everything I want. They seem to cover most of the things I need but then I find that I want more detailed information about attacks (detailed traceroute (with details graphics not little pics and doodles) and whois + links back to a central database collecting from everyone's firewalls to coordinate information exchange and identifying malware and hackers)

I want a map to appear when I ask for it identifying where all the IPs I am currently linked to are, and what apps are communicating with those IPs. Plus full history of the same.

Basically I want stateful packet inspection over which simple graphical and charting tools, along with smart alerts, help me understand what's going on.

I really hope Tiger gets the firewall ramped up...and maybe one day I will see my dreams come true.
 
The main point of the built-in firewall is that you don't have to be looking at who will try to attack you but just enjoying your mac...
 
I might like to point out it is generally not recommended that you run 2 software firewalls at the same time because they can start interfering with each other
 
Personally, I need the command line for ipfw. It's a lot easier (and faster!) to ssh to a remote Mac and change firewall settings than it is using Timbuktu or some other (slower) graphical solution.
 
yellow said:
Personally, I need the command line for ipfw. It's a lot easier (and faster!) to ssh to a remote Mac and change firewall settings than it is using Timbuktu or some other (slower) graphical solution.
Easier for you - not so for me. I don't even know where the configuration file is, let alone what all the settings do.
 
wrldwzrd89 said:
Easier for you - not so for me. I don't even know where the configuration file is, let alone what all the settings do.

Yeah, Apple is about making computer easy for the user. Command line is powerful but archaic. Hopefully Tiger will address this.
 
yellow -

If you just want to block everything, except a certain range of ports for a particular network/application such as BitTorrent or an IM program, isn't that precisely what Apple's firewall is good for, or is your point that you might know of something in particular using one of those ports that you might want to block? Most users wouldn't have a clue what to block and what to let through.

From another of your posts:
The Apple GUI control offers NO way to block specific IPs or ranges of IPs. It's all or nothing. This renders the firewall completely useless. It's about as effective as not running a firewall at all. Any service that is running and listening for external connections will show up through a port scan when the Mac is firewalled using the Apple-config, the same as it would if there was no firewall "running" (technically, ipfw is ALWAYS running, its default rule set is "allow all from any to any", but this is equivalent to it being "off"). You cannot specify, hey, I'll let my buddy Foo from so-and-so connect to my FTP server, but everyone else can keep the hell out.

If you just wanted to block everything [or 'everything' specified by port rather than by server], it would be pretty effective, right?
 
can you set the built in firewall in mac os x to ask you if you want a program to connect to the internet?
 