fedora said:
Can you set the built-in firewall in Mac OS X to ask you if you want a program to connect to the internet?

Not in Panther. If they did in Tiger I'd be amazed, but it would be a useful tool for most, I think. I wouldn't hold your breath.
 
syniac said:
If you just wanted to block everything [or 'everything' specified by port rather than by server], it would be pretty effective, right?

But then how do I connect to my machine if the port is blocked? What am I gaining? If the firewall is off completely, the only things that answer to port scans are services that are listening for connections. Why are you bothering to run services if you don't want them to be connected to? The little you gain from the Apple-control firewall is that if you don't know what the hell you're doing and accidentally turn on a service (that happens to be insecure) but don't open the ports in the firewall, you're at least protected from your own folly. But if you cannot effectively block IPs from services, you might as well not have a firewall running at all. Take this, for example:

With the Mac GUI ipfw control, I want to have remote access turned on (ssh, port 22). So I poke a hole in the firewall and allow access to port 22. When someone from anywhere in the world scans my Mac, they see port 22 open.

I turn off the firewall. The only service I have running that is listening for connections is port 22. Again, when someone from anywhere in the world scans my Mac, they only see port 22 open.

There's no effective difference, therefore, the firewall is pretty much worthless. I'm unable to protect my ports with the Apple control, they are either open to the world, or they are closed off completely, which doesn't do any good either, since I need to connect to my Mac with ssh. With the current spate of ssh attacks coming from asia, I prefer to protect myself as much as possible.

See the difference?

My argument is, like you said, that people typically don't know what they're doing with the firewall and just poke so many holes in it to so many inherently insecure services, that they might as well save themselves the trouble and turn "off" ipfw, since it's not doing anything for them anyway. I guess what puts a burr under my saddle is that people want to be "secure" but don't want to spend the time to learn what that actually means. They simply want it fed to them with a silver spoon: press this button and you're "secure".
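What the post above is asking for (port 22 reachable from one trusted network, every other attempt logged) is a two-rule ipfw job from the command line, even though the Panther/Tiger GUI can't express it. The script below is an added example, not code from the thread; it assumes root, the ipfw that shipped with Mac OS X 10.3/10.4, and that 192.168.1.0/24 is the network you administer from (the TRUSTED_NET value is a placeholder, change it to yours). ipfw evaluates rules in ascending number order, so the low numbers here are checked before anything the System Preferences pane added.

```shell
#!/bin/sh
# Added example (not from the thread): restrict sshd to one trusted network
# with ipfw and log everything else that knocks on port 22.
# Assumptions: run as root on Panther/Tiger, and 192.168.1.0/24 is the
# network you ssh in from. Override with TRUSTED_NET=... if not.
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"

# Print the rule set for a given trusted network, one ipfw command per line.
# Rule 100 admits the trusted net; rule 110 drops and logs everyone else,
# which is exactly the distinction the GUI's "open port 22" cannot make.
ssh_rules() {
    net="$1"
    cat <<EOF
add 00100 allow tcp from $net to me 22 in
add 00110 deny log tcp from any to me 22 in
EOF
}

# "apply" installs the rules; anything else just shows them, so the script
# is safe to run on a box without ipfw (or without root) to see the result.
if [ "${1:-}" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    # ipfw only writes 'log' rule hits to syslog when verbose is on; the
    # entries go to the security facility (/var/log/ipfw.log on Tiger).
    sysctl -w net.inet.ip.fw.verbose=1
    # $rule is intentionally unquoted: each line is several ipfw arguments.
    ssh_rules "$TRUSTED_NET" | while read -r rule; do ipfw -q $rule; done
    # -a shows packet/byte counters, so you can watch rule 110 count up
    # during the next round of scans.
    ipfw -a list | grep ' 22 '
else
    ssh_rules "$TRUSTED_NET"
fi
```

From outside the trusted network the scanner now sees port 22 filtered rather than open, and each attempt shows up in the log with its source address; from inside, ssh works as before. Rules added this way do not survive a reboot on their own, so put them in whatever startup item you already use for ipfw.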
 
yellow said:
You've no worries about security on your Mac?
I have Virex too - just in case - but it hardly ever gets used. I'm not terribly concerned about my Mac's security since my internet connection is well protected with a firewall/router/NAT device.

I have a PC, but I don't surf the internet with it. All internet downloads destined for my PC must pass through my Mac first.
 
wrldwzrd89 said:
I'm not terribly concerned about my Mac's security since my internet connection is well protected with a firewall/router/NAT device.

I thought I was too, until it dawned on me one day that my router had ports forwarded. And that some of those ports on my Mac were vulnerable. Checking back through the logs showed me that I was getting ssh attacks quite regularly. I quickly reinstituted my software firewall policy and got back on my high horse.
 
aswitcher said:
I am trialling NetBarrier and it seems OK... a bit buggy, but it seems to do the job. Traceroute and WhoIs play up. And I have had some weird programs allowed out without my sanction, even after saying it was needed...

I hope you didn't spend the money for NetBarrier? While it works fine, it is expensive. Not only do they want a nice chunk of your money up front to buy it, they expect you to pay if they upgrade their product, while you are supposedly covered under the "free updates & upgrades" within a year policy. Then they will want more money after your year is up to keep getting updates. Avoid Intego like it is the plague. Turn on the Apple firewall and get a copy of Little Snitch and you will be set.
 
Stewie said:
I hope you didn't spend the money for NetBarrier? While it works fine, it is expensive. Not only do they want a nice chunk of your money up front to buy it, they expect you to pay if they upgrade their product, while you are supposedly covered under the "free updates & upgrades" within a year policy. Then they will want more money after your year is up to keep getting updates. Avoid Intego like it is the plague. Turn on the Apple firewall and get a copy of Little Snitch and you will be set.

Well, NetBarrier is more than just a firewall. If they had kept up with Mac OS X major updates, I would probably still be using it but they lagged so far behind them, it was dangerous due to a lack of patience.

I liked the fact that it monitored so well. Activity Monitor can give you minimal information, but if someone is flooding you, you'll just notice a slowdown. NetBarrier will help you deal with it. Don't want ads? NetBarrier will help you build rules to eliminate anything from the servers.
 
yellow said:
There's no effective difference, therefore, the firewall is pretty much worthless. I'm unable to protect my ports with the Apple control, they are either open to the world, or they are closed off completely, which doesn't do any good either, since I need to connect to my Mac with ssh. With the current spate of ssh attacks coming from asia, I prefer to protect myself as much as possible.

What about just running ssh-keygen (or its equivalent, depending on the OS of the client) on the client computers you use, and then setting sshd on your Mac to only accept connections that use key authentication? That would give you better security overall, regardless of what IP restrictions you put on ipfw.
 
sshd is already only accepting a limited number of users, as specifiable in sshd_config. However, I prefer to actually be able to see what is getting through the hardware firewall on the router (which doesn't log). Is it a bit of overkill? Perhaps. Paranoia? Maybe. Does it log and I get to read it? Yeppers. Is there noticeable overhead to having a software firewall checking all my incoming packets? Not noticeable to me or my wife, so I don't sweat it.

But please realize, this thread is well over a year old, so things have changed a bit. :)
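The two suggestions in the exchange above (key-only authentication from wrldwzrd89, and a user allow-list in sshd_config from yellow) are easy to intend and easy to get subtly wrong, because sshd takes the first value it sees for a keyword and silently falls back to defaults for anything left commented out. The script below is an added example, not code from the thread: it reads an sshd_config and reports whether it really enforces key-only, user-restricted logins. The two sample configs it checks are constructed for the demo, and the user names in the AllowUsers line are placeholders. The directives are standard OpenSSH ones in their Tiger-era spelling (ChallengeResponseAuthentication, not the newer KbdInteractiveAuthentication).

```shell
#!/bin/sh
# Added example (not from the thread): check that an sshd_config actually
# enforces key-only logins for a named set of users. Sample configs below
# are constructed for the demo; the directive names are standard OpenSSH.

# Effective value of one directive. sshd is case-insensitive on keywords
# and uses the first uncommented occurrence; commented lines never match
# because their first field starts with '#'. Prints the given default if
# the file never sets the keyword.
sshd_value() {
    file="$1"; key="$2"; default="$3"
    v=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${v:-$default}"
}

# Report every weakness; succeed (return 0) only when logins are key-only,
# root cannot log in directly, and an AllowUsers list is present.
check_sshd_config() {
    f="$1"; bad=0
    if [ "$(sshd_value "$f" PasswordAuthentication yes)" != no ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (the default is yes)"; bad=1
    fi
    # Keyboard-interactive auth can still prompt for a password even when
    # PasswordAuthentication is off, so this must be 'no' as well.
    if [ "$(sshd_value "$f" ChallengeResponseAuthentication yes)" != no ]; then
        echo "WEAK: ChallengeResponseAuthentication still allows password prompts"; bad=1
    fi
    if [ "$(sshd_value "$f" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication is disabled"; bad=1
    fi
    # Older OpenSSH defaulted PermitRootLogin to yes; require an explicit no.
    if [ "$(sshd_value "$f" PermitRootLogin yes)" != no ]; then
        echo "WEAK: PermitRootLogin is not 'no'"; bad=1
    fi
    if [ -z "$(sshd_value "$f" AllowUsers "")" ]; then
        echo "WEAK: no AllowUsers list; every local account is a valid target"; bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "OK: key-only, user-restricted sshd"
    fi
    return "$bad"
}

# Constructed sample configs (placeholder user names), not real files.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# sshd_config left at its defaults: everything relevant is commented out
#PasswordAuthentication yes
#PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$tmp/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice bob
Subsystem sftp /usr/libexec/sftp-server
EOF

for c in weak hardened; do
    echo "== $c =="
    check_sshd_config "$tmp/$c" || true
done
```

Run it against /etc/sshd_config (root can read it; on Tiger a plain user can too), fix what it flags, and restart sshd by toggling Remote Login in Sharing. Then confirm from a client with `ssh -o PreferredAuthentications=password user@mac`: the only acceptable answer is "Permission denied (publickey)". The ipfw log will still show the attempts from Asia, but each one now fails before a password is ever examined.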
 
yellow said:
sshd is already only accepting a limited number of users, as specifiable in sshd_config. However, I prefer to actually be able to see what is getting through the hardware firewall on the router (which doesn't log). Is it a bit of overkill? Perhaps. Paranoia? Maybe. Does it log and I get to read it? Yeppers. Is there noticeable overhead to having a software firewall checking all my incoming packets? Not noticeable to me or my wife, so I don't sweat it.

But please realize, this thread is well over a year old, so things have changed a bit. :)

Whoops! I guess I must have read the 2004 dates as "2005." :)
 