Thursday, November 01, 2007

Investigating the Leopard Firewall

Investigating the Leopard Firewall: "I feel like I'm missing something, but I think that's it. In short, block mode seems to block inbound connections but ports show as open/filtered. Stealth mode works, partially, but some ports still show on a port scan no matter what (like Kerberos). Bonjour is ALWAYS accessible, unless you're in stealth mode. Application ('Set access') mode is a mess; code signing breaks applications, and the behavior is inconsistent. Any launched services are authorized and you can't change the settings in the firewall GUI.

The good news is that ipfw is still enabled and you can manually configure it or use a GUI like WaterRoof."

(Via Matasano Chargen.)

On my firewall in Leopard I have "Set access for specific services and applications" selected. The only service I want available is SSH. Running nmap from another machine, I get:

adnan@adnan-desktop:~$ nmap

Starting Nmap 4.20 ( ) at 2007-11-01 22:08 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.044 seconds

With the -P0 flag:
adnan@adnan-desktop:~$ nmap -P0

Starting Nmap 4.20 ( ) at 2007-11-01 22:09 CDT
Interesting ports on
Not shown: 1696 filtered ports
22/tcp open ssh

Nmap finished: 1 IP address (1 host up) scanned in 31.862 seconds

Looks good to me.
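To make that check repeatable, here is an added example (not code from the post) that parses nmap's normal output and flags any port that is neither filtered nor on an allowlist. The two scan transcripts inside it are constructed: one mirrors the SSH-only result above, the other shows the Kerberos and Bonjour exposure the quoted article describes.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap 4.x normal output, shaped like the scan in the
# post (host and IP omitted, as on the page). Not captured from a real host.
SCAN_SSH_ONLY = """Starting Nmap 4.20 ( ) at 2007-11-01 22:09 CDT
Interesting ports on
Not shown: 1696 filtered ports
22/tcp open ssh

Nmap finished: 1 IP address (1 host up) scanned in 31.862 seconds
"""

# Constructed output illustrating the leak the quoted article describes:
# Kerberos (88/tcp) and Bonjour/mDNS (5353/udp) reachable alongside SSH.
SCAN_LEAKY = """Starting Nmap 4.20 ( ) at 2007-11-01 22:15 CDT
Interesting ports on
Not shown: 1694 filtered ports
22/tcp   open          ssh
88/tcp   open          kerberos-sec
5353/udp open|filtered zeroconf

Nmap finished: 1 IP address (1 host up) scanned in 33.102 seconds
"""

# One port line: "<port>/<proto> <state> <service>"; state may be "open|filtered".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(output: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> state for every port line in nmap normal output."""
    return {(int(p), proto): state
            for p, proto, state, _service in PORT_LINE.findall(output)}


def unexpected_exposure(output: str,
                        allowed: Set[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (port, proto, state) for every non-filtered port outside the allowlist.

    "open|filtered" is treated as exposure: nmap got no answer either way, so the
    firewall is not demonstrably dropping the probe.
    """
    return sorted((port, proto, state)
                  for (port, proto), state in parse_ports(output).items()
                  if state != "filtered" and (port, proto) not in allowed)
```

An empty result means the host exposes exactly the allowlist; anything returned is a service the firewall setting did not hide.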

Update: Ouch!
Nick left an interesting comment. I'm not sure what's going on here yet. But definitely not nice!