Thursday, November 01, 2007

Investigating the Leopard Firewall | securosis.com

Investigating the Leopard Firewall | securosis.com: "I feel like I'm missing something, but I think that's it. In short, block mode seems to block inbound connections, but ports show as open/filtered. Stealth mode works, partially, but some ports still show on a port scan no matter what (like Kerberos). Bonjour is ALWAYS accessible, unless you're in stealth mode. Application ('Set access') mode is a mess: code signing breaks applications, and the behavior is inconsistent. Any launched services are authorized, and you can't change the settings in the firewall GUI.

The good news is that ipfw is still enabled and you can manually configure it or use a GUI like WaterRoof."


(Via Matasano Chargen.)
On my firewall in Leopard I have "Set access for specific services and applications" selected. The only service I want available is SSH. Running nmap from another machine, I get:

adnan@adnan-desktop:~$ nmap 192.168.xxx.xxx

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-01 22:08 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.044 seconds

With the -P0 flag:
adnan@adnan-desktop:~$ nmap 192.168.xxx.xxx -P0

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-01 22:09 CDT
Interesting ports on 192.168.xxx.xxx:
Not shown: 1696 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 31.862 seconds

Looks good to me.
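The check above is done by eye: one expected port open, everything else filtered. Below is an added example (my own code, not from the original post or from securosis) that does the same check programmatically against nmap's normal output, so a scan that leaks Kerberos or Bonjour, as the quoted article describes, turns into a finding rather than something you have to spot in the listing. It also recognises the "Host seems down" case from the first scan, where the firewall dropped nmap's ping probes and the right move is to rerun with -P0 (called -Pn in current nmap). The three scan transcripts embedded in the script are constructed for the example and modelled on the output in this post; the host address, port counts and the two leaked services are assumptions, not results from the author's machine.

```python
"""Audit an nmap scan against an allow-list of ports that should be reachable.

Added example, not code from the original post.  It parses nmap's normal
(human-readable) output and reports every port that is neither allow-listed
nor 'filtered', which is the state a stealth firewall should leave for
anything it blocks.
"""
import re

# Constructed sample: a combined TCP/UDP scan (nmap -sS -sU) of a Leopard host
# that should expose nothing but SSH.  The address, the "Not shown" count and
# the leaked ports are made up for the example; 88/tcp (Kerberos) and
# 5353/udp (Bonjour/mDNS) stand in for the services the quoted article says
# keep showing up on a scan.
SAMPLE_LEAKY_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-01 22:09 CDT
Interesting ports on 192.168.1.10:
Not shown: 3193 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
88/tcp   open  kerberos-sec
5353/udp open  zeroconf

Nmap finished: 1 IP address (1 host up) scanned in 31.862 seconds
"""

# Constructed sample: the same host with only SSH reachable (the result the
# post shows after adding -P0).
SAMPLE_CLEAN_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-01 22:09 CDT
Interesting ports on 192.168.1.10:
Not shown: 1696 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 31.862 seconds
"""

# Constructed sample: what nmap prints when the firewall drops its ping probes
# (the post's first scan, before -P0).
SAMPLE_HOST_DOWN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-01 22:08 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.044 seconds
"""

# One port line looks like "22/tcp   open  ssh".  The state may contain a pipe
# (e.g. open|filtered), so it is matched as a run of non-space characters.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(scan_text):
    """Map (port, proto) -> (state, service) for every port line in the output."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def audit_scan(scan_text, allowed):
    """Classify a scan against an allow-list of (port, proto) pairs.

    Returns (verdict, findings):
      "host-down" : nmap gave up before probing ports because its ping probes
                    were dropped; rerun with -P0 (-Pn on current nmap)
      "clean"     : every listed port is either allow-listed or 'filtered'
      "exposed"   : something else answered, or nmap could not show it
                    as filtered
    findings lists (port, proto, state, service) for each offending port.
    Anything other than 'filtered' is treated as a leak: 'open' and 'closed'
    both mean the host answered, and 'open|filtered' means nmap could not
    tell, which is the conservative reading for a firewall audit.
    """
    if "Host seems down" in scan_text:
        return "host-down", []
    findings = [
        (port, proto, state, service)
        for (port, proto), (state, service) in sorted(parse_ports(scan_text).items())
        if (port, proto) not in allowed and state != "filtered"
    ]
    return ("exposed" if findings else "clean"), findings


if __name__ == "__main__":
    allowed = {(22, "tcp")}
    for name, text in (("leaky", SAMPLE_LEAKY_SCAN),
                       ("clean", SAMPLE_CLEAN_SCAN),
                       ("ping-blocked", SAMPLE_HOST_DOWN)):
        verdict, findings = audit_scan(text, allowed)
        print(name, verdict, findings)
```

To use it against a real host, capture the scan with something like `nmap -sS -sU -P0 <host> > scan.txt` and pass the file contents to `audit_scan`; the "host-down" verdict is the cue that you forgot -P0, and an "exposed" verdict lists exactly what the firewall let through.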

Update: Ouch!
Nick left an interesting comment. I'm not sure what's going on here yet, but it's definitely not nice!