Saturday 22 August 2015

Configure the OS X application firewall

With the number of malicious attacks on Macs increasing, Matthew JC. Powell shows you how to build a wall against them

If you watch a lot of Hollywood movies, you’re probably familiar with the term ‘firewall’ as some sort of defence mechanism against computer-based attacks. Of course, since no screenwriter in Hollywood actually seems to know what a firewall is or what it does, that may well be the extent of your understanding of it.

A firewall is just a program that monitors traffic coming in and out of your computer. If you wish, you can instruct the firewall to allow certain traffic through and to deny access to other traffic. And that is basically it — there’s no actual fire involved.

Until fairly recently, Mac users have been able to be fairly blasé about understanding and using things like firewalls and antivirus software because the number of malicious attacks on Macs has been vanishingly small. It’s still vanishingly small as a proportion of the overall malware picture, but it’s significant enough now that you should arm yourself with a bit of basic knowledge.

Thankfully, the Mac comes with not one, but two firewalls built in. There’s the Unix-based ipfw application, which has shipped with every Mac since OS X was introduced, and the Application Firewall, which was introduced in OS X 10.5 and has undergone significant refinement since.

The difference between the two is simple: ipfw is a port-based firewall, while the Application Firewall is, as its name suggests, application-based. That is, ipfw looks at specific ports on which network traffic is coming into the Mac and makes sure it’s all kosher, while the Application Firewall looks at traffic associated with certain applications and blocks whatever hasn’t been authorised.

In this context, a port isn’t the same as a physical connector on the outside of your computer. There are literally tens of thousands of virtual ports on which network traffic can travel, and well-behaved applications use specific ports for their traffic.

Obviously, configuring a firewall to monitor tens of thousands of ports is not a trivial task, so ipfw tinkering is the realm of serious geekdom. If you don’t activate the Application Firewall, ipfw operates in a good-enough-for-most-people default mode to keep you reasonably safe.

There are third-party utilities available that make ipfw simpler to use (for example, Norton Personal Firewall is really just a graphical interface for ipfw), although for most people the Application Firewall is as good and much easier to use.

To turn on the Application Firewall, open System Preferences, go to the ‘Security & Privacy’ pane and click on the Firewall tab. If it tells you that the firewall is off, click the ‘Turn Firewall On’ button (you may need to enter an admin username and password first).

And that’s more or less it, if you’re happy enough for Apple to decide which of your applications can communicate over the network and which cannot. However, you shouldn’t be, so let’s investigate further.

CLICK ON FIREWALL OPTIONS

In the next pane, you’ll see the option to ‘Block all incoming connections’ — only click on this if you’re very paranoid and really only want a minimally useful Mac. Nothing aside from web browsing and email that requires a network connection will work. If you share your iTunes library with other people in the house, for instance, they will get very cranky.

If you’re not blocking all incoming connections, you have the option to set access for specific applications. And this is where the simplicity of the application-based firewall wins over ipfw: you don’t need to know which ports a particular application wants to use, only whether or not you want to allow it to use your network.

To add an application to the list, click on the ‘+’ symbol and then navigate to its location using the Finder. Once it’s added to the list you have the option to allow or block it. Services that require network access (for example, File Sharing if you’ve activated it under the Sharing pane of ‘System Preferences’) are added to the list automatically and cannot be blocked. Again, you have no need to know which ports any of these applications or services use.

Next, you have the option to allow ‘signed’ applications (software that has a valid security certificate) automatically. Generally speaking, this is pretty safe. If you tick this and then run an unsigned application, you will be asked whether to allow or deny it. If you deny it, it will be added to the list and blocked. (You can also add signed applications to the list and explicitly block them yourself if this is necessary.)

Finally there’s the option to ‘Enable stealth mode’. This is a handy thing to do regardless of whatever else you do with your firewall. Basically, it means that if any malware, bots or other nasties go looking for computers on the internet, they won’t find yours. Any ‘ping’ requests your Mac receives will not be bounced back — just ignored. It’s as if a burglar went up to your front door to try the lock and discovered that your house wasn’t even there. Cool.
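The pane described above has a command-line counterpart, which is handy if you want to check a Mac's firewall settings without clicking through System Preferences. The script below is an added example, not part of this article: it uses the socketfilterfw tool that ships with OS X in /usr/libexec/ApplicationFirewall to audit the same settings (firewall on, stealth mode on, the per-application allow/block list) and to apply the recommended ones. The sample outputs embedded in it (SAMPLE_STATE, SAMPLE_STEALTH, SAMPLE_APPS) are constructed to resemble what the tool prints; the exact wording can differ between OS X versions, so the parsing keys on the words enabled/disabled and on the ‘State = N’ figure rather than on whole lines.

```shell
#!/bin/sh
# Added example, not from the article: audit (and optionally apply) the
# Application Firewall settings from the command line. socketfilterfw is the
# tool behind the Security & Privacy > Firewall pane.
ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample outputs, shaped like what the --get* queries print.
# Real wording may vary by OS X version; verify against your own Mac.
SAMPLE_STATE='Firewall is enabled. (State = 1)'
SAMPLE_STEALTH='Stealth mode disabled'
SAMPLE_APPS=$(printf 'ALF: total number of apps = 2 \n\n1 :  /Applications/Messages.app \n \t ( Allow incoming connections )\n2 :  /Applications/Chatty.app \n \t ( Block incoming connections )\n')

# Reduce one status line to on/off/unknown. --getglobalstate prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)";
# --getstealthmode and --getblockall use enabled/disabled wording as well.
alf_status() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *disabled*|*"state = 0"*) echo off ;;
        *enabled*|*"state = "[1-9]*) echo on ;;
        *) echo unknown ;;
    esac
}

# Turn "--listapps" output into one "<path><TAB>allow|block" line per app.
# The tool prints a numbered path line followed by "( Allow/Block incoming connections )".
alf_parse_apps() {
    awk '
        /^[0-9]+ *: / { sub(/^[0-9]+ *: */, ""); sub(/[ \t]+$/, ""); path = $0; next }
        path != "" && /\( *Allow / { printf "%s\tallow\n", path; path = "" }
        path != "" && /\( *Block / { printf "%s\tblock\n", path; path = "" }
    '
}

# Compare the two settings the article recommends against "on".
# Prints what is off and where in the GUI to fix it; returns 1 if anything is off.
alf_check_settings() {
    rc=0
    if [ "$(alf_status "$1")" != on ]; then
        echo "firewall OFF: Security & Privacy > Firewall > Turn Firewall On"
        rc=1
    fi
    if [ "$(alf_status "$2")" != on ]; then
        echo "stealth mode OFF: Firewall Options > Enable stealth mode"
        rc=1
    fi
    return $rc
}

# Live audit on a Mac; elsewhere explain why it cannot run and return 2.
alf_audit() {
    if [ ! -x "$ALF" ]; then
        echo "$ALF not found: this audit only runs on OS X" >&2
        return 2
    fi
    alf_check_settings "$("$ALF" --getglobalstate)" "$("$ALF" --getstealthmode)" || :
    echo "Per-application rules:"
    "$ALF" --listapps | alf_parse_apps
}

# Apply the article's recommendations (asks for an admin password via sudo):
# firewall on, stealth mode on, signed software allowed automatically.
alf_apply_recommended() {
    [ -x "$ALF" ] || return 2
    sudo "$ALF" --setglobalstate on
    sudo "$ALF" --setstealthmode on
    sudo "$ALF" --setallowsigned on
}

# Add an application to the list and block it: the CLI equivalent of "+" then Block.
alf_block_app() {
    [ -x "$ALF" ] || return 2
    sudo "$ALF" --add "$1" && sudo "$ALF" --blockapp "$1"
}

# Offline demonstration on the constructed samples (runs on any Unix).
alf_demo() {
    echo "firewall:     $(alf_status "$SAMPLE_STATE")"
    echo "stealth mode: $(alf_status "$SAMPLE_STEALTH")"
    printf '%s\n' "$SAMPLE_APPS" | alf_parse_apps
    alf_check_settings "$SAMPLE_STATE" "$SAMPLE_STEALTH" || :
}

if [ -x "$ALF" ]; then alf_audit; else alf_demo; fi
```

Run it as an ordinary user to see the current state; only alf_apply_recommended and alf_block_app change anything, and both go through sudo, which matches the admin prompt the GUI shows. The checker reports the GUI location for each setting that is off, so the output doubles as a to-do list for the steps above.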

A word of warning, though. Once you activate your firewall, things can get a little annoying for a while. That chat program you like to use may or may not be signed, so you might have some problems with it until it’s configured. There might be a utility you’re running in the background doing something very useful, which it can no longer do because it requires network access. Expect to have a few awkward days while you work out your particular firewall needs.

The Application Firewall also doesn’t monitor any outgoing traffic, only incoming. This isn’t a huge problem yet, as spyware and keyloggers aren’t really a thing for Macs so far. If you want to keep an eye on applications sending traffic out from your Mac, there’s a utility called Little Snitch (www.obdev.at/products/littlesnitch/index.html) that can do it for you. It costs US$34.95, but offers a demo mode for free, so you can install it and see whether it’s right for you.