Home > Articles > Apple > Operating Systems
␡
Page 1 of 8Next >
This chapter focuses on mitigating and controlling access using Mac OS X firewalls on both the client and server. You’ll learn how to verify when attack attempts and system failures occur, and how to configure firewalls to guard against them.
As of Red Hat Enterprise Linux 6.5, the iptables and ip6tables services now provide the ability to assign a fallback firewall configuration if the default configuration cannot be applied. If application of the firewall rules from /etc/sysconfig/iptables fails, the fallback file is applied if it exists. Firewall Enabled by default. See the How to Create a WAN Firewall Rule article for more information on the default firewall policies. DHCPv6 If your ISP supports IPv6 using DHCPv6-PD, you will need to assign the supplied Prefix length given from the ISP, enable the default IPv6 firewall, and define the LAN interfaces that will need IPv6.
This chapter is from the book
Apple Training Series: Mac OS X Security and Mobility v10.6: A Guide to Providing Secure Mobile Access to Intranet Services Using Mac OS X Server v10.6 Snow Leopard
This chapter is from the bookThis chapter is from the book
Apple Training Series: Mac OS X Security and Mobility v10.6: A Guide to Providing Secure Mobile Access to Intranet Services Using Mac OS X Server v10.6 Snow Leopard
Security has never been more critical when administrating client and server systems.
Today’s external threats range from macro viruses embedded in documents and spreadsheets, to denial of service network attacks. All networked systems are potentially vulnerable to probes and attacks—intentional and unintentional—as assailants constantly scan systems connected to the Internet. However, attacks can also come from internal sources. In 2008 and 2009, the greatest number of reported data breaches actually came from within corporate networks.
To help administrators protect their systems, this chapter focuses on mitigating and controlling access using Mac OS X firewalls on both the client and server. In this chapter, you’ll learn how to verify when attack attempts and system failures occur, and how to configure firewalls to guard against them.
Understanding the Mac OS X Firewall
In the days before digital technology, the term firewall described an actual fireproof wall designed to contain fires, such as the barrier between a car’s engine and its passenger section.
Like those physical walls, computer firewalls work to prevent improper network packets from “burning through” a host or network perimeter. Today’s digital firewalls consist of hardware or software that blocks unauthorized network access from sources outside or inside your network.
Default Firewall Settings Windows 10
Mac OS X has two software firewalls: the IP Firewall (ipfw) and the Application Firewall. While ipfw is available in both Mac OS X and Mac OS X Server, Mac OS X Server includes a graphical user interface for detailed configuration, monitoring, and troubleshooting. Mac OS X provides basic, user-oriented service configuration, and optional advanced configuration. Mac OS X Server also includes an Adaptive Firewall, which can add and remove firewall rules based on network events.
Using the Mac OS X Application Firewall
The most common method for securing network services is to configure a firewall at the network perimeter, where the network connects to a remote network such as the Internet. Most networks use a firewall to limit inbound traffic from the Internet or remote connections. In fact, most home and small business routers, such as Apple’s AirPort base stations, are designed with built-in firewall software.
While network-level firewalls will block unauthorized traffic trying to enter your network, they will not block traffic that originated inside your network. Also, if your Mac is mobile and frequently joins new wired or wireless networks, your computer will regularly encounter networks with different firewall rules or, possibly, no firewall protection at all. So secure mobile access is an important consideration in designing your overall firewall policies.
To protect against unauthorized network access to your Mac, you can enable the Application Firewall via System Preferences. Administrators can utilize command-line tools to enable and configure the firewall.
Network-based firewalls use a set of rules that target specific service port numbers, such as TCP port 80, the port used for standard HTTP services. However, certain network services—such as iChatAgent (the background process that receives incoming connections for iChat)—use a wide range of dynamically assigned ports. These dynamic multiport services use more than one port to transfer multiple data types. For example, iChat can transmit audio, video, screen sharing, and text all at one time, which requires a multiport approach. This typically causes configuration complications with network-based firewalls because numerous ports need to be open to allow the service to function.
As a solution to this issue, Mac OS X’s Application Firewall allows connections based on application and service needs without requiring the user or administrator to know the myriad ports these apps and services may use. For example, you can authorize iChatAgent to allow incoming connections without manually configuring ports or port ranges.
The Application Firewall in Mac OS X version 10.6 includes a new feature that enables administrators to allow signed software to receive incoming connections automatically. Applications that have been digitally signed by their authors can accept inbound network connections without further configuration from the user or administrator, simplifying administration of deployed systems. Digitally signing an application provides reassurance that the application has not been tampered with.
Its adaptive nature means the Application Firewall will open necessary ports only when an application is running. This prevents several types of known attacks on personal systems.
Configuring the Mac OS X Application Firewall
To enable and configure the Max OS X firewall using System Preferences, here’s what you do:
Related Resources
Purdue Engineering Computer Network
This FAQ has instructions and graphics relevant for OS X versions 10.0 10.1.x 10.2.x 10.3.x and 10.4.x ONLY.
Mac OS X includes the ability to enable a firewall on your computer. A firewall is a software (or hardware) intermediary that screens incoming and outgoing network traffic. The main purpose of this is to stop hackers from gaining entry into your computer through various connection methods. By limiting the amount and type of traffic that is allowed to pass on your computer, you can eliminate many of these methods.
Mac OS X's firewall works by allowing certain ports to open. This is different from some firewall products, which by default allow all ports and restrict certain ports. OS X's implementation allows you to close the largest number of potentials entries with the least amount of setup. When you set up your firewall, you need to decide which ports you will need to keep open. OS X includes a number of default ports for things such as viewing web sites (port 80), SSH (port 22), and many others. To increase security, ports that have a corresponding service in the Services tab of the Sharing control panel cannot be allowed until that service is enabled. For example, Apple File Protocol (AFP), used for file sharing between Macs, uses ports 548 and 427. OS X will not allow those ports until Personal File Sharing is enabled. These 'built-in' services cannot have their settings changed, and also cannot be deleted. You might also have specific applications, such as iChat, that use ports not included with the default OS X install. We can add our own ports, and even specify a range or series of ports. Enabling the Firewall
The first step is to locate the Firewall controls. You will find it in the Sharing control panel of System Preferences.
After you are in the Sharing control panel, Firewall is the 2nd tab.
By default, the firewall is off. Now that you know what specialized ports you may need open (if any), make sure those applications or services are not running, as turning on the firewall will disrupt their connection.
Turn the firewall on by clicking the Start button in the middle of the Firewall window. The firewall should start almost immediately.
To the right of the Start/Stop button you will see a list of pre-configured services and their respective ports. The ones that are checked (enabled) have corresponding enabled services, as stated above. You cannot edit or delete these configurations.
The next step is to add any ports that are not in the default list. These could include remote access, secure ports, chat/messaging applications, and many others. For this example, we will add support for SFTP, port 115.
A complete list of common ports used is available here. Always check this site for an updated list of frequently used ports.
Since SFTP is not a default service, we will have to add it. To do so, click the New... button.
Now you will be presented with a list of pre-specified port names. Selecting one will enter the name as the port name and add the appropriate port number.
Since SFTP is not listed as a pre-configured port, we will enter it ourselves. In the Port Name pop-up box, select Other. You will be presented with blank text boxes. Enter 115 as the port number and SFTP as the description.
Click OK and the entry will be added to the list of ports allowed.
You should continue to add and tweak your own settings until your computer is as secure as possible, while not disrupting your work. Also be sure to turn off any built-in services that you don't use frequently, such as FTP or Remote Access. Turning them on only when needed will greatly decrease the risk of intrusion.
Last modified: 2014/01/29 10:48:27.426004 US/Eastern by joshua.g.davis.1
Created: 2007/11/06 14:23:33.346000 US/Eastern by brian.r.brinegar.1. Categories
Default Firewall For Os X 1Search
Type in a few keywords describing what information you are looking for in the text box below.
Default Firewall For Os X 8
Admin Options: Edit this Document
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2020
Categories |