Do most of you enable firewall?

I do. I use the default settings and open up the ports/services as I add them.

I don't and never did. First of all I have a hardware firewall at my house and second, when no services are enabled in the "Sharing" preference panel, attacks from the outside are very, very unlikely.

What's a firewall?

It is the one that gives your back (or a$$ if you wish ) some fire and makes you run around trying to figure out what is burning, or protects it from that if enabled.

How do you surf the net with no open ports? Did you use the force to type that post? You do not have it on - therefore I think ALL your services are enabled.

Gwoodpecker is right. By default OS X does not have any open ports. Someone from the outside will not be able to establish a connection to your box unless you start some of the "Sharing" services.

In the case of you making a request on your machine, and having it be answered (ex. surfing the web), a firewall buys you nothing. It lets the reply traffic through. Think about it, you don't have to open port 80 to surf the web, but you sure do to run a web server.

Now come on, you know exactly that the discussion about desktop firewalls is in over 90% of all cases about blocking open ports into the computer only. Nothing can (in Windows: should) come in on its own from the outside when no ports are open (or the computer is completely firewalled).

We were not talking about server services going out or anything else...

Enable the firewall. Restart your computer and try to surf the web without opening any ports. It wont work - Mine didn't.

That still has nothing to do with incoming packets.

Are we talking about the same things here? If you enable the firewall that is built into the Sharing System Preference then you can surf, FTP, send and receive email. It doesn't block TCP requests from your computer. It will block unsolicited requests from the outside world trying to access your computer. If I understand correctly, if you go to a web site that issues a cookie or interacts with a database, then that is a request from your computer and it will be allowed by the system firewall.

There are firewalls, third party software, built-in to the OS X Server and hardware that if they are fully activated you are dead in the water.

OS X uses ipfw for the firewall. If you turn it on and have no services enabled the rule set is...

02000 92 10952 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 3 351 allow tcp from any to any out
02060 3 290 allow tcp from any to any established
02065 0 0 allow tcp from any to any frag
12190 1 48 deny tcp from any to any
65535 22065384 21876305651 allow ip from any to any

and will allow surfing, passive ftp, etc. as long as it initiates from your system. This is because of dynamic rules that are put in place by the rules 02050 and 02060 above that allow for routes to be established from internal. Enabling services does two things.

1) It starts the appropriate daemon for the service to allow outsider to get something from your computer - httpd for web, sshd for remote login, etc.

2) if the firewall is active the appropriate port is opened in the firewall for these services. port 443 and 80 for web/http, port 22 for sshd/login, etc.

If you close the port then the service never gets a request.

If you have a typical home router with NAT between your system and the internet then you have reasonable protection against external attacks. This does nothing for e-mail/malicious web sites, etc. but those are very few a far between on the Mac. Your router may also have a firewall as well and you may route a given port, say 80, to your computer so it can act as a web server. That would increase your risk of an attack.

BTW you don't need to restart your system to have changes in the firewall take effect.

How good is the OSX firewall anyway ? I read somewhere that it's just somewhat mediocre ...

Any software firewall solution could be considered as mediocre. But, in the Mac OS X case, it can be fine tuned using the terminal utility ipfw, like on any BSD Unix system, so what you have read is just nonsene. Although the firewall settings accessed through System Preferences are pretty basic, there are utilities with GUI that can do the trick for those who would not risk to mess with the terminal as administrators.

Anybody use a hardware firewall on their mac? And does anybody know a good hardware firewall for the mac?

- Mark

I assume you're referring to a dedicated firewall appliance. As such it would have nothing to do with with being either mac or pc or linux as it would be a separate piece of hardware.

Why would you want to? The built in firewall in OS X can pretty much do all you'd really want. The only reason to purchase a hardware firewall is to protect a whole network segment. (You could use OS X for this, but it would kinda be a waste of a machine. Perhaps if you had an old box with 2 network cards in it ...)

Not exactly an answer to your question, but the NAT firewall coming with Airport and other routers is something to be considered too. Not exactly a hardware firewall, but a good companion to the computer software firewall.

Honestly, I disabled ALL my firewalls. I had three going for no real reason, but if I was to ever firewall anything it would be through my router, not my OS. It just makes more sense, and to be honest if someone REALLY wants in your computer, they will find a way. After hacking through my own router, I gave up with firewalls in general. So for all of you out there who have nothing better to do, have at it.