Firewall in OSX

Posted:
in macOS edited January 2014
I just got a cable modem and was wondering if I need to buy firewall software or if i should turn on the firewall in OSX. Im not to sure what to check in the boxes under firewall if i start the firewall.



Click start to prevent incoming network communication to all services and ports other than those enabled below:



Personal file sharing

windows sharing

personal web sharing

remote login

ftp access

remote apple events

printer sharing



I just want to get on the internet with my cable modem. Do I need to check any of the above for any reason?

Thanks

Comments

  • Reply 1 of 8
    Though most will tell you that a hardware firewall is a lot more secure, the software firewall that comes with X should do for most needs. To set it up for just basic use, you don't need any of those boxes checked. All those boxes are for servers that X can natively run. Note that if you scroll down, iChat and, iTunes sharing have entries too that you might be using.
  • Reply 2 of 8
    steve666steve666 Posts: 2,600member
    Quote:

    Originally posted by Code Master

    Though most will tell you that a hardware firewall is a lot more secure, the software firewall that comes with X should do for most needs. To set it up for just basic use, you don't need any of those boxes checked. All those boxes are for servers that X can natively run. Note that if you scroll down, iChat and, iTunes sharing have entries too that you might be using.



    thanks, so basically i should just start the firewall and not check any boxes? If i do start using itunes do i need to check the box?
  • Reply 3 of 8
    You only need to check the iTunes box if you want to use the music sharing feature of iTunes over your local network. If you don't have a local network, this won't be a concern for you.



    Over time, you'll likely encounter some apps that will need access through the firewall, but you can add those on a case by case basis when they don't work. I'm not certain, but I think some P2P software might have issues, and some network/online games might as well.
  • Reply 4 of 8
    steve666steve666 Posts: 2,600member
    Quote:

    Originally posted by Code Master

    You only need to check the iTunes box if you want to use the music sharing feature of iTunes over your local network. If you don't have a local network, this won't be a concern for you.



    Over time, you'll likely encounter some apps that will need access through the firewall, but you can add those on a case by case basis when they don't work. I'm not certain, but I think some P2P software might have issues, and some network/online games might as well.




    I wont use P2P or online games so I didnt check any boxes. so far so good. thanks
  • Reply 5 of 8
    pbpb Posts: 4,255member
    A bit off topic, but I am wondering what exactly the built-in firewall of an Airport Extreme station does? How does it work? Could be considered as an efficient solution, especially combined with the firewall that OS X has?
  • Reply 6 of 8
    ibook911ibook911 Posts: 607member
    Quote:

    Originally posted by PB

    A bit off topic, but I am wondering what exactly the built-in firewall of an Airport Extreme station does? How does it work? Could be considered as an efficient solution, especially combined with the firewall that OS X has?



    PB - In my opinion, yes. The firewall that the airport extreme base station does, like many routers, is a benefit of what they are designed to do. They create a subnet for the computers in your house. So, with the extreme station you are no longer on the net with an IP address that could be targeted. You instead have an IP address assigned by the router, something like 192.168.100.2, or whatever. So, if something bad is tried at the actual IP address your router has from the cable or DSL company, it just goes to the router. There are ways around it, but it is still a nice feature. See, if someone went after the router's IP address, nothing would really be there. It is just the router. So, the NAT firewall basically helps you "hide." I'm sure everyone will laugh at my description and say it is inaccurate, but it might give you the beginning of an idea on how it works.



    I think by using your NAT firewall (aka wireless router in this case), and the built-in Mac OS X firewall, you have a pretty good solution. By having the NAT firewall, the Mac OS X firewall will probably not need to do much blocking. On my XP machines, very rarely, do I see that the software firewall has blocked anything because the NAT firewall prevents it. However, with the NAT firewall removed, I get about 20-30 hits per hour that the software firewall blocks from my cable connection.
  • Reply 7 of 8
    pbpb Posts: 4,255member
    Quote:

    Originally posted by ibook911

    PB - In my opinion, yes. The firewall that the airport extreme base station does, like many routers, is a benefit of what they are designed to do. They create a subnet for the computers in your house. So, with the extreme station you are no longer on the net with an IP address that could be targeted. You instead have an IP address assigned by the router, something like 192.168.100.2, or whatever. So, if something bad is tried at the actual IP address your router has from the cable or DSL company, it just goes to the router. There are ways around it, but it is still a nice feature. See, if someone went after the router's IP address, nothing would really be there. It is just the router. So, the NAT firewall basically helps you "hide." I'm sure everyone will laugh at my description and say it is inaccurate, but it might give you the beginning of an idea on how it works.





    Thanks, I start to understand. Do you know how an attacker could target a computer that has such "local" IP assigned by the router, when this router is not a computer? Or better, how could you prevent this happen, if possible?



    Quote:



    I think by using your NAT firewall (aka wireless router in this case), and the built-in Mac OS X firewall, you have a pretty good solution. By having the NAT firewall, the Mac OS X firewall will probably not need to do much blocking. On my XP machines, very rarely, do I see that the software firewall has blocked anything because the NAT firewall prevents it. However, with the NAT firewall removed, I get about 20-30 hits per hour that the software firewall blocks from my cable connection.




    Scary things. By the way, is there some way to use built-in OS X technologies/software in order to monitor such activities (e.g. hits/hour)?
  • Reply 8 of 8
    rolandgrolandg Posts: 632member
    Quote:

    Originally posted by PB

    Thanks, I start to understand. Do you know how an attacker could target a computer that has such "local" IP assigned by the router, when this router is not a computer? Or better, how could you prevent this happen, if possible?



    For more information on NAT go here.



    On your router, you can specify that certain ports be mapped to certain internal IP addresses. This is called port-forwarding.



    If, for example, you are running a Webserver behind a NAT firewall, you could tell your router to map any incoming traffic addressed on port 8080 (ususally the WWW-server port) to your webserver's IP address.



    This is not the default setting, though.



    I am not sure whether there are ways to circumvent the NAT-mapping, but there could be because the network answers need to go to the computer that put out the request. But I guess this is so heavyly related to parameters such as the IP of the computer the request was addressed to that an attack would not be worth the effort.



    Script-kiddies usually choose the easiest way.



    Quote:

    Originally posted by PB

    Scary things. By the way, is there some way to use built-in OS X technologies/software in order to monitor such activities (e.g. hits/hour)?



    I am no expert, but try VersionTracker and search for "network traffic monitor" in the OS X section.
Sign In or Register to comment.