Mac OS X Firewall Question

Posted:
in macOS edited January 2014
I know that Apple has a built-in Firewall called ipfw. I've read about it on their website. The question I have is just how secure is it? I haven't enabled any ports and am using the "out-of-the-box" configuration. I would just like to hear what you all have to say about ipfw and hopefully the things you all say will be good ones. I'm hooked up to a DSL line and am susceptible if the firewall isn't able to thwart an intruder. So let's hear what you all have to say about Apple's built-in firewall with an "out-of-the-box" setup. Thank you in advance for your comments.

Comments

  • Reply 1 of 8
    bartobarto Posts: 2,246member
    IPFW is a fantastic firewall. However, it is a very complex and powerful one, and NOT enabled by default.



    If you do choose to enable it (in the "Sharing" system preference), you have a very limited range of GUI options. To give you an idea of how complex it is, check out my firewall rules at: http://homepage.mac.com/barto_act/re...x/firewall.txt. My ruleset is, believe it or not, a simple one for a single box without any services running.



    In Mac OS X, unless you enable the various advanced services (eg SSH or Apache), your box has almost total security.



    Barto
  • Reply 2 of 8
    etharethar Posts: 111member
    Is ipfw based on ipchains or iptables? Or did Apple create their own?



    Just wondering. It works great, regardless.
  • Reply 3 of 8
    Quote:

    Originally posted by ethar

    Or did Apple create their own?



    As far as I know, IPFW comes from FreeBSD, Mac OS X's crazy uncle.
  • Reply 4 of 8
    Quote:

    Originally posted by Barto

    IPFW is a fantastic firewall. However, it is a very complex and powerful one, and NOT enabled by default.



    If you do choose to enable it (in the "Sharing" system preference), you have a very limited range of GUI options. To give you an idea of how complex it is, check out my firewall rules at: http://homepage.mac.com/barto_act/re...x/firewall.txt. My ruleset is, believe it or not, a simple one for a single box without any services running.



    In Mac OS X, unless you enable the various advanced services (eg SSH or Apache), your box has almost total security.



    Barto




    yours actually is a lot more complicated than it needs to be. i mean, it certainly doesn't hurt, but you are blocking a lot of ip ranges that generally don't cause pain. like 10.x.y.z, 192.x.y.z, 169.254.y.z. Those are local networks and subnets, so if you have a little lan setup, you probably can't comm with any of the other comps.



    but, to the originator: out of the box, your computer is extremely secure. you only really need the firewall if you feel unsafe, and if you have any services (like anything from the Sharing panel of sysprefs) enabled.



    and yes, ipfw comes from bsd. iptables and ipchains are linux deals.
  • Reply 5 of 8
    bartobarto Posts: 2,246member
    Quote:

    Originally posted by thuh Freak

    i mean, it certainly doesn't hurt, but you are blocking a lot of ip ranges that generally don't cause pain.



    Call me paranoid. One time I saw packets going in and out of my network with private network source addresses. Really weird, I can't explain what was going on. So I blocked them.



    http://www.freebsd.org/doc/en_US.ISO...firewalls.html



    The FreeBSD IPFW manual.



    Barto
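
The trade-off discussed in replies 4 and 5 (dropping private and link-local source ranges versus keeping LAN traffic working), as an added example that is not taken from any poster's ruleset: a small Python model of ipfw's first-match evaluation, comparing deny rules with and without an interface restriction. The interface names ppp0 (DSL side) and en0 (LAN), the rule numbers and the final allow rule are assumptions, and the packets are constructed samples.

```python
import ipaddress

# Source ranges that should not arrive from the Internet side:
# RFC 1918 private space plus link-local (169.254.0.0/16).
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

def build_rules(wan_if=None):
    """Return (number, action, src_net, iface) tuples modelled on ipfw lines such as
    'add 1000 deny ip from 10.0.0.0/8 to any in via ppp0'.
    wan_if=None means the deny rules are not tied to any interface."""
    rules = [(1000 + 10 * i, "deny", ipaddress.ip_network(net), wan_if)
             for i, net in enumerate(BOGON_SOURCES)]
    # Final catch-all allow (assumed for this example).
    rules.append((65535, "allow", ipaddress.ip_network("0.0.0.0/0"), None))
    return rules

def verdict(rules, src, iface):
    """ipfw-style evaluation: rules are checked in numeric order, first match wins."""
    addr = ipaddress.ip_address(src)
    for number, action, net, rule_if in sorted(rules, key=lambda r: r[0]):
        if addr in net and rule_if in (None, iface):
            return action, number
    return "deny", None

# Constructed sample packets: (source address, receiving interface).
SAMPLES = [
    ("192.168.1.20", "en0"),   # LAN peer talking to this Mac
    ("192.168.1.20", "ppp0"),  # private source arriving from the DSL side
    ("203.0.113.7", "ppp0"),   # public (documentation-range) source
]

def compare():
    """Verdict for each sample under unscoped and interface-scoped deny rules."""
    unscoped, scoped = build_rules(None), build_rules("ppp0")
    return [(src, iface, verdict(unscoped, src, iface)[0], verdict(scoped, src, iface)[0])
            for src, iface in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print("%-15s in via %-5s unscoped=%-5s scoped=%s" % row)
```

Only the unscoped rules cut off the LAN peer; scoping the same deny rules to the DSL-facing interface still drops private sources arriving from outside.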
  • Reply 6 of 8
    Isn't there an easy way to put up a firewall, without going into the Terminal? Perhaps a third party software or something? I know, dumbo question... but some things should be easy.
  • Reply 7 of 8
    baumanbauman Posts: 1,248member
    Quote:

    Originally posted by elbogo

    Isn't there an easy way to put up a firewall, without going into the Terminal? Perhaps a third party software or something? I know, dumbo question... but some things should be easy.



    All the information here is about the built-in firewall, and there are three ways to configure it: the Sharing Preference Pane, a shareware GUI utility called "Brickhouse" and the terminal command ipfw.



    The built-in preference pane does a good job, but doesn't offer more advanced options that you can get with Brickhouse or the command line. Brickhouse can do everything that you can do from the command line, so it's just a preference between simplicity, nice-looking configurability, and 1337 g33k H4Xx0r-ing.
  • Reply 8 of 8
    Thanks, Bauman... I'll look into it!