S 5.166 Configuration of the Mac OS X Personal Firewall
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The security mechanisms offered by Mac OS X include a personal firewall. A personal firewall offers various security functions, such as a packet filter that controls the incoming and outgoing network connections of the local system.
Before using the personal firewall under Mac OS X, two facts need to be checked. The personal firewall can be used to filter incoming or outgoing connections or to restrict the access of programs and services to the Internet. Before disabling the network communication for individual programs, it should be examined whether it is possible to disable the network communication internally within the program. Furthermore, it should be checked that no undesirable side-effects occur with the relevant program or service after blocking the network communication. If an attempt is made to directly prevent the network communication of a program by means of a personal firewall, problems may arise, as a program may depend on the network communication and wait for a response from the network before the program continues to be executed.
The use of a personal firewall directly operated on the client computer to be protected by no means replaces an independent security gateway (firewall) which protects the institution's entire internal network. The use of a personal firewall can make sense in order to protect Mac OS X computers against attacks from the local network in case of higher protection requirements. During mobile use of Mac OS X computers, the use of a personal firewall is always recommended in order to protect the computer against attacks from the Internet.
Before using a personal firewall, it must be specified which programs are to be granted network access and which are not. In general, all network communication should be blocked first, and the required ports or applications enabled in a second step. When configuring the personal firewall, the recommendations in safeguard S 4.238 Use of local packet filters should be followed.
Mac OS X offers two firewalls operating on different levels:
- Application firewall
The application firewall allows you to block and to enable the communication of specific application programs; the user does not need to know which port is used. The application firewall also verifies the signature of a program, so a program that has been released for network communication cannot be modified without triggering a new query for a firewall rule definition. Under Mac OS X, the application firewall is disabled in the default configuration. It should be enabled under "System Settings | Security | Firewall". The menu item "Advanced options" can be used to adjust the settings:
If the option "Block all incoming connections" is selected, only the following Mac OS X data connections or communication services are allowed:
- configd: for implementation of DHCP and other network configuration services
- mDNSResponder: for implementation of Bonjour
- racoon: for implementation of IPSec
Note: If shares such as "File share" or "Remote login" are enabled, Mac OS X automatically opens the required ports in the firewall used by the services for communication.
If the option "Block all incoming connections" is not used, the list of the application firewall defines which services and programs are allowed to open ports in the firewall. Programs can be added to this list by clicking on the "+" symbol. After a program has been added, you have to specify whether incoming connections for this program are to be allowed or blocked. Command line programs can also be added to this list. When an application is added to this list, Mac OS X automatically includes a digital signature in the program if this has not already been done. If a program included in this list is subsequently changed, the user will be asked again whether to allow or block incoming network connections for the program. For programs without a digital signature which are not included in this list, the user will also be shown a dialogue box with options for allowing or blocking connections. Once the user has allowed or blocked the connection, Mac OS X includes a digital signature in the program and automatically adds it to the list of the application firewall, including the authorisations assigned.
If the option "Automatically allow signed software to receive incoming connections" is enabled, all programs provided with a digital signature can receive incoming connections, even if the programs are not displayed in the list. This digital signature must have been issued by a certification authority (CA) trusted by Apple. In Leopard and higher versions, every executable operating system component is provided with a digital signature by Apple and can receive incoming connections. Digitally signed programs which are automatically opened by other programs can also be part of this group. In order to block the network access of a digitally signed program via the firewall, the program must first be added to the application firewall list and then the connection expressly blocked. If the access of a program is blocked via the firewall, this can cause malfunctions of the program or of other programs that depend on it, or affect the performance of other programs and services used. Due to the lack of transparency, this option should not be used.
The option "Enable stealth mode" should not be used, as it contradicts the Internet standard RFC 1122. If stealth mode is enabled, no responses are sent to requests made by a blocked application. Ping, for instance, is one of the ICMP messages which no longer work in stealth mode. Stealth mode does not offer any additional protection: if the computer did not actually exist, the last station before the computer would report to the sender that the target could not be reached. In stealth mode, however, no message is returned at all, from which the sender can conclude that the computer exists but does not reply.
- The packet filter or IP firewall (ipfw)
The other personal firewall supplied with Mac OS X is the IP firewall (ipfw), or packet filter. The packet filter operates on a lower OSI layer and has priority over the application firewall. The IP firewall ipfw is only suitable for Internet protocol version 4; if IPv6 traffic is to be controlled, the command line application ip6fw can be used. If both Internet protocol versions are used, several files are inevitably needed for the configuration of the firewall; the difference between them is largely restricted to the address formats of IPv4 and IPv6.
The IP firewall and the application firewall can be operated simultaneously and together allow comprehensive control of the network communication. The application firewall can be enabled and configured in the system settings under Security in the menu tab "Firewall".
ipfw allows you to define finer rules than the application firewall does. The handling is slightly more complicated, as ipfw is configured via the command line.
In order to use ipfw to block TCP connections to any server on port 80, the following command can be used:
ipfw add 500 deny tcp from any to any dst-port 80
Every firewall rule has a number and is processed by the system from the highest to the lowest number. It is therefore possible for a rule to be modified or invalidated by another rule. As ipfw operates very close to the system, administrator rights are required to execute commands. If comprehensive firewall rules are created the content should be stored in a configuration file. To automatically load the rules from this configuration file a shell script is required which could appear as follows:
#!/bin/sh
# remove previous firewall rules
/sbin/ipfw -q flush
# execute ipfw and load the rules from the configuration file
/sbin/ipfw -q "/STORAGE LOCATION/firewall rules.conf"
# enable logging of firewall events to /var/log/system.log
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
Subsequently, corresponding rights must be assigned for the shell script to enable the execution of the commands:
sudo chown root:admin Shellscript.sh
sudo chmod 544 Shellscript.sh
After this step, the shell script must be executed every time the computer is started. Under Mac OS X, Apple recommends the use of "launchd" for this task. The "launchd" system service requires a specially formatted file (Plist) in the directory /Library/LaunchDaemons to launch programs. The content of this file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>com.apple.firewall</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/bin/Shellscript.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
  </dict>
</plist>
In the final step, this Plist file must receive corresponding rights, for example, by means of the following command:
sudo chown root:admin NameOf.plist
The changes can be read in and activated directly without the need for a restart by means of the following command:
sudo launchctl load /Library/LaunchDaemons/NameOf.plist
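The rule file that the loading script reads is not shown in the text. The following added example (it is not part of the BSI safeguard and not Apple's code) generates matching ipfw and ip6fw rule files from one allow-list, following the principle of blocking everything first and enabling only the required services afterwards; the two files differ only in the address formats, as described above for dual-stack systems. The chosen services (loopback, established TCP, DNS answers, DHCPv4, remote login on TCP port 22), the rule numbers and the storage location in RULES_DIR are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the BSI text: generate matching IPv4 (ipfw) and
# IPv6 (ip6fw) rule files from one allow-list. Everything is blocked first and
# only the required services are enabled afterwards. The services, rule numbers
# and RULES_DIR below are assumptions for illustration, not values from the text.

RULES_DIR="${RULES_DIR:-/usr/local/etc/firewall}"   # assumed storage location
ALLOWED_TCP_IN="22"                                  # assumed: only remote login (SSH)

# gen_rules 4|6 -> prints the rule file for that address family on stdout.
# The file holds one ipfw command per line without the leading "ipfw", so it
# can be loaded with "ipfw -q FILE" (or "ip6fw -q FILE" for IPv6).
gen_rules() {
    case "$1" in
        4) lo="127.0.0.0/8" ;;
        6) lo="::1" ;;
        *) echo "usage: gen_rules 4|6" >&2; return 1 ;;
    esac
    # Numbers are spaced in steps of 100 so rules can be inserted later.
    echo "add 100 allow all from $lo to $lo"                 # loopback traffic
    echo "add 200 allow tcp from any to any established"     # replies to our own TCP connections
    echo "add 300 allow udp from any 53 to any"              # DNS answers (matched on source port only, hence weak)
    if [ "$1" = 4 ]; then
        echo "add 310 allow udp from any 67 to any 68 in"    # DHCPv4 replies, IPv4 only
    fi
    n=400
    for p in $ALLOWED_TCP_IN; do
        # Explicitly permitted inbound services are logged: these are the
        # high-priority rules whose log entries should be reviewed.
        echo "add $n allow log tcp from any to any dst-port $p in"
        n=$((n + 1))
    done
    # Catch-all deny with logging, numbered just below ipfw's built-in default rule 65535.
    echo "add 65000 deny log all from any to any"
}

# count_rules 4|6 -> number of rules generated for that family
count_rules() { gen_rules "$1" | grep -c '^add '; }

# write_rules -> writes both files into RULES_DIR and prints their paths
write_rules() {
    mkdir -p "$RULES_DIR"
    gen_rules 4 > "$RULES_DIR/ipfw.rules"
    gen_rules 6 > "$RULES_DIR/ip6fw.rules"
    echo "$RULES_DIR/ipfw.rules" "$RULES_DIR/ip6fw.rules"
}

# usage: sh make_rules.sh write   (then load with: /sbin/ipfw -q "$RULES_DIR/ipfw.rules")
if [ "${1:-}" = "write" ]; then
    write_rules
fi
```

The generated IPv4 file is what the loading script above would reference in place of the storage-location placeholder; for IPv6 the same loader line is repeated with ip6fw and the second file. Rule 300 illustrates why source-port based allow rules deserve a comment: any host can send from UDP port 53, so such a rule is a known weak spot that a stateful rule would avoid where the firewall version supports it.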
The log file of the personal firewall, to be found under /private/var/log/ipfw.log, should be checked regularly for irregularities such as an increased number of failed remote access and login attempts. Firewall log files can grow rapidly and use a considerable amount of storage space. For this reason, it makes sense to clarify which rules have a high priority and should be logged and which not. A corresponding command can appear as follows:
ipfw add allow log tcp from any to any dst-port 6112-6119
This command logs all TCP connection attempts to ports 6112 through 6119 of the server.
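The following added example (not part of the BSI text) shows the kind of regular log check recommended above: a small POSIX shell script that reads ipfw log lines, counts the denied connection attempts per source address and per destination port, and flags sources that exceed a threshold, so that a rising number of blocked remote access or login attempts stands out. The lines produced by sample_log are constructed for the example (addresses from the documentation ranges); the line layout "ipfw: RULE Deny PROTO SRC:PORT DST:PORT in via IF" is the format ipfw writes when logging is enabled, and the threshold values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the BSI text: summarise denied connection attempts
# in an ipfw log. Run as:  sh ipfw_log_check.sh /private/var/log/ipfw.log [threshold]
# Without arguments it analyses the constructed sample below.

# Constructed sample lines in ipfw's log format (addresses are documentation ranges).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 mac kernel[0]: ipfw: 65000 Deny TCP 203.0.113.7:51234 192.0.2.10:22 in via en0
Mar  3 10:15:02 mac kernel[0]: ipfw: 65000 Deny TCP 203.0.113.7:51235 192.0.2.10:22 in via en0
Mar  3 10:15:02 mac kernel[0]: ipfw: 400 Accept TCP 198.51.100.4:40000 192.0.2.10:22 in via en0
Mar  3 10:15:03 mac kernel[0]: ipfw: 65000 Deny TCP 203.0.113.7:51236 192.0.2.10:22 in via en0
Mar  3 10:15:03 mac kernel[0]: ipfw: 65000 Deny UDP 198.51.100.9:5353 192.0.2.10:5353 in via en0
Mar  3 10:15:04 mac kernel[0]: ipfw: 65000 Deny TCP 203.0.113.7:51237 192.0.2.10:5900 in via en0
EOF
}

# parse_denies: stdin -> "SRC_ADDR DST_PORT" for every Deny line; Accept lines are ignored.
parse_denies() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "Deny") {
            src = $(i + 2); dst = $(i + 3)
            sub(/:[0-9]+$/, "", src)          # strip the source port
            n = split(dst, d, ":")            # destination port is the last field
            print src, d[n]
            break
        }
    }'
}

# flag_sources THRESHOLD: stdin -> "COUNT SRC" for sources with at least THRESHOLD
# denied attempts, highest count first. One source probing several ports or
# repeatedly hitting the login service is the irregularity to look for.
flag_sources() {
    parse_denies | awk -v t="$1" '{ c[$1]++ }
        END { for (s in c) if (c[s] >= t) print c[s], s }' | sort -rn
}

# denied_ports: stdin -> "COUNT PORT", i.e. which services attract blocked attempts.
denied_ports() {
    parse_denies | awk '{ c[$2]++ } END { for (p in c) print c[p], p }' | sort -rn
}

if [ -n "${1:-}" ]; then
    flag_sources "${2:-5}" < "$1"
else
    echo "Suspicious sources (>= 3 denied attempts):"; sample_log | flag_sources 3
    echo "Denied attempts per destination port:";      sample_log | denied_ports
fi
```

Because the script only reads the log, it can run from a periodic launchd job or cron entry with no additional privileges beyond read access to /private/var/log/ipfw.log; the threshold should be tuned to the normal background level of blocked traffic on the network in question.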
Review questions:
- Has it been specified which programs receive network access under Mac OS?
- Has the personal firewall of Mac OS X been enabled and configured according to the recommendations?
- Is the log file of the personal firewall of Mac OS X checked regularly for irregularities?