Firewalls are best when used through your router. Unfortunately many users aren't technical enough to use that route, even OS firewall for that matter.

Many users don't have a router, so the OS firewall is necessary for them.

And does Apple turn the firewall on by default in x.5? It never was previously.

Just for laughs I thought I'd try some of the things they tried. I wasn't able to reproduce anything, problem or otherwise so maybe I'm missing something about their testing procedures. Seems a bit murky to me. Seems like they are doing some things locally and others remotely but I don't know which when.

I did try some easy ones myself like turning AFP on and turning the firewall on and off and everything works as expected.

For a bit of clarity: Firewall is off after installing Leopard fresh. I'm really surprised Apple doesn't appear to be using ipfw for the client firewall. They do for the server in Tiger. I confirmed that ipfw list is unchanged regardless of firewall settings in System Preferences:Security.

I'd like an explanation from Apple on this one. What kind of firewall is this really supposed to be? What are we supposed to expect?

while where in here arguing about this ambiguous report, you went ahead and put it to the test, great job, we all should do that more often.

So why don't we, self-proclaimed security experts, being as incompetent as we are (who else would use words like "Further, it is not clear at what point Mac OS X starts which services, or how it decides which of these should be accessible and which should not.") won't write some kind of security report on Leopard security? It better be a negative one, this way it surely will end in headlines of MacNN and the likes.

About real exploits and proofs... who cares about it these days, people are paranoid about security, and many will likely believe to anything "security experts" are going to say, no matter what their credibility is.

I'd like an explanation from Apple on this one. What kind of firewall is this really supposed to be? What are we supposed to expect?

I think its supposed to be similar to Little Snitch (or ZoneAlarm for you PC geeks). But I just assumed it was still using ipfw. If not that, what software is it using? Is it another open-source firewall or a in-house solution?

We live in the "Blame Game" environment through lawsuits. No one wants to be accountable for ANYTHING. If you trust Apple or MSFT to totally safeguard your computer for you, then it's too late. I have been using OS-X since it's been released and I have never enabled my Firewall from the Sharing System Preferences to date. In fact I have never used an Anti Virus since Virex. But If something was to happen to my macs, it's not Apple's fault. It's mine. So regardless what all these "security experts" have to say, you are not going to catch them all. The user HAS to take the initiative. Also, we should be greatful that the people at 1 Infinite Loop typically acknowledges when there is something SIGNIFICANTLY wrong in terms of security and they take corrective actions... Whom do you trust? Your computing habit is what you should trust!

We live in the "Blame Game" environment through lawsuits. No one wants to be accountable for ANYTHING. If you trust Apple or MSFT to totally safeguard your computer for you, then it's too late. I have been using OS-X since it's been released and I have never enabled my Firewall from the Sharing System Preferences to date. In fact I have never used an Anti Virus since Virex. But If something was to happen to my macs, it's not Apple's fault. It's mine. So regardless what all these "security experts" have to say, you are not going to catch them all. The user HAS to take the initiative. Also, we should be greatful that the people at 1 Infinite Loop typically acknowledges when there is something SIGNIFICANTLY wrong in terms of security and they take corrective actions... Whom do you trust? Your computing habit is what you should trust!

How many Macs in the real world have been remotely compromised? Answer NONE! ZERO, ZILCH, NADA! There's a real security flaw with that alright compared to Windows, hundreds of thousands of times with big companies losing millions in data loss if not billions. Believe me I would trust the Macs firewall as it has not been compromised to date which is 7 years running in the real world.

The firewall may not be on, but neither are most of the services. Until someone compromises NTP, is there really anything to worry about?

Does it need to be fixed? Sure. But I'd rather these security articles simply present the facts and consequences rather than try to inject personal opinions.

When a media outlet starts quoting unnamed "experts" you know they are fluffing. Any expert worth the name is most certainly willing, indeed proud, to have their name attached to his work. Unnamed experts are by definition either hacks, or invited whole from the reporter's pen.

before jumping out of airplane:

1. unbuckle safety belt 2. remove cocktail from kungfoo tighting grip 3. confirm silk parachute is tighly secured around neck 4. jump 5. configure ipfw 6. jump 7. wait for landing 8. else fails 9. disable ipfw (NOT) (!)

errr.... does anyone take this !@#$%^& seriously

I have discovered a serious and crucial flaw in the OXS operating system, which can be exploited easily and will destroy all of your data within seconds of a malicious attack.

All you have to do is buy my services and I will fix it for you.

Doofuses.

Over on slashdot.org, where their readership is mainly Linux geeks, many of whom also love OS X, they have already "outed" the shoddy and even outright dishonest techniques employed by the Heise people. Sorry to crosspost, but here is a snippet from one of the commenters to the slashdot article on the Heise report:

"I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it's being blocked. If this is any indication of the quality of this "analysis", we can discount the article."

'Nuff said!

The firewall in Leopard does not use ipfw,it uses a new socket firewall that works on the application level (/usr/libexec/ApplicationFirewall).

However this does cause problems because Apple wants to allow the built-in system daemons like ntpd and mDNSResponder. You should know, both have been shown to have remotely-exploitale vulnerabilities, as recently as August (http://www.securityfocus.com/bid/24159, http://www.securityfocus.com/bid/24924). So obviously some users would want to block access to those applications, especially enterprise IT, but they must resort to using ipfw from the command line in Leopard. However, it is important this is no different in Tiger, where the GUI for the firewall automatically allowed all traffic on ports 5353 and 123. So Leopard isn't better or worse in that area.

Where Leopard's firewall does fail is its limited options. For example: 1) On computer A set the firewall in Leopard to "Set access for specific services and applications" 2) On the command line from computer A, type "nc -l 5000" 3) On computer B, from the command line, type "nc 5000" and hit return 4) Type "Foobar" from computer B. You'll see "Foobar" echoed on Computer A, meaning you connected to computer A successfully, without the firewall ever alerting you.

It would seem that the firewall does not work. However this is not the case. The firewall is actually allowing nc automatically because it is installed with OS X and has the Apple codesigning signature. It's not really desirable to let nc just start listening on any port it wants however because any malware could simply fork/exec nc (or use a shell script), pipe its output into a new file descriptor, and use that to communicate and bypass the firewall.

IMHO this is an unusable firewall, and Apple needs to (a) clarify how it works and (b) make it better before it's considered an actual security mechanism and not just a marketing feature.

Turn on the Firewall In security settings and then click on the advanced button. Turn on Stealth mode. I ran a complete port check at Steve Gibson's security site Shields Up which tests your systems security and firewall settings. In Stealth mode on leopard my Mac achieved a perfect score with no ports open to be compromised. The firewall setting needs to be turned on, that's obvious for most users. I think this story is over blown and OSX's security speaks for itself 7 years running without being compromised in the real world. Turning on Stealth mode will ensure that will continue.