Click here for an updated summary of Leopard firewall issues at Geek Precis.
After all the discussion on the web concerning Leopard's new firewall, I wanted to do some testing in an attempt to better understand what was happening. I've divided my results and the related discussion into sections for easy digestion.
Summary
Apple has made significant changes to how the firewall functions in Mac OS X 10.5 (Leopard). In an apparent attempt to tightly integrate the firewall with their applications and services of their new OS, they have added a proprietary firewall to provide different/additional functionality and flexibility. The previous firewall (ipfw) is still there and running, but not really doing anything by default.
I think things are not as bad as some articles have made it seem, but I think Apple should make some changes to fix both the perception and the reality.
Background
- Heise Security Article - original analysis of potential flaws in Leopard's firewall
- My initial post
- Slashdot discussion
- Securosis analysis - some good testing
- ipfw - Wikipedia, FreeBSD
- IANA TCP/IP Port List - for good measure
More Good Links
How Leopard's Firewall Performs
After reading everything I could find, I did some testing of my own. Here's what I found:

I started with a few basic services (File Sharing, Printer Sharing, and Remote Login) turned on in the Sharing preference pane. After testing that basic configuration, I turned everything off in the Sharing pane and disabled the sharing activated by my iLife applications to see how the firewall would respond with no user selected sharing active.
Leopard's new firewall does a few things that might be expected and a few that might be considered unexpected:
Expected
- Allows any traffic associated with active shared resources (as determined by the Sharing preference pane). This is what previous versions of Mac OS X did by default.
- Blocks traffic destined for various "random" ports.
Unexpected
- The default firewall setting is to "Allow all".
- Allows any traffic associated with (signed) applications that have sharing activated (as determined by each application's own UI).
- Allows certain system traffic (Kerberos and NTP).
Basically, Leopard's firewall allows traffic associated with sharing that the user has selected in the usual way, allows traffic destined for "trusted" applications (if requested by the user in the application's interface), and allows traffic you will not find anywhere in the firewall interface.
Any shared services (e.g. file or printer sharing) the user has activated will be allowed access, unless the user manually deactivates that service share or manually blocks it in the firewall. And some services used by the system will accept traffic under almost any circumstances. This is odd, and I'm not yet sure what the intention is here.
What Apple Has Done
It appears to me Apple has added their own application-based firewall in a layer above the open source ipfw firewall (see below).

It looks like you can manually configure ipfw from the command line or use a GUI-based configuration utility (e.g. WaterProof) and restore the functionality that was previously exposed by the firewall portion of Tiger's Sharing pane. Ipfw is installed and running, but it appears to have only a single rule allowing any and all traffic. All the traffic allowed by ipfw then passes to Apple's new firewall for further inspection. In the default configuration, Apple's firewall provides the only practical packet inspection and filtering; ipfw is there, but not really doing anything.
Why Apple Configured the Firewall This Way
I believe Apple decided ipfw did not provide the kind of flexibility and integration with their applications that they wanted in order to produce an elegant, user-friendly OS. They wanted a solution that was tightly integrated with the services and sharing provided by MacOS X 10.5 and Apple's applications.
In what I hope is NOT a return to the mistakes of the "old" Apple, they decided to create a new firewall from scratch rather than using well-developed and mature open source solutions like ipfw. In the past, Apple has chosen to take the proprietary (sometimes incompatible) path, and I fervently hope this is not a sign they are returning to that behavior.
I can understand Apple's desire to create a firewall configuration process that is easy for most non-geek users. The previous setup was easily understood by people with some networking knowledge, but fairly difficult for non-techies to understand. And it was often the case that 3rd-party configuration utilities and Apple's GUI were not compatible and could not work together without resetting the ipfw rules to match the configuration of the last UI used.
And I think there might be other justifications for this change including the sharing and services (e.g. Back to My Mac) Apple is offering and plans to offer, and a desire to integrate with some of Apple's new security features (i.e. sandboxing, application signing, and tagging downloaded applications). Apple is not likely to announce any plans that might use this new functionality, at least not before they are released.
But in the end, I think Apple has done themselves a disservice from a public relations perspective. Prior to this, Apple was universally praised for being more secure than its Windows competition. The news surrounding the firewall changes, while maybe overblown, is conspiring with the recent announcement of a Mac Trojan to make Mac OS X's security look weaker.
While the perception will likely last, only time will tell if the technical performance is better or worse than ipfw in previous versions of Mac OS X.
Recommendations
I recommend Apple do a few things to improve the situation:
- First, Apple must get out on this story and explain in detail what has changed and why. Without doing this, it is too easy to speculate and create FUD. I cannot understand why they have not responded to the bad press during Leopard's launch.
- Second, Apple should change the default behavior to set the firewall to "Block All Incoming". The user can then be notified if and when this setting needs to be changed.
- Apple could re-implement their application-based firewall as a control layer that works with ipfw to make the necessary changes instead of using a separate, proprietary firewall.
- They could change the default rule in ipfw to block more incoming traffic that is not needed or wanted by any of the sharing features they appear to be so concerned about. At least this would close a few potential doors, while still allowing them to use their new firewall too.
- They could provide an "advanced" mode and UI returning the firewall behavior to the previous configuration relying on ipfw and disabling the new firewall layer. This would give the advanced user the control he or she wants, although it might disrupt some functionality in the areas of remote access and sharing.
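As an added example (not from the original post), here is a small shell script that checks whether ipfw is in the single allow-all state described under What Apple Has Done, and prints the kind of more restrictive default rule set suggested in the recommendations above; the `ipfw list` capture and the port numbers 22 and 548 are constructed sample values, not Apple's defaults.

```shell
#!/bin/sh
# Added example, not part of the original post. Two helpers around ipfw on Leopard:
#  - ipfw_is_passthrough reads the text of `ipfw list` on stdin and succeeds when
#    the only rule is the default allow-all (rule 65535), i.e. ipfw is running
#    but filtering nothing;
#  - ipfw_hardened_rules prints a conservative rule set that keeps outbound
#    traffic (and its replies, e.g. NTP and DNS) working and admits inbound TCP
#    connections only to the ports given as arguments.
# Review the output, then apply with `sudo ipfw -q /dev/stdin` if it suits you.

ipfw_is_passthrough() {
    rules=$(grep -v '^[[:space:]]*$' || true)                 # drop blank lines
    count=$(printf '%s\n' "$rules" | grep -c '^[0-9]' || true) # rules start with a number
    [ "$count" -eq 1 ] &&
        printf '%s\n' "$rules" | grep -q '^65535 allow ip from any to any$'
}

ipfw_hardened_rules() {
    echo "add 100 check-state"                               # match existing stateful entries
    echo "add 200 allow ip from any to any via lo0"          # leave loopback alone
    echo "add 300 allow ip from me to any out keep-state"    # outbound plus its replies
    n=1000
    for port in "$@"; do                                     # e.g. 22 (ssh), 548 (AFP)
        echo "add $n allow tcp from any to me $port in setup keep-state"
        n=$((n + 10))
    done
    echo "add 65000 deny ip from any to any in"              # everything else inbound
}

# Demo on a constructed `ipfw list` capture matching a default Leopard install.
sample='65535 allow ip from any to any'
if printf '%s\n' "$sample" | ipfw_is_passthrough; then
    echo "ipfw is pass-through; suggested rules:"
    ipfw_hardened_rules 22 548
fi
```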
Tools and Software
- WaterProof - ipfw GUI configuration
- Apple's built-in port scan (/Applications/Utilities/Network Utility)
- Nessus
- Bonjour Browser
- Observation Post
2 comments:
Really a nice read, very comprehensive!
Marc, Leofud
Thanks. I think you had it right that there is a bit of FUD out there on this topic. After all the talk of Mac's being secure, I think some folks are looking to make a point of this firewall issue, justified or not.
I liked your piece on Heise and their spin too, and linked it into my post. After I submitted your post to Digg, I think it is doing much better than mine. :-)