Leopard Firewall Woes

I have been using Mac OS X Leopard for the last few weeks and the article on Heise Security caught my attention. I use a 3G connection to the internet quite often and have to assume that a NAT firewall wont always be available.

I did some of my own tests and as far as I could tell setting the firewall to "Block All Incoming Connections" just does not seem to work.

The output of "sudo ipfw list" does not seem to change when switching between "Allow All" and "Block All"...

Here is what I recommend for now:
- Download WaterRoof ipfw at: http://www.hanynet.com/waterroof/ (its OSS).
- Run through the Wizard, just clicking next is the equivalent of "Block All"
- If you want "Stealth", go to "Static Rules" and add a rule to block all ICMP from "Any" to "Me".
- Make these changes permanent through: Tools -> Startup Script -> Install Startup Script.

To test if your setup is any good head over to Shields Up! Steve Gibson's excellent resource and run some tests to check that your firewall is actually working as planned. Shields Up! can be found at: http://www.grc.com/.

Please note that this test is most effective if you are directly connected to the internet. If you cannot connect directly rather Google for nmap and run some tests on your LAN. I used nmap to run some tests against the firewall to confirm the results - consider just trying to ping your machine from another host at least.

For reference here are my rules, running "sudo ipfw list" from the terminal should give you similar results.

$sudo ipfw list

00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00130 deny ip from 224.0.0.0/3 to any in
00140 deny tcp from any to 224.0.0.0/3 in
01000 allow tcp from any to any out
01000 allow tcp from any to any established
01100 deny icmp from any to me
65534 deny tcp from any to any
65535 allow ip from any to any

And remember: "Friends do not let friends get Owned" - Pauldotcom Security Weekly