"Mac OS X 10.5.2 Update, the next in a year-long series of planned updates to Apple's new Leopard operating system, promises to be one of the most hefty maintenance releases put out by the company for its operating system software in recent years. According to people familiar with the matter, Tuesday evening gave way to the first test builds of the software update for developers, including a 354MB bare-bones delta build and a 362MB combo updater- both of which were labeled OS X 10.5.2 build 9C7."
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2007-01-22
Well OSX never had PF as in OpenBSD's pf see link http://www.netbsd.org/docs/network/pf.html . The firewall that was in 10.4 and is still in 10.5 is IPFW from FreeBSD see link http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&m...
The current thing apple is calling the firewall, is the Apple Application Firewall. This does not work the same way say PF or IPFW would. Rather then work by hooking into the kernel and filtering networking data at a low level; where you can see if the data is tcp or udp, the application firewall is allowing or denying applications ability to talk to the network. I.E. should safari.app be able to send and receive data. Now this is not a bad idea but the issue I have is that the front end program apple made for OS 10.5 is does not let you setup IPFW rules saying block all TCP traffic from IP BLAH. or Deny all IP in and then setup explicit allow rules. Apple IMHO needs to add and advanced firewall editing in the system prefs gizmo for the firewall to allow you to add ipfw rules . The application firewall's default setup does not address a number of firewall issues that ipfw + the application firewall could.
Member since:2006-10-08
Thank you for the quick reply and good clarification.
As far as I see, some functionalities of IPFW and the Application firewall do overlap, e. g. when ipfw is used to deny everything except the intended services in, and the Application firewall has to allow traffic for these services.
So, if I am correct, there needs to be a kind of link between the IPFW and AFW. For example, if you setup something for IPFW like "add allow tcp from any to any ftp" then the FTP service should be allowed to make connections and receive / send data, where the AFW would be responsible for.
"Now this is not a bad idea but the issue I have is that the front end program apple made for OS 10.5 is does not let you setup IPFW rules saying block all TCP traffic from IP BLAH. or Deny all IP in and then setup explicit allow rules."
Assuming that the some of the unterlying FreeBSD stuff is still intact, isn't it possible to create /etc/ipfw.rules and enter the intended rules, and then start /etc/rc.d/ipfw?
"Apple IMHO needs to add and advanced firewall editing in the system prefs gizmo for the firewall to allow you to add ipfw rules . The application firewall's default setup does not address a number of firewall issues that ipfw + the application firewall could."
A nice GUI frontend would be a good idea.
Member since:
2006-10-08
"I hope they get rid of that crappy application firewall and go back to using IPFW2 . Arghhh!"
I'm not a regular Mac OS X user, but didn't it use the packet filter (pf) instead of the IP firewall (ipfw2), or am I mixing up things here?
From my experience, ipfw2 (used on FreeBSD machines) does a great job. along with its ability to be configured very easily. You can setup a well configured firewall mechanism with very few rules and still have intended things working.