Linked by Thom Holwerda on Wed 19th Dec 2007 21:46 UTC, submitted by Scott
Mac OS X: "Mac OS X 10.5.2 Update, the next in a year-long series of planned updates to Apple's new Leopard operating system, promises to be one of the most hefty maintenance releases put out by the company for its operating system software in recent years. According to people familiar with the matter, Tuesday evening gave way to the first test builds of the software update for developers, including a 354MB bare-bones delta build and a 362MB combo updater, both of which were labeled OS X 10.5.2 build 9C7."
Thread beginning with comment 292326
RE[2]: Firewall
by Marquis on Thu 20th Dec 2007 05:12 UTC in reply to "RE: Firewall"
Marquis
Member since:
2007-01-22

Well, OS X never had PF as in OpenBSD's pf; see http://www.netbsd.org/docs/network/pf.html . The firewall that was in 10.4 and is still in 10.5 is IPFW from FreeBSD; see http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&m...

The current thing Apple is calling the firewall is the Apple Application Firewall. This does not work the same way PF or IPFW would. Rather than hooking into the kernel and filtering network data at a low level, where you can see whether the data is TCP or UDP, the application firewall allows or denies an application's ability to talk to the network, i.e. should Safari.app be able to send and receive data. Now, this is not a bad idea, but the issue I have is that the front-end program Apple made for OS 10.5 does not let you set up IPFW rules saying "block all TCP traffic from IP BLAH", or "deny all IP in" and then set up explicit allow rules. Apple IMHO needs to add an advanced firewall editing mode in the System Preferences gizmo for the firewall to let you add ipfw rules. The application firewall's default setup does not address a number of firewall issues that ipfw + the application firewall could.

Reply Parent Score: 1

RE[3]: Firewall
by Doc Pain on Thu 20th Dec 2007 06:11 in reply to "RE[2]: Firewall"
Doc Pain Member since:
2006-10-08

Thank you for the quick reply and good clarification.

As far as I see, some functionalities of IPFW and the Application firewall do overlap, e. g. when ipfw is used to deny everything except the intended services in, and the Application firewall has to allow traffic for these services.

So, if I am correct, there needs to be a kind of link between IPFW and AFW. For example, if you set up something for IPFW like "add allow tcp from any to any ftp", then the FTP service should be allowed to make connections and receive / send data, which is what the AFW would be responsible for.

"Now this is not a bad idea but the issue I have is that the front end program apple made for OS 10.5 is does not let you setup IPFW rules saying block all TCP traffic from IP BLAH. or Deny all IP in and then setup explicit allow rules."

Assuming that some of the underlying FreeBSD stuff is still intact, isn't it possible to create /etc/ipfw.rules, enter the intended rules, and then start /etc/rc.d/ipfw?

"Apple IMHO needs to add an advanced firewall editing mode in the System Preferences gizmo for the firewall to let you add ipfw rules. The application firewall's default setup does not address a number of firewall issues that ipfw + the application firewall could."

A nice GUI frontend would be a good idea.

Reply Parent Score: 2

RE[4]: Firewall
by Marquis on Thu 20th Dec 2007 07:38 in reply to "RE[3]: Firewall"
Marquis Member since:
2007-01-22

Doc Pain,
So IPFW and AFW do not really overlap. I use my own ipfw.sh script. It's not managed by launchd. NetBSD's RCng is not used by Apple, so no, I could not use /etc/rc.d/BLAH. It should not be that hard to have my script managed by launchd, or to make a launchd job that kicks off a custom RCng setup, but it would be icky.

Application firewalls are interesting; however, network firewalls work better in, say, 90% of the cases where you want to limit traffic over the network. The one thing the application firewall can do is set up a rule saying "jim cannot use Safari to create files in /home/jim/Desktop but can create files in /home/jim/Downloads". It can also make rules saying "Jim cannot use TextEdit when Jane is logged in".

So you could, say, make an app that does something like this: "If jim opens Safari and goes to badsite, and badsite connects to and scans me, run ipfw to block all IP from badhost." If Apple were to make this it would be earth-shattering. I do not know of anything that currently does this on the Mac.


Apple does a good job at making UNIX GUI things. But the firewall tool seems like an afterthought.

Reply Parent Score: 1