The Safe Mac

Do I need a firewall?

Firewalls have always been poorly understood, even by knowledgeable people. With the recent upsurge in Mac malware, there has been a lot of questionable advice circulating, some of which related to firewalls. People are recommending firewalls for avoiding malware, blocking hackers, preventing spam and any number of other things.  Some of these recommendations have some validity and some do not…  but how is the average user to know the difference?

What is a firewall?

To determine whether you need a firewall, we first need to examine exactly what a firewall is. Firewalls are essentially filters between your computer and the outside world that, in typical use, allow some network traffic to pass and block other traffic. The goal is to improve the security of the computer by blocking unsolicited, malicious connection attempts.

Network traffic comes in the form of “packets.” Think of packets as being similar to letters, which you and a friend might send back and forth via the post office during a long-distance conversation. (If you found yourselves in the 19th century, that is!) Packets are sent back and forth between your computer and a server during any network communication. It is these packets that a firewall either blocks or allows to pass, just as you might tell your local postmaster that you don’t want to receive any more letters from an obnoxious acquaintance who keeps sending you annoying letters.

Packets are addressed not just to a particular machine, but to specific “ports” on that machine. Ports are kind of like apartment numbers that tell you where to go in a large apartment building. But they’re also unlike apartment numbers, since you can have multiple applications that can use a particular port and multiple ports used by one application. Port 80, for example, is used for all web traffic, whether you’re using Safari or Firefox or something else. Port 110 is used for unencrypted e-mail communications with a POP mail server; Mail uses that port in addition to others (995 for encrypted POP traffic, 143 for unencrypted IMAP, 993 for encrypted IMAP, etc).

Are there different kinds of firewall?

There are two basic firewall types, each taking a different approach to filtering packets. One is called an “application firewall,” because it either allows or blocks packets to specific applications, regardless of the port the traffic is addressed to. So, for example, you could allow or block all packets sent to Mail. Mac OS X 10.5 (Leopard) and 10.6 (Snow Leopard) have this kind of firewall built-in.

The other kind of firewall blocks or allows traffic on specific ports, regardless of which application the traffic is meant for. Blocking port 110, for example, would prevent all e-mail software – not just Mail – from communicating with POP servers via unencrypted connections. There is a Unix firewall on multiple versions of Mac OS X called ipfw which uses this method of filtering packets. It is still present in Snow Leopard, but is only accessible via the command line or using third-party tools. The user interface for ipfw was dropped in Leopard in favor of the newer application firewall.

Firewalls also differ in whether they can block incoming packets (coming to your machine from somewhere on the internet), outgoing packets (sent from your machine to somewhere on the internet) or both. The application firewall in recent versions of Mac OS X blocks incoming packets only. The ipfw firewall, on the other hand, can block both incoming and outgoing packets.

If there are firewalls built in, I must need one, right?

Not necessarily. First, consider again what firewalls are for: they block packets that might be malicious. But how do malicious packets get sent to your machine? The most important part of the answer to that question is that hackers have to be able to see you somehow. If hackers can see you, you might need a firewall. If they can’t, you probably don’t.

So how do hackers see you?  The internet is a very large neighborhood, but hackers can create automated programs that basically walk up to one “house” after another and knock on every door, looking for a way in. However, most personal computers don’t live right on Main Street, so to speak. They typically live in gated communities, where everyone who wants in has to pass the guardhouse first.

To clarify all the metaphors, you almost certainly are accessing the internet from behind some kind of router. All wireless networks, for example, are managed by one or more routers. Those routers act like the gatehouse, separating the “local” network from the internet and routing all traffic coming inside to the right places (ie, computers). In such a case, you are safe from outside hacking attempts.

If you’re not sure whether you are behind a router, and thus hidden from the internet, there’s an easy test. First, connect to a web site like WhatIsMyIP. This tells you the address of your computer according to the outside world. If you are behind a router, that is the router’s IP address, and your computer’s IP address will be very different. Open System Profiler (in /Applications/Utilities) and select Network in the left-hand column. Now look for a column on the right side titled “IPv4 Addresses”… if you don’t see the IP address reported by WhatIsMyIP in that column somewhere, you are safely hidden behind a router.

Of course, you also need to consider hackers on the local network. You only have control over who is on your local network at home, on a wired connection or an encrypted wireless network. If you take a laptop computer to someone else’s network, or if you have a machine on a large network at work, or you have an open wireless network (ie, no password) at home and other people live nearby, or any number of other scenarios, you may not know if everyone else on that local network is trustworthy.

So, if I’m not hidden behind a router, or if I’m on a local network with untrusted people, I need a firewall?

Once again, not necessarily.  One way a hacker gets access to your machine is by using bugs in the system that can provide a “back door” to a remote attacker.  There are no such bugs, as far as we know, on a Mac as it is configured out of the box.  The biggest weak point for your Mac would be if you are potentially visible to hackers and have services open in the Sharing pane of System Preferences.  However, such services would be useless if blocked by a firewall, and potentially vulnerable if not blocked by a firewall.  The solution is not a firewall, but simply using good security techniques, like using secure passwords, installing all security updates and only opening services that you actually need.

It’s also important to realize that firewalls can only act within their own limitations. For example, one frequent error people have been making lately is to expect the Snow Leopard application firewall to prevent a malicious application (such as one of the MacDefender trojans) from transmitting data back “home”. That firewall only blocks incoming packets, so malware that is on your machine can still “phone home” unimpeded. Similarly, you cannot expect the firewall to keep you from getting infected, since the malware would be downloaded via your web browser, which the firewall cannot block without blocking all web access in general.  The same is true of the erroneous idea of firewalls blocking spam… they can block all e-mail traffic between your mail software and your mail server, or they can allow all of it, but they cannot filter packets based on the data contained in the packet.

If firewalls are so useless, why have one?

Firewalls do have their uses when connected to a network that contain untrusted users, such as open wifi at a coffee shop or having a direct connection to the internet (ie, not hidden behind something like a wireless router).  For example, although there are no currently known bugs in Mac OS X that will allow hackers to gain remote access, there’s no law that says this has to continue.  Should such a bug be discovered, safety is just a click away.  Turning on the firewall would protect you from remote exploits.

In addition, there are many server processes running on any normal Mac. You may forget that you have file sharing turned on when you pull out your computer at a Starbucks. In addition to built-in server processes, plenty of apps include server functionality as well. 1Password’s wifi syncing, for example, involves 1Password on your Mac acting as a server and accepting connections from 1Password on your phone or tablet.

When you’re on an untrusted network temporarily, it would be wise to turn on the firewall, and set the firewall options to block all incoming connections. This won’t make any difference in your ability to browse the web or check e-mail, but it will prevent any attackers from even trying to gain access to your Mac.

If your Mac is connected to an untrusted network all the time (which is fairly uncommon with consumer Macs these days), then you need to take other measures. The built-in firewall is capable of what is called “stealth mode,” which basically makes your machine invisible on the network. Your machine becomes like 12 Grimmauld Place in the Harry Potter series: to those who know it’s there, it is visible. Everyone else, though, can look as hard as they like and never find it. Turning on stealth mode on such machines is important. However, it’s important to understand that this may not be sufficient, and all server processes should be kept turned off whenever possible.

Unfortunately, such a firewall is completely useless at preventing untrusted software from “phoning home.”  For such things, Little Snitch is a third-party firewall that blocks outgoing data rather than incoming data.  Little Snitch can tell you a lot about what applications are making connection attempts and can help you to manage them.  This is the most useful kind of firewall, in my opinion, as it can allow you to detect and block attempts to transmit data by applications that you don’t fully trust. Of course, in untrained hands, Little Snitch can also cause a lot of paranoia when it brings perfectly normal processes that you’ve never heard of to your attention.

The ipfw firewall also has its uses.  Since it can block packets going to or coming from specific IP addresses, or ranges of IP addresses, it can be used to ensure certain ports don’t get used at all or blacklist certain sites.  For example, ipfw could be used on machines in a high school computer lab to keep kids from being able to access social media sites when they’re supposed to be doing other things.

Final Word

For the most part, the average user does not need a firewall.  A firewall is not a magical solution to problems like malware and spam, and is not much use at protecting a system that is left unsecured.  While some users may find them useful, they should be used with full knowledge of their purpose, and as only a part of a more complete security strategy.  For more advice on securing your system, see the Corsaire Whitepaper on Securing Mac OS X Leopard 10.5, the Mac OS X Security Configuration For Leopard Second Edition and the Mac OS X Security Configuration for Snow Leopard.






Leave a Reply

Your email address will not be published. Required fields are marked *