Focus on Apple
Thread: Apple releases Mac OS X v10.5.1 with Application Firewall security updates
  Nov 15 2007 07:11PM  Todd Woodward (todd_woodward symantec com)  (1 reply)
  Application Firewall security updates  Nov 15 2007 08:08PM  Radoslav Dejanović (radoslav dejanovic opsus hr)  (4 replies)
  Re: Application Firewall security updates  Nov 21 2007 03:00PM  Dave Piscitello (dave corecom com)  (2 replies)
  Re: Application Firewall security updates  Nov 21 2007 09:27PM  Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)  (3 replies)
  RE: Application Firewall security updates  Nov 21 2007 10:43PM  Todd Woodward (todd_woodward symantec com)
  RE: Application Firewall security updates  Nov 15 2007 09:55PM  Todd Woodward (todd_woodward symantec com)
On Nov 15, 2007, at 2:08 PM, Radoslav Dejanović wrote:
> Todd Woodward wrote:
>> Apple today released Mac OS X v10.5.1 with Application Firewall
>> updates which cover the following issues:
>>
>>
>> * "Block all incoming connections" setting renamed to "Allow only
>> essential services" to more "accurately [describe] the option"
>>
> What a nice WTF. This is a good example of what IMHO is Apple's
> wrong tactics. There's *huge* difference between "block all incoming
> connections" and "allow only essential services". Those are two
> completely different things. :-)
I was waiting for someone to comment on this...
Apple's "everything just works" niceties *depend* on things like
Bonjour in particular being able to be accessed, and most users would
end up selecting "Block all incoming connections" when making a
firewall choice, because they won't really understand anything
else...and "more" is "better", right? So blocking all must mean I'm
*super* secure.
...Except that now when I get my AppleTV and buy my son or daughter a
Mac and expect to be able to do all the cool stuff that doesn't
require any configuration, nothing works. Why doesn't it work? They
won't be able to answer that any more than they know what to pick on
the Firewall preferences screen.
So what Apple does is a little bit of deciding for the user what makes
sense. The first step was going to an intelligent application level
firewall. The next was making some policies that allow services Apple
considers "essential" to the whole Mac OS X user experience. And like
it or not, Bonjour is part of that.
> And then, for the average user, the statement "allow only essential
> services" is quite confusing. What are essential services? What if
> user has no need for some of them, yet can't easily turn them off
> because they're in the "essential" pack? What if someone really
> wants to disable all incoming connections (say, lots of people that
> use just a DSL connection, a Mac and a USB printer)? If the setting
> has been *renamed*, does that mean that there's actually no way to
> fully disable incoming connections? Or is it still there somewhere?
Yes. Well, "still" there would be inaccurate. It was never there on
Leopard. "Block all incoming connections" didn't actually block all
incoming connections.
> Granted, you can still use ipfw to set up fine-grained firewall
> policies, so you're not really stuck with Application Layer
> Firewall. But, how many users know how to handle ipfw?
Anyone who knows enough to know, for certain, that they don't want,
e.g., Bonjour open also knows how to use any of a number of free or
commercial commandline or graphical options to set up ipfw any way
they wish.
That's the bottom line: anyone who knows enough to "know" they
"really" want to disable all incoming connections can easily do so.
Your example of "lots of people that use just a DSL connection, a Mac
and a USB printer" aren't necessarily people for whom it would be
appropriate to make that judgment.
> That's weird - while it is true that many users would like to have a
> firewall that's easy to set up, denying them ability to completely
> lock their computers is not something I would call good security
> practice. Mixing descriptions, and having deceptive descriptions
> that don't reflect the true status of the firewall - I can't see the
> point here. Is this, like, being user-friendly?
Yes, it is. That's the point. And if anything, the description was
deceptive in 10.5.0. It no longer is.
This is about making security *easy* for typical users, while still
keeping things that make the Mac experience "just work".
Now, I *do* wish that Apple had one more option: Block *everything*,
but explain, hey, this is going to break some things like Bonjour,
etc., so be SURE that you want to do this, and don't complain if all
of a sudden your AppleTV syncing and iTunes sharing and automatic
local machine discovery no longer work.
> P.S. Application Layer Firewall, AFAIK, doesn't filter out programs
> running with superuser privileges. That calls for trouble.
Apple describes all of this very explicitly here:
http://docs.info.apple.com/article.html?artnum=306938
The 10.5.0 Application Firewall blocked all but:
• Processes that are running as UID 0
• mDNSResponder
The 10.5.1 Application Firewall blocks all but:
• configd, which implements DHCP and other network configuration
services
• mDNSResponder, which implements Bonjour
• racoon, which implements IPSec
So, while I haven't tested yet, it does NOT appear to allow all UID 0
processes, but rather only the above processes. If this is accurate,
that concern is now moot.
- Dave
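An added example, not part of Dave's message or of Apple's documentation: a POSIX shell script that builds the "block everything incoming" ipfw policy Dave says he wishes the Firewall preference pane offered, while keeping outbound use of the machine working. DHCP replies (which configd needs to keep an address) are always let in; Bonjour's mDNS port is a switch, so you can see exactly what the "essential" exception costs. The function names build_ruleset and apply_ruleset, the rule numbers and the 10.5-era ipfw command syntax are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the list message or from Apple): an ipfw rule set
# that blocks every unsolicited incoming connection, i.e. the "block
# everything" option the 10.5.1 preference pane does not offer.
# Assumed names: build_ruleset and apply_ruleset are this script's own;
# rule numbers are arbitrary. Only the emitted text is tested here.

# build_ruleset ALLOW_BONJOUR
#   Prints one ipfw command per line. With ALLOW_BONJOUR=1 the mDNS port
#   (UDP 5353 to the link-local multicast group) is opened, which is the
#   minimum Bonjour discovery needs; with 0 it stays closed.
build_ruleset() {
    allow_bonjour=${1:-0}
    # Start from an empty table. Rule 65535 on Mac OS X is "allow", so the
    # explicit deny at the end is what turns this into default-deny.
    echo "ipfw -f flush"
    # Loopback traffic is not a remote attack surface; leave it alone.
    echo "ipfw add 100 allow ip from any to any via lo0"
    # Let replies to connections this host started come back in.
    echo "ipfw add 200 check-state"
    echo "ipfw add 300 allow tcp from me to any out setup keep-state"
    echo "ipfw add 310 allow udp from me to any out keep-state"
    # Error feedback for our own traffic: echo reply, unreachable, TTL exceeded.
    echo "ipfw add 320 allow icmp from any to me in icmptypes 0,3,11"
    # configd's DHCP client still needs server replies (UDP 67 -> 68). They
    # answer a broadcast request, so keep-state does not cover them.
    echo "ipfw add 400 allow udp from any 67 to any 68 in"
    if [ "$allow_bonjour" -eq 1 ]; then
        echo "ipfw add 500 allow udp from any to 224.0.0.251 5353 in"
    fi
    # Everything else that arrives unsolicited is dropped.
    echo "ipfw add 65000 deny ip from any to any in"
}

# apply_ruleset ALLOW_BONJOUR
#   Loads the rules; needs root and a Mac OS X ipfw. Stops at the first
#   command that fails so a half-applied table is not left behind silently.
apply_ruleset() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; nothing applied" >&2
        return 1
    fi
    build_ruleset "$1" | sh -e && ipfw list
}

# Usage: sh firewall.sh show [ALLOW_BONJOUR]   # print the rules only
#        sudo sh firewall.sh apply [ALLOW_BONJOUR]
case "${1:-}" in
    show)  build_ruleset "${2:-0}" ;;
    apply) apply_ruleset "${2:-0}" ;;
esac
```

`sh firewall.sh show 0` prints the closed variant; `sudo sh firewall.sh apply 1` loads it with only the mDNS exception and lists the resulting table. Two caveats a practitioner will hit: ipfw rules on Mac OS X are not kept across a reboot, so the script has to be rerun at boot (a launchd job is the usual way), and this table is IPv4 only, since IPv6 is handled by the separate ip6fw. It also sits below the Application Firewall, so it applies regardless of which radio button is selected in the preference pane.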