Focus on Apple
Apple releases Mac OS X v10.5.1 with Application Firewall security updates Nov 15 2007 07:11PM Todd Woodward (todd_woodward symantec com) (1 replies)
Application Firewall security updates Nov 15 2007 08:08PM Radoslav Dejanović (radoslav dejanovic opsus hr) (4 replies)
RE: Application Firewall security updates Nov 15 2007 09:55PM Todd Woodward (todd_woodward symantec com)
Re: Application Firewall security updates Nov 15 2007 09:51PM Dave Schroeder (das doit wisc edu) (3 replies)
Re: Application Firewall security updates Nov 15 2007 11:36PM Mark Senior (senatorfrog gmail com) (3 replies)
Re: Application Firewall security updates Nov 17 2007 02:54PM Chris Pepper (pepper reppep com) (1 replies)
Re: Application Firewall security updates Nov 19 2007 12:59PM Sandor Szücs (sszuecs zedat fu-berlin de)
Re: Application Firewall security updates Nov 16 2007 11:03AM Radoslav Dejanović (radoslav dejanovic opsus hr) (2 replies)
Re: Application Firewall security updates Nov 16 2007 04:34PM Derek Chesterfield (dez mac com) (1 replies)
Re: Application Firewall security updates Nov 16 2007 04:47AM Derek Chesterfield (dez mac com) (2 replies)
Re: Application Firewall security updates Nov 15 2007 10:08PM Radoslav Dejanović (radoslav dejanovic opsus hr)
Radoslav made one of the two points I intended to make: we've been here
before, courtesy of Microsoft.

What I find curious about decisions like this is that Apple did not stop
to consider how easily they could satisfy multiple needs through a more
thoughtful UI.

1) expose the firewall as a unique system preference (at least MSFT got
this right). Hiding it under sharing is not helpful.

2) accurately describe the purpose of the firewall. Sharing says little
about the firewall itself and what it says ("Click start to prevent
incoming network communication to all services..." in 10.4) is incorrect.

3) provide a complete and accurate description of each action and the
associated result. List the services that will be inbound enabled even
when you click Start. Provide a warning that says "you may want to make
certain you are operating behind a firewall appliance that will block
unknown parties and bad actors from accessing these services before you
choose this option".

4) provide a "do not allow *any* inbound connections" choice, and
accompany this with a warning that says, "if you do this you will block
the following applications. Choose this option if you are connecting to
an untrusted network (public WiFi, ...)".

Radoslav Dejanović wrote:
> Todd Woodward wrote:
>> Apple today released Mac OS X v10.5.1 with Application Firewall
>> updates which cover the following issues:
>>
>>
>> * "Block all incoming connections" setting renamed to "Allow only
>> essential services" to more "accurately [describe] the option"
>>
> What a nice WTF. This is a good example of what IMHO is Apple's wrong
> tactics. There's a *huge* difference between "block all incoming
> connections" and "allow only essential services". Those are two
> completely different things. :-)
>
> And then, for the average user, the statement "allow only essential
> services" is quite confusing. What are essential services? What if a user
> has no need for some of them, yet can't easily turn them off because
> they're in the "essential" pack? What if someone really wants to disable
> all incoming connections (say, lots of people that use just a DSL
> connection, Mac and a USB printer)? If the setting has been *renamed*,
> does that mean that there's actually no way to fully disable incoming
> connections? Or is it still there somewhere?
>
> Granted, you can still use ipfw to set up fine-grained firewall
> policies, so you're not really stuck with Application Layer Firewall.
> But, how many users know how to handle ipfw?
>
>
> That's weird - while it is true that many users would like to have a
> firewall that's easy to set up, denying them the ability to completely lock
> their computers is not something I would call good security practice.
> Mixing descriptions, and having deceptive descriptions that don't
> reflect the true status of the firewall - I can't see the point here.
> Is this, like, being user-friendly?
>
>
> P.S. Application Layer Firewall, AFAIK, doesn't filter out programs
> running with superuser privileges. That calls for trouble.
>
David Piscitello
dave (at) corecom (dot) com
http://hhi.corecom.com/weblogindex.htm