Section 133. Enable or Disable the Firewall



BEFORE YOU BEGIN

30 Configure Networking Manually


SEE ALSO

134 Add or Remove Firewall Rules


Mac OS X comes with a firewall to protect it from unwanted network traffic. When a firewall is running, data can travel between your Mac and a host elsewhere on the Internet only if it matches certain criteria: either the data must originate from your Mac (in other words, it must be a data transaction that you initiate), or, if the data is coming from another computer to your Mac, it must be one of a few specific types that the firewall knows about, such as web traffic (HTTP).

KEY TERM

Firewall A piece of software that runs at the very innermost level of the operating system (the kernel) and serves as a traffic cop for all the Internet communications that travel in or out of your Mac.


By default, Mac OS X ships with the firewall turned off. This means that anybody can send traffic of any kind to your Mac, and the Mac's software must either handle it properly or throw it away according to what kind of traffic it is. When you turn the firewall on, all the traffic but those few exempt types is simply discarded, and your software doesn't have to deal with it at all. This can improve your system's performance, as well as protect it against unsavory characters probing your computer for a weak spot in its defenses.

NOTES

You must be logged in as an Admin user, or able to authenticate as one using the lock icon in the Sharing Preferences pane, to enable or disable the firewall.

The Internet address space for DSL, cable, and corporate network links uses well-known IP ranges; if you are on such a connection, the automated scripts that "script kiddies" use to probe for holes such as the Code Red or Nimda vulnerabilities (which are still being exploited whenever anybody finds an unpatched Windows machine) constantly hit your Mac. Fortunately, Mac OS X is not vulnerable to these Windows-specific attacks, but running a firewall can definitely help you keep them from becoming a drain on your resources.


1.
Open the Sharing Preferences

Open the System Preferences application (under the Apple menu); click the Sharing icon to open the Sharing Preferences pane. Click the Firewall tab.



2.
Start the Firewall

To turn on the firewall and begin shielding your computer from attack, click the Start button. The button's label immediately changes to Stop .

3.
Poke a Hole in the Firewall for a Legitimate Service

You won't notice any change in your system's behavior after turning the firewall on; normal Internet traffic such as email and web browsing should continue to work seamlessly. However, there are many other kinds of networked applications (games, file-sharing apps, communication systems such as iChat, and many more) that will be stopped by the firewall when they originate at another computer and are aimed at yours. To allow these types of traffic through the firewall, you must create a "hole" for each one: an explicitly created exception to the general denial rules that block unknown and unwanted traffic.

Many of Mac OS X's built-in sharing services are tied in automatically with the firewall. For instance, if you turn on Web Sharing, the ports (the numeric identifiers for certain well-known services, such as HTTP or web traffic) associated with the Web Sharing service are opened automatically so that traffic using those ports can reach your computer. In the case of the Personal Web Sharing service, ports 80 and 427 are made exempt from the firewall so that remote users can connect to your computer with a web browser and view your public documents. One of these "holes" in the firewall is generally known as a rule, and your firewall can have any number of rules that describe what kinds of traffic are allowed through and which are prohibited.

KEY TERM

Rule An entry in the firewall's configuration that tells it to allow or disallow a certain kind of traffic.

There are a couple of extra rule entries in the Allow list box, corresponding to popular services you might run on your Mac, that you might find useful to enable. Select the check box for iChat Bonjour to allow other people on your local network to send you iChat requests. If you don't enable this exemption, other people won't be able to contact you for voice or video chats in iChat. Similarly, select the check box for iTunes Music Sharing to allow other people to browse your shared music in iTunes.
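Under the Firewall tab, Tiger's rules live in the kernel's ipfw packet filter, and `sudo ipfw list` in Terminal prints them one rule per line. The following audit script is an added example, not code from the book or from Apple: it reads that kind of listing and reports which inbound ports have been "poked open" and whether the general denial rule is present at all. The SAMPLE_RULES text is constructed in the style of `ipfw list` output (its rule numbers and exact wording are assumptions, not a capture from a real machine); it models the state described above, with Personal Web Sharing exempting TCP ports 80 and 427, plus one UDP exception.

```python
"""Audit the inbound 'holes' in a Mac OS X Tiger firewall rule set.

Added example, not from the book. Feed it the text printed by
`sudo ipfw list`; SAMPLE_RULES below is a constructed stand-in whose
rule numbers and wording are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: firewall on, Personal Web Sharing enabled
# (ports 80 and 427, as the text states) and one extra UDP exception.
SAMPLE_RULES = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 80 in
02080 allow tcp from any to any 427 in
02090 allow udp from any to any 5353 in
12190 deny log tcp from any to any
65535 allow ip from any to any
"""

# An explicit exception: "allow <proto> from any to any <ports> in".
INBOUND_ALLOW = re.compile(
    r"^(?P<num>\d+)\s+allow\s+(?P<proto>tcp|udp)\s+from\s+any\s+to\s+any\s+"
    r"(?P<ports>\d[\d,\-]*)\s+in\b"
)
# The general denial rule that discards every other inbound packet.
DEFAULT_DENY = re.compile(
    r"^(?P<num>\d+)\s+deny\s+(?:log\s+)?(?P<proto>tcp|udp|ip)\s+from\s+any\s+to\s+any\s*$"
)


def expand_ports(spec: str) -> List[int]:
    """Expand an ipfw port list such as '80', '80,443' or '6881-6889'."""
    ports: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def open_inbound_ports(rule_text: str) -> Dict[str, List[int]]:
    """Map protocol -> sorted ports that any remote host may reach."""
    found = {"tcp": set(), "udp": set()}
    for line in rule_text.splitlines():
        m = INBOUND_ALLOW.match(line.strip())
        if m:
            found[m.group("proto")].update(expand_ports(m.group("ports")))
    return {proto: sorted(ports) for proto, ports in found.items()}


def has_default_deny(rule_text: str) -> Dict[str, bool]:
    """Report whether tcp and udp each fall under a catch-all deny rule.

    False means the firewall is effectively off for that protocol: an
    unmatched packet falls through to the final rule and is allowed.
    """
    denied = {"tcp": False, "udp": False}
    for line in rule_text.splitlines():
        m = DEFAULT_DENY.match(line.strip())
        if not m:
            continue
        if m.group("proto") == "ip":
            denied["tcp"] = denied["udp"] = True
        else:
            denied[m.group("proto")] = True
    return denied


def audit(rule_text: str) -> List[str]:
    """Human-readable findings for the rule set."""
    findings = []
    for proto, ports in open_inbound_ports(rule_text).items():
        findings.append(f"{proto}: inbound exceptions on ports {ports or 'none'}")
    for proto, closed in has_default_deny(rule_text).items():
        state = "blocked by default" if closed else "NOT blocked by default"
        findings.append(f"{proto}: {state}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On a real Tiger machine you would pipe `sudo ipfw list` into `audit()` instead of using the constructed sample. The point of the two checks is that a rule set can have exceptions and still have no general denial for a protocol, which is exactly the case the "Block UDP Traffic" option in step 5 addresses: in the sample, UDP has an exception but no catch-all deny, so it is reported as not blocked by default.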

4.
Stop the Firewall

If you are having trouble making a connection to some remote host or online service, as might happen with instant-messaging services such as ICQ, your firewall might be getting in the way. It might be a one-time or uncommon occurrence for you to try to use the service in question. By far the best solution is to properly research the behavior of the software in question so you can properly open a firewall hole for it, but in a pinch, it can be easier for you to simply turn off the firewall temporarily to allow a file transfer or other transaction to go through, rather than finding out which specific ports you need to use to allow the traffic through the firewall on a permanent basis. Use this advice with utmost caution!

To turn the firewall off, click Stop in the Firewall tab of the Sharing Preferences pane. Remember to turn it back on by clicking Start when you're done using the application that the firewall interferes with!

5.
Set Advanced Firewall Options

Click the Advanced button. The Mac OS X firewall has three built-in security enhancements you can enable to quickly and cleanly deal with certain kinds of unwanted traffic.

Block UDP Traffic prevents any activity from reaching your computer that uses the UDP protocol, which is commonly used in Voice-over-IP (VoIP) communications as well as in tools that attackers often use to probe computers. Don't enable this option if you use VoIP applications, as it could make them stop working.

Enable Firewall Logging writes all information about traffic stopped by the firewall into a log file, which can be read at any time by clicking the Open Log button.

Enable Stealth Mode is an option for the super-secure computer, but not for the casual user. With it enabled, any unsolicited traffic will simply be discarded by your Mac, with no acknowledgment sent in response. In other words, the only network activity your Mac can engage in is traffic that you yourself initiate, such as web browsing or email. File sharing, FTP access, and other kinds of sharing where other computers access data on your computer are rendered unusable by this option, but it does ensure that no attacker will be able to determine that your computer exists.
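Once Enable Firewall Logging is on, the file behind the Open Log button fills with one line per blocked packet, and reading it by eye quickly becomes tedious. The script below is an added example, not from the book or from Apple: it parses such lines and summarizes which remote hosts were knocking and on which ports, which is how you would recognize the background scanning described in the notes above. The SAMPLE_LOG lines are constructed to follow the general shape of ipfw log messages ("<rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <interface>"); the hostname, addresses, timestamps and rule numbers are made up.

```python
"""Summarize what the Tiger firewall log records when logging is on.

Added example, not from the book. SAMPLE_LOG is constructed: it imitates
the shape of ipfw syslog lines, and every address and number in it is
made up.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Mar 10 14:22:01 powerbook ipfw: 12190 Deny TCP 192.0.2.45:4123 192.168.1.20:135 in via en0
Mar 10 14:22:01 powerbook ipfw: 12190 Deny TCP 192.0.2.45:4124 192.168.1.20:445 in via en0
Mar 10 14:22:07 powerbook ipfw: 2070 Accept TCP 198.51.100.7:50211 192.168.1.20:80 in via en0
Mar 10 14:22:30 powerbook ipfw: 12190 Deny UDP 203.0.113.3:1031 192.168.1.20:137 in via en0
Mar 10 14:22:31 powerbook ipfw: 12190 Deny UDP 203.0.113.3:1032 192.168.1.20:1434 in via en0
Mar 10 14:23:00 powerbook ipfw: 12190 Deny TCP 192.0.2.45:4130 192.168.1.20:135 in via en0
Mar 10 14:23:15 powerbook ipfw: 12190 Deny ICMP:8.0 203.0.113.9 192.168.1.20 in via en0
Mar 10 14:25:00 powerbook ipfw: this line is not a packet record
"""

# One packet record; ports are absent for ICMP, so they are optional.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>Accept|Deny|Reset|Unreach)\s+"
    r"(?P<proto>TCP|UDP|ICMP(?::[\d.]+)?)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that are not packet records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def denied_inbound(log_text: str) -> List[dict]:
    """Only the packets the firewall actually threw away on the way in."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["action"] == "Deny" and r["direction"] == "in"]


def by_target(log_text: str) -> Dict[Tuple[str, Optional[int]], int]:
    """Count blocked inbound packets per (protocol, destination port)."""
    return dict(Counter((r["proto"], r["dport"]) for r in denied_inbound(log_text)))


def by_source(log_text: str) -> Dict[str, int]:
    """Count blocked inbound packets per remote address: who is probing you."""
    return dict(Counter(r["src"] for r in denied_inbound(log_text)))


def udp_share(log_text: str) -> float:
    """Fraction of blocked inbound packets that were UDP (0.0 if nothing was blocked)."""
    blocked = denied_inbound(log_text)
    if not blocked:
        return 0.0
    return sum(1 for r in blocked if r["proto"] == "UDP") / len(blocked)


if __name__ == "__main__":
    print("blocked by (protocol, port):", by_target(SAMPLE_LOG))
    print("blocked by source:", by_source(SAMPLE_LOG))
    print(f"UDP share of blocked traffic: {udp_share(SAMPLE_LOG):.0%}")
```

The sample deliberately contains the kind of noise the notes above describe: repeated hits on Windows service ports from one address, a couple of UDP probes, and an ICMP echo request. The Accept line is excluded from every summary, and the non-record line is ignored by `parse_line`, so a day's worth of the real log can be fed in unfiltered.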



MAC OS X Tiger in a Snap
ISBN: 0672327066
Year: 2001
Pages: 212
Authors: Brian Tiemann