Leopard Firewall

Since the release of Leopard, Heise Security (no longer online, and not available in the wayback machine) criticized Apple Leopards firewall.

They were looking in the wrong place. I got my brand new Leopard installed on my MacBook Pro as soon as I got it. The new finder showed me my AFP and SMB shares nicely in the sidebar. A few days later, the AFP shares where still there, but the SMB shares where gone. So I went looking for what had changed.

I had turned on the firewall! A bit of rooting around later uncovered that ipfw is NOT Leopards firewall.

/usr/libexec/ApplicationFirewall/socketfilterfw is. And the file /Library/Preferences/com.apple.alf.plist is it’s config file. Changing the firewall settings in the preferences menu changes that file, and NOT ipfw.

Also, when the firewall is set to “Set access to specific services and applications”, that actually WORKS!

The trick? You have to reboot to make it work. Yes, true, you shouldn’t HAVE to. But it is a FAR cry away from “it doesn’t work”… The nc test does still fail though.

In short, Heise made some valid points. There are some odd things about the Leopard firewall. But it is not entirely non-functional. Lets see what 10.5.1 brings us :)

PS: for those of us that are truly paranoid, ipfw IS still installed :)

UPDATE: The reason the firewall lets nc through, is because it was SIGNED.

$ cp /usr/bin/nc ~/
$ strip nc -o nc.2
strip: changes being made to the file will invalidate the code signature in: /Users/cnf/nc (for architecture i386)
strip: changes being made to the file will invalidate the code signature in: /Users/cnf/nc (for architecture ppc7400)
$ ./nc.2 -l 0.0.0.0 1414

Lo and behold, Leopard’s firewall BLOCKS this…