Mac OS X Built-In Firewall Options
By Damien Gallop

April 12th, 2003

Regardless of operating system, every computer connected to a network requires a firewall. Mac OS X comes with one built in, always has, always will. All you have to do is turn it on.

What is a firewall? A computer firewall is the software or hardware analog of its brick-and-mortar counterpart that separates two buildings in close proximity. In the event that one catches fire, the flames cannot readily damage the other building. So too, if there is destructive activity on your computer network, a firewall will prevent that activity from touching your machine.

In the world of computing, the only zeros are the digital zeroes that, together with a lot of digital ones, form the most basic cells of your data. Otherwise, everything is just as subject to the vagaries of the material universe as everything else. There is a probability that your hard drive will spin off its axis after so many millions of revolutions, that your motherboard will drop dead after so many thousands of hours, and so on. Likewise, a firewall vastly reduces the probability of your being hacked. But the probability is never zero. Security is never 100%. Anyone who tells you that it is isn't telling you something. When it comes to firewalls, it's a matter of being 99% likely to getting hacked versus 99% likely to be left alone. Which would you choose? It's a no-brainer.

Firewalls can be a software program, a hardware device, or something in-between, such as a dedicated firewall computer that contains two network cards. The better networks will use some combination of these, and not just one.

Mac OS X has come with a built-in firewall since its very first release. This firewall is a software program called ipfw, as cryptic a name as any, I suppose, reflecting its unix heritage. By default it's switched off. My single goal in this article is to convince you to switch it on. And, with the advent of Mac OS X Jaguar, it's a mere click of your mouse.

Open up the Sharing system preference, choose the Firewall tab, and press Start. Press again to stop. There you are.

Now that you have it running, I must point out that what you see isn't the firewall itself, but the graphical interface that operates it. ipfw is a unix program with nothing graphical about it. Early adopters of OS X, such as myself, had to either configure ipfw manually (not!) or download a clever graphical interface for it called BrickHouse for Mac OS X. If Jaguar's interface doesn't give you the flexibility you need, then use BrickHouse instead. You're still accessing the same firewall. Here are the firewall rules from my home machine, using each interface. You can easily guess which is which by the level of complexity. The paramount firewall rule? Some firewall is better than no firewall. Good.

In fact, ipfw is itself an interface, and not the actual firewall. Rather, it drives two programs called ipfirewall and dummynet. For more on this, type man ipfw at a Terminal prompt. In particular, notice the bit about ipfw's stateful behavior, a very clever concept. This feature isn't utilized by default in either of the above graphical interfaces, though. Pity.

BrickHouse has an option to install a start script. Should you do this and subsequently choose to use Jaguar's default interface instead of BrickHouse, then you need to pull that script. Open up your Macintosh HD desktop icon, then open /Library/StartupItems. In there you'll find a folder simply called Firewall, put there by BrickHouse. Select it, and press Cmd-I to get the information summary for it. Open the Ownership tab, and claim ownership from System. Now you can delete this entire folder. Do so. Reboot for effect. Then restart the firewall as above.

One of the beauties of the Jaguar firewall interface is how it automatically cooks a rule to open a network port to match a service you may choose to run on your Mac, a web server, say. Otherwise, it basically leaves your machine locked down. If you turn off that service, the corresponding firewall rule is automatically removed. If patience isn't your virtue, then this is the firewall for you.

Should you feel the urge to tinker with its settings, take a look at the /Library/Preferences/com.apple.sharing.firewall.plist file, using TextEdit. That tidbit comes courtesy of a discussion group thread I happened upon. Do I recommend you play with it? No, actually. But now you know where it is.

There are other firewalls made for OS X, some of which we've visited together previously. There are also hardware solutions, particularly the combo NAT gateway variety, which we also considered. But here and now, ipfw is the star of the show. It's free and it works. For a nice overview of how it works, check out a recent O'Reilly article on the subject.

Okay, so you have your firewall running, but how do you know it's working? One of my favorite diagnostic sites is Gibson Research Corp. Its ShieldsUP!! facility is a good benchmark of how secure your machine is. Now, this site is designed for Windows users, who seem to suffer the most vulnerabilities. Nevertheless, a computer is a computer, and the tests work just fine on a Mac. Open the page, and run the two tests called Test My Shields and Probe My Ports respectively. If you haven't yet installed a firewall, you'll get some interesting results. If you have, odds are pretty good that ShieldsUP!! will give you a five star rating. This isn't an exhaustive test, but it does represent several of the major internet access points on a computer. Note that even without a firewall your Mac is reasonably secure, though it remains visible on the network. A good firewall will cloak your machine with invisibility, which is exactly what you want. For firewalling that Windows machine on your network, look no further than ZoneAlarm for Windows, free for home use.

Regardless of whether you chose BrickHouse or Jaguar's own interface to enable your firewall, your Mac will pass the ShieldsUP!! tests with flying colors. Yet, the most cursory perusal of the sample firewall rules, above, will reveal that one setup is clearly more secure than the other. If you have the patience to play a little and the need for finer control of your firewall, then have a go with BrickHouse. But if automatic port management is more important to you than that last few percent of security insurance, then use the default interface. Either way, you'll sleep better.

For even better security, particularly at home on a broadband connection such as cable or DSL internet, get a combo NAT gateway for yourself. Next to a VCR, these little "black boxes" are the technology bargain of the decade. Installing one between your home computer or network and your broadband modem will give you a two-tiered level of firewalling. It could be the next-smartest security thing, after enabling OS X's firewall itself, that you ever do on your setup. Not only will you be able to sleep like a log, you'll also be able to experiment in peace and play with firewall rules between your home machines, say. And, if you inadvertently leave OS X's firewall off, you're still covered. What a deal.

My publisher pointed out that this will have been my hundredth article for this column. That's a milestone and occasion for a little celebration. Had I known that before I started writing this article, I certainly would have selected an appropriate topic. And, odds are very good that it would have been about firewalls, historically my favorite topic. I am glad and thankful to be able to share it with you now. Ciao.