Video Transcript / Captions
Closed captioning for this video is available on YouTube: MacMost Now 376: Snow Leopard Firewall.
Hi, this is Gary with MacMost Now. In today's episode, let's look at the Snow Leopard firewall.
So I've gotten a few questions recently about the firewall built into Leopard and Snow Leopard. People want to know if they should use it and what it is for. Let's take a closer look.
You can find the firewall in System Preferences under Security. Click on the third tab, which is the firewall tab. You can see there, by default, it's usually turned off. You can click Start to turn it on, but you're going to have to unlock it by entering in your password. And of course you have to have an admin account to do that. Click Start and now we've got the firewall going.
Right away you may get some notifications here. I've got some applications that want to use the firewall so I'll go through it. I'll allow those because I know both those applications; I installed them. And now the firewall is off and running.
Now to dig down in the firewall we click the Advanced button and we come up with this list that shows what is allowed to go through the firewall. So basically, turning on the firewall, which is blocking all connections, really doesn't do you much good because you're probably going to want to access the Internet, check your email, and surf the web. This will show you what gets through it.
You've got your basic things like file sharing, screen sharing, and web sharing. They're all turned on because I've enabled those services on my Mac. Obviously the Mac assumes that I don't want to disable them by turning on the firewall. I can go and disable each one of those under Sharing and it will automatically turn-off here in firewall as well.
And then I've got a bunch of other things here listed that have tried to go through the firewall, and whether or not they're allowed to. I can change whether they're allowed to by simply clicking here and choosing allow or block. This list will grow as you run applications that use more and more services over the Internet. You'll get prompted, just like I did before, whether or not they should go through. You could also add your own here. Click and add applications or you can select one and remove it from the firewall.
Now one of the things people really mean when they talk about firewalls is blocking all unwanted connections when they're on public wifi or something. That is done with this big check box here, right at the top. If I click that, basically what it does is it shuts down all of the ports on my Mac except for the ones that are obviously used for regular things, like Internet services or surfing the web.
One practice a lot of people do with their portable Macs is to check off this whenever they're in a situation where they're using public wifi. So maybe just before they travel or when they setup their laptop at a coffee shop; immediately go into firewall, check this off and then just surf the web and not use any of the other services they might normally use at home.
So what exactly does firewall do? Well, people love to use analogies when talking about firewall. They talk about their Mac's like a house, and you've got ports like windows and doors and things can come in and out of them. Well, I like to think of it more like an office building. Your office building has one address; that's like your IP address. But, inside of it, there are different areas of the office building that do different things. For instance, there may be a mailroom, a public relations firm, a real estate firm, all these different companies in there, and they each have individual suite numbers inside the office building.
That's kind of like ports on your Mac and the ports are used for different things. One port, like port 80, might be used for web surfing. Another port might be used for getting email and another port might be used for iChat.
Now a traditional firewall would block off ports. So say if you would close a specific port, or a whole range of ports and then try to chat, you might not be able to chat because the port used by that chat application has been closed. Snow Leopard takes a different approach and actually closes off the ports according to application. Instead of worrying about what port number iChat uses, you can simply allow iChat to have access over the firewall and your Mac will figure out automatically which ports need to be opened for that application and close off things that aren't needed.
So, is there danger? Well, danger theoretically exists if you've got all your ports, or a lot of ports open and you have a public IP address. This means the IP address of your Mac is actually open to the world. Somebody goes to that IP address from somewhere else in the world and they get your Mac.
Now this isn't typical if you were at home. If you have a cable modem, or DSL, or even if you're at work, you have a local IP address for your house or building and the public IP address is something that is handled by the network, say your router or your DSL or cable modem. In that case, it's already got kind of a firewall built-in to that modem that prevents people from accessing your Mac from outside.
But this may not necessarily be true if you're on public wifi. First of all, your local IP address on a public wifi network is available to other people on that same public network. So if you're using, say, an IP address at a conference center there might be hundreds of other people on that local network that may be able to go and see your machine.
The same thing is true if you have a static IP address for your Mac or happen to be assigned a temporary IP address that is not a local one, but can be accessed from anywhere in the world. This is rare, but if it does happen somebody can actually go to that IP address and try to use an application on a port.
So, the thing is that the analogy of a house with doors and windows open is not really good for firewalls and ports on your machine because if a door is open somebody can walk in. Well, it's not really true with a port. See, there's got to be something on the other side for them to communicate with. For instance, if it's a port used for chat, there's got to be a chat application running for them to go in and chat with you.
If somebody from the outside wants to come to your Mac, just simply having an open port is not going to allow them to do that. However, if there's a backdoor way for them to communicate with something already running on your system that allows them to get into your Mac, then you could have a security problem
So that's easy to say, but the truth is that it's only a theoretical problem. There's really no way for a hacker to come in to an open port on your Mac and get access to your Mac; at least none that I could find on any website or reported by anybody. It's a theoretical problem, and one that you could basically take the theory out of completely by turning on firewall and blocking all your unused ports.
Think of firewall as more of a safety precaution; not really a necessity. You may want to just forget about it or you may want to go ahead and turn on the firewall option, which blocks almost all incoming connections, while you're outside of your house or outside of work.
But there's kind of a trap here. You see, some people notice that if they take their Mac on somebody else's network and they have sharing turned on, that the other person can see their shared folders. They think the way to stop that is turning firewall on, but that won't work. What happens if you turn firewall on, but you have file sharing still turned on, then, simply, firewall will allow sharing to go through because you've turned it on. The way to stop somebody from seeing your shared folders on a network is to turn off file sharing, at least temporarily while you're on that other network, and then the firewall doesn't matter. Your file sharing is turned off; there's nothing for them to see even if you're machine is on the same network as them and your firewall is off.
So, to sum up, if you're very concerned about security and you're on some sort of public network or network shared by people other than people in your household, then you may want to turn file sharing off, as just a precaution. If you've never really though about it before and you're not to worried about it, then don't worry about it now. A lot of people go years and years without turning their firewall on. I certainly don't use it on the machines in my house. There's no way for anybody from the outside to get to them and I trust all the Macs that are in my house and my office.
I'd love for this video to be the start of a discussion about firewall and its usefulness. You can post comments on this video on http://www.MacMost.com and add to the discussion.
Til next time, this is Gary Rosenzweig with MacMost Now.
Hi, this is Gary with MacMost Now. In today's episode, let's look at the Snow Leopard firewall.
So I've gotten a few questions recently about the firewall built into Leopard and Snow Leopard. People want to know if they should use it and what it is for. Let's take a closer look.
You can find the firewall in System Preferences under Security. Click on the third tab, which is the firewall tab. You can see there, by default, it's usually turned off. You can click Start to turn it on, but you're going to have to unlock it by entering in your password. And of course you have to have an admin account to do that. Click Start and now we've got the firewall going.
Right away you may get some notifications here. I've got some applications that want to use the firewall so I'll go through it. I'll allow those because I know both those applications; I installed them. And now the firewall is off and running.
Now to dig down in the firewall we click the Advanced button and we come up with this list that shows what is allowed to go through the firewall. So basically, turning on the firewall, which is blocking all connections, really doesn't do you much good because you're probably going to want to access the Internet, check your email, and surf the web. This will show you what gets through it.
You've got your basic things like file sharing, screen sharing, and web sharing. They're all turned on because I've enabled those services on my Mac. Obviously the Mac assumes that I don't want to disable them by turning on the firewall. I can go and disable each one of those under Sharing and it will automatically turn-off here in firewall as well.
And then I've got a bunch of other things here listed that have tried to go through the firewall, and whether or not they're allowed to. I can change whether they're allowed to by simply clicking here and choosing allow or block. This list will grow as you run applications that use more and more services over the Internet. You'll get prompted, just like I did before, whether or not they should go through. You could also add your own here. Click and add applications or you can select one and remove it from the firewall.
Now one of the things people really mean when they talk about firewalls is blocking all unwanted connections when they're on public wifi or something. That is done with this big check box here, right at the top. If I click that, basically what it does is it shuts down all of the ports on my Mac except for the ones that are obviously used for regular things, like Internet services or surfing the web.
One practice a lot of people do with their portable Macs is to check off this whenever they're in a situation where they're using public wifi. So maybe just before they travel or when they setup their laptop at a coffee shop; immediately go into firewall, check this off and then just surf the web and not use any of the other services they might normally use at home.
So what exactly does firewall do? Well, people love to use analogies when talking about firewall. They talk about their Mac's like a house, and you've got ports like windows and doors and things can come in and out of them. Well, I like to think of it more like an office building. Your office building has one address; that's like your IP address. But, inside of it, there are different areas of the office building that do different things. For instance, there may be a mailroom, a public relations firm, a real estate firm, all these different companies in there, and they each have individual suite numbers inside the office building.
That's kind of like ports on your Mac and the ports are used for different things. One port, like port 80, might be used for web surfing. Another port might be used for getting email and another port might be used for iChat.
Now a traditional firewall would block off ports. So say if you would close a specific port, or a whole range of ports and then try to chat, you might not be able to chat because the port used by that chat application has been closed. Snow Leopard takes a different approach and actually closes off the ports according to application. Instead of worrying about what port number iChat uses, you can simply allow iChat to have access over the firewall and your Mac will figure out automatically which ports need to be opened for that application and close off things that aren't needed.
So, is there danger? Well, danger theoretically exists if you've got all your ports, or a lot of ports open and you have a public IP address. This means the IP address of your Mac is actually open to the world. Somebody goes to that IP address from somewhere else in the world and they get your Mac.
Now this isn't typical if you were at home. If you have a cable modem, or DSL, or even if you're at work, you have a local IP address for your house or building and the public IP address is something that is handled by the network, say your router or your DSL or cable modem. In that case, it's already got kind of a firewall built-in to that modem that prevents people from accessing your Mac from outside.
But this may not necessarily be true if you're on public wifi. First of all, your local IP address on a public wifi network is available to other people on that same public network. So if you're using, say, an IP address at a conference center there might be hundreds of other people on that local network that may be able to go and see your machine.
The same thing is true if you have a static IP address for your Mac or happen to be assigned a temporary IP address that is not a local one, but can be accessed from anywhere in the world. This is rare, but if it does happen somebody can actually go to that IP address and try to use an application on a port.
So, the thing is that the analogy of a house with doors and windows open is not really good for firewalls and ports on your machine because if a door is open somebody can walk in. Well, it's not really true with a port. See, there's got to be something on the other side for them to communicate with. For instance, if it's a port used for chat, there's got to be a chat application running for them to go in and chat with you.
If somebody from the outside wants to come to your Mac, just simply having an open port is not going to allow them to do that. However, if there's a backdoor way for them to communicate with something already running on your system that allows them to get into your Mac, then you could have a security problem
So that's easy to say, but the truth is that it's only a theoretical problem. There's really no way for a hacker to come in to an open port on your Mac and get access to your Mac; at least none that I could find on any website or reported by anybody. It's a theoretical problem, and one that you could basically take the theory out of completely by turning on firewall and blocking all your unused ports.
Think of firewall as more of a safety precaution; not really a necessity. You may want to just forget about it or you may want to go ahead and turn on the firewall option, which blocks almost all incoming connections, while you're outside of your house or outside of work.
But there's kind of a trap here. You see, some people notice that if they take their Mac on somebody else's network and they have sharing turned on, that the other person can see their shared folders. They think the way to stop that is turning firewall on, but that won't work. What happens if you turn firewall on, but you have file sharing still turned on, then, simply, firewall will allow sharing to go through because you've turned it on. The way to stop somebody from seeing your shared folders on a network is to turn off file sharing, at least temporarily while you're on that other network, and then the firewall doesn't matter. Your file sharing is turned off; there's nothing for them to see even if you're machine is on the same network as them and your firewall is off.
So, to sum up, if you're very concerned about security and you're on some sort of public network or network shared by people other than people in your household, then you may want to turn file sharing off, as just a precaution. If you've never really though about it before and you're not to worried about it, then don't worry about it now. A lot of people go years and years without turning their firewall on. I certainly don't use it on the machines in my house. There's no way for anybody from the outside to get to them and I trust all the Macs that are in my house and my office.
I'd love for this video to be the start of a discussion about firewall and its usefulness. You can post comments on this video on http://www.MacMost.com and add to the discussion.
Til next time, this is Gary Rosenzweig with MacMost Now.
Thank you Gary!
Any way to create custom ports on a Mac? For example. I know on a Windows PC, Remote Desktop Connection uses port 3389. I can go open specifically port 3389.
A site I like to visit to test my firewall is ShieldsUP by Steve Gibson
https://www.grc.com/x/ne.dll?bh0bkyd2
Sorry I mean specially open port 3390 instead of 3389
In Snow Leopard, don’t think ports before you think applications. Applications may or may not give you control over which ports they use. For instance, in Mail you can specify different POP and SMTP ports. In my FTP program I can specify ports for any connection. So think about which application you are trying to use, and then see if it allows you to set a preference for which port it uses.
Thank you, Gary, for very informative videos.
With the firewall, is there a performance overhead, or any other undesirable side effects, if it is switched on?
Considering what you said in the video (i.e. it depends on the setup: ADSL modem or Wi-Fi, local IP or common, etc.), is there a way to determine if switching built-in Mac OS firewall on will add anything to the security?
It is difficult to say if a Firewall will add security. But it shouldn’t add any overhead. The downside might be that you could turn something off that you didn’t realize you needed. For instance, if you switch off file sharing and then weeks later try to access your computer from elsewhere only to remember that you had turned file sharing off. Things like that.
Great tutorial Gary. Cleared up some questions I had.
How do you turn off File Sharing?
System Preferences. Sharing. Uncheck “File Sharing.” See episode 320 for some basics: http://macmost.com/simple-mac-file-sharing.html
Being basically a newbie to Mac, how can I know what to allow or not allow to bypass my firewall?
You don’t need to worry about it. if you decide to turn Firewall on, then things you have enabled (like file sharing) will automatically be allowed. If an application you are using (like Skype) needs access, you will be asked the first time. So there really is no need to decide anything — you can handle it all on the fly.
I’m so happy that it out today. That is all. Have a good day.
I’m so happy that it is out today. That is all. Have a good day.
Hello i was just checking to see if turning on the firewall of my little brothers mac before he goes off to college would be a good idea? What would be your viewpoint on this? thanks for your time!
Turning it on can’t hurt — unless he doesn’t know how to turn it off and he gets in a situation where he needs to. Unlikely, though. But just make sure he understands what it is for and how to work with it if he needs to.
Thanks alot for the video… I have a question….
how can I open a port in Snow Leopard. when I run the command:
sudo lsof -i -P | grep -i “listen”
I can see all the open ports on my laptop but the ports like 7,23 are not open… I just wanna open the port and locally connect telnet to my local host by the mentioned ports…
thanks alot
I don’t know if you are approaching it in the right way. If they are closed, you should be asking yourself, why are they closed? Look in your Sharing Firewall settings. If you have the things that use 7 and 23 turned off, then those ports would appear to be “closed” as nothing is receiving on those ports. Is Remote Login turned on in Sharing? If not, then that is why you can’t connect via SSH.
In Snow Leopard, don’t think “ports,” think “services.” Turn a service on, don’t “open a port.”
I prefer use protemac. com ProteMac NetMine.It’s really good firewall.It’s must be helpful to everyone:)
i’m new to mac. do i need to add iChat in the list of allowed connections before i could use it? i tried it the first time and it won’t connect. haven’t used it ever since.
Allowed connections? Do you mean in your firewall? You shouldn’t have to. But try it. It is more likely that something else is the problem — like a firewall in your router or with your ISP. Very difficult to tell.
thank you.
Hi Gary,
I’m running Leopard 10.5.8 on a G5 PPC.
My old modem/router broke so I bought a new one (Actiontec). I’m having problems with it staying connected. Whenever I turn “off” Leopard firewall it connects. When I turn firewall “on” and use selected applications only, it does not connect. What file/app should I put in the list of “allow incoming applications” in order for the modem/router to connect?
Thanks…
Which applications are having trouble? Just add those. Personally, I would just turn off the firewall and leave it off. If it is causing trouble, then it isn’t worth it. You can always call your ISP and ask them.
The ones that allow email, web browser (Safari), and automatic date and time settings…which are all on in “allow incoming applications”.
Not sure why the firewall is getting in the way. Perhaps some setting on the router. I’d call your ISP or refer to the router manual.
Thanks for your help and time Gary! Spoke with ISP provider and router company and they were no help in resolving the problem.
One more question…If I turned “off” the OS firewall, would the one built-in to the router/modem be enough to give me the security I would need for a home network? (only print sharing is turned “on”.)
Thanks again for your help:)
Firewall isn’t that important. Setting a password for our user account is what is most important.
Thanks Gary…just put a stronger password on my User Account…