At 15:34 -0700 2005-05-18, Aron Roberts wrote:
> Norton Personal Firewall (NPF) 3.0.2, the current version of the
>campus's site-licensed personal ("host-based") firewall for Mac OS
>X, is incompatible with Mac OS X 10.4 ("Tiger").
>
> We have just received word from its vendor, Symantec Corporation,
>about when a compatible version will be available. From our
>standpoint, the news isn't good: the initial update for Tiger
>compatibility is currently expected to be released three months from
>now, in mid-August 2005.
>[snip: more details at <http://ls.berkeley.edu/mail/magnet/2005/0199.html>]
At 10:27 -0700 2005-05-19, Gregory German wrote:
>Please forgive my ignorance, but now that OS X 10.4 has a built-in
>firewall that logs blocked packets, why does it not meet the campus
>minimum security standards?
In the message "Re: [MAGNet] Norton Personal Firewall 3.0.2
incompatible wi", dated 2005-05-19, Mike Hunter wrote:
>All network devices *are* subject to the MSS. I was just alluding to
>the fact that the MSS says something about firewall and anti-virus
>software must be installed for devices that have such software
>available on the software.berkeley.edu page.
The Campus Information Security Committee (CISC) has developed a
supplemental list of products which meet the requirements of the
campus minimum security standards policy, going beyond the products
available for downloading from <http://software.berkeley.edu>.
Ryan Means distributed a hardcopy draft of this supplemental list
at the Micronet meeting on April 12, which mentioned that the
integral Mac OS X firewall (ipfw, of BSD lineage) was an acceptable
alternative to Norton Personal Firewall. The list also included
other anti-virus and host-based firewall products for Windows, Mac OS
X, Unix, and Linux.
Would Ryan, Tom, or someone else from CISC be willing to catch all
of us up on the current status - and availability - of that list?
That also leads into the related question:
Does Mac OS X's integral firewall meet the minimum standards?
-------------------------------------------------------------
At 10:47 -0700 2005-05-19, Gregory German wrote:
>However, I want to know why the 10.4 built-in firewall doesn't meet
>the standards. The fact that it's not listed on the software
>distribution website doesn't make sense because it's not software
>that anyone would download as it is part of the OS. Is there some
>hard technical reason why the built-in firewall is not up to snuff?
As noted above, from the hardcopy list distributed on April 12,
CISC apparently believes that the integral Mac OS X firewall *does*
meet the requirements of the implementation guidelines.
However, it's not clear whether it does meet the logging
requirements, at least under Mac OS X versions before 10.4 ("Tiger").
The minimum standards implementation guidelines
<http://security.berkeley.edu:2002/MinStds/Firewalls.html> require
that host-based firewall software be capable of, and configured to,
"log inbound and outbound blocked packets." The following is a quick
and dirty summary of the default logging capabilities of ipfw as
configured by Apple under Mac OS X:
Alan Oppenheimer, et al. of Open Door Networks write
<http://www.opendoor.com/whosthere/UG/WTAppendixX.html>:
>Mac OS X 10.4 ("Tiger") has, for the first time, included logging
>capabilities with its built-in firewall user interface, accessible
>through the System Preferences Sharing window.
>
>... In OS X 10.4.0, and possibly in later versions [of Tiger], the
>firewall log only includes denied connection attempts. ... An
>additional, although much less severe, problem with logging in
>Tiger's built-in firewall user interface is that Mac OS X archives
>and resets the log file every 7 days, and deletes old archived logs
>after approximately a month. ...
I haven't checked whether the default configuration of ipfw under
Tiger logs denied *outbound* packets - or if it doesn't, it can
easily be made to do so, preferably by an unmanaged user - as
required by the implementation guidelines. (Information from someone
who's looked into this would be welcome; please post to these lists.)
Under Mac OS X 10.2 ("Jaguar") or 10.3 ("Panther"), firewall
logging is not enabled by default. And there is no GUI interface
that a user has at their disposal to easily enable logging, at least
without the (possible) assistance of third-party firewall
configuration tools.
The following document describes how to enable logging under those
earlier versions of Mac OS X. Doing this is clearly something not
within the capabilities of an average user, unless assisted by some
careful scripting or a (human) support provider:
Daniel Cote
"Setting up firewall rules on Mac OS X"
http://www3.sympatico.ca/dccote/firewall.html
>The rules are described below. To execute it, do sh
>rc.firewall.current as root, or sudo sh rc.firewall.current.
The relevant excerpt from the updated firewall rules enables logging:
# Make sure logging is enabled (disabled by default); ipfw's "log" keyword
# on a rule has no effect unless this sysctl is non-zero
if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` = 0 ] ; then
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi
>Once you know it works, you can set up the computer to start the
>firewall automatically.
Daniel then describes additional work that needs to be done to make
this happen - depending on whether you have a dynamic or static
address - in the "Installing and starting the firewall" section of
his document. Those steps might also be challenging for most
unmanaged Mac OS X users:
>1) Dynamic IP address with ppp connection (most modems)
>
>There used to be a shell script that would monitor the IP address
>and adjust the firewall accordingly when required. This broke with
>10.1.x. However, I found out in the mean time that there is a much
>simpler way of doing that. With a ppp connection (i.e. modem), two
>scripts are automatically called when the connection is up and when
>the connection is taken down. They are /etc/ppp/ip-up and
>/etc/ppp/ip-down (see man pppd for more info in the terminal).
>Hence, one simply has to start the firewall in /etc/ppp/ip-up and
>flush the firewall in /etc/ppp/ip-down. I have provided two very
>simple ip-up and ip-down scripts. It assumes you will keep
>rc.firewall.current in /usr/local/sbin/. The script ip-up also works
>around a small bug in natd for 10.1 where it does not reset itself
>after a change of IP address (look at ip-up for more info, but it is
>pretty trivial).
>Dynamic IP with ppp: start firewall when connection is up
>cd /wherever/you/downloaded/MacOS_X_Firewall
>sudo install -o root -g admin -m 0700 rc.firewall.current /usr/local/sbin/
>sudo install -o root -g admin -m 0770 ip-up ip-down /etc/ppp/
>
>You do not need anything in the /Library/StartupItems/ directory and
>if you do have a /Library/StartupItems/Firewall directory, you
>should delete it. You are done.
>
>2) Static IP address without ppp
>
>The best thing to do with a static IP address is to set up the
>firewall at boot time by adding an item in
>/Library/StartupItems/Firewall/. In the archive provided above, you
>will find Firewall and StartupParameters.plist which you will copy
>into /Library/StartupItems/. It assumes you will keep
>rc.firewall.current in /usr/local/sbin/.
>Static IP and no ppp: start firewall on startup
>cd /wherever/you/downloaded/MacOS_X_Firewall
>sudo install -o root -g admin -m 0700 rc.firewall.current /usr/local/sbin/
>sudo install -o root -g admin -m 0770 Firewall StartupParameters.plist /Library/StartupItems/Firewall/
>
>Next time you reboot, the firewall will be up. For now, you should
>simply do: sudo /Library/StartupItems/Firewall/Firewall. No need to
>reboot, you are done.
Aron Roberts
Workstation Software Support Group
Received on Thu May 19 11:18:07 2005