Re: [MAGNet] Norton Personal Firewall 3.0.2 incompatible with Mac OS X 10.4

From: Karen Eft <kareneft_at_berkeley.edu>
Date: Thu May 19 2005 - 11:43:23 PDT

Ryan,
With a million apologies for probable "I already have it"
scenarios, could you please send me a copy of the
latest version of this list?

I'll just post it and we can worry about the appropriate
links, etc. LATER.

Thank you very much,
  -Karen

>At 15:34 -0700 2005-05-18, Aron Roberts wrote:
>> Norton Personal Firewall (NPF) 3.0.2, the current version of the
>>campus's site-licensed personal ("host-based") firewall for Mac OS
>>X, is incompatible with Mac OS X 10.4 ("Tiger").
>>
>> We have just received word from its vendor, Symantec Corporation,
>>about when a compatible version will be available. From our
>>standpoint, the news isn't good: the initial update for Tiger
>>compatibility is currently expected to be released three months
>>from now, in mid-August 2005.
>>[snip: more details at <http://ls.berkeley.edu/mail/magnet/2005/0199.html>]
>
>At 10:27 -0700 2005-05-19, Gregory German wrote:
>>Please forgive my ignorance, but now that OS X 10.4 has a built-in
>>firewall that logs blocked packets, why does it not meet the campus
>>minimum security standards?
>
>In the message "Re: [MAGNet] Norton Personal Firewall 3.0.2
>incompatible wi", dated 2005-05-19, Mike Hunter wrote:
>
>>All network devices *are* subject to the MSS. I was just alluding
>>to the fact that the MSS says something about firewall and
>>anti-virus software must be installed for devices that have such
>>software available on the software.berkeley.edu page.
>
> The Campus Information Security Committee (CISC) has developed a
>supplemental list of products which meet the requirements of the
>campus minimum security standards policy, going beyond the products
>available for downloading from <http://software.berkeley.edu>.
>
> Ryan Means distributed a hardcopy draft of this supplemental list
>at the Micronet meeting on April 12, which mentioned that the
>integral Mac OS X firewall (ipfw, of BSD lineage) was an acceptable
>alternative to Norton Personal Firewall. The list also included
>other anti-virus and host-based firewall products for Windows, Mac
>OS X, Unix, and Linux.
>
> Would Ryan, Tom, or someone else from CISC be willing to catch all
>of us up on the current status - and availability - of that list?
>
> That also leads into the related question:
>
>Does Mac OS X's integral firewall meet the minimum standards?
>-------------------------------------------------------------
>At 10:47 -0700 2005-05-19, Gregory German wrote:
>>However, I want to know why the 10.4 built-in firewall doesn't meet
>>the standards. The fact that it's not listed on the software
>>distribution website doesn't make sense because it's not software
>>that anyone would download as it is part of the OS. Is there some
>>hard technical reason why the built-in firewall is not up to snuff?
>
> As noted above, from the hardcopy list distributed on April 12,
>CISC apparently believes that the integral Mac OS X firewall *does*
>meet the requirements of the implementation guidelines.
>
> However, it's not clear whether it does meet the logging
>requirements, at least under Mac OS X versions before 10.4 ("Tiger").
>
> The minimum standards implementation guidelines
><http://security.berkeley.edu:2002/MinStds/Firewalls.html> require
>that host-based firewall software be capable of, and configured to,
>"log inbound and outbound blocked packets." The following is a
>quick and dirty summary of the default logging capabilities of ipfw
>as configured by Apple under Mac OS X:
>
> Alan Oppenheimer, et al. of Open Door Networks write
><http://www.opendoor.com/whosthere/UG/WTAppendixX.html>:
>
>>Mac OS X 10.4 ("Tiger") has, for the first time, included logging
>>capabilities with its built-in firewall user interface, accessible
>>through the System Preferences Sharing window.
>>
>>... In OS X 10.4.0, and possibly in later versions [of Tiger], the
>>firewall log only includes denied connection attempts. ... An
>>additional, although much less severe, problem with logging in
>>Tiger's built-in firewall user interface is that Mac OS X archives
>>and resets the log file every 7 days, and deletes old archived logs
>>after approximately a month. ...
>
> I haven't checked whether the default configuration of ipfw under
>Tiger logs denied *outbound* packets - or, if it doesn't, whether it
>can easily be made to do so, preferably by an unmanaged user - as
>required by the implementation guidelines. (Information from
>someone who's looked into this would be welcome; please post to
>these lists.)
>
> Under Mac OS X 10.2 ("Jaguar") or 10.3 ("Panther"), firewall
>logging is not enabled by default. And there is no GUI interface
>that a user has at their disposal to easily enable logging, at least
>without the (possible) assistance of third-party firewall
>configuration tools.
>
> The following document describes how to enable logging under those
>earlier versions of Mac OS X. Doing this is clearly something not
>within the capabilities of an average user, unless assisted by some
>careful scripting or a (human) support provider:
>
> Daniel Cote
> "Setting up firewall rules on Mac OS X"
> http://www3.sympatico.ca/dccote/firewall.html
>
>>The rules are described below. To execute it, do sh
>>rc.firewall.current as root, or sudo sh rc.firewall.current.
>
> The relevant excerpt from the updated firewall rules enables logging:
>
># Make sure logging is enabled (disabled by default)
>if [ "`/usr/sbin/sysctl -n net.inet.ip.fw.verbose`" -eq 0 ] ; then
>    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
>fi
>
>>Once you know it works, you can set up the computer to start the
>>firewall automatically.
>
> Daniel then describes additional work that needs to be done to
>make this happen - depending on whether you have a dynamic or static
>address - in the "Installing and starting the firewall" section of
>his document. Those steps might also be challenging for most
>unmanaged Mac OS X users:
>
>>1) Dynamic IP address with ppp connection (most modems)
>>
>>There used to be a shell script that would monitor the IP address
>>and adjust the firewall accordingly when required. This broke with
>>10.1.x. However, I found out in the mean time that there is a much
>>simpler way of doing that. With a ppp connection (i.e. modem), two
>>scripts are automatically called when the connection is up and when
>>the connection is taken down. They are /etc/ppp/ip-up and
>>/etc/ppp/ip-down (see man pppd for more info in the terminal).
>>Hence, one simply has to start the firewall in /etc/ppp/ip-up and
>>flush the firewall in /etc/ppp/ip-down. I have provided two very
>>simple ip-up and ip-down scripts. It assumes you will keep
>>rc.firewall.current in /usr/local/sbin/. The script ip-up also
>>works around a small bug in natd for 10.1 where it does not reset
>>itself after a change of IP address (look at ip-up for more info,
>>but it is pretty trivial).
>>Dynamic IP with ppp: start firewall when connection is up
>>
>>  cd /wherever/you/downloaded/MacOS_X_Firewall
>>  sudo install -o root -g admin -m 0700 rc.firewall.current /usr/local/sbin/
>>  sudo install -o root -g admin -m 0770 ip-up ip-down /etc/ppp/
>>
>>You do not need anything in the /Library/StartupItems/ directory
>>and if you do have a /Library/StartupItems/Firewall directory, you
>>should delete it. You are done.
>>
>>2) Static IP address without ppp
>>
>>The best thing to do with a static IP address is to set up the
>>firewall at boot time by adding an item in
>>/Library/StartupItems/Firewall/. In the archive provided above, you
>>will find Firewall and StartupParameters.plist which you will copy
>>into /Library/StartupItems/. It assumes you will keep
>>rc.firewall.current in /usr/local/sbin/.
>>Static IP and no ppp: start firewall on startup
>>
>>  cd /wherever/you/downloaded/MacOS_X_Firewall
>>  sudo install -o root -g admin -m 0700 rc.firewall.current /usr/local/sbin/
>>  sudo install -o root -g admin -m 0770 Firewall StartupParameters.plist /Library/StartupItems/Firewall/
>>
>>Next time you reboot, the firewall will be up. For now, you should
>>simply do: sudo /Library/StartupItems/Firewall/Firewall. No need to
>>reboot, you are done.
>
>Aron Roberts
>Workstation Software Support Group
>

-- 
=========================================================
  Karen E. Eft   Information Technology Policy Manager
  UC Berkeley (510)642-4095 http://itpolicy.berkeley.edu
=========================================================
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
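An added example, not part of this thread and not Daniel Cote's rc.firewall script: a POSIX sh script for Tiger-era ipfw that covers the "log inbound and outbound blocked packets" requirement Aron quotes from the implementation guidelines. It checks the sysctl that turns ipfw logging on (the same net.inet.ip.fw.verbose switch Daniel's excerpt sets), adds a ruleset whose deny rules carry "log" in both directions, and audits ipfw log lines to confirm that both directions actually show up. Everything not in the thread is an assumption: the /sbin/ipfw and /usr/sbin/sysctl paths, the rule numbers, the outbound block of the Windows file-sharing ports (an illustrative policy, not the campus standard), the hostname and documentation-range addresses in the constructed sample log.

```shell
#!/bin/sh
# Added example: not from the thread above nor from Daniel Cote's
# rc.firewall script. It covers the "log inbound and outbound blocked
# packets" requirement in three parts: the sysctls that make ipfw log at
# all, a ruleset whose deny rules carry "log" in both directions, and an
# offline audit of ipfw log lines that confirms both directions appear.
# Assumptions (not from the page): Tiger-era paths for ipfw and sysctl,
# illustrative rule numbers, an illustrative outbound block of the
# Windows file-sharing ports, and a constructed sample log.

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/usr/sbin/sysctl}

# Succeeds when a net.inet.ip.fw.verbose value means logging is on.
# The value is passed in so the check runs without root and offline.
logging_enabled() {
    [ "$1" -ne 0 ] 2>/dev/null
}

# Succeeds when net.inet.ip.fw.verbose_limit is 0 (no limit). A non-zero
# limit makes ipfw stop logging a rule after that many packets, so a log
# that looked fine at install time can go silent later.
log_limit_ok() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# Ruleset with "log" on every deny, inbound and outbound. Without the
# keyword a denied packet is dropped silently even when verbose=1.
# Outbound traffic not matched by 12400 falls through to 12410, and the
# stateful entry it creates lets the replies back in at 02020.
ipfw_logging_rules() {
    cat <<'EOF'
add 02000 allow ip from any to any via lo0
add 02010 deny log ip from any to 127.0.0.0/8 in
add 02020 check-state
add 02030 allow tcp from any to any 22 in setup keep-state
add 12400 deny log tcp from any to any 135,137-139,445 out
add 12410 allow ip from me to any out keep-state
add 65000 deny log ip from any to any in
EOF
}

# Turn logging on and load the rules (root required). Flushing is left
# to the caller's existing rc.firewall so an unrelated ruleset is not
# wiped by accident.
apply_rules() {
    "$SYSCTL" -w net.inet.ip.fw.verbose=1 >/dev/null
    "$SYSCTL" -w net.inet.ip.fw.verbose_limit=0 >/dev/null
    ipfw_logging_rules | while read -r rule; do
        # word splitting of $rule is intended: each line is one command
        "$IPFW" -q $rule
    done
}

# Read the live sysctls and report which part of the logging setup is off.
verify_live() {
    rc=0
    logging_enabled "$("$SYSCTL" -n net.inet.ip.fw.verbose)" ||
        { echo "net.inet.ip.fw.verbose is 0: ipfw logs nothing" >&2; rc=1; }
    log_limit_ok "$("$SYSCTL" -n net.inet.ip.fw.verbose_limit)" ||
        { echo "net.inet.ip.fw.verbose_limit is set: logging will stop" >&2; rc=1; }
    return $rc
}

# Count denied packets per direction in ipfw log lines read on stdin.
# Tiger's /var/log/ipfw.log carries the kernel's format:
#   <date> <host> ipfw: <rule> Deny <proto> <src> <dst> <in|out> via <if>
count_blocked_directions() {
    awk '/ipfw: [0-9]+ Deny / {
             if ($0 ~ / in via /) in_cnt++
             else if ($0 ~ / out via /) out_cnt++
         }
         END { printf "in=%d out=%d\n", in_cnt, out_cnt }'
}

# Constructed sample log (documentation addresses, made-up host): two
# inbound denies, one outbound deny, and one unrelated syslog line.
sample_log() {
    cat <<'EOF'
May 19 11:40:01 tigerbox ipfw: 65000 Deny TCP 192.0.2.10:3241 198.51.100.20:445 in via en0
May 19 11:40:05 tigerbox ipfw: 65000 Deny UDP 192.0.2.10:137 198.51.100.20:137 in via en0
May 19 11:40:09 tigerbox ipfw: 12400 Deny TCP 198.51.100.20:49155 192.0.2.10:445 out via en0
May 19 11:40:12 tigerbox sudo: karen : TTY=ttyp1 ; COMMAND=/usr/sbin/sysctl -n net.inet.ip.fw.verbose
EOF
}

case "${1:-}" in
    apply)  apply_rules ;;                              # sysctls on, then rules
    verify) verify_live ;;                              # check a running Tiger box
    "")     sample_log | count_blocked_directions ;;    # offline demo
    *)      count_blocked_directions < "$1" ;;          # audit a real log file
esac
```

Run with no arguments to see the audit over the constructed sample ("in=2 out=1"); pass a path to audit a real /var/log/ipfw.log; `verify` reads the two sysctls on a live machine and says which one defeats logging; `apply` needs root. The verbose_limit check is the caveat worth keeping: a log that shows blocked packets the day the firewall is installed proves nothing about a week later if a per-rule limit is set, which is exactly the kind of configuration drift a minimum-standard "capable of, and configured to" clause is meant to catch.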
Received on Thu May 19 11:46:22 2005

This archive was generated by hypermail 2.1.8 : Thu May 19 2005 - 11:46:24 PDT