Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Leopard Firewall? (new mac owner)

Jan 29, 2008 2:10PM PST

Do I need to enable the firewall? It is currently set to allow all incoming connections (default). I would never consider not running a firewall on a Windows computer, but I've heard that Macs are not vulnerable to spyware and viruses.
With that said, do I need to download antivirus software?
Any security recommendations would really be appreciated.
Thanks!


You can do this. But why?
Jan 29, 2008 8:02PM PST

First let me write that I've written responders or daemons for Linux, so I'm pretty conversant about why we don't need a firewall in Unix-based systems. But with the debacle that was Windows, where you can't examine what is responding to inbound packets, the need for a firewall was not optional.

-> So turn it on if it makes you feel better. I'd rather see you do that than worry. Be sure to research LITTLE SNITCH.

Bob

odd one.
Jan 31, 2008 11:21AM PST

Some people argue you don't need a firewall on Mac OS X, or any UNIX-based variant, because of the design of the system itself. Unlike Windows, the way UNIX is designed, in a way, kinda renders the need for a firewall null. But turning it on is no harm; it is included with the OS, so it really won't do any harm. There are holes in UNIX too, and using a firewall can help. I use it on my Mac, on Puppy Linux on my laptop, and Windows too. No harm done, just peace of mind really.

I even run ClamXav on my Mac, just to make sure I am not holding any viruses...

Ya can never be too careful.

"There are holes in UNIX too and using a firewall can help."
Jan 31, 2008 8:40PM PST

Please supply an example for the latest Mac OS X. I can't find it.

In fact, given how the inetd works, what does the firewall add to the party?

Remember I'm a programmer that has written Unix responders or daemons so I might use a term here or there that you should ask for a definition.

Bob

...
Jan 31, 2008 9:24PM PST

It's a computer. It connects to the internet. There are bound to be flaws. There are; Apple has patched plenty, mainly in QuickTime.

I am not disputing your knowledge, and you have asked me about inetd before, and I gave you an answer. You aren't seriously saying that UNIX has no holes and is impenetrable - right?

I'm asking you...
Jan 31, 2008 9:48PM PST

...how the firewall adds security to this OS given how inetd works. Since all is known about what packets fire up what service or responder, what did I add for security besides a warm feeling?

Be specific.

I am not asking you about QuickTime.

Bob

Okay.
Feb 3, 2008 7:30AM PST

I admit inetd serves a similar purpose to the firewall. But it is not the same thing. I don't know much about inetd, so I referred to Wikipedia. According to it, inetd listens on designated ports and launches the appropriate server program to handle the incoming packet request. Basically, what you said.

A firewall is designed to keep out intruders, and allow you to filter packets by rules. Wikipedia even says that for protocols that have heavy traffic, a dedicated server may be preferable over inetd. Maybe I don't understand, but I don't see much of a connection between a firewall and this "inetd" you so regularly speak of, except for the fact that they have to do with packets.

I don't even have the firewall turned on, on my own Mac OS system. But it must have some sort of purpose or Apple wouldn't add it.

Now, as a learner, I am asking you to educate me. Why don't I need a firewall if inetd is so great, and why do most systems, Linux, Mac OS, include one?

Your logic is somewhat outdated.
Feb 3, 2008 7:37AM PST

Just been doing some more research, and it appears inetd is barely even used anymore.

This taken directly from the Wiki.

"inetd replacements

In recent years, because of the security limitations in the original design of inetd, it has been replaced by xinetd, rlinetd, ucspi-tcp, Upstart and others in many systems. Distributions of Linux especially have many options and Mac OS X (beginning with Mac OS X v10.2) uses xinetd. As of version Mac OS X v10.4, Apple has merged the functionality of inetd into launchd.
The services provided by inetd can be omitted entirely. This is becoming more common where machines are dedicated to a single function. For example, an HTTP server could be configured to just run httpd and have no other ports open. A dedicated firewall could have no services started.

Security concerns

While the inetd concept as a service dispatcher is not inherently insecure, the long list of services that inetd traditionally provided gave computer security experts pause. The possibility of a service having an exploitable flaw, or the service just being abused, had to be considered. Unnecessary services were disabled and off by default became the mantra. It is not uncommon to find an /etc/inetd.conf with almost all the services commented out in a modern Unix distribution."

Sounds to me like inetd isn't as perfect as originally thought. And your hint about Little Snitch kinda proves this. Why go adding third party software to the system (this is one thing that always gets me) when the feature you need is inherent in the OS.

Sorry, I can't seem to keep a straight face here. Did Wikipedia just PWN you?!
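The quoted Wikipedia passage says a modern /etc/inetd.conf usually has almost every service commented out. The script below, added here as an example and not posted by anyone in the thread, shows what that audit looks like in practice: it parses the inetd.conf format (one service per line; a leading `#` disables it), reports which services are actually enabled, and flags enabled entries from a list of legacy cleartext services. The configuration text is a constructed sample, not taken from any real machine.

```python
"""Audit an inetd.conf: list enabled services and flag legacy ones.

The sample configuration below is constructed for this example.
"""
from dataclasses import dataclass
from typing import List

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample for this example)
#ftp     stream  tcp  nowait  root   /usr/libexec/ftpd      ftpd -l
telnet   stream  tcp  nowait  root   /usr/libexec/telnetd   telnetd
ssh      stream  tcp  nowait  root   /usr/sbin/sshd         sshd -i
#finger  stream  tcp  nowait  nobody /usr/libexec/fingerd   fingerd -s
ntalk    dgram   udp  wait    root   /usr/libexec/ntalkd    ntalkd
#echo    stream  tcp  nowait  root   internal
"""

# Socket types that a real inetd.conf service line can carry.
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Services that send credentials or data in the clear; worth flagging
# if they are still enabled.
LEGACY_CLEARTEXT = {"telnet", "ftp", "finger", "rsh", "rlogin", "rexec", "tftp"}


@dataclass
class InetdService:
    name: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    enabled: bool  # False when the line is commented out


def parse_inetd_conf(text: str) -> List[InetdService]:
    """Return every service line, enabled or commented out."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A service line has at least: name type proto wait user program.
        # Free-form comments are skipped by the field count and type check.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        services.append(InetdService(*fields[:6], enabled=enabled))
    return services


def enabled_services(text: str) -> List[str]:
    """Names of services inetd would actually start."""
    return [s.name for s in parse_inetd_conf(text) if s.enabled]


def flagged_services(text: str) -> List[str]:
    """Enabled services from the legacy cleartext list."""
    return [n for n in enabled_services(text) if n in LEGACY_CLEARTEXT]


if __name__ == "__main__":
    for svc in parse_inetd_conf(SAMPLE_INETD_CONF):
        state = "ENABLED " if svc.enabled else "disabled"
        print(f"{state} {svc.name:8} {svc.protocol} {svc.program}")
    print("flagged:", flagged_services(SAMPLE_INETD_CONF))
```

On the sample, six service lines are found, three are enabled (telnet, ssh, ntalk), and telnet is flagged. The same field layout applies to a real /etc/inetd.conf, so the script can be pointed at one directly; on a launchd-based Mac OS X, the equivalent information lives in the launchd service plists instead.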

Actually we have a deprogramming group for ex Windows users
Feb 3, 2008 8:14AM PST

It's very hard to deprogram them from firewalls and antivirus. Yes, I may have oversimplified inetd and not talked about the super daemon, but I am ready to talk about such.

You, on the other hand, had to go out and research how inetd worked, so I put it to you that your advice in this area is borne out of the Windows fiasco and not from living with Unix (look at SUN computers and the ATT 3B2s), then Linux, and now Mac OS X.

You are thinking there is some flaw in the service (a responder to the IP request packet) yet we can't find such documented. Please supply some article that shows this flaw in this OS.

Thanks but you are trying to convince an old die hard Unix head.

Bob

I am not an ex-Windows user.
Feb 3, 2008 8:27AM PST

While I am feeling the need or desire to use Windows less and less every day (Linux on laptop, Mac OS X on the Mac), I wouldn't call myself an ex-Windows user. It has its place and that is that.

Yes, I did have to go out and research inetd, and you are correct, I haven't lived with UNIX for very long at all. I am only 17, and my main computing system has been Windows for the majority of my life. I only got into *nix based systems recently, so you gotta let me have a chance at learning - if you'd be so kind...

I am just a natural skepticist. Or however it is spelt. I know I may not be able to provide proof, and I didn't mention flaws in the inetd program, I just mentioned that it was old and according to the wiki, not necessarily substantial on its own. But, a computer system of any kind will have flaws for as long as my *** points downwards. You asked me to provide flaws for Mac OS X and I gave you the mess that is Quicktime, and the patches that Apple makes. I am not a security expert, but I have eyes, and I can read. Apple *IS* patching flaws in their system, whether you believe it or not. You then said in the next paragraph that you weren't asking about Quicktime, and quickly directed the conversation elsewhere. ***?! Don't ask for something and then shove it aside once I give it to you, please.

You've still not answered my question as to the purpose of firewalls in the *nix based OS's if, as according to you, they have no substantial purpose. So I am asking. Why are they there?

Sorry, and no offense, but I just don't understand you sometimes.

Yes, I used the ATT 3B2 and various SUNs.
Feb 3, 2008 8:36AM PST

Don't fret about it. It's just sad to see those adding such to systems that don't need it.

-> But you'll still see me note "Little Snitch."

Ever watch Lil' Abner?

Bob

I'll take your word for it...
Feb 3, 2008 8:46AM PST

My firewall will most likely remain off. I don't keep file sharing on, either.

I will continue to learn about UNIX, Linux, Macs, and see what I come up with. I was pure Windows up until only really a few months ago, so I think I am doing well.

The truth? I think Windows will eventually fade and UNIX will rule the planet. Part of the reason I am getting into other OS's. Also, because Vista does not really excite me.

But I still don't believe in flawless systems Wink

There will never be such a "flawless" thing
Feb 3, 2008 10:26AM PST

I've found that disabling the firewall on my Mac actually helps when connecting to Wi-Fi networks... Most routers have them built-in anyway, so there's less of a risk for those with UNIX systems.

Give Vista another year (or two) and then we can see what MS makes of it. If it isn't any better within that period of time, then we can only hope Windows 7 is better. By then though, Apple will have an even better OS: Lion 10.6. Eventually they're going to run out of cats to choose from. Dog names are better Steve, come on Grin.

-BMF

Unix, Linux, Mac or Win...it doesn't matter.
Feb 8, 2008 12:14PM PST

I've been in IT for 20 years...and no matter *what* system you run, if it is "open" to the Internet (or any other network...) it should be firewalled. The reason? There are always some idiots or crooks out there willing to hack you to take advantage of your system. Whether it be for money or just to hi-jack your processor power, or whatever...it can be done easily if you are not protected from the outside world.

This said, *nix-based systems do have a slightly lower risk due to their inherent nature, but the risk is still there.

Firewall your incoming connection using a hardware firewall (most routers come with them built in these days) and you probably don't have to worry with a software firewall on your system, but make sure you run some kind of firewall. Software firewalls on the end point system are a last resort and I personally don't use them unless there isn't a better option, such as a hardware firewall on the router.

You can debate all day long the wondrous aspects of different OSes, but the fact remains that if you expose yourself to the outside world, eventually someone will find you and attack.

Quoted for truth!
Feb 8, 2008 4:54PM PST

That is pretty much *exactly* what I was trying to ascertain above in my first reply post.

Just like you said, because of the inherent design (and design flaws, in some cases) of different systems it does mean UNIX, Linux and BSD based systems have "less" of a need for software firewall, but where possible a hardware firewall is still desirable.

In the best case though, common sense....

I run antivirus on my Mac, ClamXav. In fact I do on Windows as well, not because I need the protection, but often because other people do. Happy

Today, there is no need for it.
Feb 9, 2008 12:25AM PST

The Windows culture has sadly been seeping into other areas with issues we don't have here.

-> But let's get down to it. Where is the exploit? Today there are none.

Bob

You believe what you want, I'll believe what I want.
Feb 9, 2008 1:34AM PST

You repeatedly call the Windows culture, like it's a bad thing. (Say, this is the system that has 85+ market share, right?)

Personally, the way you treat some people in here, and the way you speak of others (I'm generalising, as in, user of an OS), I think you should have your moderator status taken away from you.

But people will be people, ears will be deaf, and all that.

On the flip side, you speak of *nix users like it's a superiority.

I stand by what I said up top there. Everything has flaws, everything will have flaws, for as long as my butt end points down.

yeah, I use a Mac as my main system, and Linux as well as Windows on my laptop. You see me using that as a status symbol, or so called "superiority?" I don't think so buddy.

No exploits for UNIX, Linux, FreeBSD, Mac OS X? You are beyond a joke.

I am done with this thread.

You can keep going down that road.
Feb 9, 2008 1:44AM PST

What tells you the firewall doesn't have an exploit or bug?

This is why I asked for a documented exploit.

Bob

Back at you
Feb 9, 2008 2:07AM PST

I'm sorry if your feelings are hurt in any way here. My background is from designing and programming electronics from about the '70s to today. As I'm good to go in discussions from electrons to operating systems my view on this is based on working on the insides of these systems and not from the usual consumer view.

-> If you want to discuss the deep dark reasons then I'm your man. If you want me to write this firewall is needed for this OS then you are asking the wrong person.

Let's extend your reasoning to the other devices we own. Did you install a firewall on your smartphone? Since we can install 3rd party apps there, please explain why you didn't.

As to your links. None of these are flying here. All were either patched, from years ago or required the user to do a dumb thing. If you are advocating a system that protects us from being dumb then you want a PS3, XBOX 360 and not any computer that allows you to add what you want or write code.

The best one I remember since we looked deeply at it was the wifi driver exploit. The exploit appeared to be beyond the capability of today's programmers.

Now if you had written about the bluetooth exploits (which are not limited to Mac or PCs) I would have been impressed. That was a true blunder and the firewall wouldn't have helped.

Bob

I've heard you say this before, too.
Feb 9, 2008 2:11AM PST

No, I did not install a firewall on my phone.

Phone != Computer.

We can argue about this all day or you can just accept that I don't hide behind status symbol.

If I could install a firewall for my phone? I would!

Today's cell phones are more than
Feb 9, 2008 2:17AM PST

I pick up my Treo cell phone and it's more computer than my old Windows 3.1 machine. And I can install 3rd party apps on many of those.

What status? I'm totally unarmed here save my few decades of working inside and underneath the designs that you are talking about. This gives me a better view of the issue.

Bob

(NT) PS. Did you read where I noted Little Snitch?
Feb 9, 2008 2:32AM PST
(NT) Very funny.
Feb 9, 2008 2:42AM PST
Yes - opened ports by default
Feb 8, 2008 5:21PM PST

The answer is 'yes' - on Mac OS X, you should be running a firewall.

The good news is, if you have an ADSL modem/router it may already have a fully-activated firewall built-in. A separate firewall like this is much better than an OS-resident firewall, and will stop any services from exposing themselves across the internet. Mac OS X's firewall doesn't *quite* do that...

But to weigh into the actual debate: If it's a system where you'll be only installing software that you know and trust, and other users cannot install new software, and the software you're using doesn't open ports, then you're safe without a firewall. If you're likely to install software that you're not intimately familiar with (e.g. a normal home desktop computer), then a firewall is a good idea in case some new software responds to socket requests.
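The post above turns the whole question into one check: does the software on the machine open ports that answer connections from the network? The script below is an added example (mine, not from this poster or from Apple) of that check. It parses the output of `netstat -an` in the BSD format that Mac OS X prints (local address and port joined by a dot, e.g. `*.22`), keeps TCP sockets in LISTEN state and UDP sockets bound with no peer, and separates the ones bound to all interfaces (reachable from the network) from the ones bound to loopback only. The netstat text is a constructed sample, not captured from a real Mac.

```python
"""List listening sockets from `netstat -an` output and mark which ones
are reachable from the network (bound to all interfaces) rather than
loopback only. The sample output is constructed for this example and
follows the column layout of BSD netstat as shipped on Mac OS X.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp46      0      0  *.88                   *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.172.224.47.443      ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.49161        *.*
"""

# Local addresses that mean "every interface on the machine".
WILDCARDS = {"*", "0.0.0.0", "::"}


@dataclass
class ListeningSocket:
    proto: str      # e.g. tcp4, tcp46, udp4
    address: str    # bind address as printed by netstat
    port: int
    exposed: bool   # True when bound to all interfaces


def parse_listening_sockets(text: str) -> List[ListeningSocket]:
    """Return the sockets that are waiting for traffic."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header, or something that is not a socket
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        # TCP: only LISTEN sockets accept new connections.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        # UDP has no state column; a bound socket with no peer is a listener.
        if proto.startswith("udp") and foreign != "*.*":
            continue
        address, port = local.rsplit(".", 1)
        sockets.append(ListeningSocket(proto, address, int(port),
                                       address in WILDCARDS))
    return sockets


def exposed_ports(text: str) -> List[Tuple[str, int]]:
    """(protocol, port) pairs reachable from other hosts, sorted."""
    return sorted({(s.proto[:3], s.port)
                   for s in parse_listening_sockets(text) if s.exposed})


def loopback_ports(text: str) -> List[Tuple[str, int]]:
    """(protocol, port) pairs only reachable from the machine itself."""
    return sorted({(s.proto[:3], s.port)
                   for s in parse_listening_sockets(text) if not s.exposed})


if __name__ == "__main__":
    # On a real Mac, replace SAMPLE_NETSTAT with the output of `netstat -an`.
    for s in parse_listening_sockets(SAMPLE_NETSTAT):
        where = "network-reachable" if s.exposed else "loopback only"
        print(f"{s.proto:6} {s.address:>12}:{s.port:<6} {where}")
    print("exposed:", exposed_ports(SAMPLE_NETSTAT))
```

On the sample this reports tcp/22, tcp/88 and udp/5353 as reachable from the network and tcp/631 and udp/49161 as loopback only; the established connection on port 49152 is not a listener and is ignored. Each exposed entry is a service that the machine answers for without any firewall, which is exactly the case the post says a firewall is there to cover. One caveat on the router advice earlier in the thread: a firewall in the router filters traffic arriving from the internet, but it does nothing about other hosts on the same local network, so these sockets are still reachable from a shared Wi-Fi segment.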