Tuesday, August 22, 2006

OS X Firewall: Give me transparency or give me... a GUI!

I had an "entertaining" time getting a handle on OS X's firewall last night on my newest Mac Mini. For those of you unfamiliar with the OS X firewall's inner workings, I suggest you take a look at Jay Beale's DefCon presentation.

Here's the basic problem with OS X's firewall and it's configuration: It's not transparent to the user. The OS X firewall configuration interface is highly simplified and accessible but omits critical information about ports that it is leaving open regardless of the state indicated by the configuration GUI. For security conscious users like myself, it is unacceptable for the system to lead me to believe that I've blocked all ports but SSH (for example) and "stealthed" the machine when in fact it has left several other service ports wide open for access by anyone on the network and not stealthed the machine in any credible manner.

Apple needs to take this seriously. I can understand hiding complexity in UNIX systems from the user in a consumer OS , but when I ask for Advanced configuration what I'd like to see is an honest summary of which ports are not being blocked on my network interfaces. It doesn't seem like too much to ask but for some reason you just can't get that information from your Mac unless you're willing to go out to the command line and punch in some ipfw commands yourself. As has been illustrated time after time, the cost of doing security right the first time is far less than fixing it later.

Once I achieved frustration with the transparency of Apple's firewall preferences panel, I figured that someone else must have had this problem in the past and solved it with a good and completely transparent firewall configuration GUI for OS X. I checked out Flying Buttress and it was pretty good, but it seemed to have issues with hanging from time to time and it was difficult to get the actual firewall status and configuration after a policy apply. It had further problems once I accidentally tried to explore Apple's FirewallTool and it reestablished the default configuration in addition to Flying Butress's, the worst of both worlds. I then tried out Firewall Builder but there was all sorts of flakiness with it in terms of the GUI display as well as its intuitiveness. Then it crashed on me, and since they wanted money for that version I decided to pass on working with it any further. I checked out a couple other interfaces but they all had issues with transparency, utility and functionality. Flying Buttress was the closest, but it was still hiding configuration options from me while not displaying all of the ports it was leaving open. It does have an "expert" display mode that shows the exact configuration used, but it seems to be impossible to reflect any changes made to the expert mode in the regular GUI mode.

This is the exactly the sort of thing that gets people to start Open Source Projects and normally I'd use this as the perfect lead-in to starting to do some work with Cocoa (which I am deeply interested in) but I have another project on the front burner right now (more about that later).

This is exactly the kind of thing that Apple excels at, making complexity accessible to users. If they can make real-time video editing, movie creation, music creation and the like as easy and accessible to users as they have, they certainly can take on a task like configuration of the firewall for both casual and advanced users in a way that will be useful for both the casual and pro crowds.

For the record, at the end of the day I located this post (which was derived from this article) and used the info to create my final firewall rule set manually with vi and some scripting. Not exactly Apple-simple, but it got the job done.

So, anyone want to make a real firewall GUI for OS X? Is this anyone else's Dream App?

Technorati Tags: , ,


At 3:46 PM, Blogger Joel Esler said...

Didn't know you had a blog. Welcome to BlogLand

At 2:40 PM, Anonymous Anonymous said...

Anyone interested in firewall user interfaces should talk to the folks at www.matasano.com. Seriously.


Post a Comment

<< Home