Mac OS X 10.5 Leopard: About the Application Firewall
Summary
Mac OS X 10.5 Leopard includes a new technology called the Application Firewall.
One of the basic purposes of a firewall is to control connections made to your computer from other computers on the network. In most firewall software, you must know the network ports and protocols an application uses to communicate, in order to control that application's network connections.
Note: This article applies to the version of the Application Firewall included with Mac OS X 10.5.1 and later. Update to Mac OS X 10.5.1 or later if you have not yet done so.
The Firewall in Leopard is an Application Firewall. This type of firewall allows you to control connections on a per-application basis, rather than a per-port basis. This makes it easier for less experienced users to gain the benefits of firewall protection and helps prevent undesirable applications from taking control of network ports that have been opened for legitimate applications.
The Firewall applies to TCP and UDP, the Internet protocols most commonly used by applications. It does not affect AppleTalk. Incoming ICMP "pings" can be blocked by enabling Stealth Mode in the Advanced settings.
The ipfw packet filter from earlier versions of Mac OS X is still available from the command line (in Terminal), and the Application Firewall does not override rules set with ipfw. ipfw evaluates each packet first: if ipfw blocks an incoming packet, the Application Firewall never sees it.
Products Affected
Mac OS X 10.5
Configuring the Application Firewall
Follow these steps:
- Choose System Preferences from the Apple menu.
- Click Security.
- Click the Firewall tab.
- Choose what mode you would like the firewall to use.
Application Firewall's three modes of operation
1. Allow all incoming connections:
This is the most "open" mode. Mac OS X will not block any incoming connections to your computer, so the Application Firewall provides no protection in this mode. This is the default mode for Leopard. If you upgraded from Mac OS X 10.4.x, your Application Firewall will default to this mode.
2. Allow only essential services:
This is the most conservative mode. Mac OS X will block all connections except a limited list of services essential to the operation of your computer.
The system services that are still allowed to receive incoming connections are:
- configd, which implements DHCP and other network configuration services
- mDNSResponder, which implements Bonjour
- racoon, which implements IPsec key exchange (IKE)
3. Set access for specific services and applications:
This mode offers you the most flexibility. You can choose whether to allow or deny incoming connections for any application on your system.
You can click the "+" button to add an application to this list. You can select an application and click the "-" button to remove it. Control-clicking on the application name gives you the option to reveal the application's location in Finder.
Once you've added an application to the list, you can choose whether to allow or deny incoming connections for that application. You can even add command line applications to this list.
When you add an application to this list, Mac OS X digitally signs the application with an ad hoc signature (if it has not been signed already) so that it can recognize the same code later. If the application is later modified, the signature no longer matches and you will be prompted to allow or deny incoming network connections to it. Most applications do not modify themselves, so this is a safety feature that notifies you of the change.
Digitally signed applications
All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Leopard has been signed by Apple and is allowed to receive incoming connections. Note that a trusted signature identifies the application's origin and protects its integrity; it says nothing about whether you want the application to accept connections. If you wish to deny a digitally signed application, first add it to the list and then explicitly deny it.
If an unsigned application not in the Application Firewall list attempts to accept incoming connections, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X 10.5 signs the application and automatically adds it to the Application Firewall list. If you choose Deny, Mac OS X 10.5 signs the application, automatically adds it to the Application Firewall list and denies the connection.
Some applications verify their own integrity at launch by a method other than code signing, and would fail that check if the firewall modified them by adding a signature. If the Application Firewall recognizes such an application it will not sign it, but it will then present the dialog every time the application is run. This may be avoided by upgrading to a version of the application that is signed by its developer.
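As an added illustration (not Apple's code and not part of the original article), the following Python models the decision sequence described above: ipfw rules are consulted first, then Stealth Mode for pings, then the firewall's mode, the per-application list, and finally the code-signing rule for applications not in the list. The sample plist follows the layout of /Library/Preferences/com.apple.alf.plist but is constructed here; the key names are real, while the numeric encodings (globalstate 0/1/2 and state 0 = allow, 2 = block), the ipfw rule list and the example bundle identifiers are assumptions made for illustration. The App fields (trusted_signature, self_checks_integrity) stand in for facts the firewall derives from the code signature and are not a real API.

```python
import plistlib
import re
from dataclasses import dataclass

# Constructed sample in the shape of /Library/Preferences/com.apple.alf.plist
# (not captured from a real machine). Key names follow that file; the numeric
# meanings are assumptions for this illustration - check them against a real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>globalstate</key><integer>1</integer>
  <key>stealthenabled</key><integer>1</integer>
  <key>applications</key>
  <array>
    <dict><key>bundleid</key><string>com.example.chat</string>
          <key>state</key><integer>0</integer></dict>
    <dict><key>bundleid</key><string>com.example.unwanted</string>
          <key>state</key><integer>2</integer></dict>
  </array>
</dict>
</plist>
"""

MODE_NAMES = {0: "Allow all incoming connections",
              1: "Set access for specific services and applications",
              2: "Allow only essential services"}
STATE_ALLOW, STATE_BLOCK = 0, 2                      # assumed encoding of the per-app choice
ESSENTIAL = {"configd", "mDNSResponder", "racoon"}  # services listed in the article

# Constructed 'ipfw list' output. ipfw sees a packet before the Application
# Firewall does, so a deny here ends the evaluation.
IPFW_RULES = [
    "00100 deny tcp from any to any dst-port 5900 in",
    "65535 allow ip from any to any",
]
IPFW_RE = re.compile(r"^\d+\s+(allow|deny)\s+(ip|tcp|udp|icmp)\s+from\s+\S+\s+to\s+\S+"
                     r"(?:\s+dst-port\s+(\d+))?(?:\s+(in|out))?")

@dataclass
class App:
    name: str                  # process name, e.g. "mDNSResponder"
    bundleid: str              # identifier stored in the plist's applications list
    trusted_signature: bool    # signed by a CA the system trusts for code signing
    self_checks_integrity: bool = False   # verifies itself without code signing

def load_alf(data: bytes) -> dict:
    """Parse an alf.plist; reject a mode value the article does not define."""
    conf = plistlib.loads(data)
    if conf.get("globalstate") not in MODE_NAMES:
        raise ValueError(f"unknown globalstate {conf.get('globalstate')!r}")
    return conf

def mode_name(conf: dict) -> str:
    return MODE_NAMES[conf["globalstate"]]

def ipfw_verdict(proto: str, port, rules=IPFW_RULES) -> str:
    """First matching rule wins, as in ipfw. Models incoming packets only."""
    for line in rules:
        m = IPFW_RE.match(line)
        if not m:
            continue
        action, rproto, rport, direction = m.groups()
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and int(rport) != port:
            continue
        if direction == "out":
            continue
        return action
    return "allow"

def decide(conf: dict, app: App, proto: str, port=None) -> str:
    """Outcome for one incoming connection or packet, following the article's rules."""
    if ipfw_verdict(proto, port) == "deny":
        return "DROPPED_BY_IPFW"          # Application Firewall never sees it
    if proto == "icmp":                   # pings are not per-application
        return "DROP" if conf.get("stealthenabled") else "ALLOW"
    mode = conf["globalstate"]
    if mode == 0:
        return "ALLOW"
    if mode == 2:
        return "ALLOW" if app.name in ESSENTIAL else "DENY"
    # mode 1: the explicit list wins, then the code-signing rule applies
    for entry in conf.get("applications", []):
        if entry.get("bundleid") == app.bundleid:
            return "ALLOW" if entry.get("state") == STATE_ALLOW else "DENY"
    if app.trusted_signature:
        return "ALLOW"                    # trusted CA signature: allowed unless listed
    if app.self_checks_integrity:
        return "PROMPT_EVERY_RUN"         # firewall will not ad hoc sign it
    return "PROMPT"                       # answered once; app is then signed and listed

if __name__ == "__main__":
    conf = load_alf(SAMPLE_PLIST)
    print(mode_name(conf), decide(conf, App("NewTool", "com.example.newtool", False), "udp", 9000))
```

To run this against a real machine, pass the bytes of /Library/Preferences/com.apple.alf.plist to load_alf() and confirm the state encoding against the Firewall pane before trusting the result; the ipfw rule list would likewise be replaced by the output of sudo ipfw list.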