Personal firewall software for the Mac OS
This document provides a list of selected personal
firewall software products for the Mac OS. These products
can protect your computer from many types of network attacks
initiated from other computers.
This document also briefly describes two types of
hardware-based products - hardware routers and firewall
appliances - which can serve as alternative methods for
protecting Macintoshes on home networks.
Finally, this document provides links to selected Web-based resources which can help you
learn how to configure and use firewall products (both
software and hardware) with your Macintosh.
By blocking selected types of network connections to
your computer, personal firewall software can protect
your Macintosh against many types of attacks coming from other
computers on the Internet. Most such software is pre-configured
to block incoming connections initiated from other computers to
all - or nearly all - of the "network ports" on your Macintosh.
Firewall software can also typically be configured to block certain
types of outgoing connections, such as those initiated by viruses,
worms, or trojans that have made their way onto your computer.
Certain firewall software products offer additional
configuration options and features. Some common examples include:
- The ability to allow only selected computers to establish connections to your computer; and
- Logging of successful or failed connection attempts.
Personal (or "host-based") firewall software runs
directly on your Macintosh and is generally intended to protect just
your own computer. This is in contrast with
firewalls that your organization may be running elsewhere on your
network, which can protect multiple computers. These two types of
firewalls are often complementary; each may be able to prevent
certain types of attacks that the other cannot.
A firewall is only a piece of the security
puzzle, as it can only protect your computer
against certain types of attacks.
A firewall should never be your computer's only
protection. You should always combine a well-configured firewall
with up-to-date anti-virus software and
good system administration practices, such as:
- Turning off any unnecessary services your computer might be offering on the Internet;
- Setting up hard-to-guess passwords for each of the user accounts on your computer; and
- Regularly installing security updates from Apple and third-party software vendors.
In combination, security measures such as these
can help keep your computer from being taken over
by an intruder via the Internet, and can help protect your
data from being destroyed, altered, or exposed.
For excellent, in-depth guides which cover many techniques
for securing Macintoshes running Mac OS X from attack, please see
Stephen de Vries' white
papers at Corsaire's website, or Apple Inc.'s
Mac OS X Security Guides.
If you have a Macintosh at home with an
always-on, high-speed (DSL, cable modem ...) connection to the
Internet, you can also block many types of network attacks in
another way: by purchasing a hardware router
and placing it between your Macintosh and the DSL or cable modem
which connects your computer to the Internet.
The primary purpose of these devices is to allow you to share a
high-speed Internet connection amongst multiple computers on
your home network. However, adding a hardware router can be
useful even if you have only a single computer at home. That's
because nearly all of these devices include Network Address
Translation (NAT) functionality which offers protection roughly
comparable to that of personal firewall software, at least
against direct attacks over the Internet that are initiated by
other computers against your computer.
The Firewall Guide provides links to
reviews of many
popular hardware routers. When choosing a hardware router, keep
in mind that some routers require that you use a PC running Microsoft
Windows, rather than a Macintosh, when changing their settings or
updating their on-board software ("firmware"). To identify which
routers provide full support for Macintoshes, you can check vendor Web
sites, search for online product reviews, or contact vendors'
customer support staff.
If you should need even greater control over what network
traffic goes into and out of your home Macintosh and other
computers on your home network, another type of hardware device
called a firewall appliance might be worth
investigating. Firewall appliances typically include all of the
features of hardware routers, and add a highly configurable
firewall. Some of these products also come with such features
as virus scanning and Internet content filtering. However,
firewall appliances also may be considerably more expensive and
potentially more complicated to set up than hardware routers,
and are often oriented toward business use, rather than personal
use. The Talisker Firewalls website offers a list of some
firewall appliances aimed at small offices and home offices (abbreviated
on that page as "SOHO").
Whether you are using a hardware router or firewall appliance to
connect your home network to the Internet, it is important that
you change the default administration password - the password that is
provided by the manufacturer, and that is first used when you
take the device out of the box - to a strong password of your
own choosing. There is already "proof of concept"
code that demonstrates that a web page with a malicious script can
break into your home router or firewall if that device is still
using the default manufacturer's password. Having done so,
a miscreant can redirect your web browsing to fake websites, to
steal your passwords and identification numbers.
Finally, you may wish to run personal firewall software on each
of your home computers, even in conjunction with a hardware
router or firewall appliance. That way, if an intruder breaks
into one of the computers on your home network and thus
establishes a presence behind your hardware router or firewall
appliance, the other computers on your home network will still
be protected by their personal firewall software.
Hardware routers and firewall appliances are suggested here
only for home use, and should never be used on the UC Berkeley campus network.
(Listed alphabetically, except for Apple's ipfw. All prices
below are as of late May 2002, in USD, except as noted
otherwise.)
ipfw (Apple Inc.)
- Included with Mac OS X. (In Mac OS X 10.5 Leopard, Apple may have provided a different default firewall, although ipfw is still included.)
- Briefly described in the "On-the-box Firewalling" section of Apple's An Introduction to Mac OS X Security.
- A GUI configuration interface for ipfw was first included with Mac OS X 10.2 ("Jaguar"). In Mac OS X 10.3 ("Panther"), its interface is described in this sample page adapted from the book Mac OS X Panther All-in-One Desk Reference for Dummies.
- Under pre-Jaguar versions of Mac OS X, ipfw must be configured via the Unix command line and configuration files, or via a third-party GUI configuration utility such as BrickHouse, FireWalk X (version 1.x only), or Impasse.
- For advanced users, Daniel Côté's Setting up firewall rules on Mac OS X and Stefan Arentz's Building your own personal firewall (archived copy of Arentz's article as of August 2002, courtesy of the Internet Archive Wayback Machine) are representative of several articles which describe how to manually configure ipfw.

Flying Buttress, formerly BrickHouse (Brian Hill)
- Shareware ($25). Can be fully evaluated for a limited period of time at no cost.
- Application for configuring Apple's integral Mac OS X firewall. Offers a broad set of configuration and logging options, going well beyond Apple's interface.
- Version 1.3 requires Mac OS X 10.3 ("Panther") or later. Earlier versions work with Mac OS X 10.1 and 10.2 ("Jaguar").

DoorStop X Firewall (OpenDoor Networks)
- Commercial ($49 retail price).
- Firewall application with an easy-to-use configuration interface. It lets you restrict access to services by IP address range and adds enhanced logging, features which are not (yet) present in Apple's interface to its integral Mac OS X firewall.
- Requires Mac OS X 10.3 ("Panther") or Mac OS X 10.4 ("Tiger").

Firewalk X (Pliris; Mike Vannorsdel)
- Shareware ($34.99, as of late October 2003). The downloadable evaluation version can be used for up to two hours after each system reboot.
- Starting with version 2.x, includes its own firewall.
- Version 1.x of FireWalk X was an application for configuring Apple's integral ipfw firewall. Version 1.4.2 is still available for downloading from the vendor's website.
- The current version 2 release requires Mac OS X 10.2 ("Jaguar") or Mac OS X 10.3 ("Panther"). An earlier release of version 2 works with Mac OS X 10.1.

Impasse (Glucose Development Corporation)
- Note: this product no longer appears to be supported, although it is still available for downloading from major Macintosh download sites.
- Shareware ($10). Can be fully evaluated for a limited period of time at no cost.
- System preference panel for configuring Apple's integral ipfw firewall.
- Works with Mac OS X 10.1 and 10.2 ("Jaguar").

IPNetSentryX (Sustainable Softworks)
- Commercial ($40 retail price).
- A faceless background application which "watches for suspicious behavior, and when triggered, invokes a ... filter which completely bans the potential intruder from your Macintosh." Comes with a set of pre-configured triggers, to which users can add custom triggers.

InterGate (Vicomsoft)
- Commercial ($99 for a five-user license, as of late October 2003).
- Software Internet gateway (router) product which includes a network firewall.

Little Snitch (Objective Development)
- Shareware ($24.95). Demo version can be used for up to three hours at a time.
- An "application supervisor" which monitors outgoing network connections. When an application tries to access the network, it displays a dialog permitting the user to allow or deny the connection and asks whether to set up a permanent or temporary access rule for future connections of that type. Rules can also be edited via a System Preferences panel.
- Requires Mac OS X 10.2 ("Jaguar"), 10.3 ("Panther"), or 10.4 ("Tiger").

NetBarrier X4 (Intego)
- Commercial ($69.95 retail price). Also sold in various bundles with other Intego products as Intego Security Barrier.
- Includes additional features: "Antivandal" (e.g. detecting incorrect access passwords and protecting against denial of service attacks), "Internet Filter" (scanning outbound packets for personal data such as credit card numbers and passwords), and "Internet Privacy" (controlling cookies and ad banners, protecting against hostile Java applets and browser plug-ins).
- Works with Mac OS X 10.1, 10.2 ("Jaguar"), 10.3 ("Panther"), and 10.4 ("Tiger").

NoobProof (Hany El Imam)
- Freeware, open source.
- Simplified version of the author's WaterRoof utility (below) for basic configuration of ipfw, Apple's integral Mac OS X firewall.
- Requires Mac OS X 10.4 Tiger or later.

Norton Personal Firewall for Macintosh (Symantec Corporation)
- Commercial ($69.95 retail price).
- Application for configuring Apple's integral ipfw firewall and extending the feature set of that firewall through kernel extensions. Can be purchased by itself or in a bundle with several other products, including Norton AntiVirus, in Symantec's Norton Internet Security for Macintosh product ($99.95 retail price).
- An earlier version, version 2.x, came bundled with OpenDoor Networks' "Who's There? Firewall Advisor" product.
- Works with Mac OS X 10.1, 10.2 ("Jaguar"), and 10.3 ("Panther"). Via an update to version 3.0.3 or later, this product is also compatible with Mac OS X 10.4 ("Tiger").

sunShield (sunProtectingFactory, formerly sunBurst)
- Freeware.
- System preference panel for configuring Apple's integral ipfw firewall. Works with Mac OS X 10.1, 10.2 ("Jaguar"), and 10.3 ("Panther"). As of September 2005, a beta version had been released for compatibility with Mac OS X 10.4 ("Tiger").

WaterRoof (Hany El Imam)
- Freeware, open source.
- Application for configuring ipfw, Apple's integral Mac OS X firewall. Offers a set of configuration and logging options that go well beyond Apple's interface.
- Requires Mac OS X 10.4 Tiger or later.

Who's There? Firewall Advisor for Mac OS X (OpenDoor Networks)
- Commercial ($49 retail price).
- Not a firewall or firewall configuration utility. Rather, this product is a "firewall advisor," providing tools for analyzing and responding to the network attacks detected by a firewall.
- Works with Open Door's DoorStop X, Symantec's Norton Personal Firewall for Macintosh, BrickHouse, and "any other firewall that uses Mac OS X's built-in firewall logging capabilities."
- Came bundled with version 2.x of Norton Personal Firewall.
- Requires Mac OS X 10.2.8 or later.
(Listed alphabetically. All prices below are as of late May 2002, in USD, except
as noted otherwise.)
DoorStop Server Edition (OpenDoor Networks)

InterGate (Vicomsoft)
- Commercial ($99 for a five-user license, as of late October 2003).
- Software Internet gateway (router) product which includes a network firewall. The Mac OS 8 & 9 version of this software does not contain all of the features of the Mac OS X version. (See also "SurfDoubler.")

IPNetSentry (Sustainable Softworks)
- Commercial ($35 retail price).
- A faceless background application which "watches for suspicious behavior, and when triggered, invokes a ... filter which completely bans the potential intruder from your Macintosh." Comes with a set of pre-configured triggers, to which users can add custom triggers.

NetBarrier (Intego)
- Commercial ($59.95 retail price).
- Also can be purchased bundled with several other products in Intego's Internet Security Barrier product ($89.95 retail price).
- Includes additional features: "Antivandal" (e.g. detecting incorrect access passwords and protecting against denial of service attacks), "Internet Filter" (scanning outbound packets for personal data such as credit card numbers and passwords), and "Internet Privacy" (controlling cookies and ad banners, protecting against hostile Java applets and browser plug-ins).

Norton Personal Firewall for Macintosh (Symantec Corporation)
- Commercial ($69.95 retail price).
- Also can be purchased bundled with several other products, including Norton AntiVirus, in Symantec's Norton Internet Security for Macintosh product ($99.95 retail price).
- Version 2.x comes bundled with OpenDoor Networks' "Who's There? Firewall Advisor" product.

SurfDoubler (Vicomsoft)
- Commercial ($54.99 retail price).
- Software Internet gateway product which includes a network firewall. A simplified version of "Internet Gateway," supporting 1-3 users.

Who's There? Firewall Advisor (OpenDoor Networks)
- Commercial ($39 retail price).
- Not a firewall or firewall configuration utility. Rather, this product is a "firewall advisor," providing tools for analyzing and responding to the network attacks detected by a firewall.
- Bundled with version 2.x of Norton Personal Firewall.
- Works with Open Door's DoorStop, Symantec's Norton Personal Firewall for Macintosh, and Sustainable Softworks' IPNetSentry.
Recommended books and articles for learning about personal firewall products, including
how to configure and use them on your Macintosh:
- Alan B. Oppenheimer and Charles H. Whitaker, Internet Security for Your Macintosh: A Guide for the Rest of Us.
  Second edition (2005-6), available electronically from Open Door Networks.
  First edition (2001), available as a printed book published by Peachpit Press.
  Find copies of this book for sale online via Best Book Buys or BookFinder.com (ISBN 0-201-74969-6).
  Major portions of this highly-recommended book discuss personal firewall products, both generally and in the context of the Mac OS:
  - Chapter 12 describes how personal firewalls work, identifies their major features, and provides an overview of how to configure them.
  - Chapter 13 covers how to troubleshoot networking problems that firewalls may cause, as well as how to interpret firewall logs or notifications and use them to identify and report potential attacks.
  - A portion of chapter 17 (in the first edition printed book) contrasts 'network global' firewalls with personal firewalls and describes how they complement each other to provide more complete protection.
  - A portion of chapter 18 (in the first edition printed book) discusses Mac OS X firewall products.
- Robin D. H. Walker, Cable Modem Troubleshooting Tips: Firewall Security.
  Common-sense tips on using and configuring personal firewall software, both generally and specifically with several operating systems, including the Classic Mac OS (but not Mac OS X). This advice is oriented toward home users of cable modem Internet access services, and is part of a larger guide for customers of such services.
- Robert Graham's FAQ: Firewall Forensics (What am I seeing?)
  Provides details that can be helpful when interpreting the access log entries generated by your personal firewall software or firewall appliance. These log entries identify when and how other computers have tried to access your computer over the Internet.
Recommended introductory articles for learning about what firewalls can do - and can't do - as
well as how they work:
- Uzi Paz's Personal Firewalls - What They Can, and What They Cannot Do - A Non Technical Overview
  Colloquially describes the major capabilities and limitations of personal firewall software, as well as debunking some "false statements you might have seen" - in the author's view, at least - about these products.
- Lisa Yeo's Choosing a Personal Firewall
  Despite its title, this article is primarily an introduction to some of the key technical features of personal firewall software and how these features are implemented. If you've wondered what such firewall-related terms as "Network Address Translation (NAT)," "stateful inspection of network packets," or "signature-based intrusion detection" mean, this article is a fine place to start learning. The article is apparently a sample chapter of Ms. Yeo's book, Personal Firewalls for Administrators and Remote Users.
The following lists identify some of the network ports on your Macintosh that your
firewall might selectively need to open (unblock)
so that particular network services you use will work properly:
- Apple Inc.'s "Well Known" TCP and UDP Ports Used By Apple Software Products
  Identifies which network ports are used by the Mac OS and other Apple-provided applications and services.
- Open Door Networks' DoorStop Port List
  Seeks to be "as complete a list as possible of port numbers used by Macintosh applications." Includes links to the original vendor technotes for many of these applications.
- Practically Networked's Special Application Port List
  A list of ports used by special applications, such as messaging and conferencing products, peer-to-peer network applications for sharing audio and video, and multiplayer games. Also included is detailed information about how to use this port list, although some of the instructions provided are oriented toward configuring hardware routers, rather than personal firewall software. Certain of these special applications require you to open large ranges of ports, thus opening up sizeable holes in your firewall which can leave your Macintosh more vulnerable to network attacks.
- NCSA's Kerberos and SSH through Firewalls and NATs
  Advice on establishing secure connections through a firewall to other computers using SSH and Kerberos, including lists of the ports used by these protocols.
- Robert Graham's FAQ: Firewall Forensics (What am I seeing?)
  Question 1 of this Frequently Asked Questions document, "What does destination port number ZZZZ mean?", provides links to six lists of network ports, including IANA's (below). Some of these lists include descriptions of known "exploits" (attacks) which use various port numbers.
- IANA's Port Numbers list
  An extensive list of network ports used by many different types of computer systems, from the organization which registers port assignments.
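The ipfw entry in the Mac OS X list above notes that ipfw can be configured by hand from the command line, and the port lists just above tell you which ports a given service needs. As an added example that is not part of the original page, here is a small rule set in the file format that ipfw loads: it blocks incoming connections to all ports, lets only selected computers on an assumed trusted subnet (192.168.1.0/24, a placeholder) reach SSH and AFP, and logs every failed attempt; it assumes the ipfw2 syntax (check-state/keep-state) found in Mac OS X 10.3 and later.

```shell
#!/bin/sh
# Added example (not code from the original page): a small host-based ipfw
# rule set for Mac OS X, written in the file format that `ipfw` loads with
# "ipfw -q <file>". The trusted subnet is a constructed placeholder.
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"   # assumed home LAN; change to match yours
LOG_LIMIT=100                                   # log at most this many hits per rule

# Print the rule set. ipfw evaluates rules in number order; first match wins.
ipfw_rules() {
    cat <<EOF
# Loopback traffic never leaves the machine; allow it unconditionally.
add 00100 allow ip from any to any via lo0
# Packets claiming a loopback address on a real interface are forged.
add 00200 deny log ip from 127.0.0.0/8 to any in
add 00300 deny log ip from any to 127.0.0.0/8 in
# Let replies to connections this Macintosh started come back in.
add 00400 check-state
add 00500 allow tcp from me to any out keep-state
add 00600 allow udp from me to any out keep-state
# Basic ICMP only: echo reply, unreachable, echo request, time exceeded.
add 00700 allow icmp from any to any icmptypes 0,3,8,11
# Only selected computers (the trusted LAN) may open SSH (TCP 22) to us.
add 01000 allow tcp from ${TRUSTED_NET} to me 22 in setup keep-state
# A service you use may need a port opened; here AFP file sharing (TCP 548),
# again limited to the trusted LAN rather than the whole Internet.
add 01100 allow tcp from ${TRUSTED_NET} to me 548 in setup keep-state
# Every other incoming packet is dropped and logged (a failed attempt).
add 65000 deny log logamount ${LOG_LIMIT} ip from any to any in
EOF
}

# Number of rules in the set (a sanity check before loading it).
rule_count() { ipfw_rules | grep -c '^add '; }

# Load the rules into the kernel: flush the current set, then read the new one.
# Needs root; only runs when the script is invoked as "... apply".
apply_rules() {
    ipfw="${IPFW:-/sbin/ipfw}"
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    ipfw_rules > "$tmp"
    "$ipfw" -q -f flush && "$ipfw" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     ipfw_rules ;;     # dry run: just print the rule set
esac
```

Run it without arguments to review the generated rules; run it as root with "apply" to load them, then watch the denied attempts appear in the system log (and with "ipfw -a list", which shows per-rule hit counts).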
Last updated by Aron Roberts on 2008-01-29.