Hot Diggety! Peter Loron was rumored to have written:
> Inquiring minds want to know. I don't run OS X as a server, per se,
> but I do have several OS X boxes and I try to keep battened down...

I haven't touched MacOS X Server since I was given the original in 1999
(1.0, Rhapsody, a completely different beast) as a thank-you for some
emergency consulting work, but saw an interesting post by an experienced
Mac consultant who had some less-than-flattering things to say about the
MacOS X Server experience from an administrator perspective:

http://www.tuaw.com/2009/11/19/working-with-the-new-apple-mac-mini-server-and-snow-leopard-serv/

It didn't go into MacOS X Server security, and not being familiar with the
issues there, I'll leave that to others.

More TUAW posts regarding various aspects of the MacOS X Server experience:

http://www.tuaw.com/category/mac-os-x-server/

===========================================================================

Regarding MacOS X (desktop), starting with Leopard (10.5), they added a
second firewall, the Application Firewall, and deprecated the BSD ipfw.

The difference is, ipfw is a SPI (stateful packet inspection) firewall
that concerns itself with ports/protos/hosts/networks, while the
Application Firewall concerns itself with access control on a
per-application basis (generally for inbound services).

It's designed such that if ipfw blocks something, it won't even get to
hit the Application Firewall. Otherwise, if ipfw lets traffic through,
it then *may* continue in the gauntlet to the Application Firewall:

http://support.apple.com/kb/HT1810

What I find most unfortunate is that:

        - ipfw defaults to allow any any -- since ipfw is now deprecated,
          that's grudgingly understandable even though I'm not wild about
          this choice of defaults.

          I honestly think it should've defaulted to permit established
          traffic back in plus a few key protocols (e.g. DNS, NTP) at a
          bare minimum. Oh well, I don't have an apple.com email address
          so I don't get to make that call. :-)

        - Application Firewall defaults to allowing all connections.
          Maybe fate will smile upon us and that'll be changed in 10.7?

So someone earlier who characterized the default out-of-box MacOS X
firewall protection as being basically 'naked' (my word) was accurate.
Again, I haven't worked with any modern MacOS X Server versions so I
don't know what the situation is on the Server side of the house.

On my MacBook Pro, I set up ipfw to lock down to a known sane config
that won't be disruptive yet will protect me well both at home and on
the road, and use Little Snitch (essentially an application firewall)
for outbound access control. Most Mac users are essentially unprotected
when on the road because of lack of use of ipfw and/or Application Firewall.

The only time I had some grief was when I tried to do a 1Password sync
with my iPhone with Bonjour blocked by ipfw -- that was *not* obvious.

So now I grudgingly allow Bonjour via ipfw, even if it's designed to
broadcast services. I feel my services are configured appropriately and
locked down so I don't worry too much other than to keep an eye out.

Apple has a pretty decent 260 page guide on how to lock down a Leopard
box -- this is no creampuff manual, and good reading. (Also tells you
how you can customize the login banner message you see when selecting
user/pass to login with. I altered this on the MBP so people know where
to call for a reward in turning in my laptop if found.)

MacOS X:

http://images.apple.com/server/macosx/docs/Leopard_Security_Config_2nd_Ed.pdf

MacOS X Server:

http://images.apple.com/server/macosx/docs/Leopard_Server_Security_Config_v10.5_2nd_Ed.pdf

The Snow Leopard version hasn't been published, but lots of the tips in
the desktop guide seem to also carry over well to Snow Leopard.

-Dan (longtime MacOS and MacOS X LAN administrator on/off the last 17 years)

P.S. For Mac IPv6 users, don't forget to lock down v6 via ip6fw, too!
IPv6 can also be enabled/disabled on a per-interface basis -- see 'ip6'.
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
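An added example, not part of Dan's post or of Apple's guides: a script that turns the lockdown he describes into an ipfw (IPv4) and ip6fw (IPv6) ruleset -- loopback, stateful outbound so DNS and NTP replies get back in, Bonjour on UDP 5353, deny and log everything else -- and includes a check that flags the stock allow-all state he calls 'naked'. Rule numbers, the 'apply'/'check' gate and the temp-file loading are my own choices; the ip6fw syntax is assumed from its FreeBSD ancestor (no keep-state, so it falls back on 'out' and 'established'); the sample 'ipfw list' output is constructed, and the filename is hypothetical. Run as 'sudo sh ipfw-lockdown.sh apply' or 'sudo sh ipfw-lockdown.sh check'.

```shell
#!/bin/sh
# Added example, not from the original post or Apple's docs: a default-deny
# ipfw (IPv4) and ip6fw (IPv6) ruleset for a Leopard/Snow Leopard laptop
# along the lines Dan describes, plus a check for the "naked" stock state.
# Rule numbers, the apply/check gate and the temp-file loading are my own
# choices; ip6fw syntax is assumed to match its FreeBSD ancestor.

IPFW="${IPFW:-/sbin/ipfw}"
IP6FW="${IP6FW:-/sbin/ip6fw}"

# Constructed sample of what `sudo ipfw list` prints on a stock box:
# one catch-all allow rule, i.e. no IPv4 filtering at all.
stock_ipfw_list() {
    printf '%s\n' '65535 allow ip from any to any'
}

# Reads an `ipfw list` listing on stdin. Returns 0 ("naked") when the only
# rule present is the default 65535 allow-all, 1 when anything else is loaded.
ipfw_is_naked() {
    ! grep -v '^[[:space:]]*$' | grep -vq '^65535 allow ip from any to any$'
}

# IPv4 ruleset in `ipfw <file>` format (one command per line, 'ipfw' implied).
# First match wins, so order matters: loopback, stateful outbound (covers DNS
# and NTP replies), a few inbound exceptions, then deny-and-log the rest.
# Logging for the final rule needs sysctl net.inet.ip.fw.verbose=1.
ipfw_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00200 check-state
add 00210 allow tcp from me to any setup keep-state
add 00220 allow udp from me to any keep-state
add 00230 allow icmp from any to any icmptypes 0,3,8,11
add 00300 allow udp from any 5353 to any 5353
add 00310 allow udp from any to 224.0.0.251 dst-port 5353
add 65000 deny log ip from any to any
EOF
}

# IPv6 counterpart for ip6fw (assumed syntax). ip6fw has no dynamic rules,
# so TCP replies rely on 'established' and DNS/NTP replies are admitted by
# source port, which any sender can forge: the price of a stateless filter.
# ICMPv6 must stay open or neighbour discovery (and thus IPv6) stops working.
ip6fw_rules() {
    cat <<'EOF'
add 00100 allow ipv6 from any to any via lo0
add 00200 allow ipv6 from any to any out
add 00210 allow tcp from any to any established
add 00220 allow ipv6-icmp from any to any
add 00230 allow udp from any 53 to any
add 00240 allow udp from any 123 to any
add 65000 deny ipv6 from any to any
EOF
}

# Load both rulesets (needs root). Flush first so reruns are idempotent.
apply_rules() {
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    ipfw_rules > "$tmp"
    "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rm -f "$tmp"
    "$IP6FW" -q -f flush
    ip6fw_rules | while read -r line; do
        # word splitting of $line into separate arguments is intended
        "$IP6FW" -q $line
    done
}

# Gated so that sourcing this file, or running it with no argument,
# changes nothing on the machine.
case "${1:-}" in
    apply) apply_rules ;;
    check) "$IPFW" list | ipfw_is_naked && echo "ipfw: stock allow-all only, box is naked" ;;
esac
```

The check reads the live listing, so it tells you whether a launchd item or login script actually loaded your rules after a reboot; the ruleset functions only print text, so you can diff them against `sudo ipfw list` before applying.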