Is it safe to put a Mac directly on the internet?

6

1

In the past I have always run a NAT router between my Windows PC's and the internet. I'm wondering if I still need this or whether the OSX firewall is good enough to let me put a Mac directly on the internet.

Tony Edgecombe

Posted 2010-02-16T10:31:09.293

Reputation: 223

Answers

7

Though I don't mind hooking up my Mac to any network, I don't have the definitive answer. Still, some notes too long for a comment:

The OS X built-in firewall is an application firewall: accepting incoming connections is granted per application, not per port. Once granted permission, an application could open any port it likes, but I guess that's not an issue for software you trust. Also, it only applies to incoming connections: all outgoing connections are always allowed (but that is true for a NAT-firewall as well). And according to Apple's "Mac OS X 10.5 Leopard: About the Application Firewall":

All applications [..] that have been digitally signed by a Certificate Authority trusted by the system [..] are allowed to receive incoming connections. Every Apple application in Leopard has been signed by Apple and is allowed to receive incoming connections.

In 10.6 the latter is made more explicit (and can be disabled) as "Automatically allow signed software to receive incoming connections. Allows software signed by a valid certificate authority to provide services accessed from the network.":

10.6 firewall

Hence, even when the firewall is active, every server-like Apple application that you have running is, by default, allowed to accept incoming connections. (Or, maybe in 10.6 it even applies to any signed application?) A bug in such software could compromise your computer. I don't know how that affects things like Bonjour and file sharing.

If the firewall is active then any non-Apple software (or at least unsigned software) first needs your permission to accept incoming connections. When such software is updated, it might or might not need your permission again:

A signed application [..] can mathematically prove that it is indeed a new version of the same application from the same vendor that you expressed trust for in the past. The result is an end to dialog boxes asking you to confirm a choice whose safety you have no reasonable way to verify.

Arjan

Posted 2010-02-16T10:31:09.293

Reputation: 29 084

+1 Informative, in-depth answer (compared to my answer, anyway :) – Jonik – 2010-02-16T14:44:56.757

5

Of course one could go on about how in theory nothing is safe, ever, and all that.

But for practical purposes, yes, it's generally safe enough to put your Mac directly on the internet. (Everyone does it – well, most people in any case – and it's very unlikely anything bad will happen to you.) Especially if you do not open any extra services (like httpd, etc) on your machine.

That said, do (let the automatic updater) keep your Mac OS X always up-to-date with latest security fixes, and check that its built-in firewall is enabled.

Jonik

Posted 2010-02-16T10:31:09.293

Reputation: 5 352

2Probably a good idea to make sure the firewall is turned on (it's disabled by default in some versions of OS X). – Paul R – 2010-02-16T11:15:27.407

Everyone does it -- that's definitely not true. – Arjan – 2010-02-16T11:28:02.493

Well, most people, whatever. For practical purposes "everyone". ;) – Jonik – 2010-02-16T12:38:13.557

You also probably want to make sure your firewall, the one built into OSX, is set to stealth mode. – Darren Newton – 2010-02-16T12:41:29.610

Well, I certainly wouldn't. But then, I'm not a Mac user either. – Quandary – 2011-06-24T18:48:34.793

2

It's never secure to connect a computer to the internet, and it's always better to have a router in between.

Since most routers run embedded-Linux, it's most-likely more secure to have them in-between.

Speaking as a Linux-user: Mac OSX has most of the applications from FreeBSD, so make absolutely sure you have ssh and sshfs not installed or running, if you don't need them.

And just having a firewall is not enough. Make sure it's properly configured.

Quandary

Posted 2010-02-16T10:31:09.293

Reputation: 1 433

May I ask: Why the downvote ? – Quandary – 2010-02-21T11:44:59.643

Wondered the same thing ..... ? – JRobert – 2010-06-16T22:44:04.683

1

Who would ever make a router from WinCE? That is crazy talk. OMG. http://www.marvell.com/company/news/pressDetail.do?releaseID=283 people did it.

– nycynik – 2018-01-12T13:47:52.680

I didn't downvote, but I would say that it isn't safer because it runs Linux (which is only as secure as how well configured it is anyway) but because it's a router and that is its function. – Ben Richards – 2011-09-19T06:29:14.283

@sidran32: I disagree. A router needs an operating system, and it's only going to be as secure as the operating system, the weakest link. And if that OS was WindowsCE, then I'd rather not put a router in between. In that sense, the "always better" was probably the reason. – Quandary – 2012-10-30T06:00:33.067

1

Considering you're not be running something like IE6 out of the box (unlike a fresh XP install for example) you should be fine.

As always, it's what you DO on the internet which ultimately effects the security of your system. If you're downloading lots of files from lots of sources and clicking every link that comes your way then you're at a higher risk (of course, if you take the right security precautions you'll be right)

As the others have said, nothing on the internet is technically 100% safe. Mac's are less vulnerable... but by no means invulnerable.

Ganesh Shankar

Posted 2010-02-16T10:31:09.293

Reputation: 161

Note that Safari is not any better than IE6 when it comes to security. Well actually, Safari is worse... – Quandary – 2011-06-24T18:49:59.083

1

I have a NAT ADSL connection at home and a 3G service for away. While on 3G I have noticed ssh login attempts which you would not normally see behind a NAT firewall.

Have a look to see what services you are running.

netstat

or

netstat -f inet


Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.ipp                  *.*                    
udp4       0      0  172.16.250.1.kerberos  *.*                    
udp4       0      0  192.168.144.1.kerberos *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  localhost.ntp          *.*                    
udp4       0      0  *.ntp                  *.*                    
udp4       0      0  *.snmp                 *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.mdns                 *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.syslog               *.*                    
icm4       0      0  *.*                    *.*

This is an abbreviated list of what I am running. You can see snmp and a syslog server which you probably would not have.

Most services are listening on all interfaces (*.). In my case I should fixup my snmp and syslog to only listed on my local network.

Install nmap http://nmap.org/dist/nmap-5.21.dmg. nmap has lots of different ways to see if a service or port is listening - try out some on your machine, but not on other machines unless you know what you are doing (I certainly don't).

nmap 127.0.0.1

Starting Nmap 4.85BETA6 ( http://nmap.org ) at 2010-06-17 00:09 EST
Interesting ports on localhost (127.0.0.1): 
Not shown: 960 closed ports, 32 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
548/tcp  open  afp
625/tcp  open  apple-xsrvr-admin
631/tcp  open  ipp
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds

Try nmap from another machine as well - you will have to install it there as well. Windows and Linux versions are available.

Are there services you don't want running?

In my case, i'm not sure why I am sharing files via samba (139/445) so I'll turn that off. I can't see how to turn off ipp (631). This is for printer sharing which is turned off. If I go online and nmap my pppd IP address, the ipp port is closed. This is good and matched the cupsd config file. I don't need AFP running all the time so I'll turn that off. I don't need ssh or screen sharing running so I'll turn that off as well.

I now just have these running.

88/tcp   open  kerberos-sec
625/tcp  open  apple-xsrvr-admin
631/tcp  open  ipp

Someone mentioned that most people are behind a NAT firewall. This is probably true if you have a router, but check that NAT is turned on.

But on a 3G service you are directly connected so you should be careful. I haven't been, so this was a good question to make me review my settings.

Other things to do.

  1. Review your appfirewall.log file
  2. If you are technical, try adding some ipfw rules.

Remember, if a service is not running, no one can get in. So the fewer ports that are opened the better.

philcolbourn

Posted 2010-02-16T10:31:09.293

Reputation: 173

0

It is not safe to put anything on the internet. Having said that, nowadays most people connect to the internet behind a router, which also tend to implement firwalls and whatever else, so you could be using win95 without a hitch.

It all depends on what you do with that computer and if you are only browsing the internet or are serving content. Can't answer anything more specific without further details.

Grzegorz Adam Hankiewicz

Posted 2010-02-16T10:31:09.293

Reputation: 1 029

Asked: 2010-02-16T10:31:09.293

Viewed: 2 133 times

Active: 2011-09-19T05:30:41.043