The ideal parent-safe OS continues to be Mac OS Classic, as it literally has no services exposed for people to attack. But of course Progress Must Continue. OS X 10.4 Tiger at least used the sturdy ipfw firewall, albeit well-hidden from most users under System Preferences... Sharing->Firewall. ipfw is a time-tested and well-understood software firewall that operates at a low system level, filtering network packets.
In Leopard, Apple has introduced a completely new "black box" firewall that no one knows much about. It is an application-level firewall, more like an inbound-traffic version of ZoneAlarm or Little Snitch. The main problem is that it simply doesn't work very well.
The first problem with the Leopard firewall is that it's difficult to tell what the Set Access option does. It starts the new application-level firewall and lists in the Sharing pane any services you've opened, but it doesn't indicate if they are allowed or blocked. There's also no option for you to add your own open services or ports anymore. Instead, you can add or remove individual applications, but not network services. Stealth mode is still available in the Advanced settings, but the UDP blocking, useful to stop port scanning and some other attacks, is gone.
Worse yet, when you install Leopard, the firewall is turned off, even if you're upgrading and the firewall was previously enabled. Say what you want about Windows, but the firewall is enabled by default. Finally, the firewall can actually break your applications, which I'll explain more about shortly.
TidBITS Safe Computing: Leopard Firewall Takes One Step Forward, Three Steps Back
Also see:
Apple Support - Mac OS X 10.5: About the Application Firewall
Macintouch Reader Reports - Leopard: Security
Macintouch Leopard FAQ - Security
As an immediate note, if the Leopard application firewall is activated, its code signing currently will break both Skype and World of Warcraft.
In a world where having a better security model and a clean, always-on, network-level firewall was an advantage for Apple, this new firewall is a stunningly bad move. They should have just talked to the Little Snitch people, or Zone Alarm, or other application-level firewall experts to create an inbound and outbound application-level firewall IN ADDITION to (as an optional layer on top of) the already known and tested ipfw.
Also this emphasis on code signing is shades of Microsoft all over again. "Hey, let's take something that demonstrably hasn't worked in Windows, and add it as yet another 'feature' in Leopard."
UPDATE 2007-11-15: Apple has released a 10.5.1 patch to address some of these issues, and clarify others. What was called "deny all" is now
2. Allow only essential services:
This is the most conservative mode. Mac OS X will block all connections except a limited list of services essential to the operation of your computer.
The system services that are still allowed to receive incoming connections are:
* configd, which implements DHCP and other network configuration services
* mDNSResponder, which implements Bonjour
* racoon, which implements IPSec
http://docs.info.apple.com/article.html?artnum=306938
via Slashdot Apple Fixes 'Misleading' Leopard Firewall Settings /.
In my opinion you should still consider crafting ipfw rules in front of the app firewall, if you're comfortable with that sort of thing.
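One way to follow that suggestion, as an added example that is not from the original post: a default-deny inbound ipfw ruleset that still admits the three essential services Apple lists above. The rule numbers and the port assignments (DHCP on UDP 67/68, Bonjour on UDP 5353, IKE on UDP 500/4500 plus ESP) are assumptions based on the standard ports for those services.

```shell
#!/bin/sh
# Added example, not from the original post. Rule numbers and ports are
# assumptions (standard ports for DHCP, Bonjour/mDNS and IPsec).

# Print the ruleset as ipfw arguments, one rule per line, for review.
# 100-200: loopback and replies to connections this Mac opened.
# 300-310: outbound TCP/UDP creates the state that rule 200 matches.
# 400-430: configd (DHCP), mDNSResponder (Bonjour), racoon (IKE, NAT-T, ESP).
# 440:     ICMP echo reply, unreachable, time exceeded.
# 65000:   everything else inbound is logged and dropped.
build_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from me to any out setup keep-state
add 310 allow udp from me to any out keep-state
add 400 allow udp from any 67 to any 68 in
add 410 allow udp from any to any 5353 in
add 420 allow udp from any to me 500,4500 in
add 430 allow esp from any to me in
add 440 allow icmp from any to me in icmptypes 0,3,11
add 65000 deny log ip from any to any in
EOF
}

# Succeed only if rule numbers ascend and the last rule is the inbound deny.
check_rules() {
    build_rules | awk '
        $2 + 0 <= prev { bad = 1 }
        { prev = $2 + 0; last = $3 " " $NF }
        END { if (bad || last != "deny in") exit 1 }'
}

# Load the rules (root required). -q implies -f, so flush does not prompt.
apply_rules() {
    check_rules || return 1
    ipfw -q flush || return 1
    build_rules | while read -r rule; do
        # Unquoted on purpose: each word becomes one ipfw argument.
        ipfw -q $rule || exit 1
    done
}

# "apply" loads the rules; anything else is a dry run that prints them.
if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```

Run it with no argument to review the rules, then as root with `apply`; the rules do not persist across a reboot unless the script is run again at startup.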
This is the worst new feature of Leopard for exactly the reasons you listed. Let's hope it gets fixed in some subsequent release.
That said, I've never been a big firewall person myself, so I'm fine not using it. Other than that, and a few minor cosmetic things that I have to get used to, I really like Leopard.
Posted by: Darcy Quesnel | November 10, 2007 at 12:37 AM