This is the start of a two part series looking at Mac OS X and Internet firewall protection. With Internet security being one of the top areas of discussion of late, many Mac users want to know how to work with firewalls in Mac OS X. Hopefully, this series will help get you down that path.

According to Brent Chapman, a firewall is defined as:

An Internet firewall is a security mechanism that allows limited access to your site from the Internet, allowing approved traffic in and out according to a thought-out plan. This lets you select the services appropriate to your business needs, while barring others which may have significant security holes.

For a long time, firewalls were limited to the realm of power users and server administrators, but that is clearly no longer the case. The propagation of 'always on' broadband connections, such as cable and DSL, has brought the idea of Internet security to the average computer user.

Just as firewall use was largely limited to more advanced users, it was also something that most Mac users could avoid or ignore. Many of the Internet viruses, including the one that has likely made the activity light on your cable or DSL modem blink for the last few days, are written to 'infect' Windows machines. The most recent virus, the one spurring various conversations on the Web is the Code Red virus. While Code Red has no impact on Mac or Mac OS X users (it targets only those running Microsoft's IIS server), the amount of Net activity it has generated has brought the need for a personal firewall for all users to the forefront. Fortunately for OS X users, there are a number of fairly simple, and affordable, firewall options.

This article is going to take a look at the basics for four firewall options for OS X users. The first three actually take advantage of the firewall built in to the X operating system. The fourth is a commercial package, but one that members of The Mac Observer staff have found to be very useful and effective.

OS X's Built In Firwall

Mac OS X, and its Unix core, actually comes with a firewall built into the operating system waiting for you to configure and use. There are a number of ways to configure the OS X firewall. For the power users out there, the first way is via the command line interface (CLI). By opening the terminal and using the 'man' command to view the manual pages about the built-in firewall, users can learn what the firewall does and how to configure it. Type 'man ipfw' without the quotation marks.

While there are a number of users out there that are comfortable using the CLI to configure and maintain their system's firewall, those users are probably not reading this article. Traditional Mac users are largely uncomfortable, justifiably or not, with using the CLI. For those such users there are two different 'graphical wrappers' for configuring OS X's powerful firewall.

BrickHouse was the first of the GUI based firewall configuration utility, and has actually been available in some version or another since the days of OS X Public Beta. BrickHouse (US$25) provides users with a fairly simple interface for allowing and denying access to different 'ports' on their system.

.
Click the image for a larger, readable version

BrickHouse provides a comprehensive list of ports and services and allows users to restrict or allow access to some, none, or all of the systems ports. BrickHouse also provides a simple way to restrict access for certain services to specified IP addresses. For example if you want to share a file with a friend using OS X's built in FTP functionality, but did not want to allow your system to be accessed by anybody other than your friend's computer, the Filter tool provides a simple way to do that.

Click the image for a larger, readable version

BrickHouse also provides a comprehensive log of any incoming or outgoing network activity. If somebody tries to access any service on your system, whether they were successful or not, BrickHouse will log the attempt. In the picture below notice the number of denied access attempt to Port 80 (Web Sharing) which is the port that the Code Red virus uses.

Click the image for a larger, readable version

Firewalk X is another program providing a graphical interface to the OS X firewall. Like BrickHouse, Firewalk X provides a more simple way to configure and maintain the OS X firewall when compared to the CLI. Firewalk X allows users to set rules or filters for specific ports or services, but does not provide nearly as much hand holding as BrickHouse.

Click the image for a larger, readable version

Where BrickHouse provides users with a list of 'plain English' labels for ports and services, Firewalk X counts on previous user knowledge of such information. Firewalk X also provides logging functionality, but only if you pay the shareware registration fee. We find it unfortunate that users are not even able to get a taste of what the logging features are like (perhaps the limited version would only log the last 5 access attempts, or use some other limitation) without paying the reasonable shareware registration fee. However, with options like BrickHouse, the CLI, and Norton Personal Firewall, getting little taste of the full array of features would be nice.

Regardless, Firewalk X is probably not for the total firewall newbie, but rather for an advanced user that wants to save a trip to the CLI. Firewalk X costs half the price of BrickHouse, and a fraction of the price of Norton Personal Firewall, but provides proportionally less graphical 'easiness' than the other two. For US$12, though, it is an attractive product.

Norton Personal Firewall (NPF) has come under some criticism from the OS X community for its relatively high price. At around US$70 the product is nearly US$50 more than BrickHouse, and roughly US$60 more than Firewalk X. There are advantages to using 'name brand' products, however, and NPF is no exception. Norton Personal Firewall provides, in our opinion, the cleanest interface for managing and configuring a firewall. Users are presented with pre-specified rules for the major services when the product is first installed and launched, including Web Sharing, File Sharing, FTP, and SSH. Just like the other products, however, NPF allows users to specify very specific rules for each and every port on the machine.

Click the image for a larger, readable version

Specifying a new service in the Advanced Mode simply adds it to the list in the main window. Once a service is added to the main window users are able to set access rules for that particular service, and provides these features from within one simple window.

One of the neat features of NPF is the ability to enter a URL and have the program instantly return the IP address related to that URL. If users know the URL of a machine that they want to allow or deny access to, but do not have the specific IP, entering the URL will generate the appropriate IP. While not a huge deal, it is the small attention to detail that sets Norton Personal Firewall a notch above the rest.

NPF also offers complete logging features, and even allows users to get a plain English definition of what a specific log entry is about. While many users would find such information redundant and unnecessary, newer users may find the level of detail provided by the NPF logs extremely useful. Again notice the number of access attempts to Port 80.

Click the image for a larger, readable version

Click the image for a larger, readable version

Another advantage of Norton Personal Firewall is that the Classic Environment actually needs its own firewall to be protected. OS X's firewall will protect all of the Mac OS X services, but will not protect the Classic Environment when running. The same applies for Virtual PC. Users of Norton Personal Firewall, or OS X's firewall, that are running VPC must install and configure a Windows compatible firewall in their virtual environment. NPF allows both the Classic and OS X environments to be protected at the same time through one product. If you spend a significant amount of time with the Classic Environment open, NPF is perhaps the most comprehensive way to go. If you do not use Classic all that often, that feature is no longer an advantage.

Norton Personal Firewall, BrickHouse, Firewalk X, and even the CLI will provide users with the same amount of protection. The differences in the products or methods is how many 'extra' features are included. For new users, Norton Personal Firewall, and to a slightly lesser extent BrickHouse, provide the easiest way to configure and maintain a firewall. For more advanced users, Firewalk X provides a simple alternative to the CLI, potentially saving users time while minimizing potential errors.

All of these products will do the job, it is simply up to you to decide what features you need and what price you are willing to spend. Whatever you decide, if you have an 'always on' Internet connection, it is our recommendation that you use some sort of firewall. OS X's Unix core provides a whole new world of advantages and problems for Mac users, and increased exposure to Internet hackers is one of them.

Next time we will get into greater detail about ports, services, filters, and the command line interface. Until then have fun making your computing environment a little more safe and secure.

You are encouraged to send Richard your comments, or to post them below.

Most Recent Hot Cocoa Columns

Mac OS X & Firewalls: Part One - The Basics
August 17th

Console Yourself: Understanding Mac OS X Logs
August 3rd

Making NFS Work On Mac OS X
July 23rd

Kyle D'Addario is the assistant editor of The Mac Observer and has logged about as much time on Mac OS X as is humanly possible. Kyle studies Computer-Mediated Communication, whatever that is, at the graduate level, and was a founding member of the original Webintosh team.

Wincent Colaiuta runs Macintosh news and criticism site, wincent.org, and joined The Mac Observer team as a contributor in March 2001. He has worked with computers since 1984, and his interests in that area include Macs, PHP programming and security.