MacOSX Leopard’s Firewall is not flawed

It seems that MacOSX 10.5 (Leopard)’s firewall is not flawed, as Heise Security stated. Robert Mogul has done some testing and found that the firewall does work; the problem is the way Heise Security tested it, and the lack of documentation.
There are a few important points about the new firewall:

  • It seems that Apple’s netcat (nc) is a “trusted” application that doesn’t get intercepted by the firewall, so it will always create a socket, no matter what. I tried using netcat from macports, and guess what:

  • Applications run as root don’t get validated (services, daemons, or binaries/apps run from a sudo session), even if the apps are not “trusted” by the firewall. I.e., root totally bypasses the firewall checks.

The OS keeps track of “trusted” applications, some out of the box (like netcat, and I’d guess others). When adding an application to the firewall (block or accept), OSX generates some kind of signature for that app and adds it to the “trusted apps” database, so if that application is changed somehow, the firewall will not allow it to create the listening socket, since it’s no longer the app the user trusted. This is the reason why Skype only runs once on Leopard: Skype changes itself.

A problem I do see with this firewall implementation is with interpreted languages. For instance, if a user wants to run some application written in Python (for example), and it requires listening on a socket (like a local webserver that listens on the loopback address), and the user allows that application on the firewall, any Python script in the future may create listening sockets on any address and any port. Let me repeat this: when allowing an interpreter to create a listening socket, you allow any application/script run by that interpreter to create listening sockets. The problem is that MacOSX is trusting the interpreter and not the application/script it runs, so, since the interpreter doesn’t change (although the “real” application does), the firewall won’t complain.
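As an added illustration (not code from this post or from Apple), the Python model below reproduces the decision flow described in the two paragraphs above: trust keyed on a hash of the executable standing in for Apple’s signature, root bypassing the check, a self-modifying app losing its trust, and any script run by an already-allowed interpreter being allowed. The key_on_script variant is a hypothetical hardening that also binds the script, not something Leopard does.

```python
import hashlib
import tempfile
from pathlib import Path

def identity(path):  # stand-in for the signature Leopard records for a trusted app
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class AppFirewallModel:
    """Model of the decision flow described above (not Apple's code). Trust is keyed on
    the executable only; key_on_script=True also binds the script an interpreter runs."""
    def __init__(self, key_on_script=False):
        self.allowed = set()
        self.key_on_script = key_on_script
    def _key(self, exe, script):
        key = identity(exe)
        if self.key_on_script and script:
            key += ":" + identity(script)
        return key

    def allow(self, exe, script=None):
        self.allowed.add(self._key(exe, script))

    def decide(self, uid, exe, script=None):
        if uid == 0:
            return "allow"  # root bypasses the checks entirely
        # unknown app, or one whose bytes changed since it was trusted: ask the user
        return "allow" if self._key(exe, script) in self.allowed else "prompt"

def write(d, name, data):  # constructed stand-in file for a binary or script
    p = Path(d, name)
    p.write_bytes(data)
    return p

def demo():
    d = tempfile.mkdtemp()
    python = write(d, "python", b"interpreter")
    web, other = write(d, "web.py", b"listen on lo0"), write(d, "other.py", b"listen on any")
    skype = write(d, "Skype", b"build 1")
    fw, hard = AppFirewallModel(), AppFirewallModel(key_on_script=True)
    fw.allow(python, web)  # user allows the local web server, so python itself is trusted
    hard.allow(python, web)
    fw.allow(skype)
    write(d, "Skype", b"build 2")  # Skype rewrites itself: its signature no longer matches
    return {
        "other_script_same_interpreter": fw.decide(501, python, other),  # "allow"
        "modified_skype": fw.decide(501, skype),  # "prompt"
        "root_modified_skype": fw.decide(0, skype),  # "allow"
        "hardened_other_script": hard.decide(501, python, other),  # "prompt"
    }
```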

So, be very careful when permitting “incoming network connections” to interpreters…
