Changing My Mind About Leopard’s Much-Maligned Firewall
When Mac OS X Leopard was released in October 2007, there was significant outcry about a number of changes made to the built-in firewall. One security consultant even went so far as to call the firewall “a mess…so simple as to be nearly useless”. Apple soon released a few security updates that fixed a number of complaints about the firewall, but for me, a general sense of brokenness and distrust prevailed. Now we’ve upgraded some of our Macs in the office to Leopard, and recently my negative perception of the new firewall has changed.
At Summersault, we use the Amanda backup system to manage data storage and recovery for all of our machines, and when we upgraded to Leopard I knew there would need to be a little tweaking to get Amanda working again. Mostly, I was expecting to have to recover the Amanda client binaries out of the Previous Systems/ archive. Then I remembered the hassles we’d had in the past trying to get Amanda to work with firewalls on some of the other machines we wanted to back up. That involved making certain port exceptions in the firewall to allow UDP and TCP traffic from the Amanda server through to the Amanda client being backed up. Amanda does have options to specify port ranges that it will limit itself to using, which makes creating the firewall port exceptions easier. Unfortunately, we would’ve needed to recompile the Amanda client in order to use or change these --with-udpportrange and --with-tcpportrange options, and that seemed like an unnecessary hassle. Couple that with the scuttlebutt I’d heard about how Leopard’s firewall was weird and hard to manage, and I was worried this was going to become a big project.
Fortunately, Leopard’s new firewall actually made the task very easy and intuitive. This was due to the firewall’s application-level control, an extremely handy feature whose usefulness I’d overlooked when I read all the doom and gloom back in October. Once I got the Amanda binaries working again after the upgrade, I knew we’d need to make an exception in the firewall to allow the sendbackup process to access the Amanda client machine. Just as a test, I went ahead and tried a back-up test from the Amanda server, knowing the client machine’s firewall would block the connection. As expected, the back-up check failed as the Amanda server was not able to connect to the client machine. However, when I checked Leopard’s firewall panel, I was very pleased to see that it had automatically detected the connection attempt, and allowing the sendbackup process through the firewall was as simple as toggling the menu from Block incoming connections to Allow incoming connections. That was it! No need to enter port ranges in the firewall and recompile the Amanda client software to force it to use only ports in those ranges. I just let the firewall notice the application trying to connect, and then in one click allowed the process through—nice, simple, and intuitive.
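Because the application firewall keeps a per-application allow/block list rather than port ranges, the thing worth checking after a change like this is which binaries are allowed through. The script below is an added example (not from the original post or from Amanda) that parses the firewall's application list and reports the rule for the sendbackup binary plus any other allowed applications. It assumes the socketfilterfw command-line tool at the path shown and the "--listapps" output format of later Mac OS X releases; the sendbackup path is a placeholder, and the embedded listing is a constructed sample used when the tool is not present.

```shell
#!/bin/sh
# Audit the Mac OS X application firewall allow list for the Amanda client.
# Assumption: socketfilterfw lives at this path and supports --listapps.
ALF=/usr/libexec/ApplicationFirewall/socketfilterfw
# Placeholder path for the Amanda sendbackup binary; override via environment.
SENDBACKUP="${SENDBACKUP:-/usr/local/libexec/amanda/sendbackup}"

# Constructed sample of "--listapps" output (format assumed), used off-Mac.
SAMPLE_LIST='ALF: total number of apps = 2

1 :  /usr/local/libexec/amanda/sendbackup
     ( Allow incoming connections )
2 :  /Applications/Something.app
     ( Block incoming connections )'

# list_apps: real firewall listing when the tool exists, otherwise the sample.
list_apps() {
    if [ -x "$ALF" ]; then "$ALF" --listapps; else printf '%s\n' "$SAMPLE_LIST"; fi
}

# alf_rule_for PATH LISTING: prints "allow", "block" or "none" for PATH.
alf_rule_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^[0-9]+ :/ { cur = $0; sub(/^[0-9]+ :[ \t]*/, "", cur); sub(/[ \t]+$/, "", cur); next }
        /Allow incoming/ { if (cur == p) { print "allow"; found = 1; exit } }
        /Block incoming/ { if (cur == p) { print "block"; found = 1; exit } }
        END { if (!found) print "none" }'
}

# allowed_apps LISTING: prints every application path set to allow.
allowed_apps() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+ :/ { cur = $0; sub(/^[0-9]+ :[ \t]*/, "", cur); sub(/[ \t]+$/, "", cur); next }
        /Allow incoming/ { print cur }'
}

# audit_firewall: 0 when sendbackup is allowed; also lists other allowed apps
# so that anything let through by an accidental click is reviewed.
audit_firewall() {
    listing=$(list_apps)
    rule=$(alf_rule_for "$SENDBACKUP" "$listing")
    echo "sendbackup rule: $rule"
    allowed_apps "$listing" | grep -v -x "$SENDBACKUP" | sed 's/^/other allowed app: /'
    [ "$rule" = allow ]
}

[ "${ALF_AUDIT_RUN:-1}" = 1 ] && audit_firewall
```

Run it on the client after enabling the exception; a rule of "block" or "none" for sendbackup means the server's connection will still be refused.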
So, consider that a big thumbs up for application-level control in Leopard’s new firewall.