Washington Apple Pi


Personal Firewall for Dummies

by David L. Harris

Washington Apple Pi Journal, reprint information

Well, it's Norton Personal Firewall 1.0, and it is software meant to protect your computer from attacks originating on the Internet, not to protect you personally. And I am one of the dummies. I know little of what kind of attacks from the Internet are possible, and how much protection Norton Personal Firewall 1.0 really gives against a determined attacker. So this article is written from the point of view of an ordinary computer user who has an Internet connection and wants some peace of mind.

Personal Firewall is part of a package called Norton Internet Security, which consists of Firewall and Norton AntiVirus for Macintosh. Also on the Norton CD is Aladdin iClean, which can be used to remove unwanted files (e.g. cookies) from your hard disk; there is a separate installer for iClean. I was interested only in the firewall part of this package, and will relate my experiences with it here.

Figure 1. Personal Firewall setup.

Norton Internet Security needs a Power PC Mac, CD-ROM drive, 24 MB of RAM, 12 MB free space on your hard disk, at least Mac OS 8.1, Open Transport 1.3 or later, and an Internet connection. It comes on a CD, and is accompanied by a 115-page instruction booklet. Installation from the CD was straightforward.

Personal Firewall is initially set to block all outside access to your computer through TCP/IP connections. (It does not protect AppleTalk connections, and it does not block outgoing transmissions.) Figure 1 shows the Setup window. Three types of services are defined. (You can define others later if you wish.) I already had Web sharing and file sharing turned off, so I really did not need protection against possible intrusions using these services; I left Personal Firewall's Setup to block all such access.

Firewall's third defined service is labeled "All Others." It too is set to block all incoming access by default. I was not sure whether this would mean that I could not access Web pages or contact a mail server, but I soon found that these were mostly unaffected. Firewall sat in the background and was completely unobtrusive. Later I discovered services that I wanted (for instance, telnetting into a remote BBS, or connecting to an ftp server) were sending communications to my Mac that were blocked. I then had to provide a way for Personal Firewall to admit those services, but not others.

Figure 2. Access History.

Firewall is initially set to notify you immediately when access is denied, and to log all access attempts. Access History (Figure 2) is a list of such attempts. Recent ones are shown in bold. The time of the attempt, its nature, and the computer host name are shown. Sometimes the host name is an IP address (a number such as 211.198.140.13). That information is needed to define which computers will be allowed to contact your computer (see the right side of Figure 3).

Figure 3. Allowing some access.

At other times the host name is in the form of a name such as "freenet10.carleton.ca." More information may be obtained about any access attempt by selecting a list item and selecting Get Info (see Figure 4). There an IP address is available. If you wish to allow access from that computer you can add it to the list of allowed addresses. There is also a Find function, when adding a new address that you wish to allow, that finds the IP number if you know the host name. Another way of allowing access is to turn off Firewall's protection temporarily.

Figure 4. Get Info about denied access.

Tracking blocked access attempts

The Firewall documentation says that it is "normal" to see some denied access attempts. Special attention may be paid to repeated denied attempts from the same IP address, or sequences of port numbers from the same address, indicating a port scan by someone looking for one they can access. (A port seems to be a means of connecting between computers. It is not the same as a physical port such as a modem port.) If you click on the Learn More… button in the Access Information dialog (Figure 4 again), you are taken to a Web page, set up for users of Personal Firewall, which gives more information about the source of an access attempt. In addition to describing the details and origin of the attempt, a description of its nature such as the following is given: "This access attempt was made to see if an application that uses the Remote Procedure Call (RPC) service is running on your Macintosh. RPC is used by a number of Unix applications that are vulnerable to attack, so someone is probably just looking for such a computer." In some cases the page includes this sentence: "If you cannot identify the source of the access attempt using the IP address and host name, you can look up the owner of the IP address using a "whois" database available on the Internet." The words "look up the owner of the IP address" are a hyperlink to the database itself. By entering the IP address on that database page, more information can be obtained. Here is an example of one such look at a blocked attempt that I experienced:

Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
These addresses have been further assigned to Asia-Pacific users.
Contact information can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
                     
Netname: APNIC-CIDR-BLK2
Netblock: 210.0.0.0 - 211.255.255.255
                     
Coordinator:
Administrator, System (SA90-ARIN) sysadm@APNIC.NET
+61-7-3367-0490
                     
Domain System inverse mapping provided by:
                     
NS.APNIC.NET 203.37.255.97
SVC00.APNIC.NET 202.12.28.131
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
                     
Regional Internet Registry for the Asia-Pacific Region.
                     
*** Use whois -h whois.apnic.net ***
                     
*** or see http://www.apnic.net/db/ for database assistance ***
                     
Record last updated on 03-May-2000.
Database last updated on 24-Feb-2001 18:27:42 EDT.

If you know what you are doing this kind of information might be useful, but I usually found it inscrutable.
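As an added illustration of the heuristic the documentation describes above (repeated denials from one address, or a run of different ports from one address, suggesting a port scan), the following Python script is not code from the article or from Norton Personal Firewall. It parses a constructed text export of Access History entries (the field layout, sample addresses and thresholds are assumptions; only 211.198.140.13 comes from the article) and flags source addresses that match either pattern.

```python
from collections import defaultdict

# Constructed sample resembling an Advanced-mode Access History export:
# time, service, result, remote IP address, port. The layout is assumed,
# and the addresses other than 211.198.140.13 are documentation ranges.
ACCESS_HISTORY = """\
2001-02-24 21:03:11,Remote Procedure Call (RPC),Denied,211.198.140.13,111
2001-02-24 21:03:12,Telnet,Denied,211.198.140.13,23
2001-02-24 21:03:12,FTP,Denied,211.198.140.13,21
2001-02-24 21:03:13,Web Sharing,Denied,211.198.140.13,80
2001-02-24 21:40:02,Authentication Server,Denied,198.51.100.7,113
2001-02-24 22:15:45,DNS,Denied,203.0.113.9,53
2001-02-24 22:55:00,Remote Procedure Call (RPC),Denied,203.0.113.9,111
2001-02-24 23:10:31,Web Sharing,Allowed,192.0.2.44,80
"""


def parse_history(text):
    """Turn the comma-separated export into a list of entry dictionaries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, service, result, ip, port = line.split(",")
        entries.append({"time": when, "service": service, "result": result,
                        "ip": ip, "port": int(port)})
    return entries


def flag_sources(entries, repeat_threshold=2, scan_threshold=3):
    """Group denied attempts by source address and apply both heuristics.

    'repeated': at least repeat_threshold denied attempts from one address.
    'port scan': at least scan_threshold distinct ports from one address.
    Thresholds are assumed values, not ones the product documents.
    """
    denied_ports = defaultdict(list)
    for e in entries:
        if e["result"] == "Denied":
            denied_ports[e["ip"]].append(e["port"])
    report = {}
    for ip, ports in denied_ports.items():
        distinct = sorted(set(ports))
        reasons = []
        if len(ports) >= repeat_threshold:
            reasons.append("repeated")
        if len(distinct) >= scan_threshold:
            reasons.append("port scan")
        if reasons:
            report[ip] = {"attempts": len(ports), "ports": distinct,
                          "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, info in flag_sources(parse_history(ACCESS_HISTORY)).items():
        print(ip, info)
```

On the sample above, 211.198.140.13 is flagged for both patterns (four denials across ports 21, 23, 80 and 111), 203.0.113.9 only as repeated, and the single Authentication Server denial and the allowed Web Sharing entry are not reported.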

Advanced mode

If you wish to define additional services that Personal Firewall will protect, you must go into Advanced mode. Then in the setup window (see Figure 1), click on the New button under the list of services on the left. A dialog appears and there is a pop-up list of common services you might want to protect (Figure 5). If you are an advanced user you could probably add your own.

Figure 5. Creating a new service.

With Advanced mode you can also add protection to UDP ("User Datagram Protocol") ports. More information is available in the Access History window than in Basic mode (Figure 2 is in Basic mode): the port, access mode, and IP address for the access attempt are added.

Experience

I was surprised to find that although I have only a dialup Internet connection (the Pi's Explorer Service) and am not on it most of the time, I got connection attempts periodically, maybe averaging one every hour or two that I was on the Internet. The largest number of these denied connections was of the type "Remote Procedure Call (RPC)" mentioned above, followed by Authentication Server calls as a result of my contacting certain types of Web pages (I think these were automated and non-hostile responses), then "Web Sharing," attempted "telnet" connections, and attempts to see if I were running a DNS server. Explanations of these on the Personal Firewall Web page indicate that these were probes to see if there were vulnerabilities of types not usually found on Macintoshes anyway. So Norton Personal Firewall may not have added much to my security while on the Internet, compared to the time before I had it, and was blissfully ignorant of any such attempts. But it certainly made me aware that such probes are routinely happening.

Norton Personal Firewall ($69.95 separately)
Part of Norton Internet Security for Macintosh, $99.95
Symantec Corp.
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com