In Tiger, it's possible to change firewall settings in the Sharing preference pane, where you'll find a list of services that you can allow through when the firewall is enabled. In Leopard, this works very differently. The firewall settings are now part of the Security pref pane, and there are three options:
- Allow all incoming connections (this is the default)
- Block all incoming connections
- Set access for specific services and applications
When the last two options are selected, it's possible to add applications to a list and select "block" or "allow incoming connections" for each application. I played around a bit with these settings, but I couldn't figure out which combination of global and per-application settings is supposed to do what, let alone try it out and see if it worked. The thing is, most incoming connections are handled by system-level "daemons" rather than applications, and those daemons never show up in the application list. And the few applications that do answer incoming connections, such as iTunes or iPhoto, usually only do so on a local network rather than over the Internet.
Apparently the people at Heise Security figured it out, but they weren't happy with the results. Unsurprisingly for a security web site, they lambast Apple for leaving the firewall disabled in the first place. To add insult to injury, Leopard does in fact run a few network services out of the box. Heise found multicast DNS (mDNSResponder, UDP port 5353, used by Bonjour), NTP (ntpd, UDP port 123, to synchronize the clock over the network), and NetBIOS name resolution (UDP port 137, for looking up Windows share names). It turns out that setting the firewall to "block all incoming connections" doesn't block these services: they are still reachable from the network afterwards. So basically, turning on the firewall doesn't do squat. Heise goes on to discuss the possible security implications of this, which I'll summarize as "bad things can happen if there are exploitable bugs in the daemons that provide these services."
I don't think Heise Security is necessarily incorrect in what it says, but it looks like they don't understand what Apple is trying to do here. To me, it seems that Apple wants to avoid the situation where a user runs a program, then enables the firewall, and is surprised when that program doesn't work (iChat, anyone?). So instead, the new firewall works on applications rather than TCP and UDP port numbers. I think this makes a lot of sense, except that it leaves the paranoid security-conscious user with few tools to limit access to system services or block outgoing connections by suspect programs.
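Since the Security pane won't tell you what the daemons are doing, the check I'd actually want is to list what is really listening and then deal with it below the application layer. The script below is an added example for this post, not code from the article or from Heise. It assumes the column layout of `sudo lsof -i -P -n` on Mac OS X (the sample output embedded in it is constructed, not captured from a real machine), and it assumes the BSD `ipfw` packet filter, which Leopard still ships in Terminal alongside the new application firewall. The rules are emitted as text so you can read them before running any of them with sudo.

```shell
#!/bin/sh
# Added example (not from the article or from Heise): audit what is really
# listening on a Leopard box, pick out the system-daemon sockets that the
# per-application firewall has no entry for, and turn them into ipfw deny
# rules. Assumes the column layout of `sudo lsof -i -P -n` on Mac OS X.

# Constructed sample of `sudo lsof -i -P -n` output (not captured from a real
# machine): the three daemons Heise found, the Remote Login socket held by
# launchd, and two user applications with one listening and two outbound sockets.
SAMPLE_LSOF='COMMAND     PID            USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1            root   12u  IPv4 0x0ac1e0d0      0t0  TCP *:22 (LISTEN)
mDNSRespo    33  _mdnsresponder    7u  IPv4 0x0ac1f1a8      0t0  UDP *:5353
ntpd         40            root   20u  IPv4 0x0ac1f3c0      0t0  UDP *:123
nmbd        120            root    5u  IPv4 0x0ac1f5d8      0t0  UDP *:137
iTunes      512            jdoe   19u  IPv4 0x0ac1fa08      0t0  TCP *:3689 (LISTEN)
iTunes      512            jdoe   22u  IPv4 0x0ac1fc20      0t0  TCP 192.168.1.5:49152->17.172.224.47:80 (ESTABLISHED)
Safari      600            jdoe   14u  IPv4 0x0ac1fe38      0t0  TCP 192.168.1.5:49153->209.85.135.99:443 (ESTABLISHED)'

# listeners: read lsof output on stdin and print "PROTO PORT USER COMMAND" for
# every socket that can accept traffic from the network: TCP sockets in LISTEN
# state, and UDP sockets that are bound but not connected (no "->" in the name).
listeners() {
  awk '
    $1 == "COMMAND" { next }                               # header line
    $NF == "(LISTEN)" { proto = $(NF-2); name = $(NF-1) }  # TCP listener
    $(NF-1) == "UDP" && $NF !~ /->/ { proto = "UDP"; name = $NF }
    proto != "" {
      port = name; sub(/.*:/, "", port)                    # "*:5353" -> "5353"
      printf "%s %s %s %s\n", proto, port, $3, $1
      proto = ""
    }' | sort -k1,1 -k2,2n
}

# system_listeners: keep only sockets owned by root or by an _underscore service
# account. Those belong to daemons rather than applications, which is exactly
# what the Leopard firewall's application list cannot express.
system_listeners() {
  awk '$3 == "root" || $3 ~ /^_/'
}

# ipfw_deny_rules: one ipfw rule per listener, dropping inbound packets to that
# port on this host ("me"). Emitted as text for review, never executed here.
ipfw_deny_rules() {
  awk '{ printf "ipfw add deny %s from any to me %s in\n", tolower($1), $2 }'
}

# On a live machine:
#   sudo lsof -i -P -n | listeners
#   sudo lsof -i -P -n | listeners | system_listeners | ipfw_deny_rules
# Demo run over the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | listeners | system_listeners | ipfw_deny_rules
```

Read the generated rules before applying any of them: a deny on TCP 22 also shuts the Remote Login you may have turned on deliberately, a bare deny on UDP 123 stops the replies to ntpd's own queries from arriving (pair it with a stateful `keep-state` allow for ntpd's outbound traffic if the clock should keep syncing), and ipfw rules entered by hand do not survive a reboot.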