Archive for December, 2007

Behind the firewall

Saturday, December 29th, 2007

Some people are apparently under the impression that firewall rules are the be-all and end-all of Mac OS X security. Deny all from any to me in. Before you spend days composing the perfect ipfw ruleset, however, take a look at sysctl. (You could spend days looking at sysctl.) One of the biggest misconceptions about Mac OS X — a misconception encouraged by the System Preferences UI — is that the firewall is not enabled out of the box. Nonsense!

net.inet.ip.fw.enable: 1

Admittedly, it’s a fairly flammable firewall (allow ip from any to any), but it’s enabled. More important, the default sysctl settings do provide at least a modest level of protection. For example:


net.inet.icmp.timestamp: 0
net.inet.icmp.maskrepl: 0

These prevent your machine from responding to ping -M time and ping -M mask requests. What time is it? Where the party at?

By Mac OS X herein I shall mean Leopard and Tiger. (Panther is not yet abandonware, but at this point it merely receives Christmas cards.) When you ‘start’ the firewall in System Preferences, Tiger adds a number of rules to ipfw. Leopard, on the other hand, includes a new Apple-designed firewall that mostly replaces ipfw. Though Leopard respects custom ipfw rulesets, it adds no rules to ipfw when you choose to block incoming connections. I don’t know much about how the Leopard firewall works; presumably it protects you somehow or other.

Leopard does still employ ipfw for “Stealth Mode”. If you turn that on, both Leopard and Tiger add the rule deny icmp from any to me in icmptypes 8. Curiously, Stealth mode prevents you from ‘pinging yourself’ in Leopard but not in Tiger. For fun (according to a rather loose definition of fun), try ping localhost. Somebody bring me a mirror! The difference in behavior is due to the Tiger-only rule allow ip from any to any via lo* that precedes all other rules.

Looking at the ipfw rules, you might think that Stealth Mode is overrated, like Notre Dame football and most wines over three dollars. If you want to learn its true value, you need to consult sysctl.


net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1

With these settings, your computer mercilessly crushes attackers into singularities, as well as dropping their packets without response when sent to closed ports.

It would be nice if Bonjour wasn’t so talkative, broadcasting its greetings to your entire LAN. Bonjour also complains loudly when told to shut up by the firewall. On the other hand, you’re going to have to broadcast anyway for DHCP. Moreover, your LAN will see your internet traffic, especially on wireless.

Whoa, I suddenly realized after all these years that if you’re a grown man who lives in an attic, hangs out with high school students, has an ‘office’ in the bathroom, and is known for one syllable utterances, you’re not cool. You’re a loser.

How not to fix a build warning

Saturday, December 22nd, 2007

The Hollywood writers strike continues, and the desperation grows for alternative sources of entertainment. Fortunately, we programmers can find entertainment in our own sources. I’ve got some reality programming for you! The following snippet of code is taken from an actual CVS commit. (Yes, CVS. Don’t laugh. Do cry for me, Argentina.) This build warning ‘fix’ was made by some contractor for some project that I worked on at some point in time for some company. To protect the innocent and/or guilty, I won’t say who, what, when, or where. As for why, I wish I knew. Or maybe not.


NSEnumerator* fileEnum = [fileArray objectEnumerator];
NSDictionary* aDict = nil;
//Changed to Remove the Build Warnings
//while(aDict = [fileEnum nextObject])
while(aDict == [fileEnum nextObject])

Let this example serve as a lesson. Not for programmers — the one who wrote it is probably hopeless — but rather for managers. Please do not just hire the lowest bidder!

WordPress Bug Fix: more props for me

Saturday, December 15th, 2007

Although I abhor self-promotion — much as Roger Federer abhors winning tournaments — someone must take on this thankless task. (I had to fire my publicist, because he had never heard of me.) Thus it is with great regret and sorrow that I announce my latest contribution to the WordPress open source project. It was just one minuscule twitch for mankind, yet one ginormous vault for a man, viz., yours truly.

Now some critics might claim that the security issue was trivial. In my defense, I would argue that critics are doo-doo heads. Except the ones in New York: they all love me.

Mac OS X 10.4.11: less tar

Thursday, December 6th, 2007

Although it seems late in the game to be adding new features to Tiger, Mac OS X 10.4.11 includes not only the high-profile Safari 3 update but also a few other interesting little additions. For instance, when you uncompress a .tar.gz file in Finder it no longer leaves behind a useless .tar that you have to manually trash. Neat!

Of course, it wouldn’t be Finder without some annoyance. The trade-off for un-cluttering your Desktop is up-cluttering your console.log:

BOMArchiveHelper[454] opened /Users/jeff/Desktop/.BAHEm7Xn/my-directory.tar

I’m not sure why they didn’t use tar xzf, which is approximately a billion times faster. Baby steps…

Vienna 2.2.1 available now (and yesterday, and the day before)

Tuesday, December 4th, 2007

It should come as no surprise that Vienna 2.2.1 was released on Sunday. I’ve been too busy the last two days chipping my car out of the ice to write a post here. Release notes are available for the lazy, though real coders read the commit logs.

Contrary to expectations, this is not really a Leopard compatibility release. I would say that Vienna is not yet Leopard ready. On the other hand, I would also say that Leopard is not yet itself ready. So there you have it.