Hi friends, here at home, I normally connect to the internet via a router, which I have set up to block malicious and random traffic. I’m currently testing a 3-month trial of a 10GB fiber ($55/month) connection to see how it compares to my 1GB ($69/month), and have it directly connected to my 2023 MacBook Pro via ethernet. I’m running Little Snitch, and it’s crazy to see the number of random attempted connections that I’m getting to Launchd, Control Center, kdc, smbd, and the like.
I’m curious, for those that aren’t using a router (which probably isn’t many), other than running Apple’s Firewall, how else are you protecting your computer from internet connections and attacks? Using Little Snitch, I’m able to deny all of the connections that I’m receiving, but for those that aren’t using Little Snitch or a router, what are you using?
These two things are very different. macOS firewall is about blocking incoming connections. Regardless of what apps you use, you can be subjected to these and this firewall, which BTW has an excellent reputation, protects against that.
LittleSnitch is usually used to control outgoing connections. These are initiated by the OS or your apps. If we assume that you can trust macOS (or at least, you agree with the connections it’s opening), this basically boils down to giving you a tool to monitor the apps you use (or those you are running without being aware), and block connections they might attempt to open up that you disagree with (eg. “phoning home”).
These are two very different things and not at all mutually exclusive or in competition with one another.
Routers used by people at home to connect to the internet usually have a firewall that attempts to do the former. Some can also be configured to do the latter, but this is not very common. You might want to have your router block, in addition to macOS’ built-in firewall, because you for example use that router to connect devices that aren’t Macs or iPhones which have such nice built-in protection. Most routers will offer some kind of NAT which is actually a means (among others) to allow a LAN device to open up a direct two-way channel to a WAN device. This can be very dangerous (but for some services, eg. remote ssh, absolutely required) which is why the default is often to block such attempts unless initiated by a specific LAN client for a specific service (port). But this is not at all to be confused with what Little Snitch would do on such a LAN Mac, since NAT is more concerned with the answer the LAN Mac will get when it sends to a WAN device, while LittleSnitch will get in the way of that request even before it makes it beyond the LAN Mac. This is a huge topic, so too much ground to cover in just a single post…
Yep, I understand all about NATing, inbound and outbound traffic. In this instance, however, Little Snitch is stopping inbound traffic, which is why I asked about Firewalls. These are connections that Apple’s Firewall deemed appropriate and accessible because of the type of Service that is being attempted. Macs do phenomenally well on their own in the DMZ, but I’m also curious what other means people are using to protect their devices when not behind a router.
Is that a BlockBlock pop-up for an incoming connection?
Little Snitch looks a bit different.
Anyway, BlockBlock is an option for some additional protection.
Have you possibly perhaps maybe given thought to the idea of giving up?
As you say, and it’s true, Macs are fine directly exposed to the public Internet. Just don’t do anything obviously stupid, like using weak passwords, running unauthenticated services you don’t use, and most important of all, not patching against vulnerabilities, and you’ll be all right.
For myself, I am behind NAT on IPv4, of necessity, which gives me a modicum of protection, as these things do. (NAT is not about security, but address conservation; any protection it affords is incidental.) But on IPv6 I explicitly roam free and naked. This is mostly because the convenience features of receiving inbound connections don’t really exist in IPv6 (UPnP for v6 can’t be used in practice due to interoperability issues, PCP was never really implemented, ALGs in firewalls usually aren’t under one’s control, etc). Also, the IPv6 address space is much, much larger than the IPv4 address space, so one does not in practice see the constant hammering one does on IPv4. You might say that this position is somewhat easier to take than for IPv4, and I’d agree, but I stand by what I just said–the real problem, and the one you should most concern yourself with, is the security of individual devices on your networks, and this is true regardless of whether a firewall is in place or not. The attack surface does not magically increase in magnitude just because the firewall isn’t there, unless you are doing it wrong. That having been said, running unprotected translates into responsibilities for you to think much more carefully about the services you choose to use, because they will be publicly exposed if you enable them. Accidents happen when you are careless and assume a firewall is in place, e.g. you have enabled unauthenticated file sharing or FTP service because nobody else can use them …
Good luck on your FTTP travels! I expect you’ll enjoy it.
This is the critical point. With IPv4, your ISP’s entire customer-facing address block can be port-scanned in a few hours. So attackers routinely scan everything. They compile databases of which IP addresses have which ports open and they use (or sell) that database for subsequent attacks.
With IPv6, however, the available address space is orders of magnitude larger. My home (using Comcast XFinity) gets a “/64” address prefix. That is, I’ve been assigned a 64-bit address block all for myself. I may have a lot of devices on my LAN (several dozen), but that’s completely dwarfed by the fact that these come from a pool of 1.8 × 10^19 (that’s 18 quintillion) addresses. An attacker somehow capable of scanning a billion addresses per second would still require over 580 years to scan the entire address block. Multiplying this by the fact that every one of Comcast’s customers has a block this size and you can see that a brute-force port scan for IPv6 vulnerabilities is pretty much pointless.
When combined with the fact that IPv6 hosts don’t generate their addresses sequentially, but pick random addresses within the assigned block and periodically change these addresses, the odds of being attacked via a random port scan are so low that it’s probably not worth considering.
Of course, a remote service you connect to will get your address. So if you connect to a malicious server (or to a legitimate server via a compromised router), then the bad guys will learn your address directly. They could port-scan that address, find a vulnerability and use that for an attack. But the fact that most hosts today use temporary IPv6 addresses (see also RFC 4941) means that any discovered address will need to be attacked pretty quickly, because it will go away soon (probably in less than a day).
So for most people (who are running IPv6 clients, not Internet-facing servers, where the address must be stable and accessible via DNS), a basic firewall, like the one built into most modern operating systems, is probably sufficient.
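As an added illustration of the scan-space argument in the post above (this is not code from the thread), the following Python script works out the /64 numbers and shows why random interface IDs matter by contrasting low-numbered hosts with RFC 4941-style random ones; the prefix and host list are constructed examples.

```python
# Added illustration of the /64 scan-space argument; not code from the thread.
import ipaddress
import secrets

HOST_BITS = 64                       # a /64 leaves 64 bits for the interface ID
SPACE = 2 ** HOST_BITS               # 18,446,744,073,709,551,616 addresses
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_scan(addresses: int, probes_per_second: float) -> float:
    """Wall-clock years to touch every address once at a fixed probe rate."""
    return addresses / probes_per_second / SECONDS_PER_YEAR


def expected_random_probes(live_hosts: int) -> float:
    """Expected probes before a scanner choosing IIDs uniformly at random hits
    any one of `live_hosts` randomly assigned addresses (geometric: N / k)."""
    return SPACE / live_hosts


def random_iid_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: random 64-bit IID under the prefix
    (simplified; the RFC derives the IID from a hashed history value)."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) + secrets.randbits(HOST_BITS))


def sequential_scan_probes(addresses, prefix: str) -> int:
    """Probes a scanner walking IIDs upward from ::0 needs to cover every
    address in `addresses`: equals the highest IID in use plus one."""
    net = ipaddress.IPv6Network(prefix)
    base = int(net.network_address)
    return max(int(ipaddress.IPv6Address(a)) - base for a in addresses) + 1


if __name__ == "__main__":
    prefix = "2001:db8:abcd:1234::/64"          # constructed documentation prefix
    print(f"years to scan one /64 at 1e9 pps: {years_to_scan(SPACE, 1e9):.0f}")
    # Hosts numbered ::1 ... ::40 fall in the first 41 probes of a sequential scan
    low = [f"2001:db8:abcd:1234::{i:x}" for i in range(1, 41)]
    print("probes to cover 40 low-numbered hosts:", sequential_scan_probes(low, prefix))
    # The same 40 hosts with random IIDs cost a scanner ~4.6e17 probes on average
    print(f"expected probes vs 40 random-IID hosts: {expected_random_probes(40):.3g}")
    print("sample temporary address:", random_iid_address(prefix))
```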
Related to this, I have a media server that I share with a couple friends.
I also use iDrive for cloud back-up, so iDrive has to be able to find me.
I occasionally use NoMachine to remote in as well from a MBA.
There is also a cMP3,1 on the LAN via an unmanaged switch.
Each Mac has 1 port forward for NoMa.
The drives are mounted in the cMP, but the server is on a '18 mini.
What should I be doing for safety, other than Monterey Firewall on and Router firewall IPv4 set for medium?
I don’t mean to be fear mongering but even with using the Apple Firewall and Little Snitch (both great products), putting your computer directly on the internet is really not a great idea. It’s going to require constant monitoring of your settings and ensuring nothing slips through. A network device (such as a good router) made to be internet facing is really a safer & saner approach.
Macs are not immune to malware.
Sure, but the question is if/how to properly punch a hole in that router. For certain services (eg. 22 for remote ssh access and/or tunneling) that is required. Other examples are people who perhaps want to control or monitor their systems remotely, eg. Screen Sharing. There is a lot of good advice to be given on how to do that going beyond just setting up a solid and totally locked down router between your home devices and the WAN.
Sure, I didn’t mean to imply that your router should be a brick wall. You do have to work at what connections to allow in and that’s tricky. But as you say, there are good examples to be had.