OS X Firewall Not Stealth

2012/04/19

Even with the OS X Lion firewall turned on and stealth mode enabled, a few UDP ports remain open, despite System Preferences showing no services running and no ports open. The reason is that the built-in firewall filters by application rather than by packet: Apple's own description of the "Block all incoming connections" setting says that basic services such as DHCP, Bonjour and IPsec are still allowed, and stealth mode only suppresses replies to probe traffic such as ping. Neither setting touches a system daemon that Apple has exempted.


A Nessus scan reveals the following UDP ports open and broadcasting information:

  • 5353 / UDP
  • 123 / UDP
  • 127 / UDP

[Screenshots 01 to 04: Nessus results for the OS X firewall scan]
Note: Ignore port 4242 TCP on these screenshots. I am knowingly running Crashplan on this port! 🙂



This occurs even with every relevant setting in System Preferences made as tight as the end user can make it (firewall on, all incoming connections blocked, stealth mode enabled); the same state can be read back from the command line with /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate, --getblockall and --getstealthmode:

[Screenshot 05: Firewall settings in System Preferences]

[Screenshots 06 and 07: Advanced firewall settings in System Preferences]

5353/udp is mDNS, the transport for Bonjour. On OS X the same daemon, mDNSResponder, handles ordinary unicast DNS resolution as well as multicast name discovery, so it cannot simply be unloaded without breaking DNS, which makes this difficult to disable. It is possible to disable the multicast advertising portion of this service with some hackery as noted in this Apple KB article.


123/udp is NTP. A client only needs to send requests and receive replies on its own socket, so a listening port is not required for keeping the clock in sync, yet ntpd on OS X binds 123/udp regardless. Again, nothing in System Preferences lets you close it.


127/udp is reported by Nessus and attributed here to Windows NetBIOS, which broadcasts the host's NetBIOS name for compatibility in Windows networks. Note, though, that the NetBIOS name service is defined on 137/udp, and nmap labels 127/udp as locus-con, so the 127/udp finding deserves a second look with a protocol-specific probe. NetBIOS name registration is on by default even with no Sharing services enabled in the System Preferences. This should be user configurable in the System Preferences to disable broadcasting this service.


If you don't have Nessus handy, you can also verify these particular UDP ports on your OS X machine with nmap. Read the results carefully: nmap's default UDP probe is an empty datagram, so a port that answers shows as open (123/udp here), while a port that stays silent shows as open|filtered, which could be either a listener that ignored the junk or a dropped packet:

$ sudo nmap -sU -p 123,127,5353 172.16.1.107

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-19 11:42 EDT
Nmap scan report for 172.16.1.107
Host is up (0.00063s latency).
PORT     STATE         SERVICE
123/udp  open          ntp
127/udp  open|filtered locus-con
5353/udp open|filtered zeroconf
MAC Address: 00:11:22:33:44:55 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

Cool!
