Home » Questions » Computers [ Ask a new question ]

Is it safe to put a Mac directly on the internet?

Is it safe to put a Mac directly on the internet?

In the past I have always run a NAT router between my Windows PC's and the internet. I'm wondering if I still need this or whether the OSX firewall is good enough to let me put a Mac directly on the internet.

Asked by: Guest | Views: 125
Total answers/comments: 3
Guest [Entry]

"Though I don't mind hooking up my Mac to any network, I don't have the definitive answer. Still, some notes too long for a comment:

The OS X built-in firewall is an application firewall: accepting incoming connections is granted per application, not per port. Once granted permission, an application could open any port it likes, but I guess that's not an issue for software you trust. Also, it only applies to incoming connections: all outgoing connections are always allowed (but that is true for a NAT-firewall as well). And according to Apple's ""Mac OS X 10.5 Leopard: About the Application Firewall"":

All applications [..] that have been digitally signed by a Certificate Authority trusted by the system [..] are allowed to receive incoming connections. Every Apple application in Leopard has been signed by Apple and is allowed to receive incoming connections.

In 10.6 the latter is made more explicit (and can be disabled) as ""Automatically allow signed software to receive incoming connections. Allows software signed by a valid certificate authority to provide services accessed from the network."":

Hence, even when the firewall is active, every server-like Apple application that you have running is, by default, allowed to accept incoming connections. (Or, maybe in 10.6 it even applies to any signed application?) A bug in such software could compromise your computer. I don't know how that affects things like Bonjour and file sharing.

If the firewall is active then any non-Apple software (or at least unsigned software) first needs your permission to accept incoming connections. When such software is updated, it might or might not need your permission again:

A signed application [..] can mathematically prove that it is indeed a new version of the same application from the same vendor that you expressed trust for in the past. The result is an end to dialog boxes asking you to confirm a choice whose safety you have no reasonable way to verify."
Guest [Entry]

"It's never secure to connect a computer to the internet, and it's always better to have a router in between.

Since most routers run embedded-Linux, it's most-likely more secure to have them in-between.

Speaking as a Linux-user: Mac OSX has most of the applications from FreeBSD, so make absolutely sure you have ssh and sshfs not installed or running, if you don't need them.

And just having a firewall is not enough. Make sure it's properly configured."
Guest [Entry]

"It is not safe to put anything on the internet. Having said that, nowadays most people connect to the internet behind a router, which also tend to implement firwalls and whatever else, so you could be using win95 without a hitch.

It all depends on what you do with that computer and if you are only browsing the internet or are serving content. Can't answer anything more specific without further details."