Jesus Vigo reviews IceFloor, the graphical user interface for OS X's built-in network firewall.
Computer security is the hotbed topic these days. It seems as though you can't watch the evening news without hearing about the iCloud personal information leak or the coordinated attack against several US banks just last month.
While those attacks focused on services, what about the average user? They too have been hit with reputedly one of the worst viruses in history: CryptoWall. This Trojan has held data ransom on over 600,000 computers and earned its creator(s) over $1 million since its inception less than a year ago.
Common practices to limit exposure to these growing threats include antivirus software, malware scanners, and even modifying browsing habits and not clicking on links sent to you via email. However, one of the most overlooked security practices is implementing a properly configured firewall.
Modern OSs include some form of software-based firewall, which most users merely click on if prompted to enable -- and that's that. They trust the software is doing its job and, for the most part, it does. But what happens if your needs go beyond that of surfing the web and responding to emails?
If you are hosting your own server for your business or are running several critical services, such as communications and the web, then you'll need to have a more robust configuration for your personal firewall to limit your exposure to all the threats posed by a broadband, always-on connection.
As most users know, OS X is UNIX-based and includes a built-in firewall that's turned on by default. What some users do not know is that the personal firewall included in OS X is fully configurable via Terminal commands only, since the previous graphical user interface (GUI) was removed in Server 10.8. IceFloor, however, exists to fill that void. It provides users with a full GUI with which to make modifications to firewall configurations and has an easy-to-use front-end app and wizard for getting started.
To install IceFloor, just drag the IceFloor.app to the Applications folder (Figure A).
When attempting to run IceFloor, GateKeeper will inform you that it is from an unidentified developer and will not run (Figure B).
You may receive a warning that IceFloor is from an unidentified developer.
Depending on your settings, this error may or may not appear. However, if it does, hold down the Option key while right-clicking the app. Select Open, which will prompt a confirmation screen. Click Open again to launch IceFloor (Figure C).
Select Open to launch IceFloor.
Remember that IceFloor is not an app per se -- rather, it's a GUI front end for executing the commands that will configure the firewall settings via Terminal. This requires administrative rights over the machine, and you'll be prompted to enter your credentials prior to loading IceFloor (Figure D).
You'll need admin rights to load IceFloor.
On first launch, a welcome screen will greet you. While it serves as an overview of IceFloor, the main thing to look for is the menu bar installer. This will install an IceFloor Menulet on the menu bar (Figure E), where you can modify settings quickly.
The IceFloor Menulet.
The IceFloor app itself is relatively easy to navigate. It uses a tabbed system, where each tab represents a particular section. Beginning with the Help tab, there are four buttons to choose from:
- The Configuration Wizard provides a wizard to walk you through the initial configuration of IceFloor simply by answering questions.
- The IceFloor User Guide provides a wealth of documentation, covering various the features and functions that may be configured.
- The OpenBSD 4.3 PF Manual is in PDF format, just like the IF User Guide, but it covers everything from beginning to advanced configurations of the personal firewall itself found in UNIX and OS X.
- The Uninstall IceFloor button will completely remove all traces of IceFloor from your Mac.
Additionally, a contact link and donation button are present in the event that you run into trouble, wish to reach out to the developer, or would like to donate for the continued development of future versions of IceFloor (Figure F).
The IceFloor app.
Click on the Firewall tab to bring up the configuration screen (Figure G). Depending on your specific needs, the Lists drop-down will allow you to configure inbound/outbound connections (whitelist), block any form of connections being made to or from servers (blacklist), or even restrict bandwidth settings for both downloads and uploads.
The Firewall tab.
One of the greatest features of IceFloor is the ability to group together settings. If you've ever configured firewall settings or performed user management in Open Directory, you're aware that the process of manually entering data can be cumbersome when many entries are needed. This mechanical process may lead to errors that could be exploited in the future. However, working with groups helps to mitigate much of the repetitive tasks by assigning rules to them as templates and then adding them or removing them from the lists as necessary -- no reconfiguration needed. In fact, IceFloor includes many common services to choose from with the required ports preconfigured (Figure H).
IceFloor includes many common services to choose from.
Speaking of predetermined configurations, the next tab is Presets (Figure I). This tab includes predefined rules sets for communications. Additional presets may be created either manually or by adding multiple services and saving them as a template for future use. This is extremely useful when deploying multiple computers that must have identical configurations or in corporate environments when provisioning devices with specific roles to prevent too little or too much access from causing connectivity issues.
The Presets tab.
What good is a firewall without logging capability? Ultimately none, since you wouldn't be able to pinpoint any internal issues or external factors causing service disruptions. The Logs tab (Figure J) holds access to various forms of logging, from redirection to Apple's built-in Console to a real-time output of logging in Terminal. Additionally, the ability to export logs for later review and analysis round out the important function.
The Logs tab.
Hidden Services, the following tab, employs Port Knocking to hide specified services that are added to the list (Figure K). The ports these services communicate with are considered closed unless a connection attempt is made to a specific set of ports -- three, in the case of IceFloor. Though relying on security through obscurity as the means of hiding the specified services, unless the knock sequence is compromised, this form of security provides a good means of protection against port scanning and brute force attempts against a system.
The Hidden Services tab.
One size does not always fit all, especially when it comes to technology and, to a greater extent, security. For some, the modular use of rules grouped together seems like a boon. For others, the specific needs of their environment require a bit more subtlety. Custom Rules can provide exactly that form of granular control over specific services, servers, IPs, or a combination of all of the above (Figure L).
The Custom Rules tab.
The ability to be firm yet flexible is one of the basic tenants of a firewall. Being able to deny or allow traffic is only part of its function. The ability for a firewall to redirect traffic, force certain protocols, or even provide connectivity through a specific interface is part of what custom rules can do in IceFloor (Figure M).
You can add new Custom Rules.
The Interfaces tab helps you keep an eye on the individual connections of your node and monitor the traffic that passes through each (Figure N). Clicking the Update button will populate the Network Interfaces grid with all the necessary information. By clicking the interface itself, say en0 that is assigned to the Ethernet port, a full breakdown of the traffic that has passed through the interface will be listed in an easy to read report.
The Interfaces tab.
A similar grid exists for listing connections established by applications, connected hosts, or sockets actively listening for communications. Grid lists information for each connection made by an app, protocol, source, and target IPs, plus the ports they're connected to/from, and current status (Figure O). For additional security, you can terminate connections at will from the list or ban IP addresses to prevent future connections from taking place.
Grid of application connections.
Finally, the Browser tab allows you to load a PF rule and review the ruleset for inconsistencies or to obtain statistical information on the rule being used (Figure P). Such information, available at a glance, includes packet loss bandwidth -- both incoming and outgoing. Whitelisted or blacklisted IPs, with relevant details in transmission rates for those connections, is also included. Lastly, the Network Services List button details many common and not so common services for both UNIX and OS X. This information is quite helpful when troubleshooting an issue with a rule that needs to be modified due to incorrect port assignments or to prevent clashing with another offered service.
The Browser tab.
IceFloor may appear to be not for the faint of heart, but it truly is an easy-to-use front end for a very powerful program. With the wizard to get you started and plenty of documentation that provides a wealth of information every step of the way, you'll have a basic configuration of IceFloor running in no time.
That being said, IceFloor aesthetically leaves a lot to be desired, since it's not up to Apple's typical design standards. But form over functionality aside, the benefits of IceFloor far outweigh the few nit picks it may have visually. IceFloor is built for OS X and runs flawlessly as an overlay for the Terminal-only firewall settings. It will ultimately provide enhanced security and protection to all devices configured to provide network services.
Do you use IceFloor or another GUI for Apple's built-in firewall? Share your experience in the discussion thread below.