OSX Firewall on or off on a LAN

Sorry, a little off topic, but hopefully someone can comment.

I’m using Easyproject software (to maintain Freeway website projects) which runs a server on one Mac to update another person’s Mac with the user’s project data.

By default I usually have both Macs running the OSX Firewall. But this program does not work unless the firewall is down on the EasyProject’s Server Mac.

Question is, I already have an 8 port router with firewall running between the LAN and the Internet, so do I really need to worry about having to turn off the OSX Firewalls?


offtopic mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

On Nov 23, 2007, at 10:53 AM, dwn wrote:

Sorry, a little off topic, but hopefully someone can comment.

I’m using Easyproject software (to maintain Freeway website
projects) which runs a server on one Mac to update another person’s
Mac with the user’s project data.

By default I usually have both Macs running the OSX Firewall. But
this program does not work unless the firewall is down on the
EasyProject’s Server Mac.

Question is, I already have an 8 port router with firewall running
between the LAN and the Internet, so do I really need to worry
about having to turn off the OSX Firewalls?

That’s why this forum is called Off Topic!

Security is a matter of more is better, but you are correct, there is
a limit to how much you need in everyday use. Depending on how your
network is configured, you may not need the firewall on any of your
Macs. But if you do go that far, realize that you have removed a
layer of security, and if the one protecting that should fail, you
will be open to all sorts of trouble.

If your network is set up similar to mine, you have a cable or DSL
box connected to an internet sharing appliance, and the rest of your
network to that. The sharing appliance takes your one public IP
address and shares it with your computers using a technique called
Network Address Translation. Each computer on your network has a
“private” IP address, usually in the 192.168 range. These addresses
are non-routable – they will not work anywhere on the public
Internet, and a request for an address in that range or from an
address in that range will go entirely unanswered. The most you will
see is a terse “no route to host” in the Terminal.

So nobody in the world can “see” your computers from the outside –
it’s as though they don’t exist.

BUT…

Now you have a single point of failure: the appliance.

There are zillions of these things out there, many different brands
and models, and they most usually run an embedded form of Linux. It
would be foolhardy to believe that with that many juicy targets lying
around, and that much to gain from breaching one, that the hackers
aren’t busily trying to find some way around or through them.

If some nefarious villain made it past the cryptic password you set
on your appliance (you did change it from the factory standard
‘admin’, didn’t you?) then they might be able to reprogram the router
to do something other than its intended task, maybe routing all of
your packets through a proxy server somewhere in the Baltic. You’d be
none the wiser, but then there might be that sudden disappearance of
money from your accounts.

Another approach might be for you to figure out which port your
EasyProject communicates over, and add a firewall rule to allow it.
Opening a single hole like this is not as big a deal as dropping
shields entirely.

Walter


Hi Walter

Thanks for the info, it settles a few doubts.

Is there any OSX way of finding out which port the software (EasyProject) is using? (without waiting for the developers to respond)


On Nov 23, 2007, at 1:17 PM, dwn wrote:

Hi Walter

Thanks for the info, it settles a few doubts.

Is there any OSX way of finding out which port the software
(EasyProject) is using? (without waiting for the developers
to respond)

In the Network Utility application (Applications/Utilities) there is
a Port Scan feature, which should be able to find all open and
listening ports. Turn off the firewall, turn on the EasyProjects, and
then scan your computer (localhost, or 127.0.0.1). The results will
probably be cryptic, but by process of elimination (turn off
EasyProjects and scan again) you should be able to narrow it down.

Walter


Thanks I’ll give it a go


There is a utility with the program to view a debug log, and apart from lots of numbers it has the word EPMBounjourServer; does that mean anything to you? (EPM being EasyProjectManager)

The numbers in the line are:
root 431 0.0 1.4 140432 11180 ?? S 6:34PM 0:00.25 EPMBounjourServer


On Nov 23, 2007, at 1:48 PM, dwn wrote:

There is a utility with the program to view a debug log, and apart
from lots of numbers it has the word EPMBounjourServer; does that
mean anything to you? (EPM being EasyProjectManager)

The numbers in the line are:
root 431 0.0 1.4 140432 11180 ?? S 6:34PM
0:00.25 EPMBounjourServer

Bonjour is Apple’s name for the MDNS standard, which allows services
to find one another without a central authority like a DNS running on
the same network. I think you are on to something with EPM being your
application, and if I am reading this correctly, it’s listening on
port 431.

Try adding a new firewall rule, opening port 431, and see if that
allows your application to get through.

There is another possibility here, similar to what happens in FTP.
The main port is for ringing the doorbell, but the real work takes
place on any of a range of other ports. If opening this one port
doesn’t do the trick, then you will have to ask the developers what
ports they need for this to work. Or you could download and try using
Little Snitch, which is a sort of real-time port sniffer. I have no
idea how that would work in this case, but I have heard of other
people using it in this context.

Walter

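Walter’s two suggestions (the Network Utility port scan, and reading the ps line) both come down to tying a process to the port it is bound to. As an added example, not code from the thread or from EasyProject, the shell functions below do that on macOS with lsof and dns-sd: the second field of a `ps aux` line is the process ID, so 431 identifies the process and the port is looked up from it. The ps line is the one posted above; the lsof output, its port numbers and the EPMBounjo command name are constructed samples.

```shell
# Added example, not from the thread. On macOS, map a process seen in
# `ps aux` output to the TCP/UDP ports it is bound to, using lsof.
# `ps aux` columns are USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND,
# so the second field (431 in the thread's line) is the process ID, not a port.
# Constructed sample, in the shape of the line posted in the thread.
SAMPLE_PS_LINE='root 431 0.0 1.4 140432 11180 ?? S 6:34PM 0:00.25 EPMBounjourServer'
# Constructed `lsof -nP` output for such a process (hypothetical ports).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
EPMBounjo 431 root 5u IPv4 0xabc 0t0 TCP *:49212 (LISTEN)
EPMBounjo 431 root 6u IPv4 0xabd 0t0 UDP *:5353'

# pid_of_ps_line LINE: print the PID field of a ps aux line.
pid_of_ps_line() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# command_of_ps_line LINE: print the command (11th field onward).
command_of_ps_line() {
    printf '%s\n' "$1" | awk '{ out = $11; for (i = 12; i <= NF; i++) out = out " " $i; print out }'
}

# parse_lsof_ports: read `lsof -nP` output on stdin, print PROTO:PORT per bound
# socket. NODE is field 8 (TCP/UDP), NAME field 9 (e.g. *:49212 or [::]:49212);
# the port is the text after the last colon.
parse_lsof_ports() {
    awk '$1 != "COMMAND" && $9 ~ /:/ { n = split($9, a, ":"); print $8 ":" a[n] }' | sort -u
}

# listening_ports PID: live lookup on the Mac running the server. -nP skips name
# lookups, -a ANDs the filters, -p selects the PID, -sTCP:LISTEN keeps listening
# TCP sockets; UDP has no LISTEN state, so every bound UDP socket is reported.
listening_ports() {
    {
        lsof -nP -a -p "$1" -iTCP -sTCP:LISTEN 2>/dev/null
        lsof -nP -a -p "$1" -iUDP 2>/dev/null
    } | parse_lsof_ports
}

# bonjour_browse SECONDS: list service types advertised on the local link; a
# Bonjour (mDNS/DNS-SD) record carries the port, so `dns-sd -L <instance> <type> local.`
# then shows host and port for one entry.
bonjour_browse() {
    dns-sd -B _services._dns-sd._udp local. &
    sleep "${1:-3}"; kill $! 2>/dev/null
}

# Demonstration on the constructed samples (no live lsof or dns-sd call).
echo "PID $(pid_of_ps_line "$SAMPLE_PS_LINE") is $(command_of_ps_line "$SAMPLE_PS_LINE")"
printf '%s\n' "$SAMPLE_LSOF" | parse_lsof_ports
```

On the server Mac, `listening_ports "$(pid_of_ps_line "$line")"` with the real ps line gives the ports a firewall rule would need to allow; if the program also uses a range of high ports, as with FTP data connections, they show up there only while a transfer is in progress.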

Thanks I’ll investigate further


Walt,

Yep, I think your doorbell theory is working here: doing a port scan while using the program, there is port activity on a range of unnamed ports (with very high numbers), so perhaps the developers need contacting for help with this. It works OK with the Firewall down (perhaps this is intended?) but as you say, I’d prefer to be doubly secure, with the machine firewall on also.

Perhaps anyone else knows of a low-cost app to take care of managing projects (in this case web and design, with sharing; I don’t really want invoicing as that is covered with an accounts package). We use FileMakerPro 6 at the moment with a custom-made database, but I hear this will break with Leopard, so we’re looking for other solutions before opting to upgrade to FileMakerPro 9.


With a process of elimination I found the port it was using.

It’s a very simple, clever little program to use - a little rough around the edges, but it works.

Can anyone recommend anything similar?


‘dwn’

I’m running my own job progress database in FilemakerPro 7 on Leopard
(Intel iMac) and so far there have been no problems. So, you might be
lucky with v6.x, too. For everything else the change to Leopard was
virtually seamless and the more I use it, the more little touches I
find and the better it gets.

Colin

On 24 Nov 2007, at 14:01, dwn wrote:

Walt,

Yep, I think your doorbell theory is working here: doing a port
scan while using the program, there is port activity on a range of
unnamed ports (with very high numbers), so perhaps the developers
need contacting for help with this. It works OK with the Firewall
down (perhaps this is intended?) but as you say, I’d prefer to be
doubly secure, with the machine firewall on also.

Perhaps anyone else knows of a low-cost app to take care of managing
projects (in this case web and design, with sharing; I don’t really
want invoicing as that is covered with an accounts package). We use
FileMakerPro 6 at the moment with a custom-made database, but I hear
this will break with Leopard, so we’re looking for other solutions
before opting to upgrade to FileMakerPro 9.


Does it work?

I was told in the UK Macuser Mag that it would break FileMaker. Maybe it was specifically version 8.x, so perhaps version 6 will keep working?


On Nov 24, 2007, at 10:09 AM, dwn wrote:

Does it work?

I was told in the UK Macuser Mag that it would break FileMaker. Maybe
it was specifically version 8.x, so perhaps version 6 will keep working?

What breaks is the Web service part of Filemaker. I have not heard
anywhere that the application itself would break. Just be sure the
version you are running is not so old that it runs in Classic. That
will definitely not work at all – Classic is completely gone in
Leopard.

Walter


On Nov 24, 2007, at 10:09 AM, dwn wrote:

Does it work?

I was told in the UK Macuser Mag that it would break FileMaker. Maybe
it was specifically version 8.x, so perhaps version 6 will keep working?

I don’t have it here to test with. Try this: find the Filemaker icon
in the Finder, and click once on it and press Apple - I (Get Info).
See if it is a Classic application or not. If it is Classic, then it
just won’t work at all. If it is not, then you have a half a chance.

I have read that Filemaker 8 definitely works as a database under
Leopard. It just won’t share its databases over the Web, which is
probably not a deal-breaker for you.

Perhaps someone else on the list has a copy of Filemaker 6 and can
test for you on Leopard. Apple will tell you that they haven’t tested
it, and don’t recommend it at all – which is true, even if a bit
self-serving. It certainly won’t be supported in any case. But it
might work long enough to get you up the ramp to whatever the latest
version is.

Walter


It’s not a Classic application (I don’t run Classic anymore), so it should be OK.


On Nov 24, 2007, at 12:39 PM, dwn wrote:

It’s not a Classic application (I don’t run Classic anymore), so it
should be OK.

Um, actually you should be okay to try it. It may not work at all.
But it will attempt to launch.

Walter
