1 - 19 of 19 Posts

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #1 ·
Anyone ever heard of a leak test for the Mac to test the firewall?

Seems to be a discussion point for some PC firewall vendors, but I found nothing related to the Mac or even a "leak test" that will run on the Mac.
 

·
Left The Building
Joined
·
8,381 Posts
Interesting link, thanks. I use only the OS X firewall; I ran the 1056 port scan and my results were:

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
:clap:

I think I'll try this on my WinXP Dell at work on Monday.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #4 ·
Go to GRC.com

GRC | Gibson Research Corporation Home Page  

Scroll down to ShieldsUp! and test your level of 'stealth' :cool:

Cheers!
Thanks - but I have been using ShieldsUp for a while now.

It doesn't test for "Leaks" from your Mac and the "Leaktest" that is just below is an .exe file.

I also just read that the ShieldsUp test does not actually cover all the ports that show up in this pretty picture with all the green squares - so supposedly, it may give you a false pass.
 

·
Tritium Glow
Joined
·
7,141 Posts
Try this site: AuditMyPC.

Very customizable, can scan all 65,000 ports in ranges.

Also checks your anonymity, you'll be surprised how accurate and how much personal info it can detect.

Very useful site.
 

·
Registered
Joined
·
835 Posts
When I use ShieldsUp and do the 1056 port scan it always tells me that stealth fails because port 113, although closed, replied to their Ping. OSX firewall is on. How did you get the firewall to stealth port 113, The Doug?
 

·
Left The Building
Joined
·
8,381 Posts
I didn't do anything special - I have file and other forms of sharing off, and the Firewall on. I just scanned port 113 and got the same result as above (which was for the 1 to 2500 ports scan). Ditto for 2500 to 5000, and 5000 to 7500. I'll try the rest of the ranges when I have a few minutes. For now it seems that my G5 is pretty tight-lipped, which is just fine with me.
 

·
Tritium Glow
Joined
·
7,141 Posts
Any of you try the Anonymity test?

The map it showed during my test came very, very close, but didn't show my street. It also found my internal IP, the IP set by my router.

Do it with Java on and then off.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #11 ·
Any of you try the Anonymity test?

The map it showed during my test came very, very close, but didn't show my street. It also found my internal IP, the IP set by my router.

Do it with Java on and then off.
I did.

The map just shows your ISP location, not your own.
I'm with KOS (Kingston-on-Line), so the map didn't even get the city right - it showed Kingston (where the ISP head office is) instead of Belleville (where I am).

To actually physically find you, someone would have to go to the ISP and have them match the IP address and time to figure out who was using that IP address at the time in question. My IP address on DSL does not stay the same - it changes from time-to-time.

I thought the anonymity test would also show which computer you're on and which browser you are using.
 

·
Tritium Glow
Joined
·
7,141 Posts
I did.

The map just shows your ISP location, not your own.
I'm with KOS (Kingston-on-Line), so the map didn't even get the city right - it showed Kingston (where the ISP head office is) instead of Belleville (where I am).

To actually physically find you, someone would have to go to the ISP and have them match the IP address and time to figure out who was using that IP address at the time in question. My IP address on DSL does not stay the same - it changes from time-to-time.

I thought the anonymity test would also show which computer you're on and which browser you are using.
I realise all that, the point was to consider not running java on your browser to minimise issues with privacy. With DSL, the map will be more accurate.
 

·
Left The Building
Joined
·
8,381 Posts
The Doug - Are you behind a router?
No. But the Firewall's built-in stealth mode is enabled. Seems effective, eh?

Here are a few lines from the Console log, from when I ran the scans earlier today. I've removed my name & IP address.


May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):7027 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):6817 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):7455 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):5280 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):5557 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):6224 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):5369 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):7002 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):6410 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):6124 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):7204 in via en0
May 5 10:06:47 (none of your beeswax)-Computer ipfw: 12190 Deny TCP 130.94.69.111:20 (none of your beeswax):5542 in via en0
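
Added example, not part of the original post: one way to summarise ipfw deny entries in the format shown above, grouping them by source address so a port sweep stands out from isolated denials. The function names, the five-port threshold and the sample log lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the ipfw deny format shown in the post, e.g.
#   "... ipfw: 12190 Deny TCP 130.94.69.111:20 <dst>:7027 in via en0"
# The destination host is matched lazily so a redacted name that
# contains spaces still parses.
DENY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>.+?):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def denied_ports_by_source(lines):
    """Map each source IP to the distinct destination ports it was denied on."""
    ports = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["dir"] == "in":  # only inbound denials are of interest here
            ports[m["src"]].add(int(m["dport"]))
    return dict(ports)

def likely_scanners(lines, min_ports=5):
    """Sources denied on at least min_ports distinct ports (assumed threshold)."""
    by_src = denied_ports_by_source(lines)
    return {src: sorted(p) for src, p in by_src.items() if len(p) >= min_ports}

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:7027 in via en0
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:6817 in via en0
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:7455 in via en0
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:5280 in via en0
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:5557 in via en0
May 5 10:06:47 mac ipfw: 12190 Deny TCP 198.51.100.7:20 192.0.2.10:7027 in via en0
May 5 10:06:48 mac ipfw: 12190 Deny UDP 203.0.113.9:53 192.0.2.10:49152 in via en0
May 5 10:06:49 mac kernel: unrelated message that must be ignored
""".splitlines()

if __name__ == "__main__":
    for src, ports in likely_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports denied, "
              f"range {ports[0]}-{ports[-1]}")
```

Many distinct destination ports denied from one source within the same second is the signature of a port sweep; a single denied packet from a source is not.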
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #14 ·
I realise all that, the point was to consider not running java on your browser to minimise issues with privacy. With DSL, the map will be more accurate.
Sorry - I totally lost you.

In your first post you commented that "my test came very, very close, but didn't show my street", so it sounded as if you expected them to find your actual location where the computer is, and now you're saying with DSL, the map will be more accurate.

More accurate than what?
Even if you're on cable or radio or satellite - the map will just show the address of the ISP. I'm on DSL and the location shown is about 70 kms from me, that's not exactly close.

I also don't understand how running Java (or not) will affect "privacy"
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #15 ·
No. But the Firewall's built-in stealth mode is enabled. Seems effective, eh?
My log only shows UDP connections denied (whatever UDP is), no TCP and then it shows all the "stealth mode connection attempts"

I actually find that sort of strange because I am behind a router and I thought the router itself provides the firewall function, so why does the Mac firewall even see these attempts?
 

·
Tritium Glow
Joined
·
7,141 Posts
Sorry - I totally lost you.

In your first post you commented that "my test came very, very close, but didn't show my street", so it sounded as if you expected them to find your actual location where the computer is, and now you're saying with DSL, the map will be more accurate.

More accurate than what?
Even if you're on cable or radio or satellite - the map will just show the address of the ISP. I'm on DSL and the location shown is about 70 kms from me, that's not exactly close.

I also don't understand how running Java (or not) will affect "privacy"
With DSL, your physical location has to be within a certain distance from the central station. With cable it's different. The test showed a map where the central station is located and all I said was that it's very close. Realistically it should have shown my street, but it didn't. It showed the general area where the central station is located.

They used a Java applet to find my internal IP (the actual IP of my computer) on my private WiFi LAN. If you turn off Java in the browser options, the applet will not run.
There is nothing you can do to not show your assigned IP that your ISP's DHCP server assigns you.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #18 ·
With DSL, your physical location has to be within a certain distance from the central station. With cable it's different. The test showed a map where the central station is located and all I said was that it's very close. Realistically it should have shown my street, but it didn't. It showed the general area where the central station is located.
That is not true at all.
I'm on DSL and I'm about 70 kilometers from the location that was identified.

First of all, the information that one can gather from the IP address has nothing to do with the location of the Central Office (not central station btw). All that can be picked up is the ISP and their listed address which could be miles from the CO that's actually serving you.
And DSL is also not limited in distance from the CO, in my case I'm way beyond the wire-loop DSL limit even in Belleville - I'm miles out of town, quite a distance from the CO. This works because the DMS switches (that's the actual switch in the CO) have remote capabilities where the DSL wire-loop goes to the remote which is in a small box on the side of the road and from there, there is a high speed T-1 or T-3 connection to the CO.

If the location identified was close to where you live, that was purely by chance. For anyone who lives in Belleville and uses KOS, the same Kingston location would show up as for me.
 

·
Tritium Glow
Joined
·
7,141 Posts
Then the technology changed since 2001. I ordered DSL the minute it became available in central Toronto. I remember the issue was distance from central "whatever it's called", when I went on the waiting list with Sympatico. That was right after the @HOME fiasco, yet I still see this being discussed as a limitation of ADSL even today.

It's good to know you can get DSL in the 'boonies', as one day I want to move out of the city. ;)
 