(Image: application firewall)
To enable it, go to System Preferences -> Security & Privacy -> Firewall
You can choose among a few firewall options. The most secure, or most restrictive, option is "Block all incoming connections". With this option selected, attackers out on the Internet cannot connect to your computer; they cannot even discover that it exists.
However, if malware is already installed on your computer, such as a keylogger, adware or a backdoor (in practice this kind of malware is rare on Mac OS X, but there is no guarantee the landscape won't change in the future), even blocking all incoming connections won't help. The keylogger/adware/backdoor will initiate an outbound connection to give away your sensitive data, and the firewall won't block that. This outbound traffic is generally small and easy to hide among normal traffic such as your web browsing.
Installing an expensive IDS/IPS/UTM device in your home network is the ultimate solution. However, if you have some experience with stateful firewalls, you can detect suspicious outbound traffic by reviewing and searching the firewall logs on both the endpoint and the gateway (some oddities stand out easily, like traffic in the middle of the night). IDS/IPS/UTM devices are, in essence, collections of such searching and matching actions, automated.
By default, the firewall log on macOS High Sierra is empty. This is because even after you turn on the firewall, which enables logging, the logging option is set to throttle. You have to change it from throttle to detail or brief:
/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Once the logging option is changed, you can view the firewall log either from the command line
tail -F /var/log/appfirewall.log
(Image: application firewall log)
or from Finder -> Applications -> Utilities -> Console.
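The "searching and matching" the post describes can be scripted instead of done by eye in Console. The following is an added example, not code from the original post: it parses lines in the shape that detail-level socketfilterfw entries take in /var/log/appfirewall.log (the exact line format is an assumption approximated here, and the sample lines, hostname and process names are constructed), then flags outbound Allow/CONNECT events that come from a process not in your baseline of known programs or that happen during quiet hours, when the machine should be idle.

```python
import re
import sys

# Constructed sample lines approximating detail-level socketfilterfw entries.
# The real format may differ slightly; adjust LINE_RE against your own log.
SAMPLE_LOG = """\
Mar  5 09:12:01 mac socketfilterfw[125] <Info>: Google Chrome: Allow TCP CONNECT (in:0 out:1)
Mar  5 09:12:03 mac socketfilterfw[125] <Info>: sshd: Deny TCP LISTEN (in:1 out:0)
Mar  5 02:47:19 mac socketfilterfw[125] <Info>: helper_update: Allow TCP CONNECT (in:0 out:1)
Mar  5 02:47:20 mac socketfilterfw[125] <Info>: helper_update: Allow TCP CONNECT (in:0 out:1)
Mar  5 14:03:55 mac socketfilterfw[125] <Info>: Dropbox: Allow TCP CONNECT (in:0 out:1)
Mar  5 03:10:42 mac socketfilterfw[125] <Info>: Dropbox: Allow TCP CONNECT (in:0 out:1)
"""

# Baseline of programs you expect to talk to the network (constructed).
KNOWN_PROCESSES = {"Google Chrome", "Dropbox", "sshd"}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"socketfilterfw\[\d+\] <\w+>: (?P<proc>.+?): (?P<verdict>Allow|Deny) "
    r"(?P<proto>\w+) (?P<action>\w+) \(in:(?P<inb>\d) out:(?P<outb>\d)\)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": int(d["time"][:2]),
        "process": d["proc"],
        "verdict": d["verdict"],
        "proto": d["proto"],
        "action": d["action"],
        "outbound": d["outb"] == "1",
    }


def find_suspicious(log_text, known_processes, quiet_hours=range(0, 6)):
    """Return {process: {"count": n, "reasons": set()}} for outbound Allow CONNECT
    events that come from an unknown process or fall inside quiet hours."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["outbound"]:
            continue
        if ev["action"] != "CONNECT" or ev["verdict"] != "Allow":
            continue
        reasons = []
        if ev["process"] not in known_processes:
            reasons.append("unknown process")
        if ev["hour"] in quiet_hours:
            reasons.append("quiet hours")
        if reasons:
            entry = findings.setdefault(ev["process"], {"count": 0, "reasons": set()})
            entry["count"] += 1
            entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    # Read a real log from a file path given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for proc, info in sorted(find_suspicious(text, KNOWN_PROCESSES).items()):
        print(f"{proc}: {info['count']} outbound connect(s) - {', '.join(sorted(info['reasons']))}")
```

On the constructed sample this reports helper_update (unknown process, quiet hours) and one Dropbox connection at 03:10 (quiet hours); the Deny/LISTEN line for sshd is an inbound event and is ignored. A quiet-hours hit from a known program is not proof of anything, but it is exactly the kind of oddity the post says should stand out, and the place to start looking.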