Hey so I’ll be getting my first MacBook Pro in a couple weeks, so I’m still learning the details about OS X. I’m coming from a windows / Linux background.
I thought the OS shipped with its own firewall? Would you recommend using a third party firewall despite having its own?
Get little snitch. This is a firewall that doesn't care what apple thinks is useful.
There was some controversy in the previous year because apple tried to deprecate the firewall hooks and allow their junk past the replacement they offered.
I'm leaving apple for linux as we speak for two reasons, privacy and they can't help but mess with shit every time they release an update.
The most recent, this week they released an update and now their airport service listens on port 5000 making a conflict with running a dev flask service locally.
> I'm leaving apple for linux as we speak for two reasons, privacy and they can't help but mess with shit every time they release an update.
"Mess with shit" was what drove me to Linux by around 2015. It seemed like every major MacOS upgrade torched my Eclipse-based Java dev environment, generally requiring a reinstall.
I mean, you can turn that off. Is changing a port such a showstopper?
I’ve flip flopped for years, (I was using freebsd more than 20 years ago, genuinely ran Solaris 10 with my own build of kde4 on a hp probook, etc) but last time I tried to use Linux for work I got defeated by a conference suite projector at a client and it cost us a big contract. The happy path (for me anyway) is doing all actual dev work on Linux vms and using macOS as your browser/im/terminal client — which it’s great at.
And it works with those stupid little projector dongles at clients when you’re trying to pitch them 6 figures of consulting ;)
> I’ve flip flopped for years, (I was using freebsd more than 20 years ago, genuinely ran Solaris 10 with my own build of kde4 on a hp probook, etc) but last time I tried to use Linux for work I got defeated by a conference suite projector at a client and it cost us a big contract. The happy path (for me anyway) is doing all actual dev work on Linux vms and using macOS as your browser/im/terminal client — which it’s great at.
It takes about one time of "this didn't work and it's your fault for using Linux" in a business context to break one of using Desktop Linux (or BSD, etc.), I think. I doubt similar stories are uncommon. I've got one, certainly.
At least if MacOS or Windows breaks, you're not the asshole. And it doesn't hurt that they in fact do break less often (well, Win10 with its abrupt, unexpected, and slow forced updates was a real problem for a while, but otherwise)
>There was some controversy in the previous year because apple tried to deprecate the firewall hooks and allow their junk passed the replacement they offered.
Funny how framing something that's true (allowing apple software to bypass firewalls) is seen as a controversy. See previous discussion on hn: https://news.ycombinator.com/item?id=24838816
Windows and Linux user for 25 years [EDIT Windows for 25, Linux for 20, to be more precise], heavy macOS user (in addition to those) for the last 10 or so.
If it has a firewall of any kind, I've never noticed nor interacted with it. I've also never installed a third party firewall.
Firewalls can do two things, mainly. Block inbound connections, block outbound connections. The macOS firewall is mainly intended for the former. Many folks want to prevent the latter (e.g. blocking phone home connections).
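To make the inbound/outbound distinction concrete, here is an added example that nobody in this thread posted: the firewall in System Settings is Apple's application firewall, driven from the shell by `socketfilterfw`. The script reads its state and tightens it. It assumes the stock path `/usr/libexec/ApplicationFirewall/socketfilterfw`; the output strings in the comments are constructed samples of what the tool prints. Nothing here touches outbound traffic, which is exactly the gap the comment above describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten Apple's built-in
# application firewall (ALF) from the shell. It filters *inbound* connections
# only; outbound traffic is untouched whatever you set here.
# Assumption: socketfilterfw is at its stock path. On non-macOS systems the
# commands that need it are skipped.
ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Turn the text socketfilterfw prints into a short state word.
# Constructed samples of its --getglobalstate output:
#   "Firewall is disabled. (State = 0)"
#   "Firewall is enabled. (State = 1)"
#   "Firewall is enabled. (State = 2)"   <- "block all incoming connections"
alf_state() {
  case "$1" in
    *"State = 0"*) echo off ;;
    *"State = 1"*) echo on ;;
    *"State = 2"*) echo block-all ;;
    *)             echo unknown ;;
  esac
}

# Read-only audit: global state, stealth mode, auto-allow of signed code,
# and the per-application allow/block list.
alf_audit() {
  [ -x "$ALF" ] || { echo "socketfilterfw not found; not macOS?" >&2; return 1; }
  echo "global state: $(alf_state "$("$ALF" --getglobalstate)")"
  "$ALF" --getstealthmode
  "$ALF" --getallowsigned
  "$ALF" --listapps
}

# Tighten: enable it, stop answering probes (stealth mode), and stop
# auto-allowing listeners merely because they are code-signed, so every
# listener needs an explicit entry.
alf_harden() {
  [ -x "$ALF" ] || return 1
  sudo "$ALF" --setglobalstate on
  sudo "$ALF" --setstealthmode on
  sudo "$ALF" --setallowsigned off
  sudo "$ALF" --setallowsignedapp off
}

# Explicitly allow one inbound listener (argument: path to the binary),
# e.g. a local dev server you do want reachable from the LAN.
alf_allow_app() {
  [ -x "$ALF" ] || return 1
  sudo "$ALF" --add "$1"
  sudo "$ALF" --unblockapp "$1"
}
```

Run `alf_audit` first; `alf_harden` needs sudo and will start prompting for each new listener, which is the behaviour you want if you care about what accepts connections. For anything phoning home you still need pf or an application-level tool, as the rest of the thread discusses.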
Mac OS comes with pf installed. This can block inbound and outbound traffic. There is a utility called Murus that manages this with a GUI, https://www.murusfirewall.com
Thanks, forgot about pf! Murus seems the perfect middle-ground for when day-to-day management through commandline tools is too much (I lasted for about a week!), but GUI tools sometimes too restrictive.
Apple ships the pf firewall by default. It's a powerful firewall (same as OpenBSD AFAIK) but the way Apple configures it is very permissive. You can use a utility like Murus to configure it to your liking, although the configuration is rather complicated. It's also a network-level firewall, not an application-level firewall.
If you'd like an application-level firewall, you can check out Lulu or Little Snitch. Back when Little Snitch still(?) installed kernel extensions, it was found to be quite insecure—there were talks at DEFCON about it. Lulu is a lesser-known alternative.
There are multiple firewall options, but it's worth noting that Apple can circumvent them at a kernel-level if they want to phone home. You should think long and hard about how much you trust Apple before switching everything over.
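Since the comment above says pf is permissive as shipped and network-level rather than application-level, here is an added example (mine, not Murus's or any commenter's) of what "configure it to your liking" looks like without a GUI: a default-deny outbound rule set appended to Apple's own /etc/pf.conf so the com.apple anchors keep working. The interface name `en0`, the allow-list of ports, and the rule names are assumptions; adjust them for your machine.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny *outbound* rule set for
# macOS pf, appended to Apple's own /etc/pf.conf so the com.apple anchors keep
# working. Assumptions: the Wi-Fi interface is en0, the allow-list below is
# what you want out, and you are fine with everything else being dropped.
IFACE=en0                     # assumed interface; check with: ifconfig
ALLOW_TCP="53 80 443 22"      # assumed egress allow-list: DNS, HTTP, HTTPS, SSH

# Emit the rules. pf evaluates top to bottom and the *last* matching rule wins
# unless a rule says "quick", so the block line goes first and the pass lines
# after it. Blocked packets are logged to pflog0 (sudo tcpdump -nettti pflog0).
# pf matches on interface, address, port, protocol (and user/group), never on
# which application bundle made the connection.
pf_egress_rules() {
  ports=$(printf '%s' "$ALLOW_TCP" | sed 's/ /, /g')
  cat <<EOF
# --- added egress policy (loopback first, so 127.0.0.1:5000-style dev servers still work)
pass out quick on lo0 all
block drop log out on $IFACE all
pass out on $IFACE proto tcp from any to any port { $ports } keep state
pass out on $IFACE proto udp from any to any port 53 keep state
pass out on $IFACE proto udp from any port 68 to any port 67 keep state
pass out on $IFACE inet proto icmp all keep state
EOF
}

# Build the full ruleset (Apple's defaults + ours), syntax-check it, load it,
# and print what is active. This does not survive a reboot: macOS reloads
# /etc/pf.conf via its own launchd job, so persistence is a separate step.
pf_apply() {
  command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; not macOS/BSD?" >&2; return 1; }
  tmp=$(mktemp)
  { [ -r /etc/pf.conf ] && cat /etc/pf.conf; pf_egress_rules; } > "$tmp"
  sudo pfctl -nf "$tmp" || { rm -f "$tmp"; return 1; }   # -n: parse only
  sudo pfctl -ef "$tmp"                                   # -e enable, -f load
  rm -f "$tmp"
  sudo pfctl -sr                                          # show loaded rules
}

# Roll back to Apple's stock ruleset and disable pf again.
pf_revert() {
  sudo pfctl -f /etc/pf.conf && sudo pfctl -d
}
```

Always run the `-n` parse first (the function does), because a bad ruleset loaded with `-f` replaces the whole thing and can lock you out of DNS. The first few hours are spent reading pflog0 and adding pass rules for things you forgot, which is the "rather complicated" part the comment mentions and what Murus wraps in a GUI. Note the contrast with Little Snitch or Lulu: pf cannot tell Safari from curl, only destinations and ports.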