Who's There? User's Guide

Who's There? Firewall Advisor
User's Guide

Appendices

Mac OS X's built-in firewall (12)

Mac OS X 10.4 and later include logging capabilities with their built-in firewall user interface, accessible through the System Preferences window. The Leopard log file contains insufficient information to be useful to Who's There? in any way, and Snow Leopard's log file is in a non-standard format; neither of these built-in firewalls is supported. The Tiger log file is supported with the following significant caveat:

SECURITY WARNING: In Tiger, the firewall log only includes denied connection attempts. If any access attempts to your machine (desired or otherwise) are successful, these attempts will not be included in the log. Due to its lack of logging of successful access attempts, Open Door recommends against use of Tiger's built-in firewall user interface.

An additional, although much less severe, problem with logging in Tiger's built-in firewall user interface is that Mac OS X archives and resets the log file every 7 days, and deletes old archived logs after approximately a month. Thus, in addition to not being able to analyze successful access attempts at all, Who's There? can only analyze at most the last week's worth of denied access attempts through Tiger's built-in logging.

If you choose to use Tiger's built-in firewall, go to System Preferences and choose Sharing. In the Sharing window, click on the Firewall tab to display firewall settings (Figure 1).

Figure 1. Firewall settings

Choose the services, if any, for which you want to allow access, and then click the Start button. Next, confirm that firewall logging is enabled by clicking the Advanced ... button and check Enable Firewall Logging (Figure 2).

Figure 2. Firewall advanced settings

TCP and UDP Port Numbers Commonly Used by Macintosh Services (6, Port Numbers)

For the latest information on port numbers, see the list on our Web site.

Who's There? and routers (15, Home Routers)

Home routers, including wireless access points like the Airport Base Station, are used more and more in small networks as a way to share an Internet connection. By their nature, such routers provide some protection from access attempts from the Internet. In fact, unless a home router is specifically configured to do otherwise, no attempts from the Internet to access services on machines behind a router will succeed. This brings up a number of points:

Firewall logs on machines behind a home router may contain no access attempt lines, or very few.
Logging and analyzing allowed accesses on such a machine is as important as denied attempts. Generally, such accesses should only be from the network behind the router. Successful accesses from outside your local network should be examined carefully.
Despite the protection offered by home routers, a firewall on each machine behind the router is still a good idea. Home routers can be configured to allow access from the Internet to certain specific services on specific machines behind the router. If you configure your home router to do this, a firewall is definitely important, but even if you don't, a firewall is still a good idea, in case your router is configured without your knowledge (by you or by someone else). Also, especially on wireless networks, it's possible that someone could have obtained physical access to your home network without your knowledge.

Log File Formats (12, Features)

To be processed by Who's There?, your firewall's log file must be written in one of the three supported formats. These formats are:

OS X system log format -- Used by the Macintosh's ipfw firewall technology, which is built into Mac OS X. Firewalls using ipfw and logging in this format include Open Door's DoorStop X, the built-in firewall in Mac OS X 10.4 (but not 10.5 or later), OS X Server, and Flying Buttress.
NOTE: Not all ipfw firewalls create a log file. The firewalls built into Mac OS X prior to 10.4 are examples, and are not supported by Who's There?.
Extended WebSTAR log format -- A tab-delimited text format used by firewalls such as NetBarrier. This format is based on that used by the WebSTAR Web server.
NPF 3 log format -- An extended WebSTAR format used by Norton Personal Firewall 3.0 and later.

Mac OS X ipfw log format (system.log, WhosThere.log and ipfw.log)

Fields are space-delimited.

MONTH
- month of access attempt (see log file for how the year is determined)
DAY
- day of access attempt
TIME
- time of access attempt
HOST
- not used by Who's There?
LMODULE
- not used by Who's There?
IPFW
- Who's There? only processes lines where this field is "ipfw"
CODE
- not used by Who's There?
ACTION
- the action taken by the firewall ("accept" or "deny")
METHOD
- the protocol used in the access attempt - ICMP packets also show the ICMP type here; e.g., "ICMP:8.0" means ICMP type 8
SOURCE
- the IP address from where the access attempt originated - for TCP and UDP packets, also the originating port number; e.g. "192.168.0.2:49161" means IP address 192.168.0.2, port 49161
DEST
- the IP address to which the access attempt was made - for TCP and UDP packets, also the destination port number; e.g. "239.255.255.253:548" means IP address 239.255.255.253, port 548
IN_OUT
- Whether the access was coming to the firewall machine, or going out.

Log lines in OS X ipfw log format look like this:

Jan 30 17:28:45 localhost mach_kernel: ipfw: 303 Deny ICMP:8.0 192.168.0.1 192.168.0.2 in via en0

Jan 30 17:28:48 localhost mach_kernel: ipfw: 10001 Deny UDP 192.168.0.2:49161 239.255.255.253:548 in via en0

Notes:

WhosThere.log and ipfw.log may contain ipfw lines that are not related to access attempts, but have to do with ipfw internal administration. These lines look nothing like the lines described above, but are normal.
The first line of any WhosThere.log created by DoorStop X 1.1 or later is a special line containing the current year. This is for use in future versions of Who's There?

Extended WebSTAR log format

Operations are logged using the following tokens (which are included in the !!LOG_FORMAT line whenever your firewall starts up or a new log file is written):

DATE, TIME
- date and time of access, in WebSTAR standard format
RESULT
- OK for an allowed access
- ERR! for a denied access
HOSTNAME
- IP address of the client attempting access to the given port
SERVER_PORT
- the port to which access is attempted by the accessor
METHOD
- the protocol used by the access attempt (TCP, UDP or ICMP)

Actions related to the firewall itself are logged using the standard WebSTAR comment format:

!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD
!!ENABLE_LOGGING 05/19/00 16:34:07
!!DISABLE_LOGGING 05/19/00 16:34:15
!!ENABLE_FILTERING 05/19/00 16:34:24
!!DISABLE_FILTERING 05/19/00 16:34:23

Log lines in extended WebStar format look like this:

!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD

05/19/05 16:52:19 ERR! 192.0.0.2 21 TCP

05/19/05 16:52:39 OK 192.0.0.2 21 TCP

05/19/05 16:52:39 OK 192.0.0.2 2051 UDP

NPF 3 log format

Operations are logged using the following tokens (which are included in the !!LOG_FORMAT line whenever your firewall starts up or a new log file is written):

DATE
- date, time and GMT offset of access
RESULT
- OK for an allowed access
- ERR! for a denied access
HOSTNAME
- IP address of the client attempting access to the given port
SERVER_PORT
- the port to which access is attempted by the accessor
METHOD
- the protocol used by the access attempt (TCP, UDP or ICMP)
DIRECTION
- Whether the access was coming to the firewall machine, or going out. Incoming access attempts represent the greatest risk for Macintosh users; outgoing attempts are typically due to user actions such as Web surfing, or certain system operations, but may also happen sometimes with Trojan Horses or other malicious software.
TYPE - not used by Who's There?

Actions related to the firewall itself are logged using the standard WebSTAR comment format:

!!LOG_FORMAT DATE RESULT HOSTNAME SERVER_PORT METHOD DIRECTION TYPE
!!04/30/2003 11:16:22 -0700 ENABLE_FILTERING
!!05/06/2003 12:08:26 -0700 DISABLE_FILTERING

Log lines in extended NPF 3 format look like this:

!!LOG_FORMAT DATE RESULT HOSTNAME SERVER_PORT METHOD DIRECTION TYPE

05/06/2005 12:06:55 -0700 OK 192.0.0.2 49161 UDP IN User

05/06/2005 12:04:45 -0700 ERR! 192.0.0.2 548 TCP IN User

05/06/2005 11:52:15 -0700 OK 192.0.0.2 8 ICMP IN Stealth Mode

Note that the TYPE token is ignored by Who's There?

Back to Table of Contents
Back to Troubleshooting

Jan	30	17:28:45	localhost	mach_kernel:	ipfw:	303	Deny	ICMP:8.0	192.168.0.1	192.168.0.2	in via en0
Jan	30	17:28:48	localhost	mach_kernel:	ipfw:	10001	Deny	UDP	192.168.0.2:49161	239.255.255.253:548	in via en0

!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD
05/19/05	16:52:19	ERR!	192.0.0.2	21	TCP
05/19/05	16:52:39	OK	192.0.0.2	21	TCP
05/19/05	16:52:39	OK	192.0.0.2	2051	UDP

!!LOG_FORMAT DATE RESULT HOSTNAME SERVER_PORT METHOD DIRECTION TYPE
05/06/2005 12:06:55 -0700	OK	192.0.0.2	49161	UDP	IN	User
05/06/2005 12:04:45 -0700	ERR!	192.0.0.2	548	TCP	IN	User
05/06/2005 11:52:15 -0700	OK	192.0.0.2	8	ICMP	IN	Stealth Mode