Personal Web Sharing on Mac OS X

Forum Moderators: travelin cat

Message Too Old, No Replies

Personal Web Sharing on Mac OS X

I want the server running but don't want anyone else to have access.

physics

10:38 pm on Jan 5, 2007 (gmt 0)

I'm using Apache on Mac OS X for development. I have to turn on Personal Web Sharing to have access to Apache but then the ports 80, 443 and 427 are opened in the firewall. This isn't desired because I only want to do local development. Trying to edit the firewall rule for the Personal Web Sharing just shows a dialog telling me that I can't do that.
Being tricky doesn't help either. I turned off Personal Web Sharing, went to the Terminal and typed:
sudo apachectl restart
For a moment this seemed to work but the Big Mac is listening and auto-checked the Personal Web Sharing box and opened the Firewall ports.
Suggestions? Maybe a 3rd party firewall?

encyclo

6:18 pm on Jan 6, 2007 (gmt 0)

Why not try a simple Deny rule in httpd.conf or .htaccess:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

You'd still be able to see the server from the outside, but it would serve a 403 for every non-local request.

GeorgeK

8:39 pm on Jan 6, 2007 (gmt 0)

One solution might be to purchase an inexpensive cable/DSL router, and put your entire local network behind it. Then, your development PC will only be visible to others physically behind the router (i.e. other computers that you own that share the DSL/cable connection), whereas the internet will only see the router, which will act as a firewall for all your networked PCs.

timster

6:24 pm on Jan 8, 2007 (gmt 0)

Above are two good ideas.

You could also change the ports on which your supplied server actually serves pages, by changing the Port and Listen lines in your httpd.conf file.

One other technique would be to install another copy of Apache onto your machine. This is more work, but would allow you to match your development environment to your production environment more closely.

solly

8:23 pm on Jan 8, 2007 (gmt 0)

Another thought...you could require a password to connect to the "site."

coopster

12:17 am on Jan 9, 2007 (gmt 0)

I actually run a combination of these recommendations.

First, the hardware firewall to separate my LAN from the WAN. A must, period. Do yourself a favor and get one that has a VPN feature in case you ever need to setup a tunnel.

Second, I run a

Deny,Allow

as recommended.


  Order Deny,Allow 
  Deny from all 
  # My machine: 
  Allow from localhost 
  Allow from 127.0.0.1 
  # My local network: 
  Allow from 192.168.1

Lastly, I also run a software firewall. I prefer ZoneAlarm Professional because I have setup some "Expert Rules" as they have so named that feature. In the Expert rules I deny access to my local pc and my network.

The main reason for the last two are for when I am either on site and on a different network (be that a client behind their firewall or at the local coffee shop with free wireless), or if I am tunneled into a client site from within my own LAN.

physics

5:59 pm on Jan 9, 2007 (gmt 0)

Thanks for the recommendations, all good ones. I set up the Deny in httpd.conf and feel a little better now. coopster, it's funny that you wrote:

# My local network:
Allow from 192.168.1

Since I actually just did a similar thing so I could view and test pages running on my Mac from my Windows machine.
I do have a firewall built into my cable modem (it's a cable modem/wireless/firewall) and keep it locked down pretty good ... but honestly am not sure of the quality of it.
I'm still in search of a good 3rd party Mac firewall.

coopster

1:41 am on Jan 10, 2007 (gmt 0)

I use a different private class for my LAN but submitted the 192.168.1 since it is so often employed as the 'standard'.

Yes, sorry about the ZoneAlarm note. I completely forgot I was in the Mac forum and luckily wasn't submitted to public castration. Thank you to all those souls that kindly overlooked my err. What is a comparable product for the Mac? I'm serious because I am finally on the verge of grabbing myself a piece of the Apple. Anybody have recommendations for the personal firewall? Is there a built-in and is it decent? If not, what is the preferred 3rd party product? Hopefully I'm not pushing beyond the Terms of Service in my inquiry here ...

physics

1:58 am on Jan 10, 2007 (gmt 0)

There is a built in firewall but, as you noticed it isn't very customizeable. Also, as far as I know it does not catch outbound attempts like ZoneAlarm does. Note that one of the advantages of having a Mac is that you probably have to worry about this less, but if you're serious about security you should still worry. Many *nix geeks no doubt work around these issues by using a *nix firewall on their Mac OS X box but even I want a nice gui for the firewall on my laptop. One program I've used a few times is little snitch ... it's pretty good really but I was just fishing for other suggestions.
Oh and coopster: come one in, the water's fine ;)

coopster

2:37 am on Jan 10, 2007 (gmt 0)

LOL! Thanks physics.

but even I want a nice gui for the firewall on my laptop.

WHOA! Never thought I'd hear that from you ;)

timster

2:15 pm on Jan 10, 2007 (gmt 0)

I know some folks who use Norton Personal Firewall. The marketing for it seems to be squarely aimed at the consumer crowd, but it does have a slick and pretty little GUI.

luckily wasn't submitted to public castration

Good timing on your part, with all the cool gadgets and other good news coming from Apple, this forum isn't in that kind of mood.

physics

11:26 pm on Jan 11, 2007 (gmt 0)

I just found a (shareware but unlimited free use) program called Flying Buttress which acts as a GUI controller/front end/log viewer for the native Mac OS X firewall. Only used for a bit but recommend it based on what I'm seeing.

Here's the page for it:
[personalpages.tds.net...]

And a write up on Mac firewalls:
[macwrite.com...]

Might seem like overkill to some but I guess you'd call me a 'belt and suspenders' type guy ... but if you're reading this you must be too ;)

cmarshall

11:43 pm on Jan 25, 2007 (gmt 0)

I use Little Snitch to catch outbound (Mac version of ZoneAlarm).

Works EXTREMELY well.

I never want my computer to be accessible outside of localhost, so encyclo's localhost thingy is all I need.

John_Keates

12:13 am on Jan 29, 2007 (gmt 0)

Why would you want a firewall on your mac?

1. Mac!= Mass so no mass attacks for you.
2. Firewall = Configure everything all the time when using internet apps (bad)
3. My PowerMac is behind a router, however I put it in the DMZ (all routing direct to it) and shut the firewall off. No problems, never. 13 Open ports since 2001... Nothing...

In other words: don't worry about the 3 open ports.

(However, when you do worry, and would really like to have them closed...)
Do not rely on a gui. Put some ipfw rules in place and you're done.

To get a list of current rules, put the following in terminal:

sudo ipfw list

My current rule is:
65535 allow ip from any to any
(Or: firewall down)

What you'd want is to make a rule which allows only local traffic for 80, and have another to deny all externally incoming port 80 traffic.
The same for the other ports.

However I don't know much about ipfw rule building, and I just have a server which services are set-up the right way and updated,
that has always worked for me.

[edited by: John_Keates at 12:32 am (utc) on Jan. 29, 2007]

physics

1:31 am on Jan 30, 2007 (gmt 0)

John_Keates, I agree that a Mac machine has less need of a firewall than a Windows machine but I think it's still a good idea to have one (if only to protect against specifically targeted attacks).
Also, in certain settings (government for example) the network admins will run port scans and kick you off if you don't have a firewall blocking certain ports.

John_Keates

1:34 am on Jan 31, 2007 (gmt 0)

Yeah, had that in de back of my mind while typing...

appi2

1:42 am on Jan 31, 2007 (gmt 0)

If you have an old spare pc lying around you could try Smoothwall [smoothwall.org].
Don't have to be a linux God to use it.

tstaheli

8:29 am on Jan 31, 2007 (gmt 0)

Have you thought about using MAMP? Because you can start and stop servers and easily assign port numbers through a GUI. I like it for those features.