Posted By: plantsower ENCRYPTION??? - 02/04/13 08:07 PM
I have some sensitive info on my Macbook Pro's desktop in stickies. Would encryption via file vault protect it? Or by encrypting the hard drive via control click and choose the encrypt feature?

Also, if I keep my password in the keychain, couldn't someone get that anyway by going to the keychain?

My concern is about hackers, not real time people.

Thanks.

Rita
Posted By: tacit Re: ENCRYPTION??? - 02/04/13 09:01 PM
Hackers as in someone getting access to your Mac over the Internet?
Posted By: plantsower Re: ENCRYPTION??? - 02/04/13 09:41 PM
Yes.

Originally Posted By: tacit
Hackers as in someone getting access to your Mac over the Internet?
Posted By: tacit Re: ENCRYPTION??? - 02/05/13 02:04 AM
You can encrypt your hard drive, but it's unlikely to be anything more than a placebo. It's unlikely anyone will "hack into" your Mac, but if they do, they'll do it by tricking you into downloading malicious software that lets them in. And if you do that, encrypting your hard drive won't help, because they can only get in when your Mac is up and running...and the hard drive is not encrypted because you've entered the password! (Encrypting the hard drive is designed to protect from someone stealing your computer.)

If you want to protect yourself from people hacking into your computer, don't download malware, and connect your computer to the Internet through a firewall (like a router, for instance).
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 02:26 AM
Thanks, Tacit. I have a router so I guess I'm set. I order a lot of stuff off of the internet and I have had identity theft three times. I thought maybe they got into my computer, but they probably were working for one of the companies I buy from, I guess. Not sure.

Thanks again.

Rita
Posted By: artie505 Re: ENCRYPTION??? - 02/05/13 06:30 AM
Hi, Rita,

Just to be certain, navigate to /Apps/SysPrefs > Security > Firewall (That's the path in 10.6.8, anyhow.) and make sure your firewall is turned on.
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 02:35 PM
Originally Posted By: artie505
...make sure your firewall is turned on.

It's generally not a good idea to run a router's firewall together with the one built into Mac OS X. The two firewalls tend to interfere with each other and that may cause problems. While it's easy enough to switch Mac OS X's software firewall on or off via the Security prefpanel (System Prefs), that's a bit more convoluted with the hardware firewall found in routers. Personally, I prefer a router's hardware firewall over the software version offered by Mac OS X.

That said, a utility like WaterRoof (freeware) provides a user frontend for Mac OS X's firewall, allowing easier access to a variety of settings. It's important in this context to realize that firewalls focus primarily on monitoring and controlling incoming connections. To monitor and control outgoing connections, Little Snitch (commercial) is recommended.
Posted By: artie505 Re: ENCRYPTION??? - 02/05/13 03:10 PM
Useful, helpful post... Thanks! smile

I was unaware that there may be a conflict between the two firewalls.

I've run Little Snitch for years, and I'll now check out WaterRoof (Thanks for the link.) to supplement OS X's firewall. (Any particular reason you prefer a router's firewall over OS X's, which I've been led to believe is pretty robust?)

Back to business, though, will Rita's router's reinforced, robuster ( shocked ) firewall be automatically turned on, or does she need to check her settings to ensure that she's not being mistakenly complacent?

Edit: I just d/l'ed WaterRoof (via MacUpdate), and I must say that the screenshot posted by its dev is among the most daunting I've ever seen.

Also, WR is donationware. (PayPal & Bitcoins)
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 06:00 PM
Artie, thanks! My firewall was off! All the stuff Alternaut said just confused me (thanks for responding, though Alternaut). I have my router and I turned on my OS firewall. If I have any problems, I will revisit this post.

Thanks again.

Rita

Originally Posted By: artie505
Hi, Rita,

Just to be certain, navigate to /Apps/SysPrefs > Security > Firewall (That's the path in 10.6.8, anyhow.) and make sure your firewall is turned on.
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 06:42 PM
Originally Posted By: artie505
- Any particular reason you prefer a router's firewall over OS X's ... ?

- ...will Rita's router's reinforced, robuster ( shocked ) firewall be automatically turned on... ?

- Hardware firewalls are OS-independent, not vulnerable to malicious attacks, and faster due to their dedicated hardware, while software firewalls aren't. On the down side, hardware firewalls are more expensive and subject to 'single point of failure' disruption of your internet connection. For details, see Firewalls – Overview and Best Practices.

- Most (if not all) routers come with their (hardware) firewalls ON by default. Software firewalls, like those provided by the OS, tend to be OFF by default (this may be related to the ubiquitousness of routers and their hardware firewalls). I consider this difference a minor point.
Posted By: artie505 Re: ENCRYPTION??? - 02/05/13 07:13 PM
alternaut's posts suggest that your router's firewall is turned on, and that your having turned on your OS X firewall in addition may cause you problems.

I suggest that you go into your router's settings and check to see if its firewall is on, and if it is, turn one of the two off...your call, based on your take on alternaut's posts.

> If I have any problems, I will revisit this post.

If you have any problems, it will be too late to revisit this thread.
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 08:09 PM
LOL! That made me laugh! Not because it's not true. smile

How do I check my router's settings?

Rita

> If I have any problems, I will revisit this post.

If you have any problems, it will be too late to revisit this thread.
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 08:10 PM
I have no preference. I know nothing about firewalls. And I probably won't read up on them because it will make my eyes cross. Just needed a simple answer. Thanks. smile

Rita

Originally Posted By: alternaut
Originally Posted By: artie505
- Any particular reason you prefer a router's firewall over OS X's ... ?
Posted By: Virtual1 Re: ENCRYPTION??? - 02/05/13 08:18 PM
Originally Posted By: alternaut
It's generally not a good idea to run a router's firewall together with the one built into Mac OS X. The two firewalls tend to interfere with each other

[citation needed]

(I've never heard of that)
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 08:21 PM
In your opinion, which is the best way to go?

Rita


Originally Posted By: Virtual1
Originally Posted By: alternaut
It's generally not a good idea to run a router's firewall together with the one built into Mac OS X. The two firewalls tend to interfere with each other

[citation needed]

(I've never heard of that)
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 10:32 PM
Originally Posted By: Virtual1
- [citation needed]

FWIW, the first link I provided in post # 24928 above gives you Bob LeVitus's opinion on the matter, albeit without explanation. I'll post more if I find something relevant.

Apart from opinions, the main reason not to run two firewalls in sequence is that both firewalls can have different and conflicting rule sets enabled. In the best case (both with default settings), likely nothing untoward will happen, other than that the software firewall is entirely superfluous, wasting CPU cycles and slowing data passage in the process.
When the issue is blocking certain access, two firewalls may duplicate each other, with the 2nd one effectively idled by the first, or the second one filters what the first one wasn't set to do.
When allowing special access, port forwarding etc., both firewalls need to be exactly in tune, or the access is disabled. When such an access issue is encountered, it pays to see if both firewalls are enabled, and to check if turning one off changes the dynamic.

The main reason to use both kinds of firewall in tandem is that you could then set different rules between computers within a network that uses a common router/hardware firewall to protect the entire network's access to the Internet. But this is not standard procedure for a small, private network, while the hardware firewalls that are used for this purpose often have more options and capabilities than a router for home use.
A reason a home user might have both firewalls enabled is when, for example, the router is harder (or impossible) to configure for a specific purpose than the OS firewall, allowing a special config to be handled by the OS (assuming it can do that). In the latter case, a good front end to the OS firewall would help, as software firewalls tend to be hard to configure.
In the end, however, even hardware firewalls rely on software, but their advantage comes from the dedicated hardware it runs on, and the fact that it's OS independent. Of course, if any of the software involved is flaky, all bets are off.
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 10:50 PM
Originally Posted By: artie505
I just d/l'ed WaterRoof (via MacUpdate), and I must say that the screenshot posted by its dev is among the most daunting I've ever seen.

Also, WR is donationware. (PayPal & Bitcoins)

The IPFW type firewall used by Mac OS X thru Snow Leopard has been deprecated for the IP type used in Lion and Mountain Lion. Despite this, both types can still be used in Lion and Mountain Lion. The WaterRoof front end is intended for the older IPFW firewall. A simpler version is provided by NoobProof. A front end for the newer IP firewall is provided by IceFloor. As you noted, the utilities listed here are donationware.
Posted By: artie505 Re: ENCRYPTION??? - 02/05/13 10:52 PM
> FWIW, the first link I provided in post # 24928 above gives you Bob LeVitus's opinion on the matter, albeit without explanation.

Does the fact that your linked doc was written 5-7 years ago affect its current relevance?
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 10:53 PM
Originally Posted By: plantsower
How do I check my router's settings?

That depends on the make/model router you've got. If you'll let us know we can provide some more info.
Posted By: alternaut Re: ENCRYPTION??? - 02/05/13 10:56 PM
Originally Posted By: artie505
Does the fact that your linked doc was written 5-7 years ago affect its current relevance?

A doc about Mountain Lion written 5-7 years ago? LeVitus must have been clairvoyant... smirk
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 11:31 PM
It's a Belkin. But if it means I have to deal with that unit or hook my computer up to it, forget it. It's in a high-up, awkward place and I don't want to deal with it.

Rita

Originally Posted By: alternaut
Originally Posted By: plantsower
How do I check my router's settings?

That depends on the make/model router you've got. If you'll let us know we can provide some more info.
Posted By: plantsower Re: ENCRYPTION??? - 02/05/13 11:32 PM

confused blush I don't think we speak the same language. smile Rita



Originally Posted By: alternaut
Originally Posted By: Virtual1
- [citation needed]

FWIW, the first link I provided in post # 24928 above gives you Bob LeVitus's opinion on the matter, albeit without explanation. I'll post more if I find something relevant.

Apart from opinions, the main reason not to run two firewalls in sequence is that both firewalls can have different and conflicting rule sets enabled. In the best case (both with default settings), likely nothing untoward will happen, other than that the software firewall is entirely superfluous, wasting CPU cycles and slowing data passage in the process.
When the issue is blocking certain access, two firewalls may duplicate each other, with the 2nd one effectively idled by the first, or the second one filters what the first one wasn't set to do.
When allowing special access, port forwarding etc., both firewalls need to be exactly in tune, or the access is disabled. When such an access issue is encountered, it pays to see if both firewalls are enabled, and to check if turning one off changes the dynamic.

The main reason to use both kinds of firewall in tandem is that you could then set different rules between computers within a network that uses a common router/hardware firewall to protect the entire network's access to the Internet. But this is not standard procedure for a small, private network, while the hardware firewalls that are used for this purpose often have more options and capabilities than a router for home use.
A reason a home user might have both firewalls enabled is when, for example, the router is harder (or impossible) to configure for a specific purpose than the OS firewall, allowing a special config to be handled by the OS (assuming it can do that). In the latter case, a good front end to the OS firewall would help, as software firewalls tend to be hard to configure.
In the end, however, even hardware firewalls rely on software, but their advantage comes from the dedicated hardware it runs on, and the fact that it's OS independent. Of course, if any of the software involved is flaky, all bets are off.
confused
Posted By: artie505 Re: ENCRYPTION??? - 02/06/13 12:42 AM
My mistake... I blew past the #24928 ref and looked at the doc linked in #24934, which is years old:

Quote:
© Copyright Decipher Information Systems, 2005. All rights reserved.
The information in this publication is furnished for information use only, does not constitute a commitment from Decipher Information Systems of any features or functions discussed and is subject to change without notice. Decipher Information Systems assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.
Last revised: June 2006

blush
Posted By: alternaut Re: ENCRYPTION??? - 02/06/13 12:45 AM
Originally Posted By: plantsower
It's a Belkin. But if it means I have to deal with that unit or hook my computer up to it, forget it. It's in a high-up, awkward place and I don't want to deal with it.

Your Mac is already connected with your router, or it wouldn't do you any good, would it? However, many routers need to be connected with an ethernet cable to be configured, even when you intend to use it as a wireless router, so that may be an issue.

Routers are usually configured via built-in setup pages, which you can access with a web browser on your Mac. You do that by entering the setup page address in your browser's address bar, the same way you would surf to a web site by typing in its web address. Belkin routers use http://192.168.2.1 as address. That will bring you to the login screen. By default, there is no password, so you can just hit Return to proceed, but you can set one (recommended). You may find more detailed instructions for the various configuration options (and where to find them) via this Belkin Support page.
Posted By: plantsower Re: ENCRYPTION??? - 02/06/13 02:26 AM
Yes, it's connected to the router wirelessly but I meant physically I don't want to bother. I will click on that link you gave me. Thanks a lot.

Rita


Originally Posted By: alternaut
Originally Posted By: plantsower
It's a Belkin. But if it means I have to deal with that unit or hook my computer up to it, forget it. It's in a high-up, awkward place and I don't want to deal with it.

Your Mac is already connected with your router, or it wouldn't do you any good, would it? However, many routers need to be connected with an ethernet cable to be configured, even when you intend to use it as a wireless router, so that may be an issue.

Routers are usually configured via built-in setup pages, which you can access with a web browser on your Mac. You do that by entering the setup page address in your browser's address bar, the same way you would surf to a web site by typing in its web address. Belkin routers use http://192.168.2.1 as address. That will bring you to the login screen. By default, there is no password, so you can just hit Return to proceed, but you can set one (recommended). You may find more detailed instructions for the various configuration options (and where to find them) via this Belkin Support page.
Posted By: plantsower Re: ENCRYPTION??? - 02/06/13 02:29 AM
BTW, the router link didn't work. The Belkin page did, but not the funny address you gave me before that.

Rita
Posted By: alternaut Re: ENCRYPTION??? - 02/06/13 03:36 AM
Originally Posted By: plantsower
BTW, the router link didn't work.

That's probably because you need an ethernet connection between Mac and router to access the setup pages.
Btw, did you manage to get the setup info for your router via that Belkin support page?
Posted By: plantsower Re: ENCRYPTION??? - 02/06/13 04:29 AM
Oh, okay.


Originally Posted By: alternaut
Originally Posted By: plantsower
BTW, the router link didn't work.

That's probably because you need an ethernet connection between Mac and router to access the setup pages.
Btw, did you manage to get the setup info for your router via that Belkin support page?
Posted By: artie505 Re: ENCRYPTION??? - 02/06/13 09:13 AM
I've d/l'ed and given both WaterRoof and NoobProof look-sees...and trashed both.

Not to say that I ran into any issues with either, just that both presented me with too many options that I don't know how to address...don't even know that I particularly need to implement.

OS X's basic firewall has served me just fine for years, and I'll stick with it, "out of the box," until I run into a situation that demands more (I dunno what) than I've already got.

Thanks for both links, though.
Posted By: alternaut Re: ENCRYPTION??? - 02/06/13 03:36 PM
If you're happy and satisfied with your current setup, by all means, leave it as it is. The utilities I linked to give you (extra) options in case you need them, that's all. laugh

That also applies to having both a hardware (router) and software (OS-based) firewall in place: if you're happy, fine. If not, it gives you options that might help alleviate any issues. And now that my wife is preparing for a trip overseas, a final comment on this topic that I left out of an earlier post above: since she won't be behind the family router when gone, she'll have to activate the OS firewall. Given that this might easily be forgotten, hers is a circumstance that resembles that of many travelers, and one that warrants having the OS firewall switched ON by default, even at home behind the router. As long as that doesn't noticeably interfere with her regular computing activities (default settings), there's no problem with that. Should she need custom configurations at a later date, it's important to take the presence of a double firewall into account to avoid problems. We'll see to that if and when it happens. cool
Posted By: plantsower Re: ENCRYPTION??? - 02/06/13 05:07 PM
Well, I guess I have to assume my router firewall did interfere with my OS firewall yesterday after I turned it on. My webpages started looking wonky. Little patches of text would show up here and there. Another time, a page loaded up but was completely grayed out. So, I turned off the software in my MBP. I'll ask the guy who set up our router, etc. if the firewall is, indeed, turned on.

Thanks again.

Rita



Originally Posted By: alternaut
If you're happy and satisfied with your current setup, by all means, leave it as it is. The utilities I linked to give you (extra) options in case you need them, that's all. laugh

That also applies to having both a hardware (router) and software (OS-based) firewall in place: if you're happy, fine. If not, it gives you options that might help alleviate any issues. And now that my wife is preparing for a trip overseas, a final comment on this topic that I left out of an earlier post above: since she won't be behind the family router when gone, she'll have to activate the OS firewall. Given that this might easily be forgotten, hers is a circumstance that resembles that of many travelers, and one that warrants having the OS firewall switched ON by default, even at home behind the router. As long as that doesn't noticeably interfere with her regular computing activities (default settings), there's no problem with that. Should she need custom configurations at a later date, it's important to take the presence of a double firewall into account to avoid problems. We'll see to that if and when it happens. cool
Posted By: tacit Re: ENCRYPTION??? - 02/12/13 06:09 AM
Just to shed some light (or maybe further cloud) the ideas here:

A firewall prevents a program running on your computer from receiving connections from the outside world. In essence, if a program on your computer starts listening for someone to connect from the outside, the firewall will prevent any connection from being made from someone else's computer somewhere on the Internet.

Routers use something called "NAT". It stands for "Network Address Translation." It means that your computer is given an IP address that is not accessible from the Internet (for example, 192.168.1.100), which is different from the IP address that your Internet service provider gives you. This is done so that your ISP can give you just one IP address (for example, 71.56.138.45), and many computers in your home can share that single IP address. Each computer in your home gets a different IP address (192.168.1.100, 192.168.1.101, 192.168.1.102, and so on), and the router "routes" all of them to share the IP address your ISP gave you.

A side effect of this is that outsiders can't see your computers. An outsider can try to connect to the IP address that your ISP gave you--say, 71.56.138.45--but can't "see" past the router, because your computers are using private IP addresses.

A "software firewall" is a computer program that runs on your computer and blocks other programs from accessing the Internet without permission.

There are a couple of gotchas with hardware and software firewalls.

Hardware firewalls and software firewalls can conflict with each other if you WANT to allow people to access your computer. For example, say you are running a Web server on your computer. If you're running a hardware and a software firewall, you would have to configure BOTH of them to allow other people to access your Web server. If you didn't, you could spend hours tearing your hair out trying to figure out why it isn't working.

Many modern routers for home use have a feature called "universal plug and play," or "UPnP". This is designed to make it easier to deliberately let other people use your computer. If a program starts running on your computer that "listens" for an outside connection, the router says "Hey, this computer is listening for a connection! It must be a server. I will automatically open a hole in my firewall to allow connections through." This is a good thing if you are running a server (like a Web server) on your computer or if you're hosting a game server or something like that. It's a really bad thing if your computer is infected with malware. Flawed UPnP implementations on home networked devices like media servers, networked hard drives (NAS devices), and the like can also open these devices to attack from the outside, at least in theory. If your router supports UPnP and you're not running a server on your computer, it's probably a good idea to turn it off.
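As an added illustration (not part of tacit's post or of any router's or OS X's actual code), this small Python model follows an unsolicited inbound connection through the layers discussed in this thread: the router's NAT, an optional UPnP mapping, and the computer's own software firewall. The class names, function names and port numbers are made up for the example; 192.168.1.100 is the private address used in the post above.

```python
# Simplified model for illustration only; all names and ports are constructed.
from dataclasses import dataclass, field


@dataclass
class Router:
    """Home NAT router: unsolicited inbound traffic needs a port mapping."""
    upnp_enabled: bool = False
    forwards: dict = field(default_factory=dict)  # public port -> LAN IP

    def add_manual_forward(self, port, lan_ip):
        self.forwards[port] = lan_ip

    def upnp_request(self, port, lan_ip):
        """A LAN program asks for a mapping; granted only if UPnP is on."""
        if self.upnp_enabled:
            self.forwards[port] = lan_ip
        return self.upnp_enabled


@dataclass
class Host:
    """A computer behind the router, with an optional software firewall."""
    lan_ip: str
    firewall_on: bool = False
    allowed_ports: set = field(default_factory=set)
    listening: set = field(default_factory=set)

    def start_listener(self, port, router=None):
        """Start a listening program; it tries UPnP if it can see a router."""
        self.listening.add(port)
        if router is not None:
            router.upnp_request(port, self.lan_ip)


def diagnose_inbound(port, router, host):
    """Name the first layer that stops a connection coming from the Internet."""
    if router.forwards.get(port) != host.lan_ip:
        return "dropped at router (no port mapping)"
    if host.firewall_on and port not in host.allowed_ports:
        return "dropped at host firewall (port not allowed)"
    if port not in host.listening:
        return "refused by host (nothing listening)"
    return "reachable from the Internet"


def scenarios():
    """Run the cases described in the thread and return each outcome."""
    out = {}
    # 1. Plain NAT, UPnP off: a listener exists but outsiders cannot reach it.
    r, h = Router(), Host("192.168.1.100")
    h.start_listener(8080, r)
    out["nat_only"] = diagnose_inbound(8080, r, h)
    # 2. Deliberate web server, router forwarded, OS firewall left untouched:
    #    the "tearing your hair out" case, because only one layer was opened.
    r, h = Router(), Host("192.168.1.100", firewall_on=True)
    r.add_manual_forward(80, h.lan_ip)
    h.start_listener(80)
    out["forward_only"] = diagnose_inbound(80, r, h)
    # 3. Same server once both firewalls agree.
    h.allowed_ports.add(80)
    out["both_open"] = diagnose_inbound(80, r, h)
    # 4. UPnP on, OS firewall off: an unwanted program exposes itself.
    r, h = Router(upnp_enabled=True), Host("192.168.1.100")
    h.start_listener(50000, r)
    out["upnp_no_host_fw"] = diagnose_inbound(50000, r, h)
    # 5. UPnP on, OS firewall on: the second layer still stops it.
    r = Router(upnp_enabled=True)
    h = Host("192.168.1.100", firewall_on=True)
    h.start_listener(50000, r)
    out["upnp_with_host_fw"] = diagnose_inbound(50000, r, h)
    return out


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} -> {outcome}")
```

Cases 2 and 3 are the "both firewalls need to be in tune" situation; cases 4 and 5 show why turning UPnP off, or keeping the OS firewall on, matters when nothing on the computer is meant to be a server.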
Posted By: Virtual1 Re: ENCRYPTION??? - 02/13/13 04:52 PM
Along this line, is there a standard name for a tool that works in the opposite direction, blocking or identifying traffic leaving the computer? Like Little Snitch does?
Posted By: tacit Re: ENCRYPTION??? - 02/13/13 07:32 PM
A firewall can filter inbound traffic, outbound traffic, or both; I'm not aware of a naming distinction between inbound and outbound firewalls.
© FineTunedMac