Mac & Windows Firewalls

Last month we posted a story explaining how to share files between Macs and Windows-based PCs.  Since that time, we’ve received a lot of mail from users who would like to know how to either disable their computer’s firewall, or add a rule to it so they can allow specific types of traffic.  Since different people have different needs when it comes to allowing traffic through the firewall, we’ll take a look at the rules necessary to allow file sharing between Macs and PCs.

The Importance of a Firewall
Before we begin, it’s worth understanding how important a firewall is to a computer’s wellbeing.  If a computer is connected directly to a broadband internet connection (or any “always on” internet connection for that matter), it is inherently exposed to the world.  In most situations it is preferable to have a router between a computer and its internet connection.  In most cases the router is running a NAT (network address translation) service that helps filter out unwanted incoming traffic.  Many people consider the router’s NAT service to be a very effective firewall.  It does a good job of keeping the evildoers on the internet from accessing files without permission.  Unfortunately a NAT firewall doesn’t protect a computer from security concerns on the local network.  That’s where OS level software firewalls come in.

Many Mac users don’t even bother to activate the computer’s built-in firewall.  Since the Mac has a much lower attack surface on the internet, this rarely causes an issue.  That being said, there will come a day when Macs will be under attack in much the same way that we see Windows based PCs.  Thankfully, Apple has already added a software firewall to the Mac OS.  And whether needed today, or even active right now, it is good to know this form of powerful protection is there when we need it.

All current versions of Microsoft Windows also come with an OS based software firewall.  In stark contrast to the Mac firewall, Microsoft added theirs because there was a glaring need.  Windows XP Service Pack 2 was the first release of Windows to install with the firewall enabled by default… a decision from Microsoft that was overdue even at the time.  A Windows-based PC connected directly to the internet without a router or software firewall is currently compromised within minutes.  A sad fact that has been proven time and time again.  I make the point simply because anyone thinking of deactivating their Windows firewall needs to think long and hard about the consequences.  Happily, this is not the case if the Windows system is located behind a NAT router, as many home users are these days.  But users that have plugged their computer directly into their broadband modem without the benefit of a router, be warned.  Deactivating your software firewall will leave the system wide open to infiltration.

All of this boils down to one basic fact, regardless of computer platform.  When there is a choice to be made, it is always better to add a rule to a firewall rather than disabling it entirely.  Adding the necessary rule or rules might be a little more difficult and slightly more time consuming, but it is far and away the safer alternative.

The Mac OS Firewall
As I stated earlier, Apple includes a powerful software firewall in all current versions of Mac OS X.  Accessing it is easy.  Simply select System Preferences from the Apple menu, then click on Sharing.  Next select the Firewall tab.  Starting and stopping the firewall is as simple as a single mouse click here.

Adding a new rule to the firewall is almost as easy.  The Mac comes with a series of predefined rules to make things easier.  In our example, we want to allow both Windows users and other Mac users to connect to a file share on the host Macintosh.  We’ll assume the Mac has both Personal File Sharing and Windows Sharing enabled.  If not, just switch over to the Services tab and activate them now.

In the Firewall tab, simply click the New button.  A menu called Port Name has a series of predefined values to make adding a rule easier.  We’ll start by allowing Windows users access to the file share, so we’ll select SMB from the menu.  Since SMB was a predefined option, the OS automatically fills in the necessary TCP ports for the service.  In this case, it’s port 445 that Windows file sharing uses to access the Mac’s share.  Just click OK and the rule will be added.  Once the rule has been added, make sure the firewall is active and also be sure the checkbox beside SMB is checked.  Your PC should now be able to mount the Mac file share.  For more info on how to do that, check out this link.

Now we’ll allow other Macs to connect to the host system’s file share.  In most cases, when a service is activated in the Mac’s Sharing preferences, a corresponding firewall rule is added at the same time.  In practice, for me, this has been hit or miss.  Some of my computers fail to automatically add the firewall filter when a service like Personal File Sharing is activated.  Similarly, when I need to add the filter manually, sometimes there is an option in the Port Name menu when I click to add a new rule.  If an option labeled Personal File Sharing isn’t already located in the menu, adding it is easy.  Just select Other from the menu and enter this into the TCP Port Number field: 548, 427.  Then just add a description to the rule, something like Mac File Sharing is descriptive enough.  Just click OK and it should now be possible to connect to the file share from another Mac on the local network.

Other rules can be added to the firewall in the same way.  In the case of more obscure protocols, it might be necessary to spend a minute or two on Google and lookup the TCP/UDP ports necessary for a given service.
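
One way to confirm the new rules from a second computer on the local network, rather than switching the firewall off to see whether it was the cause.  This is an added example, not part of the original article: the script tries the three TCP ports mentioned above and reports each as open, closed or filtered.  The SMB/AFP/SLP labels, the function names and the file name are assumptions of the example.

```python
import socket
import sys

# TCP ports named in the article: 445 for Windows clients (SMB),
# 548 (AFP) and 427 (SLP) for other Macs.
FILE_SHARING_PORTS = {445: "SMB", 548: "AFP", 427: "SLP"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: rule allows it, service is up
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset: nothing accepted the connection
    except OSError:
        return "filtered"    # timeout or unreachable: typically dropped by a firewall
    finally:
        sock.close()


def check_rules(host, expected, timeout=2.0):
    """Compare each port's state with the intended policy.

    expected maps port -> True (should be reachable) or False (should not).
    Returns a list of (port, state, ok) tuples sorted by port.
    """
    results = []
    for port in sorted(expected):
        state = probe(host, port, timeout)
        ok = (state == "open") == expected[port]
        results.append((port, state, ok))
    return results


if __name__ == "__main__":
    # Usage: python check_share_ports.py <address of the sharing computer>
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    policy = {port: True for port in FILE_SHARING_PORTS}
    failed = False
    for port, state, ok in check_rules(host, policy):
        label = FILE_SHARING_PORTS[port]
        print(f"{port:>5} {label:<4} {state:<9} {'ok' if ok else 'MISMATCH'}")
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

A port reported as filtered while the firewall is on, and open once it is off, points at a missing or unchecked rule; a port reported as closed in both cases means the sharing service itself is not running.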

Windows XP Firewall
Accessing the Windows firewall is just about as easy.  There are almost a half dozen different ways to get to the Firewall settings.  The most direct way is to select Windows Firewall from the system’s control panel.  Once there, it is easy to turn the firewall on or off in two clicks.

As stated earlier, it’s better to add a rule to the firewall rather than deactivate it entirely.  Windows refers to these rules as exceptions.  Simply click the Exceptions tab to continue.  Here, just like on the Mac, there should be a list of some commonly used services.  In this case, all we need to do is check the box beside File and Printer Sharing to allow other computers access to file shares on the XP box.  Once the box is checked, just click OK and the rule is in place.

Just like on the Mac, it’s possible to add custom rules to the exceptions list.  Windows makes it possible to add an exception based on the program itself, or to apply rules to specific TCP and UDP ports.  It’s an interesting idea, letting the user allow certain .exe files to bypass the firewall.  But with all of the spyware and malware issues common to Windows these days, it also seems dangerous to allow an application access to any port or protocol it wants.

Conclusion
That’s pretty much it.  We have another fairly long winded solution to a relatively simple configuration issue.  Adding a firewall rule is pretty easy on either platform.  Users generally spend most of their time cross-referencing protocols and ports for more obscure services.  Many people get frustrated with the experience and go for the easiest possible solution, disabling the firewall rather than refining it.  In this security conscious age, it’s far safer to spend a little time and configure the system properly.


Steve

8 Responses to Mac & Windows Firewalls
  1. omonzine Reply

    I need to have this on my system

  2. John Reply

    I get this window when I try to access my Vista Home Premium laptop (mac-authentication.png) which you referred to in the Mac and Windows File Sharing: How to Connect article. The problem is I don’t have a user name or password for the laptop and didn’t need them previously. So how do I access the PC from my Mac?

  3. smanke Reply

    John,

    I think you need to go into your User Accounts control panel and give your system a password. I think Windows is smarter than to allow itself to be on a network without some sort of account protection. I may be giving the OS too much credit, but I bet that you’ll be able to login once you’ve assigned a password to your account. Either that, or leave the password blank and just enter your username. I really hope that doesn’t work. :-)

    Let us know!

  4. Cameron Reply

    I don’t understand… when I go to Sharing, this window is not what I see… I don’t see any of the tabs… No firewall tab, services tab, or internet tab. I’m an administrator so what’s going wrong??

  5. smanke Reply

    If you have upgraded to OS X 10.5, it all looks different now. The firewall settings look very different right now and are located in the Security pref pane. Most everything else should be in the Sharing pane.

    I will try and post an update to this explaining how to do it in 10.5. In the mean time, I hope this helps.

  6. Cameron Reply

    Thank you very much. I figured it was since I have 10.5. I’ve looked in the Security area of the Sys Pref area and I’m afraid I don’t know how to add the ports manually like you showed. Thanks a lot – let me know when you have the newer tutorial up. :)

  7. darkejon Reply

    I have disabled my McAfee firewall, and left only the windows firewall active with the exception of ‘file and printer sharing’ checked, but the PC is still not visible – only when I completely disable the firewall does it appear on any other machine (mac or pc)?

    Any idea why this is?

  8. dinadana Reply

    I’m using ProteMac software firewall. It’s called NetMine. For me it’s the best.

    No problems in working with! http://www.protemac.com/netmine/
