Configuring IPFW firewalls on OS X

OS X comes with a unix firewall program called IPFW, and there are a variety of programs you can use to access it from the GUI. As of 10.2 Apple includes a tool in System Preferences to enable the firewall, but it's a very simple implementation that will only enable or disable a port for the entire internet. This isn't the best use of a firewall--the real strength of a firewall is to enable access to a service for a limited range of IP numbers. As of 10.5 the situation is much better, in that the firewall is application-oriented and you can enable or disable connections based on the application used. But I find it useful to be able to manipulate the firewall directly, and this document covers some of the basics.

Also, this doc covers use of IPFW with the client versions of OS X. If you're using OS X Server, the GUI tool provided allows for more customization. But the GUI tool (at least as of 10.3) doesn't build IPFW rules that track state, which makes getting things like AFS and Kerberos to work more difficult. I've put together some notes on how the firewall tools with OS X Server work.

The best tool for managing IPFW out there is Brian Hill's Flying Buttress. In addition to allowing the user to manage the firewall, it will also help you set up connection sharing and Network Address Translation so you can use your Mac as a router. Another good GUI frontend to IPFW is WaterRoof. So if your needs are simple, those may be good ways to go. But if you're able to navigate via the command line and can use a text editor like vi or pico, it's not too difficult to manage your firewall with IPFW directly.

Getting Started

The first thing to figure out is whether you need a special firewall set up at all. The first thing to check is whether you have any services enabled. Check your System Preferences and look at the Sharing setup.

In my case, I have ssh (Remote Login) and httpd (Web Sharing) enabled. So these are two services I've set up to allow remote machines to use to connect. Ssh is pretty secure since it requires a user id and password, and has some security built in. And httpd isn't inherently insecure.

Now, if you're running 10.5, check the Security preference pane, and see that the firewall is enabled. Click on Advanced and you'll likely see something like this:


Under 10.4 and earlier, the location of these settings is a bit different, and the panes are arranged differently, but the basic setup is similar. Notice that both Remote Sharing and Web Sharing are set to allow all incoming connections. This is the key thing to understand about the built-in firewall--it doesn't offer you the chance to refine which machines are allowed to connect over a given protocol and which are not--it only allows you to open a port to the world, or to close a port to the world.

Let's take ssh as an example. I enable ssh so I can log in to my laptop with a terminal connection, and to mount my laptop's filesystem via sshfs (e.g. MacFusion). I don't need to be able to do this from anywhere on the internet, however. I'm usually very close to my laptop, so these connections are made at my house or from somewhere on the UNC Chapel Hill campus. So there's really no reason that I should enable ssh connections from, say, China or Bulgaria or Indiana. If I restrict ssh connections to my home network and the UNC campus, I'm still in good shape, and I've lowered the number of IP addresses that can try to connect via ssh to my laptop from a billion or so to just several thousand. That reduces my exposure considerably. The basic rule is that if you need to enable a service, think about who needs to connect to it, and if you don't need the entire world to have that opportunity, use a more complex firewall rule to restrict it a bit. If you're not running any services, you're not really that exposed in the first place, so you don't need to worry nearly so much.

Another consideration is whether you are using a public IP address or a private IP address. Most home users are connected via a cable modem or DSL connection that has a Network Address Translation (NAT) router. If you're not familiar with these terms, don't worry, it's pretty simple. A NAT router supports multiple computers in your home or office, and it does that by handing out private IP addresses to those machines. These addresses are, according to networking conventions, not routable on the internet. That just means that someone out there on the internet cannot attempt to directly connect to your machines in your house--in effect, the NAT acts as a firewall for you. Pretty much all home connections, and connections in coffee houses and the like, use private addresses. Now this doesn't mean that no one can try to connect to your machine--if someone knows what they are doing and they are in the same coffee house as you, they can try to connect to your laptop from there. But again, the number of folks who can try this is really small compared to the total number of users on the internet. So if you're a laptop user, and you're not running services, and you connect only from your home and a couple of other locations, setting up a complex firewall isn't going to help you much.

Private addresses all fall in the following ranges:

  • 10.0.0.0-10.255.255.255
  • 172.16.0.0-172.31.255.255
  • 192.168.0.0-192.168.255.255

For more information see the Wikipedia article on Private Addresses.

On the other hand, if you're using a public IP address, you're the world's oyster and anyone on the internet can try to talk to your machine. So keeping the shell closed to a narrow range makes sense. Public addresses are in wide use, for example, at universities and colleges in the USA. So if you have a desktop computer in your dorm room, and you don't use an address in the ranges above, and you enable some services like File Sharing, or Screen Sharing, or Remote Login, you definitely should look into using a more selective firewall than what's provided by the operating system out of the box.

The Rules

The first thing to do is to play with looking at the firewall from the command line. Open the System Preferences, and under Sharing, enable the firewall. Then open a terminal session, and type:

In 10.4 and prior, you might get back something like this if you have services running like Remote Login and Web Sharing:

In this case, my configuration is set up to allow personal file and web sharing, remote login, and Windows file sharing. Your list may well vary. Compare the output from the list command to the entries in the firewall configuration of the Sharing preferences.

Now, how this works is that packets, both inbound and outbound, are compared to the list of rules in order, and if a match is found, that action is taken. For example, in the list above, rule 02050 is processed first, and it allows any TCP packets that are outbound, so your machine can try to contact any other machine; outbound packets are allowed out before rule 12190 is processed.

In 10.5, you'll probably get a single rule back, since the firewall is oriented to the applications.

Getting your feet wet

WARNING! We're going to be playing with a fairly deep and arcane portion of the OS, so you may render your machine unusable on the internet for a while. Do not do any of this unless you're sitting in front of the machine and have some spare time. The first part of this is pretty safe since all you have to do to get back to 'normal' is to reboot and check your sharing settings.

If you run the Probe My Ports option from Gibson's Shields Up, you can see what your machine looks like from the internet with your firewall on (assuming, of course, that you aren't behind another firewall or NAT--for example, if you're on the UNC campus, the NetBIOS ports always show as Stealth since access to those is blocked by the main campus router).

The first thing we're going to do is enable Web Sharing in the System Preferences, under Sharing. Just click that checkbox, and save the changes. Then use your browser to connect to http://127.0.0.1/. A web page should load, the default page for the OS X web server. (Just so you'll know if you don't already, 127.0.0.1 means 'ME!' in networking, so all connections of any kind to 127.0.0.1 stay on your local machine.)

Now, use your browser to go to Gibson's Shields Up; the Shields Up link is down about halfway on that page. Click on that link, then click on the Proceed button, and on the next page, click on the Common Ports link. This will scan your machine and see what ports are open. If port 80, HTTP, shows as 'stealth', it's likely you're on a private IP address and protected by a NAT. If that's the case, there's not much else you can do here. But if port 80, HTTP, is marked as open, then you're on a public IP address and anyone on the internet can connect to your web service.

To play with the firewall settings, you'll use the command line in a terminal window. First, we'll clear all of the rules. In the terminal window, run:

And then re-enter:

again to list the rules. Go back and reload the Probe My Ports page, so you can see the effect of disabling the firewall.

Now type:

This should have the effect of blocking access to the web server, which runs on port 80. Even if you're not running a web server, you can see the effect of the command by running Probe My Ports on the Shields Up site again--the port should go from Closed to Stealth.

The Script

OK, so far so good. We'll start with a simple firewall. Open a terminal window and run the following commands:

The first line should download the firewall, the second marks it as executable, and the third activates the firewall. The output from the last line should be this:

This simple firewall opens the following ports:

  • all connections from 192.168.0.0
  • all DHCP connections
  • 80, http, to the entire world
  • 443, https, to the entire world
  • 22, ssh, from 192.168.0.0
  • 548, Apple's file sharing, from 192.168.0.0
  • 427, Apple's file sharing, from 192.168.0.0
  • 3689, iTunes, from 192.168.0.0
  • 5353, Bonjour, aka Rendezvous, aka mDNS, from 192.168.0.0

Now, open Firewall.simple with a text editor (I like TextWrangler). Then open your Network preference pane in System Preferences, and look at the Advanced tab for your active network connection (Ethernet or AirPort, most likely).

In this case, I'm using 192.168.1.100, and my subnet mask is set to 255.255.255.0. That means that my local area network consists of all IP numbers between 192.168.1.0 through 192.168.1.255, or in CIDR notation, 192.168.0.0/24. The subnet mask determines how large my computer thinks my local area network is, and generally speaking, your local area network is considered to be a trusted network space (esp. if it's in your house).

CIDR notation can be complicated, but the basic rules are these--start with your IP number:

  • If the subnet mask is 255.255.0.0, then your local area network is x.x.0.0/16, where x.x are the first two numbers of your IP address.
  • If the subnet mask is 255.255.255.0, then your local area network is x.x.x.0/24, where x.x.x are the first three numbers of your IP address.
  • If you have a different subnet mask, generally you're safe for playing around to use x.x.0.0/16.

Now, with your text editor, find in Firewall.simple the line:

And change that so that the network matches whatever your network range is. Now, save the file and run:

Next, go to Shields Up and run another test. You'll most likely find that port 80 is open, port 443 is closed, and the others are marked as stealth. Closed means that the grc site can contact a port, but there's no service there.
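As an added example (not the Firewall.simple script itself, which is not reproduced on this page), the block below computes the LAN block from an IP address and subnet mask the way the CIDR rules above describe, renders a rule set in the spirit of Firewall.simple as ipfw command lines, and simulates ipfw's first-match-in-rule-number-order evaluation so you can see which rule decides a given packet. The address 192.168.1.100/255.255.255.0, the rule numbers and the port subset are assumptions chosen for the example; nothing here invokes ipfw.

```python
import ipaddress

# Constructed example values (assumptions for this example, not from any real host).
MY_IP, MY_MASK = "192.168.1.100", "255.255.255.0"

def lan_cidr(ip, mask):
    """Turn an interface address plus dotted subnet mask into the CIDR block ipfw wants."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

def simple_rules(lan):
    """A rule set in the spirit of Firewall.simple: (number, action, proto, src, dport, direction).
    This is a reconstruction for illustration, not the page's own script."""
    return [
        (100, "allow", "ip", "any", None, "out"),   # our own outbound traffic
        (200, "allow", "udp", "any", 68, "in"),      # DHCP replies
        (300, "allow", "tcp", "any", 80, "in"),      # http, open to the world
        (400, "allow", "tcp", "any", 443, "in"),     # https, open to the world
        (500, "allow", "tcp", lan, 22, "in"),        # ssh, LAN only
        (510, "allow", "tcp", lan, 548, "in"),       # AFP, LAN only
        (520, "allow", "udp", lan, 5353, "in"),      # mDNS/Bonjour, LAN only
        (65000, "deny", "ip", "any", None, "in"),    # everything else inbound
    ]

def to_ipfw(rule):
    """Render one tuple as the ipfw command line that would install it."""
    num, action, proto, src, dport, direction = rule
    dst = "any" if dport is None else f"any {dport}"
    return f"ipfw add {num:05d} {action} {proto} from {src} to {dst} {direction}"

def matches(rule, pkt):
    _, _, proto, src, dport, direction = rule
    if direction != pkt["dir"] or (proto != "ip" and proto != pkt["proto"]):
        return False
    if src != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    return dport is None or dport == pkt["dport"]

def decide(rules, pkt):
    """ipfw semantics: walk the rules in ascending number order, first match wins.
    Rule 65535 is the kernel's implicit last rule, which OS X builds as allow."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "allow"

if __name__ == "__main__":
    rules = simple_rules(lan_cidr(MY_IP, MY_MASK))
    print("\n".join(to_ipfw(r) for r in rules))
    print(decide(rules, {"dir": "in", "proto": "tcp", "src": "203.0.113.9", "dport": 22}))
```

Try changing MY_MASK to 255.255.0.0 and re-running: the LAN block widens to /16 and ssh from any 192.168.x.x address is accepted by rule 500 instead of falling through to the final deny.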

Some examples

Here are some more complex examples; I recommend you play with the first one. These files are pretty well commented.

  • The current version I use, Firewall
  • The firewall version from 2008
  • firewall_1: My original version is TCP-oriented. It's not bad, but doesn't filter UDP effectively. If you're not running services, this likely won't make much difference.
  • firewall_2: A revised version, with added UDP and state support. One thing to be aware of with this version is that if you reload it, existing connections may be broken (since rerunning the script flushes all of the state data). All that really means is you may need to restart client applications.

Making A Real Change

Once you have a script that defines a firewall you like, you'll want to put that script up in such a way that it runs when you start the computer. First make a directory named Firewall in a StartupItems location:

Then, move one of the sample script files to that subdirectory. These examples are for the 2008 version:

This script is oriented to UNC Chapel Hill, but should be easily adaptable to other settings. But before you run it, you need to mark it as executable:

Now, try running the script manually:

You should see a list of rules process, and then you can check the results with both the ipfw list command and Probe My Ports. Then try to use your machine to see how well things work. You can make modifications to the script and rerun it to institute the changes without restarting your machine, but you may have to restart some of the network applications.

Lights, Camera, Action

Once you're happy with the firewall's configuration, you'll want to set the script up to run each time the machine is started. To do this, you need to add a StartupParameters.plist file in the Firewall subdirectory, with the following lines:

You can either cut and paste these lines, or move the file via the command line thusly:

Also, make sure this file is writable by root only; you don't want anyone changing your firewall startup. When you next boot, the system may tell you that the setup for these files isn't safe--if that happens, let the system change the file permissions for you and reboot.

Once this is done, the firewall script should run on boot. Of course, if you're using a custom script, you shouldn't run the System Preferences Firewall, as that could mess up your settings (although it won't overwrite your script file).

Dynamic Configuration

Note that you can add firewall rules while the machine is running. This opens up some interesting possibilities for dynamic security. For example, there's a patch for ssh called timelox that tracks connection failures by IP number--if a threshold of failures from a single IP is reached, it modifies the firewall to block all traffic from that IP number. For examples of this with IPFW and iptables, see: http://wwwx.cs.unc.edu/~hays/dev/timelox_and_TheHand/
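The failure-counting idea behind timelox, as an added illustration that is not timelox's own code: count failed ssh logins per source address from (constructed) sshd log lines and, once an address crosses a threshold, produce the ipfw deny rule that would block it. The log format, the threshold of 3, the trusted LAN 192.168.1.0/24 and the rule numbers starting at 1000 are assumptions; the block prints the commands rather than running them, so you can review what would be installed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (the format is assumed; adjust the regex to your secure.log).
SAMPLE_LOG = """\
sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
sshd[411]: Failed password for root from 203.0.113.9 port 51023 ssh2
sshd[412]: Accepted publickey for alice from 192.168.1.7 port 50011 ssh2
sshd[413]: Failed password for root from 203.0.113.9 port 51024 ssh2
sshd[414]: Failed password for alice from 192.168.1.7 port 50012 ssh2
"""

FAILED = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def failures_by_ip(log_text):
    """Count failed ssh logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def block_rules(counts, threshold=3, trusted="192.168.1.0/24", first_rule=1000):
    """Return the ipfw commands that would block every address at or above the
    threshold. Addresses inside the trusted LAN are never blocked, so a typo at
    your own keyboard cannot lock you out. Each rule gets its own number so it
    can be removed later with `ipfw delete <number>`."""
    lan = ipaddress.ip_network(trusted)
    cmds = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and ipaddress.ip_address(ip) not in lan:
            cmds.append(f"ipfw add {first_rule + len(cmds)} deny ip from {ip} to any in")
    return cmds

if __name__ == "__main__":
    for cmd in block_rules(failures_by_ip(SAMPLE_LOG)):
        print(cmd)  # a real tool would run this via sudo; here we only print it
```

Because the rules are added live, they take effect immediately and survive only until the next flush; rerunning your startup script (as noted for firewall_2 above) discards them along with the state table.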

Acknowledgements

Most of this isn't stuff I came up with on my own; I'm indebted in particular to the following folks who have provided tools or examples that went into this page:

  • Tommy McNeely -- tommythekid 'at' mac.com

I recommend Brian's BrickHouse for purchase if you're going to do a lot of firewall configuration; it's a great product.