
Using the built-in firewall software (ipfw)
Mac OS X contains built-in firewall software, known as ipfw. You can use it to protect your machine from outside entry, but it is neither trivial nor GUI-friendly. If you want that, go get Brickhouse from Versiontracker.

If you'd prefer to work directly with UNIX, Daniel Cote has published his ipfw configuration file, along with some tips on how to use ipfw in Mac OS X - you can read the article right here.

NOTE: You should really understand exactly what it is you're doing before you go mucking about with the firewall software! For a simpler approach, try Brickhouse or any of the hardware routers.
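As an added example (this is not Daniel Cote's published configuration, which lives behind the link above), here is the shape a small ipfw policy takes for a single host whose external interface is a dial-up ppp0 link; the interface name, the rule numbers and the choice of what to allow are all assumptions to adjust for your own setup. It prints the ruleset by default and only touches the live firewall when run as root with "apply".

```shell
#!/bin/sh
# Added example, not the hint's own ruleset: a minimal ipfw policy for one host
# whose outside interface is ppp0 (assumed; override with EXT_IF=en0 etc.).
EXT_IF="${EXT_IF:-ppp0}"

# Print the ruleset, one "ipfw add" argument list per line.
# Numbers leave gaps so rules can be slotted in later without renumbering.
# The first-generation ipfw is stateless: "established" lets replies to our own
# connections back in, and the UDP source-port-53 rule is the price of stateless
# DNS (a well-known weakness of this style of ruleset).
# "deny log" only produces log lines once net.inet.ip.fw.verbose is 1.
ipfw_rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 deny log ip from 10.0.0.0/8 to any in via $EXT_IF
210 deny log ip from 172.16.0.0/12 to any in via $EXT_IF
220 deny log ip from 192.168.0.0/16 to any in via $EXT_IF
230 deny log ip from 127.0.0.0/8 to any in via $EXT_IF
300 allow tcp from any to any established
310 allow tcp from any to any out via $EXT_IF setup
320 allow udp from any to any out via $EXT_IF
330 allow udp from any 53 to any in via $EXT_IF
400 allow icmp from any to any icmptypes 0,3,8,11
500 deny log tcp from any to any in via $EXT_IF setup
65000 deny log ip from any to any
EOF
}

# Number of rules in the policy; a cheap sanity check before applying.
rule_count() { ipfw_rules | wc -l | tr -d ' '; }

# Exit 0 if the policy drops (and logs) inbound packets from the given source prefix.
blocks_prefix() { ipfw_rules | grep -qF "deny log ip from $1 to any in via $EXT_IF"; }

# Replace the live ruleset with ours. Requires root. Do this at the console:
# the flush briefly leaves no rules, and rule 65000 will cut a remote session.
apply_rules() {
    ipfw -f flush
    ipfw_rules | while read -r rule; do
        # word splitting is intended: $rule is the whole argument list
        ipfw add $rule
    done
}

# Usage: 'sh ipfw-rules.sh' prints the rules; 'sudo sh ipfw-rules.sh apply' loads them.
if [ "${1:-}" = "apply" ]; then apply_rules; else ipfw_rules; fi
```

The RFC1918 and loopback source blocks at the top match the kind of rule the first comment below is adding; keeping them numeric (no hostnames anywhere in the ruleset) is also the habit that keeps ipfw from touching the resolver while rules are loaded.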

Using the built-in firewall software (ipfw) | 3 comments
dns failures on local addresses
Authored by: fmr on May 17, '01 07:56:23PM

I followed the instructions, and then heavily modified my config for my local setup.
It all works beautifully, although my rules need a little more tuning, apart from the following.

When adding the rules for RFC1918 addresses, and probably the draft-manning ones as well, ipfw appears to be asking NetInfo for ip to hostname lookups. Of course these fail. Normal lookups work fine.

The symptoms are that the relevant ipfw command appears to hang, and the following appears in /var/log/system.log:

May 18 00:47:49 yaffle sudo: martin : TTY=ttyp3 ; PWD=/Users/martin ; USER=root ; COMMAND=/sbin/ipfw add deny log ip from 192.168.0.0/16 to any in via ppp0
May 18 00:47:54 yaffle lookupd[3631]: DNSAgent: dns_send_query_server - timeout for 194.72.9.34
May 18 00:48:04 yaffle last message repeated 2 times
May 18 00:48:04 yaffle lookupd[3631]: DNSAgent: dns_fqdn_query_server - query failed for 194.72.9.34

Is there any easy way to avoid this? I have lookupd configured to use the following search order:

CacheAgent, FFAgent, NIAgent, DNSAgent, NILAgent
alternate ipfw logfile
Authored by: LouieNet on Aug 19, '01 07:06:12PM
I don't suppose anyone has any suggestion on getting ipfw to log to a file other than /var/log/system? The only suggestion I've found is for FreeBSD, but doesn't work for Mac OS X / Darwin. It is to put the following lines in /etc/syslog.conf:
!ipfw
*.*                                                     /var/log/ipfw.log
I did a "touch /var/log/ipfw.log", made sure it's writable, then kill -HUP'ed the syslogd process.

Any ideas?

Louie


alternate ipfw logfile
Authored by: robh on Aug 20, '01 07:45:55PM

It doesn't look like it's possible to redirect just the ipfw output into a separate log in 10.0.*.
Looking at the output of 'syslogd -d', the ipfw output is tagged as 'kern level 2', so this new line in /etc/syslog.conf does the trick.

kern.2 /var/log/ipfw.log

You'll need to monitor the log to see if there are any unwanted side-effects.

You're probably better off grep'ing the ipfw info out of /var/log/system.log e.g.

grep ipfw /var/log/system.log

or

tail -f /var/log/system.log | grep ipfw

My ipfw logging shows that most of the attempts to abuse my machine are scans on the nntp port.
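A "grep ipfw /var/log/system.log" gets noisy quickly, and a plain grep also matches the sudo lines that merely mention ipfw. As an added example (not from the hint or any of the comments above), the script below reads system.log-style text and tallies the kernel's "Deny" lines by protocol and destination port, which is the quickest way to confirm an observation like "most of it is nntp scans". The log format it parses ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in/out via <if>") and the sample lines are assumptions, constructed here to make the script runnable offline.

```shell
#!/bin/sh
# Added example: summarize ipfw "Deny" log lines by destination port.
# Assumed line shape (constructed; check against your own system.log):
#   <date> <host> mach_kernel: ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <if>

# Constructed sample standing in for /var/log/system.log (documentation address ranges).
SAMPLE_LOG='Aug 20 19:40:01 yaffle mach_kernel: ipfw: 500 Deny TCP 203.0.113.7:4312 198.51.100.5:119 in via ppp0
Aug 20 19:40:03 yaffle mach_kernel: ipfw: 500 Deny TCP 203.0.113.7:4313 198.51.100.5:119 in via ppp0
Aug 20 19:41:10 yaffle mach_kernel: ipfw: 500 Deny TCP 198.18.0.9:51234 198.51.100.5:22 in via ppp0
Aug 20 19:41:12 yaffle mach_kernel: ipfw: 220 Deny UDP 192.168.1.1:137 198.51.100.5:137 in via ppp0
Aug 20 19:42:00 yaffle sudo: martin : TTY=ttyp3 ; PWD=/Users/martin ; USER=root ; COMMAND=/sbin/ipfw list
Aug 20 19:43:30 yaffle mach_kernel: ipfw: 500 Deny TCP 203.0.113.7:4314 198.51.100.5:119 in via ppp0'

# Read log text on stdin; print "<count> <proto>/<dport>" lines, busiest first.
# Only kernel lines of the form "ipfw: <rule> Deny ..." count, so the sudo line
# (which a bare 'grep ipfw' would also match) is ignored.
deny_by_port() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            proto = $(i + 1)            # field after "Deny"
            dst   = $(i + 3)            # "<dst>:<dport>", two fields after the protocol
            n = split(dst, parts, ":")  # last piece is the destination port
            count[proto "/" parts[n]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn -k1,1
}

# The single busiest "<proto>/<port>" on stdin.
top_port() { deny_by_port | head -n 1 | awk '{ print $2 }'; }

# Live usage:  deny_by_port < /var/log/system.log
# or, to watch it grow:  tail -f /var/log/system.log | grep 'ipfw: ' | deny_by_port
printf '%s\n' "$SAMPLE_LOG" | deny_by_port
```

On the sample above the output starts with "3 TCP/119", i.e. the nntp port. The same awk works on a file produced by the kern.2 syslog.conf line from the previous comment, since that file carries the same kernel lines.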