
IP Firewall UNIX
I found this great article on how to create your own firewall, with no software to install.

It is at: http://wopr.norad.org/articles/firewall.

[Sudo Editor's Note: A firewall can be a very important thing, especially if you have a full-time internet connection via DSL or cable modem. Although we have covered Firewalls on MacOSXHints.com before, I felt it worthwhile posting this article which explains what a firewall is, and how to use OS X's built-in tools to help protect your system. I think it is well worth reading this older article also, before you try to modify your current settings. After all, the security of your machine could be at risk.]

IP Firewall | 8 comments
Brickhouse makes it all easier
Authored by: roxeteer on Mar 06, '02 02:56:27AM
I think the award-winning Brickhouse (freeware, BTW) is a lot easier than using the terminal. In general, it's just a GUI for the built-in firewall. Takes a while to get used to it, though. For more info, go to VersionTracker, http://www.versiontracker.com/moreinfo.fcgi?id=9103&db=mac or directly to the app's homepage, http://personalpages.tds.net/~brian_hill/brickhouse.html - roxeteer

Brickhouse makes it all easier
Authored by: chellman on Mar 06, '02 03:22:03AM

Just to clarify: Brickhouse is shareware ($25 US), not freeware. If you mess with your firewall a lot, that's money well spent I'm sure.

The only freeware firewall building utility I know of is sunShield, a preference pane. It's not as comprehensive or polished as Brickhouse, but it seems good for what I need it for right now.

http://www.versiontracker.com/moreinfo.fcgi?id=13637&db=mac

Brickhouse makes it all easier
Authored by: bluehz on Mar 06, '02 09:54:47AM

I recently tried Brickhouse and Firewalk X - both GUI utilities for the Firewall. I used Firewalk X with no problems for several weeks then decided to uninstall and try Brickhouse for a while to see which I liked better. Now I am unable to boot with the firewall activated. Whenever I reboot - the boot always hangs at "Starting up firewall". The only way I can startup is by booting into single-user mode and deleting the /Library/StartupItems/Firewall/. Very annoying. I am not necessarily saying that Brickhouse caused this - but it did appear after installing Brickhouse. If anyone has any suggestions on how to fix this it would be greatly appreciated. BTW - static ip so the whole dynIp and firewalls issue does not apply.

Brickhouse makes it all easier
Authored by: cansas on Mar 06, '02 12:51:47PM

Firewalk X actually uses its own firewall scheme separate from OSX's built-in ipfw. You may make sure that the uninstall of Firewalk removed all traces of Firewalk. You may need to kill the startup items for Firewalk or reinstall and disable Firewalk to use Brickhouse.

Brickhouse makes it all easier
Authored by: bluehz on Mar 06, '02 07:13:59PM

I have disabled and uninstalled both, then reinstalled Brickhouse and still get the problem. I am wondering if some permission has been changed somewhere that is affecting the firewall startup.

ipfw doesn't do ip ranges?
Authored by: baba on Mar 08, '02 10:22:45AM

This seems to be what I'm gathering via various bulletin boards. For example, if I want to allow something for all ip addresses beginning with 172.211
There doesn't seem to be any regexp or wildcard ability, as in 172.211*

Is it so that one has to list *every single* ip in the above case? As in
allow tcp from 172.211.1.1 to any via 22 in via en0
allow tcp from 172.211.1.2 to any via 22 in via en0
allow tcp from 172.211.1.3 to any via 22 in via en0
ad infinitum??

ipfw doesn't do ip ranges?
Authored by: Graff on Mar 09, '02 12:07:00PM

I believe you need to do a netmask for that. If you want to use all addresses starting with 172.211 then you need to put the ip address in this form:
172.211.0.0/16
That will give you all ip numbers in the range 172.211.0.1 to 172.211.255.254. So your example would look like this:
allow tcp from 172.211.0.0/16 to any via 22 in via en0
I'm a bit new at this so I may have gotten it a little mixed up, but I'm fairly certain this works just fine. There's a decent guide on all of this at this site.

ipfw doesn't do ip ranges?
Authored by: Graff on Mar 09, '02 12:20:33PM

Heh, actually now I'm not sure if that will work. Use this instead, this should work just fine:

172.211.0.0:255.255.0.0

That will give you all ip numbers in the range 172.211.0.1 to 172.211.255.254. So your example would look like this:

allow tcp from 172.211.0.0:255.255.0.0 to any via 22 in via en0

I'm still fuzzy on the differences between 172.211.0.0:255.255.0.0 and 172.211.0.0/16, but the examples I've seen in setting up firewalls seem to use the x.x.x.x:x.x.x.x format. I would stick with that unless someone else steps in and clarifies it better.

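As an added example (my own code, not from the thread and not part of ipfw), the following Python models how ipfw matches the two address forms Graff compares: 172.211.0.0/16 and 172.211.0.0:255.255.0.0 select the same 65,536 addresses (172.211.0.0 through 172.211.255.255), and the colon form additionally accepts a non-contiguous mask, as ipfw(8) documents. The rule builder also places the destination port after the address (`to any 22`), since `via` in ipfw names an interface rather than a port.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_ipfw_addr(spec):
    """Parse the ipfw source/destination forms seen in the thread:
    'a.b.c.d', 'a.b.c.d/bits' (prefix length) or 'a.b.c.d:m.m.m.m'
    (explicit dotted-quad mask, which may be non-contiguous).
    Returns (network, mask) as 32-bit integers."""
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError("prefix length must be 0..32: %s" % spec)
        mask = (ALL_ONES << (32 - bits)) & ALL_ONES
    elif ":" in spec:
        addr, mask_str = spec.split(":", 1)
        mask = int(ipaddress.IPv4Address(mask_str))
    else:
        addr, mask = spec, ALL_ONES   # single host, full mask
    # The base address is masked, so 172.211.5.9/16 and 172.211.0.0/16
    # describe the same network.
    return int(ipaddress.IPv4Address(addr)) & mask, mask


def matches(spec, ip):
    """True if the packet address `ip` matches the rule address `spec`."""
    net, mask = parse_ipfw_addr(spec)
    return int(ipaddress.IPv4Address(ip)) & mask == net


def address_range(spec):
    """First and last address covered by a contiguous-mask spec."""
    net, mask = parse_ipfw_addr(spec)
    last = net | (~mask & ALL_ONES)
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(last))


def ssh_rule(spec, iface="en0"):
    """One rule replacing the per-host list from the question. The port
    follows the destination address; 'via' always names an interface."""
    return "allow tcp from %s to any 22 in via %s" % (spec, iface)


if __name__ == "__main__":
    for spec in ("172.211.0.0/16", "172.211.0.0:255.255.0.0"):
        print(spec, "covers", address_range(spec))
        print(" ", ssh_rule(spec))
```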