10.3: Personal ipfw firewall configuration startup items fix

I am used to manually configuring the ipfw firewall since 10.1. As reported in various sites on the net, I created an /etc/ipfw.conf file with all the rules I wanted. I also created an ipfw directory under /Library/StartupItems/, in which I placed two files: ipfw, containing these lines:

 #!/bin/sh
 # Log packets that hit "log" rules, and cap the log lines per rule so a
 # flood cannot fill the system log
 /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
 /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500
 # Load the ruleset; -q keeps ipfw from echoing every rule to the console
 /sbin/ipfw -q /etc/ipfw.conf
and StartupParameters.plist, containing these lines:
  {
    Description = "ipfw firewall";
    OrderPreference = "None";
    Provides = ("Firewall");
    Requires = ("Resolver");
    Messages =
    {
      start = "Starting the firewall";
      stop = "Stopping the firewall";
    };
  }
In Panther, this configuration stopped working. At the login window, the beach ball started to spin indefinitely and I had to reboot in single user mode and disable the ipfw startup item. Finally, I changed Requires = ("Resolver"); to Requires = ("Super Server");, and now it works again. I tried several reboots without any problems -- I can login and the ipfw rules I defined are active.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: pjw on Nov 06, '03 12:36:02PM

What is the "Super Server"? Is it inetd? If so, shouldn't your firewall start *before* inetd starts? I built my own startup item for this and mine requires Network before starting. Anyone have any other thoughts on how this should work?

10.3: Personal ipfw firewall configuration startup items fix
Authored by: fabrizio on Nov 06, '03 03:18:30PM

Super Server is /System/Library/StartupItems/IPServices.
This is what you find in StartupParameters.plist:

Description = "Internet services";
Provides = ("Super Server", "Config Server");
Uses = ("mDNSResponder", "Portmap", "NetworkExtensions");

About ipfw, I also tried to set "Network" in the Requires field. I was able to login, but when I typed "sudo ipfw list" in terminal my rules were not active.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: Jaharmi on Nov 06, '03 02:39:37PM

I didn't have any problems with my IPFW setup upon upgrading to Panther. I'm using it on a computer that acts as the router and AirPort base station for my network, so it's a relatively complex setup. (Not a lot of rules, but a couple different interfaces to worry about.)

I'm requiring "Network" and "Resolver" in my StartupParameters.plist file.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: kirbysdl on Jan 01, '04 05:28:15PM

I am requiring Resolver on an older G4 Powerbook (Ti?) and it has worked up to 10.3.2. I haven't had a chance to install 10.3.3 on the Powerbook yet.

I recently got an iBook G4 and after installing 10.3.3, it stopped working (after logging in, the machine would appear to hang). I changed the requirement of Resolver to Super Server, and it started working again.

To summarize, apparently it works on some systems on some versions of OS 10.3, so don't change anything if it works. But if the problem occurs (after an OS upgrade or otherwise), follow the hint and it should work.

Panther change in StartupItems
Authored by: pjw on Nov 06, '03 03:01:00PM

I was curious about what Resolver actually is, so I looked through /System/Library/StartupItems for the item that provides it. The item DirectoryServices is the culprit, but if you look closely, this startup item doesn't do anything. The entire script for starting up Directory Services is this:

#!/bin/sh
exit 0

That's it. I didn't find lookupd or netinfod.

Now is a good time to mention that I'm running Panther. So out of curiosity I took a look in my archived system files to see what DirectoryServices did under Jaguar. Bingo! It loaded lookupd.

So I keep investigating and I discover two directories that are new to Panther: /etc/mach_init.d/ and /etc/mach_init_per_user.d/. Apparently the startup process in Panther has changed to include loading all of the commands mentioned in the .plist files in these directories. There is a DirectoryServices command and a lookupd command -- note that they refer to two different daemons.

I'm still investigating, but I thought the power users out there might be interested to see these changes. Plus, if anyone has any information that discusses this change -- like why it was done and what the difference is between loading things from StartupItems versus the mach_init.d directory (which, by the way, doesn't seem to have any kind of ordering information), then I'd love to read more about it.

Panther change in StartupItems
Authored by: pjw on Nov 06, '03 03:31:29PM

I found confirmation of this change. Perhaps this should be listed in a different hint. Apple is phasing out the StartupItems mechanism for loading daemons and services and moving to a "load-on-demand" approach that uses a tool called register_mach_bootstrap_servers. Here's the document that gives the details:

System startup: The Boot Process (Bootstrap Daemons section)

I have no idea how this impacts where the Firewall startup should go.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: klui on Nov 06, '03 05:41:23PM

While I'm not running Panther, you should look at what Panther's IP firewall extension requires and use the same thing for your ipfw StartupParameters.plist. For Jaguar, it requires Network and provides NetworkExtensions under /System/Library/StartupItems/NetworkExtensions.

My setup under Jag is I allow NetworkExtensions and piggyback off the default ipfw rules.

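The hint's fix (changing Requires from "Resolver" to "Super Server"), pjw's question about what "Super Server" is, the answers above (IPServices provides it, DirectoryServices provides Resolver) and klui's advice to look at what the NetworkExtensions item requires are all the same lookup: which installed item Provides a given token, and whether every token your item Requires is provided by anything at all. SystemStarter does not start an item whose Requires it cannot satisfy, so it is worth resolving the tokens before rebooting instead of finding out at the login window. The script below is an added example, not code from the hint or from any commenter. It reads the single-line `Key = ("A", "B");` form that Apple's own StartupParameters.plist files use, and runs against a constructed tree of items carrying the names and tokens reported in this thread; the tree and the helper names (plist_tokens, providers_of, check_item, mk_item, build_fixture) are mine.

```shell
#!/bin/sh
# Resolve StartupItems Provides/Requires/Uses tokens the way SystemStarter
# matches them. Added example, not from the hint; assumes the single-line
# old-style plist form Apple's items use:   Provides = ("A", "B");

# Print the tokens under KEY (Provides, Requires or Uses) in PLIST, one per line.
plist_tokens() {
    key=$1; plist=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(\(.*\));.*/\1/p" "$plist" |
        tr ',' '\n' | tr -d '"' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print the name of every item under the given roots whose plist Provides TOKEN.
# Usage: providers_of TOKEN ROOT...
providers_of() {
    token=$1; shift
    for root in "$@"; do
        for plist in "$root"/*/StartupParameters.plist; do
            [ -f "$plist" ] || continue
            if plist_tokens Provides "$plist" | grep -Fqx -- "$token"; then
                basename "$(dirname "$plist")"
            fi
        done
    done
}

# Report what satisfies each Requires and Uses token of ITEM_DIR. Returns 1 if
# a hard (Requires) token is provided by nothing: SystemStarter will not start
# the item, and a firewall that never loads is worse than none.
# Usage: check_item ITEM_DIR ROOT...
check_item() {
    item=$1; shift
    [ -f "$item/StartupParameters.plist" ] || { echo "no StartupParameters.plist in $item"; return 1; }
    missing=0
    for key in Requires Uses; do
        oldifs=$IFS; IFS='
'
        for token in $(plist_tokens "$key" "$item/StartupParameters.plist"); do
            found=$(providers_of "$token" "$@" | tr '\n' ' ' | sed 's/ *$//')
            if [ -n "$found" ]; then
                echo "$key \"$token\": provided by $found"
            else
                echo "$key \"$token\": UNRESOLVED"
                if [ "$key" = Requires ]; then missing=$((missing + 1)); fi
            fi
        done
        IFS=$oldifs
    done
    [ "$missing" -eq 0 ]
}

# Write one item with the given token lists (each a pre-quoted list such as
# '"Super Server", "Config Server"', or '' for none).
# Usage: mk_item ROOT NAME PROVIDES REQUIRES USES
mk_item() {
    mkdir -p "$1/$2"
    cat > "$1/$2/StartupParameters.plist" <<EOF
{
  Description = "$2";
  Provides = ($3);
  Requires = ($4);
  Uses = ($5);
}
EOF
}

# Constructed tree: item names and tokens are the ones reported in this thread
# for Panther; the tree itself (under a temp dir) is made up for the example.
build_fixture() {
    base=$(mktemp -d)
    sys=$base/System/Library/StartupItems
    lib=$base/Library/StartupItems
    mk_item "$sys" Network           '"Network"'                       ''           ''
    mk_item "$sys" DirectoryServices '"Resolver"'                      ''           ''
    mk_item "$sys" IPServices        '"Super Server", "Config Server"' ''           '"mDNSResponder", "Portmap", "NetworkExtensions"'
    mk_item "$sys" NetworkExtensions '"NetworkExtensions"'             '"Network"'  ''
    mk_item "$lib" ipfw              '"Firewall"'                      '"Resolver"' ''
    echo "$base"
}

# Stand-alone run: answer the thread's questions against the constructed tree.
demo() {
    base=$(build_fixture)
    sys=$base/System/Library/StartupItems
    lib=$base/Library/StartupItems
    echo "Super Server is provided by: $(providers_of 'Super Server' "$sys" "$lib")"
    echo "Resolver is provided by:     $(providers_of Resolver "$sys" "$lib")"
    check_item "$lib/ipfw" "$sys" "$lib" || echo "ipfw item would not be started"
    rm -rf "$base"
}
demo
```

On a real machine call it as `check_item /Library/StartupItems/ipfw /System/Library/StartupItems /Library/StartupItems`. It only tells you that a token is provided, not that the provider does anything useful (pjw found Panther's DirectoryServices script is just `exit 0`); for that half of the check you still have to read the provider's script.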
10.3: Personal ipfw firewall configuration startup items fix
Authored by: bluehz on Nov 06, '03 07:42:19PM

My startup IPFW firewall starts up just fine - it actually appears about halfway through the startup process. I know it's MY IPFW startup as I have custom text that is displayed. So my IPFW firewall starts and the startup screen continues, and almost at the end I see "Waiting for firewall extension..." (I think that's it), which rather confuses me. I obviously don't have the Apple PrefPane Firewall setup since I use my own IPFW firewall - so what is this "Waiting..." that appears later? It usually pauses the startup process by about 20 secs or so - I would really like to disable it if possible.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: kirbysdl on Dec 14, '03 09:08:08PM

This is actually not a problem. My scripts say the same thing, but try doing a
sudo ipfw -q /etc/ipfw.cfg
(or whatever your config file is). You'll find that your machine sits and spins for a while as it figures out your ruleset. The service starter is actually doing us a favor by letting us know it's working instead of stalled.

10.3: Personal ipfw firewall configuration startup items fix
Authored by: php4u on Feb 19, '04 03:41:53PM

I would like to add a rule to not allow pings. Any suggestions on how? I think I can add it to the "com.apple.sharing.firewall.plist" file....but not really sure how.

I'm running Panther on a G4.

thanks in advance!
Ralph

---
~~~~~~~~~~~~~
Do what ya can...
but behave yourself
~~~~~~~~~~~~~

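One way to do what Ralph asks with the approach this hint uses (your own /etc/ipfw.conf loaded by the StartupItem), as an added example rather than anything from the thread: an ICMP echo request is ICMP type 8, so `deny icmp from any to any in icmptypes 8` stops the host answering ping, while the rules after it still let its own pings and traceroutes get their replies. This leaves com.apple.sharing.firewall.plist, which belongs to the Sharing preference pane's firewall, alone. The script writes a small default-deny ruleset and lints it before it goes anywhere near `ipfw -q` at boot, since a ruleset that fails to load leaves you with no firewall and a mis-ordered one can leave you with no network. The ruleset, its rule numbers and the helper names (write_ipfw_conf, lint_ipfw_conf, demo_ipfw) are assumptions of mine; the rule syntax is ipfw(8)'s. The final `deny log` rule only writes log lines when net.inet.ip.fw.verbose is set, which the hint's startup script does.

```shell
#!/bin/sh
# Write and sanity-check a personal ipfw ruleset for /etc/ipfw.conf.
# Added example, not from the thread; the ruleset and rule numbers are mine,
# the syntax is ipfw(8)'s.

# Write the ruleset to FILE. Comment lines are for the reader and are stripped
# on the way out, so the file holds only "add ..." lines for "ipfw -q FILE".
write_ipfw_conf() {
    grep -v '^#' > "$1" <<'EOF'
# loopback: allow it, and drop spoofed 127/8 on real interfaces
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# ICMP echo request is type 8: drop it inbound and the host stops answering ping
add 200 deny icmp from any to any in icmptypes 8
# our own ping/traceroute still work: let ICMP out, and let echo replies (0),
# unreachables (3) and time-exceeded (11) back in
add 210 allow icmp from any to any out
add 220 allow icmp from any to any in icmptypes 0,3,11
# stateful: connections we open may get answers, nothing else comes in
add 300 check-state
add 310 allow tcp from me to any out setup keep-state
add 320 allow udp from me to any out keep-state
# the one inbound service, ssh
add 400 allow tcp from any to me 22 in setup keep-state
# everything else: drop and log (logging needs net.inet.ip.fw.verbose=1)
add 65000 deny log ip from any to any
EOF
}

# Check FILE before it is handed to ipfw at boot: every line is
# "add <number> <action> ...", numbers strictly increase and stay below 65535
# (the kernel's fixed default rule), and the last rule is a catch-all deny.
# Prints the first problem found and returns 1.
lint_ipfw_conf() {
    file=$1; prev=0; last=''; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        [ "$1" = add ] || { echo "line $n: expected 'add', got '$1'"; return 1; }
        case $2 in ''|*[!0-9]*) echo "line $n: rule number missing"; return 1 ;; esac
        num=$(printf '%s' "$2" | sed 's/^0*//'); num=${num:-0}   # no octal surprises
        [ "$num" -gt "$prev" ] || { echo "line $n: rule $num is not above $prev"; return 1; }
        [ "$num" -lt 65535 ] || { echo "line $n: rule $num collides with the default rule"; return 1; }
        case $3 in
            allow|accept|pass|permit|deny|drop|count|check-state|skipto|reset|unreach) ;;
            *) echo "line $n: unknown action '$3'"; return 1 ;;
        esac
        prev=$num; last=$line
    done < "$file"
    case $last in 'add '*' deny '*'ip from any to any') return 0 ;; esac
    echo "last rule is not a catch-all deny: '$last'"; return 1
}

# Stand-alone run: write to a temp file, lint it, and say where it would go.
demo_ipfw() {
    f=$(mktemp)
    write_ipfw_conf "$f"
    if lint_ipfw_conf "$f"; then
        echo "ruleset OK: install as /etc/ipfw.conf and load with: sudo ipfw -q /etc/ipfw.conf"
    fi
    rm -f "$f"
}
demo_ipfw
```

Install the file as /etc/ipfw.conf; to reload by hand run `sudo ipfw -f flush` and then `sudo ipfw -q /etc/ipfw.conf`, and `sudo ipfw -a list` shows the rules with their packet counters so you can watch rule 200 count your test pings from another machine.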