
Add firewall rules via the Terminal Network
In an effort to automate the addition of a firewall exception for the latest version of Apple Remote Desktop, I found a way to use the defaults write command in the Terminal to create the rule without using the System Preferences panel. Below is the command I used, in this case to add the ARD exceptions.
defaults write /Library/Preferences/com.apple.sharing.firewall 
firewall -dict-add 'Apple Remote Desktop' '<dict><key>editable</key>
<integer>0</integer><key>enable</key><integer>1</integer><key>port</key>
<array><string>5900-5902</string><string>3283</string></array></dict>'
The only problem I encountered with this method is that the defaults command tends to change the ownership and permissions of the com.apple.sharing.firewall file away from -rw-r--r-- root admin (owner root, group admin), which also disables the firewall. Changing the ownership and permissions back and rebooting will reactivate the built-in firewall.

[robg adds: To make the above command presentable, I broke it onto multiple rows. There's a space at the end of the first row, then all the remaining rows should be joined into one with no additional spaces.]
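The dictionary the hint writes, rebuilt as an added Python example (not code from the hint, from robg, or from Apple): it produces the same <dict> fragment with plistlib, assembles the one-line defaults write command that robg's note describes, and reports whether the preference file still has the root:admin -rw-r--r-- ownership that the hint says the defaults command can disturb. The gid 80 for the admin group, the function names, and the assumption that defaults appends .plist to the domain path are this example's own.

```python
import os
import plistlib
import re
import shlex
import stat

# Domain path from the hint; `defaults` stores it as this path plus ".plist" (assumed).
PLIST_DOMAIN = "/Library/Preferences/com.apple.sharing.firewall"
PLIST_FILE = PLIST_DOMAIN + ".plist"


def firewall_entry(ports, enable=True, editable=False):
    """One entry of the 'firewall' dictionary, shaped like the ARD entry in the hint."""
    return {"editable": int(editable), "enable": int(enable),
            "port": [str(p) for p in ports]}


def entry_xml(entry):
    """The bare <dict>...</dict> fragment that `defaults -dict-add` takes (no plist header)."""
    doc = plistlib.dumps(entry, sort_keys=True).decode()
    body = re.search(r"<dict>.*</dict>", doc, re.S).group(0)
    return re.sub(r">\s+<", "><", body)          # collapse plistlib's indentation to one line


def parse_entry_xml(fragment):
    """Round-trip check: wrap the fragment in a plist root and parse it back to a dict."""
    return plistlib.loads(f'<plist version="1.0">{fragment}</plist>'.encode())


def defaults_command(name, entry):
    """The one-line command (the hint's rows joined, as robg's note describes), shell-quoted."""
    return " ".join(["defaults", "write", PLIST_DOMAIN, "firewall", "-dict-add",
                     shlex.quote(name), shlex.quote(entry_xml(entry))])


def ownership_report(path, uid=0, gid=80, mode=0o644):
    """Compare the file with root:admin -rw-r--r-- (gid 80 is 'admin' on macOS; assumed)."""
    st = os.stat(path)
    return {"uid_ok": st.st_uid == uid, "gid_ok": st.st_gid == gid,
            "mode_ok": stat.S_IMODE(st.st_mode) == mode,
            "mode": oct(stat.S_IMODE(st.st_mode))}


if __name__ == "__main__":
    ard = firewall_entry(["5900-5902", "3283"])      # the ARD ports from the hint
    print(defaults_command("Apple Remote Desktop", ard))
    if os.path.exists(PLIST_FILE):                   # run after the write to spot the change
        print(ownership_report(PLIST_FILE))
```

Running the script prints the exact command to paste; running it again after the write shows in one line whether the ownership or mode moved, which is the condition the hint says silently disables the firewall.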

Add firewall rules via the Terminal | 13 comments
Add firewall rules via `defaults write`
Authored by: babbage on Apr 07, '05 05:43:31PM

Of course, the other way to do this is to learn how to use the BSD derived ipfw tool directly, and dispense with managing the firewall in the GUI. To learn about this approach, read the manpage for ipfw, or do a Google search for it; to see your current settings, just do a `ipfw list`.

The nice thing about the manual ipfw approach is that you get a lot more control over how the firewall is configured (for example, separate management of TCP and UDP traffic, and of incoming and outgoing traffic); the downside to this approach is that the GUI settings no longer work, so it's all or nothing this way.

The nice thing about this hint is that it's a compromise. You can do coarse-grained command line firewall management on the command line -- which is great for managing basic setup of remote computers (e.g. with ARD or ssh) -- but you don't break the ability to control the firewall under Sharing preferences. Very useful -- thanks for the idea!

---

--
DO NOT LEAVE IT IS NOT REAL



[ Reply to This | # ]
Add firewall rules via `defaults write`
Authored by: Cameroon on Apr 07, '05 09:10:43PM

Or you could use a GUI that actually encompasses all of the power of the ipfw ruleset (clunky as ipfw and its syntax are, they are very powerful).

That's why I'm building such an app. I don't use the Apple firewall tool and the other GUI tools just don't cut it. I've got most of the rule features covered, but not the checkstate and a number of the other advanced options. And yes, it can read the existing rules (and export the whole thing as something that can be fed to ipfw).

My goal is to get all the options in and make the GUI comfortable to use (it's already more convenient to me than the command line).



[ Reply to This | # ]
Add firewall rules via `defaults write`
Authored by: babbage on Apr 08, '05 07:04:29AM
Or you could use a GUI that actually encompasses all of the power of the ipfw ruleset (clunky as ipfw and its syntax are, they are very powerful).

Ah, yes, good point. In that case, you'll want to take a look at BrickHouse. It may be a bit outdated at this point -- the last update seems to have been in October 2001, when it was rebuild for OSX 10.1 -- but the fundamentals really haven't changed since then and as far as I can tell it should still work just fine.

---

--
DO NOT LEAVE IT IS NOT REAL

[ Reply to This | # ]

Add firewall rules via `defaults write`
Authored by: Cameroon on Apr 08, '05 07:57:08AM

Brickhouse was one of my reasons for building my own. It has some good features, but it has some glaring omissions.

You can't build divert, tee or forward rules or "import" the existing ipfw rules to be edited via its UI. It does provide an Expert mode, but that's just editing a text file -- why use Brickhouse if you have to use its Expert mode?

It also feels clunky to me; the viewing area for the rules is too small and it takes a sheet and another window to get to some additional ipfw features.

Don't get me wrong, I think Brickhouse is a good tool, but I think Brickhouse is aimed at a different audience than mine. I imagine, in the end, my software will feel more comfortable to users who don't want to use the CLI or edit text files, but want the features of a GUI and also powerful rule editing.

sunShield, mentioned in another comment (and one I'd never heard of before), is more my "competition" than Brickhouse.



[ Reply to This | # ]
sunshield
Authored by: kholburn on Apr 07, '05 09:41:30PM
I use the sunshield Preference Pane. It shows the current ipfw stuff and allows you to add lines in a sort of GUI.


[ Reply to This | # ]
sunshield
Authored by: Cameroon on Apr 07, '05 11:02:45PM

That seems to work pretty well and look pretty good.

Guess I know where the competition is, heh ;)



[ Reply to This | # ]
sunshield correct url
Authored by: kholburn on Apr 07, '05 09:43:50PM
Add firewall rules via `defaults write`
Authored by: JohnnyMnemonic on Apr 08, '05 10:03:56PM

Actually, I haven't been able to find ipfw.conf in OS X client, although I've been using it in Server. I presume it's there somewhere, but it must be cloaked.

Which file do you use to manually add firewall rules, if not ipfw.conf? Or, if you have it, why don't I? I do have a functioning firewall.



[ Reply to This | # ]
Add firewall rules via the Terminal
Authored by: overrider on Apr 09, '05 04:32:27AM

To add firewall rules via the Terminal I use this command:
add 0 deny udp from any to any 5900 or
add 0 allow tcp from any to any 5900

The problem with this is that you get a bad message that other firewall software is running already when opening the System Preferences. You can get around this by just placing all your rules in the above syntax into the /etc/ipfw.conf file. If it doesn't exist, create it, and all your rules from there as well as from the control panel will be honored.



[ Reply to This | # ]
oops...typos
Authored by: overrider on Apr 09, '05 04:36:08AM

To add a rule via the CLI the exact command is
sudo ipfw add 0 deny udp from any to any 5900

To add a rule into /etc/ipfw.conf the syntax is
add 0 deny udp from any to any 5900



[ Reply to This | # ]
configure ipfw
Authored by: macosxphile on Apr 09, '05 04:55:30PM
ipfw is located in /sbin. If you want to configure ipfw using the terminal, you can do the following:

- stop the built-in firewall in System Prefs, if you have it running.
- create the folder /Library/StartupItems/ipfw
- copy ipfw into that folder using this command in the terminal:
cp /sbin/ipfw /Library/StartupItems/ipfw
- using the terminal, we'll create "StartupParameters.plist" in the folder /Library/StartupItems/ipfw so type the following:
sudo pico /Library/StartupItems/ipfw/StartupParameters.plist
- now paste in the following:

{
  Description   = "ipfw firewall";
  Provides      = ("Firewall");
  Requires      = ("Super Server");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting ipfw firewall";
    stop  = "Stopping ipfw firewall";
  };
}
- save it and exit pico
- from the terminal, you will add your firewall rules to the file /etc/ipfw.conf. To open pico in the terminal, and create the ipfw.conf file, type this:
sudo pico /etc/ipfw.conf
- Now add your firewall rules. Here is a very basic example:

add 02000 allow ip from any to any via lo*
add 02010 deny ip from 127.0.0.0/8 to any in
add 02020 deny ip from any to 127.0.0.0/8 in
add 02030 deny ip from 224.0.0.0/3 to any in
add 02040 deny tcp from any to 224.0.0.0/3 in
add 02050 allow tcp from any to any out
add 02060 allow tcp from any to any established
add 04000 deny icmp from any to any in
add 12100 deny log tcp from any to any in
add 12180 reset tcp from any to any setup
add 12190 deny tcp from any to any
- when you're finished adding all your rules, save the file and exit pico.
- if you want firewall logging to be routed into the ipfw.log, you'll need to edit the /etc/syslog.conf, because by default, ipfw logging will show up in the system.log
- to enable logging to the ipfw.log, type this in the terminal:
sudo pico /etc/syslog.conf
- then add this to replace the existing ipfw.log info:

# Route all ipfw log entries into ipfw.log
!ipfw
*.*                                                 /var/log/ipfw.log
!*
- since ipfw is already running you'll need to stop it, and start it again to activate your rules.
- to disable, and then enable ipfw, type this in the terminal:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.fw.enable=1
- to verify your current firewall rules, type this from terminal:
sudo ipfw list
- this should show the rules that you just entered into /etc/ipfw.conf
- to see the parameters that apply to ipfw, type this in terminal:
sudo sysctl net.inet.ip.fw
- it should show enable=1, and if you want verbose logging (if it doesn't show verbose=1) type this in terminal:
sudo sysctl -w net.inet.ip.fw.verbose=1
- you can also set a limit on the number of log entries (provided that you added "log" to any of your ipfw rules) by setting verbose_limit to the maximum number of log entries that you choose, for example:
sudo sysctl -w net.inet.ip.fw.verbose_limit=300
- this is good if you know that you're going to have people pounding on your firewall, so you don't have a ton of log entries, otherwise you don't really need to set it.

And that's basically all there is to it. Users who are new to the terminal, or who aren't familiar with firewall rules, and what they do, should read up on it, or ask someone for help. The man page for ipfw is a place to start. If you're sharing things from your machine, you'll want to create rules to allow these functions. If you find that something doesn't work anymore after enabling ipfw, that's the first place you should start looking.

[ Reply to This | # ]
Add firewall rules via the Terminal
Authored by: robleach on Jan 18, '06 05:13:36PM
I thought that the purpose of the "0" was to make the rule being added the top rule, however all the rules I try to add with the 0 are tacked onto the END of my ruleset whether I use the 0 or not. What the heck? Am I missing something? I'm running 10.3.9.

For example:

>sudo ipfw 0 add deny ip from 1.1.1.1 to any
12290 deny ip from 1.1.1.1 to any


Why does it get stuck as rule 12290 (the last rule barring 65535)?

Rob

[ Reply to This | # ]
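To make the first-match behaviour of macosxphile's ruleset above, and robleach's question about "add 0", concrete, here is an added Python simulator (not ipfw itself, and not code from any commenter). It parses the subset of ipfw syntax used in this thread, evaluates constructed packets against the rules in number order, and numbers an "add 0" rule the way ipfw does: the highest existing number plus the auto-increment step (the sysctl net.inet.ip.fw.autoinc_step in FreeBSD's ipfw, default 100, assumed to be the same here), which is why a rule added with 0 lands at 12290 after 12190 rather than at the top. That the default rule 65535 is "allow ip from any to any", as on a stock Mac OS X install, is also this example's assumption; the sample addresses are documentation ranges.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

AUTOINC_STEP = 100               # assumed: net.inet.ip.fw.autoinc_step default in FreeBSD's ipfw
DEFAULT_RULE = (65535, "allow")  # assumed: stock Mac OS X ends with "65535 allow ip from any to any"

# macosxphile's basic ruleset, copied from the comment above.
SAMPLE_CONF = """\
add 02000 allow ip from any to any via lo*
add 02010 deny ip from 127.0.0.0/8 to any in
add 02020 deny ip from any to 127.0.0.0/8 in
add 02030 deny ip from 224.0.0.0/3 to any in
add 02040 deny tcp from any to 224.0.0.0/3 in
add 02050 allow tcp from any to any out
add 02060 allow tcp from any to any established
add 04000 deny icmp from any to any in
add 12100 deny log tcp from any to any in
add 12180 reset tcp from any to any setup
add 12190 deny tcp from any to any
"""

@dataclass
class Rule:
    number: int
    action: str
    log: bool
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a host/CIDR
    dst: str
    dport: Optional[str]  # "5900" or "5900-5902", as in overrider's rules
    opts: dict            # in/out/established/setup flags and the "via" interface glob

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'add ...' line in the subset of ipfw syntax used in this thread."""
    toks = line.split()
    if not toks or toks[0] != "add":
        return None
    toks = toks[1:]
    number = int(toks.pop(0)) if toks[0].isdigit() else 0   # "add 0" or no number at all
    action = toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto, kw_from, src, kw_to, dst = toks[:5]
    if (kw_from, kw_to) != ("from", "to"):
        raise ValueError(f"cannot parse: {line}")
    toks, dport, opts = toks[5:], None, {}
    while toks:
        t = toks.pop(0)
        if t.replace("-", "").isdigit():
            dport = t
        elif t == "via":
            opts["via"] = toks.pop(0)
        elif t in ("in", "out", "established", "setup"):
            opts[t] = True
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return Rule(number, action, log, proto.lower(), src, dst, dport, opts)

def auto_number(rules) -> int:
    """What ipfw assigns to 'add 0': the highest existing number plus the autoinc step."""
    return max((r.number for r in rules if r.number < 65535), default=0) + AUTOINC_STEP

def load_rules(conf: str) -> list:
    rules = []
    for r in filter(None, map(parse_rule, conf.splitlines())):
        r.number = r.number or auto_number(rules)
        rules.append(r)
    return sorted(rules, key=lambda r: r.number)

RULES = load_rules(SAMPLE_CONF)

def _in(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (_in(rule.src, pkt["src"]) and _in(rule.dst, pkt["dst"])):
        return False
    if rule.dport:
        lo, _, hi = rule.dport.partition("-")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    for opt, val in rule.opts.items():
        if opt == "via" and not fnmatch.fnmatch(pkt["iface"], val):
            return False
        if opt in ("in", "out") and pkt["dir"] != opt:
            return False
        if opt in ("established", "setup") and pkt["tcp"] != opt:
            return False
    return True

def evaluate(rules, pkt: dict):
    """First match wins, as in the kernel; no match at all means the default rule."""
    return next(((r.number, r.action) for r in rules if matches(r, pkt)), DEFAULT_RULE)

def packet(proto, src, dst, direction, dport=0, iface="en0", tcp=None):
    """Constructed sample packet (documentation addresses, not real hosts)."""
    return dict(proto=proto, src=src, dst=dst, dir=direction, dport=dport, iface=iface, tcp=tcp)

if __name__ == "__main__":
    print("inbound SYN to 22:", evaluate(RULES, packet("tcp", "198.51.100.7", "192.0.2.10", "in", 22, tcp="setup")))
    print("inbound UDP 5900: ", evaluate(RULES, packet("udp", "198.51.100.7", "192.0.2.10", "in", 5900)))
    print("next 'add 0' rule gets number", auto_number(RULES))
```

Running it shows that an unsolicited inbound TCP SYN is denied and logged at 12100 before the reset rule at 12180 is ever reached, while an inbound UDP datagram matches nothing and falls through to the default rule, so a ruleset like this needs explicit UDP rules if it is meant to block unsolicited UDP (overrider's deny udp ... 5900 line is one such rule, and feeding it through load_rules shows it being numbered 12290).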
SunShield Preference Pane 2.0.3.l on Mac OS X10.6
Authored by: bobouches on Jun 14, '11 08:44:09PM

SunShield Preference Pane 2.0.3.1 crashes every time I try to open it.
Here is the pop-up I get: System Preferences quit unexpectedly while using the sunShield plug-in.
This is the system dump:
Process: System Preferences [2833]
Path: /Applications/System Preferences.app/Contents/MacOS/System Preferences
Identifier: com.apple.systempreferences
Version: 7.0 (7.0)
Build Info: SystemPrefsApp-1750100~19
Code Type: X86 (Native)
Parent Process: ??? [1]

PlugIn Path: /Library/PreferencePanes/sunShield.prefPane/Contents/MacOS/sunShield
PlugIn Identifier: org.spf.sunShield
PlugIn Version: 2.0.3 (2.0.3)
...

If you need entire dump drop me a PM and I will send it to you.

Any suggestions?
Are you planning to release a version for 10.7 or 10.6 with 64-bit support?



[ Reply to This | # ]