10.5: Use a custom firewall in 10.5 with ipfw Network
In 10.4, if you had a custom firewall config running, the built-in firewall configuration was greyed out in the System Preferences. Now in Leopard this is not the case ... I haven't worked out what happens when you use both configurations, built-in and custom, but here's how you get your custom firewall back:
  1. Set the firewall option in the Security System Preferences panel to "Allow All Incoming Connections," just to make sure that the built-in settings don't conflict / interfere with your custom settings.
  2. Create an entry in /Library/LaunchDaemons, mine is called ipfw_firewall.plist, and it looks like this. Customize to meet your needs.
  3. If you, like me, want your separate firewall log file in /var/log, then you need to modify /etc/syslog.conf like this: With those changes, you get your firewall logs in /var/log/ipfw.log.
The actual scripts and firewall rules here are the result of research I did on ipfw on OS X and BSD, and are the result of other people's work, for instance, Dru Lavigne. I just used their stuff and modified it to fit my requirements.

The result of the above firewall config is this when you run nmap against it: However, nmap on the Mac itself against localhost looks like this: I guess the result is acceptable :).

21 comments
10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Axlin on Nov 15, '07 05:09:25PM

Just curious, what's the benefit of using a custom firewall as per these instructions? Is it more secure than the default firewall?

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Brathahn on Nov 16, '07 03:48:27AM

A couple of things:

- One thing is layered defenses. Two firewalls are better than one.

- The IPFW firewall does exactly what I tell it to do, not more, not less. Since I submitted this hint I learnt a lot more about the Application Firewall that is built into Leopard. As seen in numerous reviews it leaves services open that it deems necessary for running the system / run as root.

Therefore it overrules my decisions. Something that reminds me of Windows. I don't like to be overruled by my own computer....

- Also it looks like the Application Firewall seems to be more like a proxy firewall. This maybe means that it's more vulnerable to attack since the packet has to travel up the TCP/IP stack before it gets processed by the Application Firewall. IPFW is a simple packet filter that sits on Layer 3 and therefore doesn't interfere with the Application Firewall.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Axlin on Nov 16, '07 07:22:40PM

Okay, thanks!

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: ssevenup on Nov 15, '07 06:00:39PM

Presumably this hint constitutes abandoning the Application based firewall in favor of the Tiger like way of doing it?

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Brathahn on Nov 16, '07 03:53:18AM

It's up to you. Use the Application Firewall or IPFW or both, or none....

I'm working professionally with Enterprise level firewalls from different vendors for more than 7 years now and I may be a little bit anal about it.... :)

Also initially there was very little information available about how the Application Firewall works and in cases like that I stick to what I know is working.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: TonyT on Nov 15, '07 06:16:09PM
You can use both ipfw and Apple's new Application Firewall:
http://docs.info.apple.com/article.html?artnum=306938
"Earlier ipfw technology is still accessible from the command line (in Terminal) and the Application Firewall does not overrule rules set with ipfw; if ipfw blocks an incoming packet, the Application Firewall will not process it."

So just re-use your Tiger ipfw rules, or set new ones (consider using the WaterRoof GUI).

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: SuperCrisp on Aug 20, '09 03:23:09PM

What I suggest is also suggested on Waterroof's website, but in case someone might miss it there: Noobproof provides a very simple ipfw GUI that provides a list of common services for which you can set allow/deny. It also lets you add stuff. I'm comfortable with ipfw and the old firewall, and I still chose Noobproof for a quick and easy tool.

One other note: if you're behind your own router, you can probably choose Allow All in the Leopard firewall. On the road you can go for the Allow selected or whatever the 3rd option is called. It's annoying that 3rd option, asking you for permission each time you launch something.

But then again, I've sat and watched the logs on my server as someone from Russia knocked on my door #22 all morning. So it never hurts to be safe.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: jsalbre on Nov 15, '07 10:53:51PM
Your script references /usr/libexec/ipfwloggerd, but this program no longer exists. The closest I could find was /usr/libexec/ApplicationFirewall/appfwloggerd, but I'm not sure if it functions exactly the same. Actually, I get logging from ipfw rule actions even without running this program, but the format is different from standard ipfw logs.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Brathahn on Nov 16, '07 03:37:58AM

Good point, there's no /usr/libexec/ipfwloggerd anymore.... Didn't notice at all since my logging is working as it always has.. I assume that it may now be solely done via syslog because sometimes I get messages in the ipfw.log like "--- last message repeated 9 times ---" ? Any other suggestions?

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: eagle on Nov 16, '07 06:01:22AM
I just create a script called /etc/rc.firewall, and call /etc/rc.firewall from /etc/rc.local.

/etc/rc.local looks like this:
#!/bin/sh

/usr/local/sbin/synergys -f
sh /etc/rc.firewall


/etc/rc.firewall looks like this:
#!/bin/sh

IPFW='/sbin/ipfw -q'

$IPFW -f flush

# first set up some basic rules
$IPFW add 2000 allow ip from any to any via lo*
$IPFW add 2050 allow log tcp from any to any out
$IPFW add 2060 allow log tcp from any to any established
...

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: dlgraves on Nov 16, '07 07:16:09AM

Hi,

For those of us not so familiar with launchd, could you go through the installation in a little more detail please? I can just stick the .plist in the /Library/LaunchDaemons folder, saved as ASCII? (Having broken off the subsections into their respective directories, of course.)

thanks
lucas

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: Brathahn on Nov 16, '07 12:19:20PM

Yep, you just stick the .plist into /Library/LaunchDaemons/

Here are the permissions on my MBP

-rw-r--r-- 1 root admin 507 28 Jul 10:20 /Library/LaunchDaemons/ipfw_firewall.plist

You are supposed to run afterwards the following to activate it:

/bin/launchctl load /Library/LaunchDaemons/ipfw_firewall.plist

see "man launchctl" for details. I said "supposed to" because I have seen occasions where stuff just works without the "launchctl" bit... but officially you should run it.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: gakhular on Nov 27, '07 09:53:59PM

I've been trying in my spare time for the last couple of days to get your original hints to work. I dragged ipfwloggerd over from my Tiger system and it seems to work. After I run the firewall startup script in the terminal, entries start showing up in the firewall log.

To make the script automatic I put a plist entry in /Library/LaunchDaemons patterned after yours, but modified for my file locations. syslog seems to indicate that the commands are executed OK, but the firewall logger dies for some reason:

Nov 27 20:42:35 iGlenn com.apple.launchd[1] (glenn.ipfw[1579]): Stray process with PGID equal to this dead job: PID 1581 PPID 1 ipfwloggerd

Any ideas?

Glenn

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: el.tyde on Dec 01, '07 10:40:33PM

-rw-r--r-- 1 root admin 507 28 Jul 10:20 /Library/LaunchDaemons/ipfw_firewall.plist

...

Really? One question though. (Please forgive my distrust.) What good are these permissions when the ipfw_firewall.plist you published in your hint outsources your firewall rules to:

/Users/blah/bin/ipfw_firewall.sh
ie. your ~/bin

Can you explain to me the benefits of having your system's firewall rules trivially in your user space? You wouldn't happen to be surfing the web as this user would you?

Wait. Never mind the firewall. You are using LaunchDaemons. Did you just give away root?:

<array>
<string>/Users/blah/bin/ipfw_firewall.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>

Or perhaps you would like to clarify to novice users that the /Users/blah account is somehow special (hint: not for daily use)?

robg: you let this slide?

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: mlott on Jan 10, '08 08:31:57AM
Hi
What good are these permissions when the ipfw_firewall.plist you published in your hint outsources your firewall rules to: Can you explain to me the benefits of having your system's firewall rules trivially in your user space?

Really?
If you had bothered to read the attached file, you would notice that the file (after the XML) starts with #!/bin/sh and, if you are aware of how shell scripts work, then you would know that there are no shell commands for add 00100 set 0 allow ip from any to any via lo* (as an example) unless coupled with the command ipfw add which is not the case here.

To that end, it is obvious that the script ends on the line $IPFW -q /etc/ipfw.conf. If you had also bothered to read the ipfw manpage, you would realise that /sbin/ipfw -q /etc/ipfw.conf tells ipfw to load firewall rules in the configuration file that is in the path /etc/ipfw.conf, which is where you put all the text under the line:

- and last but not least the /etc/ipfw.conf file looks like this:
It even states:
# Load rule set from /etc/ipfw.conf

For info, the group ownership for the ipfw_firewall.plist file should really be with wheel, the same as the plists in /System/Library/LaunchDaemons/ and the /etc/ipfw.conf file should be owned by root, and only readable by root, no one else.

It would also definitely be better to have the ipfw_firewall.sh somewhere within the /usr/local/ tree (maybe /usr/local/scripts/, or /usr/local/bin).

Wait. Never mind the firewall. You are using LaunchDaemons. Did you just give away root?

What?
How exactly did he "give away root"? You are throwing FUD. If you can show evidence of him giving away the root account, then please let us know. I do not claim to be a security expert in any way, so I would sure love to see how you are able to escalate to root privs in this instance (I think that Apple would like to see that too). Launchd took over from init in 10.4 as the number one process, hence it is owned and run by root for obvious reasons (check the permissions of all system binaries in /sbin/), and yes, I do realise root can pass over to a lesser privileged user/group.

Or perhaps you would like to clarify to novice users that the /Users/blah account is somehow special (hint: not for daily use)?

There is no need for sarcasm, especially when people are trying to help others - it's not nice, is it? Not everyone is as perfect as you seem to think you are, and everyone is hopefully learning something by coming along to Macosxhints. Stop being a smartass.

Instead of calling someone out and slamming them for trying to help, consider highlighting issues that you see, adding what you perceive to be corrections, and thereby educating other people that might be reading this post. There is not always one correct way of doing things, and as such, people have differing opinions of achieving the same goal. If you want to flame people, there are a number of discussions at the moment on the OpenBSD Misc list that might suit you down to the ground.

For info in the attached file, I notice that there is a rule detailed for:

# ip-options
# (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
I believe this has been fixed (see here) and I don't think this is necessary.

All that aside, it is interesting that you can now run both ipfw and Apple's application firewall in tandem. This adds an extra layer of security (defence in depth) for those that wish to utilise it. Something to consider for those that are delving more into firewalls and layered security. There is a nice and short read here, though a little dated, on the subject of firewalls and highlights some concepts that are still very true. Bruce Schneier is also very insightful when it comes to security that is not just applicable to the world of IT.

Mike

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: el.tyde on Feb 10, '08 04:57:42PM
Gibberish.

Let us quote directly from the source:
http://www.macosxhints.com/dlfiles/custom_ipfw_105.txt

- in my ~/bin directory the ipfw_firewall.sh looks like this:

#!/bin/sh
## Boot Script for firewall

#
# CONSTANTS
#

IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl

...

The question was not: "How exactly did he 'give away root'?" (as you put it). The question was: "DID [he] just give away root?" (as I put it). So did he? And did you, if you implemented the hint as originally described (with vague ownership/permissions)?

I wouldn't know. That would depend on: all of your daemon script-related ownership and permissions, which the "Sat, Dec 1 '07 10:40PM PST" post here asks to clarify. (And on: what websites he/you may have visited - that's just one possibility.)

Since I respect the possibility that you might really be missing something, I will clarify.

NOTE: The issue here is entirely about ownership and permissions related to: ipfw_firewall.sh. It is very bad practice to have a script like this (in a user directory like ~/bin, or some other such vague directory with vague permissions) and have it modifiable possibly by anyone. Why? Because it will run as root (e.g. during boot time, via described launchd plist). If you, or Safari (or whatever) running as user, or anyone can arbitrarily write commands to such a script, then that anything can run as root upon execution of the script. Game over, if you'd like. A daemon script like the one described in this hint, running sysctl and ipfw (or whatever) with root permissions, should itself be modifiable only by root.

REF: tn2083.html

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: Brathahn on Mar 03, '08 02:28:26AM

Thanks guys! Having the ipfw_firewall.sh script in ~/bin was too lazy of me.... I tend to keep my scripts in one place to be able to edit them easily... so I've updated the .plist for launchd and the script is now sitting in /usr/local/sbin with root:wheel permissions...

And NO, I don't use my "blah" account for admin stuff. So it always goes like "su admin" and then "sudo -s"....


Thanks for all the feedback, unfortunately I don't check back too often and there's no option to receive email alerts if something gets added in a thread / topic started by me (or at least I didn't find the checkbox for it...)

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: zo219 on Feb 11, '08 03:49:18AM

I realize the topic is a custom firewall, but I'd like to know why configuring firewall has gotten so bloody confusing. Look at LittleSnitch. Look back at DoorStop.

We may be experienced users--we may also not want to study up on IPFW all day, and how on earth does this align with Apple's bloody over-regulation of downloaded files. As only one example.

Or is this a hobby site. The word Hint implies to me, An easier way to get things done. Which is exactly what this invaluable site does-when it isn't leaping to the terminal to move - to plain old move - a file.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: chiggsy on Feb 11, '08 09:18:03AM

You don't need the custom firewall. You can be less secure if you want, up to you. OS X is unix, you'll have to accept that though. Terminal commands are handy. Some things can only be so simple though, and packet filtering is one of them.

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: fortepianissimo on Feb 07, '10 12:12:06PM

A question guys: using the rules posted in this hint, I'm seeing a lot of deny messages outbound from my port 22!

Feb 7 14:34:41 localhost Firewall[17960]: 302 Deny TCP 10.0.1.2:22 117.21.241.10:43048 out via en1
Feb 7 14:34:44 localhost Firewall[17960]: 302 Deny TCP 10.0.1.2:22 117.21.241.10:43048 out via en1
Feb 7 14:34:49 localhost Firewall[17960]: 302 Deny TCP 10.0.1.2:22 117.21.241.10:43048 out via en1
...

The IP address was from China. Should I worry?

Edited on Feb 07, '10 12:15:08PM by fortepianissimo

10.5: Use a custom firewall in 10.5 with ipfw
Authored by: fortepianissimo on Feb 07, '10 01:15:11PM

Mystery solved: some SOB was doing a dictionary attack on my port 22. Now I turned off password login.
