10.5: Use a custom firewall in 10.5 with ipfw

Nov 15, '07 02:30:00PM

Contributed by: Brathahn

In 10.4, if you had a custom firewall config running, the built-in firewall configuration was greyed out in System Preferences. In Leopard this is no longer the case. I haven't worked out what happens when you use both configurations, built-in and custom, but here's how you get your custom firewall back:

  1. Set the firewall option in the Security pane of System Preferences to "Allow All Incoming Connections," so that the built-in settings don't conflict with or interfere with your custom rules. In Leopard that pane controls the application firewall, which is a separate layer from ipfw, so leaving it at "Allow All" keeps it out of the way.
  2. Create an entry in /Library/LaunchDaemons (mine is called ipfw_firewall.plist); it looks like this. Customize it to meet your needs.
  3. If you, like me, want your separate firewall log file in /var/log, then you need to modify /etc/syslog.conf like this:
    *.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit		/dev/console
    *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit	/var/log/system.log
    
    # Send messages normally sent to the console also to the serial port.
    # To stop messages from being sent out the serial port, comment out this line.
    #*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit		/dev/tty.serial
    
    # The authpriv log file should be restricted access; these
    # messages shouldn't go to terminals or publically-readable
    # files.
    auth,authpriv.*;remoteauth.crit				/var/log/secure.log
    
    lpr.info						/var/log/lpr.log
    mail.*							/var/log/mail.log
    ftp.*							/var/log/ftp.log
    netinfo.err						/var/log/netinfo.log
    install.*						/var/log/install.log
    install.*						@127.0.0.1:32376
    local0.*						/var/log/ipfw.log
    
    *.emerg							*

With those changes, you get your firewall logs in /var/log/ipfw.log.
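Since the hint's own LaunchDaemon plist and rule script are not reproduced on the page, here is an added example that is not the author's code: a single script that renders a stateful ipfw ruleset, loads it, and writes the LaunchDaemon that runs it at boot. The script path (/usr/local/sbin/ipfw_firewall.sh), the launchd label (com.example.ipfw_firewall), and the choice of SSH as the only inbound service are assumptions; change them to match your setup.

```shell
#!/bin/sh
# Added example, not the original hint's script or plist. Assumed names: the
# script lives at /usr/local/sbin/ipfw_firewall.sh, the launchd label is
# com.example.ipfw_firewall, and SSH is the only service exposed. Adjust both.
set -e

IPFW=/sbin/ipfw
SCRIPT=/usr/local/sbin/ipfw_firewall.sh
LABEL=com.example.ipfw_firewall
SSH_PORT=22

# Emit the ruleset as plain "add ..." lines without touching the kernel, so it
# can be reviewed or diffed first. Lower rule numbers are evaluated first and
# the first match wins:
#   100      loopback traffic is trusted
#   110/120  drop 127/8 addresses arriving on a real interface (spoofing)
#   200      let dynamic (keep-state) entries match before the static rules
#   210-230  anything this host initiates may go out, and its replies come back
#   300      the one inbound service; add more rules here as needed
#   310      drop echo-request, so nmap without -P0 reports the host as down
#   65000    everything else is dropped and logged (needs net.inet.ip.fw.verbose=1)
render_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny log ip from 127.0.0.0/8 to any in
add 120 deny log ip from any to 127.0.0.0/8 in
add 200 check-state
add 210 allow tcp from me to any out setup keep-state
add 220 allow udp from me to any out keep-state
add 230 allow icmp from me to any out keep-state
add 300 allow tcp from any to me $SSH_PORT in setup keep-state
add 310 deny icmp from any to me in icmptypes 8
add 65000 deny log ip from any to any
EOF
}

# Load the ruleset into the kernel. Must run as root; flushes whatever is there.
apply_rules() {
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null        # make "log" rules log
    sysctl -w net.inet.ip.fw.verbose_limit=0 >/dev/null  # 0 = no per-rule log cap
    "$IPFW" -q -f flush
    render_rules | while read -r line; do
        # shellcheck disable=SC2086
        set -- $line
        "$IPFW" -q "$@"
    done
}

# Write the LaunchDaemon that runs "apply" at boot. Pass the destination path,
# normally /Library/LaunchDaemons/$LABEL.plist (owned root:wheel, mode 644).
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>$LABEL</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>$SCRIPT</string>
		<string>apply</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
    apply)   apply_rules ;;
    show)    render_rules ;;
    install) write_plist "/Library/LaunchDaemons/$LABEL.plist"
             launchctl load "/Library/LaunchDaemons/$LABEL.plist" ;;
esac
```

Run `sh ipfw_firewall.sh show` to review the rules, `sudo sh ipfw_firewall.sh apply` to load them now, and `sudo sh ipfw_firewall.sh install` once to create and load the LaunchDaemon. To confirm the rules are doing work, `sudo ipfw -a list` prints per-rule packet and byte counters, and hits on rule 65000 show up in the log with an `ipfw:` prefix. Note that scanning 127.0.0.1 from the Mac itself travels over lo0, which rule 100 allows, so it lists every listening service rather than what the network can reach; only a scan from another host tells you what the ruleset exposes.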
The actual scripts and firewall rules here are the result of research I did on ipfw on OS X and BSD, and build on other people's work, for instance Dru Lavigne's. I just used their stuff and modified it to fit my requirements.

Running nmap from another host against a Mac with the above firewall config gives this:

~ $ nmap 192.168.1.16

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 22:08 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.085 seconds
~ $ nmap 192.168.1.16 -P0

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 22:08 GMT
Interesting ports on 192.168.1.16:
Not shown: 1696 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 68.911 seconds
However, nmap on the Mac itself against localhost looks like this:
$ nmap 127.0.0.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 22:12 GMT
Interesting ports on localhost (127.0.0.1):
Not shown: 1616 closed ports, 73 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
631/tcp  open  ipp
993/tcp  open  imaps
995/tcp  open  pop3s
5900/tcp open  vnc

Nmap finished: 1 IP address (1 host up) scanned in 9.974 seconds
I guess the result is acceptable :).



Mac OS X Hints
http://hints.macworld.com/article.php?story=20071102151607110