Here is what I have now.
Authored by: ppatoray on Sep 04, '03 03:22:33PM

Matt,

Thanks for the help!

I believe that I took rule 2005 directly from Apple's original firewall setup that I had set up through Sys. Prefs. Allowing FTP access via the FTP checkbox seemed to add both this rule, as well as my rule 2008. I tried taking it out, but it seemed to slow down our web host when I tried connecting. I'll play around with turning it off and try passive mode and see if it makes a difference.

So if I understand you correctly, the drop command is better to use than the deny command (52010 vs 52030)?

Thanks for catching 2004, and the explanation on ICMP.

Here's my new configuration, incorporating the new changes. Let me know what you think. I'm going to try it out and see if I see any problems over the next few days:

Thanks again!

Patrick

# ipfw rule file, not a shell script: the lines below are ipfw commands,
# so load it with   sudo ipfw -q ipfw.rules   (e.g. from a StartupItem).

# Firewall Configuration
############################################################
# The "log" keyword only produces log lines once the kernel switch
# net.inet.ip.fw.verbose is set; run this sysctl from the loader, not here:
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Clear The Rulebase
flush

# Allow Loopback
add 1000 allow ip from any to any via lo*

# Some General Housecleaning
add 1001 deny ip from 127.0.0.0/8 to any
add 1002 deny ip from any to 127.0.0.0/8
add 1003 deny ip from 224.0.0.0/3 to any
add 1004 deny tcp from any to 224.0.0.0/3

# Check Dynamic Rules Table
add 1005 check-state

# Allow packets from existing connections
add 1006 allow tcp from any to any established
add 1007 allow all from any to any frag

# Allow Essential ICMP Traffic
#add 1008 allow icmp from any to any icmptype 3,4,11,12

## ICMP traffic
## Allow path-mtu and source quench
add 1090 allow icmp from any to any icmptypes 3,4

## Allow me to run traceroute
add 1091 allow icmp from any to any icmptypes 11 in

## Allow me to ping out and receive response
add 1092 allow icmp from any to any icmptypes 8 out
add 1093 allow icmp from any to any icmptypes 0 in


#################################################
## Rules for the en0 interface
#################################################
## Allow DHCP/BOOTP
add 2000 allow udp from any 67-68 to any 67-68 via en0

## Allow Broadcast (for DHCP)
add 2001 allow udp from any to 255.255.255.255 67-68 via en0

## Deny Source Routed Packets
add 2002 unreach host log ip from any to any ipopt ssrr,lsrr via en0

## Allow Network Time (NTP)
add 2003 allow udp from any 123 to any 1024-65535,123 via en0

## Reset incoming identd lookups
add 2004 reset tcp from any to any 113

## Allow FTP-Data port
##add 2005 allow tcp from any 20-21 to any 1024-65535 in via en0

## Allow DNS
##add 2006 allow udp from any 1024-65535 to any 53 keep-state out via en0
##add 2006 allow udp from any 53 to any 1024-65535 keep-state in via en0
add 2006 allow udp from any to any 53 out keep-state

## World Wide Web
add 2007 allow tcp from any to any 80 setup keep-state in via en0

## File Transfer (FTP)
add 2008 allow tcp from any to any 20-21 setup keep-state in via en0

## Mail (SMTP, POP3, IMAP/IMAPS)
## Shares number 2008 with the FTP rule above: ipfw accepts that, but
## "ipfw delete 2008" then removes both rules.
add 2008 allow tcp from any to any 25,110,143,993 setup keep-state in via en0

## Snapperhead (2000)
## add 2009 allow tcp from any to any 2000 setup keep-state in via en0

## MP3 Sushi (8010,8888)
## add 2010 allow tcp from any to any 8010,8888 setup keep-state in via en0

## Rendezvous
## add 1160 allow tcp from any to any 5298 keep-state

## iTunes streaming
## add 1170 allow tcp from any to any 3689 keep-state

## No Office PID check
add 2020 deny udp from any 2222 to any
add 2021 deny udp from any to any 2222

## Shut my PC up! (NetBIOS name and datagram service)
add 2022 deny udp from any to any 137,138

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
add 52009 allow all from any to any keep-state out

## Deny All Incoming Services
add 52010 drop log all from any to any

Here is what I have now.
Authored by: Another osX User on Sep 04, '03 05:28:45PM

Drop does not send a reply to the remote host attempting the connection. Deny sends an ICMP 'unreachable' packet back to the remote host.

Drop is preferred to Deny, because with Drop the remote host doesn't know you exist. Deny tells the remote host that there is a machine at the IP that it is trying to connect to (yours), and may cause the remote host to try other means of connecting (or worse, a DoS attack).

Drop vs. Deny
Authored by: Anonymous on Sep 04, '03 05:50:35PM

Actually, when I do an "ipfw show" in Terminal, all my "drop"s are converted to "deny"s... drop and deny seem to be synonyms for the same thing. The man page for ipfw confirms that they're "aliases" on one another, so feel free to use whichever you find more pleasing to the eye!

Just a few more questions
Authored by: ppatoray on Sep 04, '03 05:55:43PM

Thanks, You guys are a wealth of information.

I had changed it from 'deny' to 'drop' a couple of hours ago, when I last posted. Since then, this is what my 'sudo ipfw show' shows me:

01000 8136 1130846 allow ip from any to any via lo*
01001 0 0 deny ip from 127.0.0.0/8 to any
01002 0 0 deny ip from any to 127.0.0.0/8
01003 0 0 deny ip from 224.0.0.0/3 to any
01004 0 0 deny tcp from any to 224.0.0.0/3
01005 0 0 check-state
01006 33 7920 allow tcp from any to any established
01007 0 0 allow ip from any to any frag
01090 0 0 allow icmp from any to any icmptype 3,4
01091 0 0 allow icmp from any to any in icmptype 11
01092 0 0 allow icmp from any to any out icmptype 8
01093 0 0 allow icmp from any to any in icmptype 0
02000 371 126658 allow udp from any 67-68 to any 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 67-68 via en0
02002 0 0 unreach host log ip from any to any via en0 ipopt ssrr,lsrr
02003 0 0 allow udp from any 123 to any 1024-65535,123 via en0
02004 1 60 reset tcp from any to any 113
02006 100 15002 allow udp from any to any 53 keep-state out
02007 46 28840 allow tcp from any to any 80 keep-state in recv en0 setup
02008 9 552 allow tcp from any to any 20-21 keep-state in recv en0 setup
02008 0 0 allow tcp from any to any 25,110,143,993 keep-state in recv en0 setup
02020 0 0 deny udp from any 2222 to any
02021 70 8540 deny udp from any to any 2222
02022 210 19651 deny udp from any to any 137,138
52009 21909 11309907 allow ip from any to any keep-state out
52010 13 3444 deny log ip from any to any
65535 744 99863 allow ip from any to any

The way I read this, it looks like my 52010 rule, which is in my ipfw.rules as 'drop', is being rewritten as deny. Any ideas as to why?

Also, I don't understand exactly what rule 65535 is for. I don't have it in my rules, so I am assuming that it is some sort of default. I had done a search on Google for this rule at one point and came across some text referring to rebuilding the kernel on a Unix box to change this rule from allow to deny.

I would expect the count for rule 65535 to be zero, instead of showing logged traffic. Shouldn't rule 52010 deny this traffic before rule 65535 kicks in?

Just a few more questions
Authored by: yellow on Sep 04, '03 06:25:04PM

It is indeed a default rule built into ipfw. Don't worry about it.

Just a few more questions
Authored by: Anonymous on Sep 04, '03 06:35:36PM

Patrick,

Read my post from a few minutes ago about drop vs. deny: they're the same thing. Whichever one you write, they come out as "deny"; the man page for ipfw says so, too.

Rule 65535 is compiled into the kernel by default. Think about it this way: if you don't configure your firewall, it's still enabled and running, so rule 65535 means that every packet will pass through unless you say otherwise.

Rule 65535 has a non-zero count because packets go through your system (especially on the loopback interface) before you load your firewall rules. If you want to zero it out, go to Terminal and type "ipfw zero 65535".

Hope that helps!

Best of luck,
Matt

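Matt's answer above, and the drop-vs-deny exchange earlier in the thread, can both be checked against a saved "ipfw show" listing rather than by eye. The script below is an added example, not code from the thread or from Apple: it assumes the column layout ipfw prints (rule number, packets, bytes, action, rule body) and embeds a constructed, shortened copy of Patrick's listing as its input.

```shell
#!/bin/sh
# Added example: audit a saved "ipfw show" listing.
# Assumes each line is "<rule> <packets> <bytes> <action> <body...>".

# Constructed sample: a shortened copy of the listing posted in this thread.
IPFW_SHOW='01000 8136 1130846 allow ip from any to any via lo*
01005 0 0 check-state
02006 100 15002 allow udp from any to any 53 keep-state out
02008 9 552 allow tcp from any to any 20-21 keep-state in recv en0 setup
02008 0 0 allow tcp from any to any 25,110,143,993 keep-state in recv en0 setup
52009 21909 11309907 allow ip from any to any keep-state out
52010 13 3444 deny log ip from any to any
65535 744 99863 allow ip from any to any'

# Rule numbers used more than once. ipfw allows this, but "ipfw delete N"
# removes every rule carrying that number, so duplicates are easy to lose.
duplicate_rules() {
    printf '%s\n' "$IPFW_SHOW" | awk '{ print $1 }' | sort | uniq -d
}

# Action stored for a rule number. A "drop" in the rule file comes back as
# "deny": the two keywords are aliases, as the ipfw man page says.
rule_action() {
    printf '%s\n' "$IPFW_SHOW" | awk -v n="$1" '$1 == n { print $4; exit }'
}

# Packet count on the built-in default rule 65535. With a deny-all rule just
# before it, nothing should reach 65535 once the rules are loaded, so a
# non-zero value is traffic from before loading; "ipfw zero 65535" resets it.
default_rule_packets() {
    printf '%s\n' "$IPFW_SHOW" | awk '$1 == "65535" { print $2 }'
}

# Rules (other than the default) that have never matched a packet:
# candidates to review, tighten or remove.
unused_rules() {
    printf '%s\n' "$IPFW_SHOW" | awk '$2 == 0 && $1 != "65535" { print $1 }'
}

# Stand-alone run: print a short report.
echo "duplicate rule numbers: $(duplicate_rules | tr '\n' ' ')"
echo "action of rule 52010:   $(rule_action 52010)"
echo "packets on rule 65535:  $(default_rule_packets)"
echo "rules never matched:    $(unused_rules | tr '\n' ' ')"
```

Run it as-is to see the report for the embedded sample; to audit a live machine, replace the IPFW_SHOW text with the output of "sudo ipfw show". The duplicate check flags the two rules numbered 2008 from the listing above, and the action check shows why the "drop" in the rule file is listed as "deny".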
Just a few more questions
Authored by: bluehz on Sep 06, '03 12:53:14AM

I tried this ruleset and it cut off access to the other Macs via AppleShare on my LAN. Watching the log, I could see it was the last two rules. I had to disable these two rules to get access again.

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
#add 52009 allow all from any to any keep-state out

## Deny All Incoming Services
#add 52010 drop log all from any to any

Disabled those and my AppleShare worked again. That's not right, is it? Also followed the directions for setting up a StartupItem, but it never starts up.

Just a few more questions
Authored by: bluehz on Sep 06, '03 10:08:47AM

Few more questions:

* I like to use LittleSnitch to notify me of outgoing connections and create rules. Will using this IPFW method affect LittleSnitch?

* I would like to send the firewall log info to a separate firewall.log, so I followed the instructions listed here and added this to my syslog.conf:

authpriv,remoteauth,ftp.none;kern.debug /var/log/firewall.log

but it doesn't seem to be logging any info to firewall.log. How can I set this up to log to a separate firewall.log?

* How do I fix the AppleShare problem noted above?

Just a few more questions
Authored by: ppatoray on Sep 08, '03 08:31:06AM

Instead of removing the blanket rules, you should figure out what port your network needs to be allowed on and then add a rule allowing that port access. I don't use AppleShare, so my rules probably don't allow for the traffic.

Rule 52010 vs 52030
Authored by: Anonymous on Sep 04, '03 05:54:07PM

Patrick,

Actually, the reason "drop log all from any to any" was a stronger rule is because your other rule only denied incoming packets; this one denies everything in *and* out, unless otherwise specified. Always best to lock both sides down!

Looks great + happy to help,
Matt
