Create a set of stronger firewall rules
Authored by: TigerKR on Sep 09, '03 11:20:22PM

I figured out why the

add deny log tcp from any to any in recv en0 established

wasn't working. I needed to keep-state traffic on en1 as well as en0.

Also, I've tweaked the list order so that the more common rules are hit sooner (the sooner a rule is hit, the less CPU goes into the process) without compromising security. I still have kinks to work out and improvements to make.

You can view the updated firewall.conf file here:

http://www.tigerkr.com/ars/firewall09_09.conf



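Added example, not TigerKR's firewall.conf nor anything from the hint itself: a small shell lint that encodes the diagnosis in the comment above. A "deny ... in recv en0 established" rule only lets legitimate replies through when an earlier keep-state rule has created dynamic state for traffic on that interface, so the script reads an ipfw-style rules file and reports any interface that has such a deny rule without a keep-state rule naming it (a keep-state rule that names no interface is treated as covering all of them). It assumes keep-state rules name their interface with recv, xmit or via; the two sample rule sets inside are constructed, with broken.conf reproducing the en0-only state that the comment describes.

```shell
#!/bin/sh
# Added example (not TigerKR's firewall.conf): a lint for the situation in the
# comment above.  A rule such as
#   add deny log tcp from any to any in recv en0 established
# only lets legitimate replies through when an earlier keep-state rule has
# created dynamic state for traffic on that interface.  This script reads an
# ipfw-style rules file and reports every interface that has a
# "deny ... in recv <if> ... established" rule but no keep-state rule naming
# that interface (a keep-state rule with no interface is treated as covering
# all of them).  Assumption: keep-state rules name their interface with
# recv, xmit or via.  The two sample rule sets are constructed.

# Interfaces named in "deny ... in recv <if> ... established" rules.
deny_established_ifaces() {
    grep -E 'deny .*in recv [a-z0-9]+ .*established' "$1" \
        | sed -E 's/.*in recv ([a-z0-9]+).*/\1/' | sort -u
}

# Interfaces covered by keep-state rules ("any" when a rule names none).
keep_state_ifaces() {
    grep 'keep-state' "$1" | while IFS= read -r line; do
        case "$line" in
            *recv\ *|*xmit\ *|*via\ *)
                printf '%s\n' "$line" \
                    | sed -E 's/.*(recv|xmit|via) ([a-z0-9]+).*/\2/' ;;
            *) echo any ;;
        esac
    done | sort -u
}

# Exit 0 when every deny-established interface has keep-state coverage;
# otherwise print each uncovered interface and exit 1.
lint_state_coverage() {
    file=$1
    covered=$(keep_state_ifaces "$file")
    rc=0
    for ifc in $(deny_established_ifaces "$file"); do
        case " $(echo $covered) " in
            *" $ifc "*|*" any "*) ;;
            *) echo "$ifc: deny-established rule without keep-state"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: broken.conf keeps state on en0 only (the bug the
# comment describes); fixed.conf keeps state on en1 as well.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/broken.conf" <<'EOF'
add check-state
add allow tcp from any to any out xmit en0 keep-state
add deny log tcp from any to any in recv en0 established
add deny log tcp from any to any in recv en1 established
EOF
    cat > "$dir/fixed.conf" <<'EOF'
add check-state
add allow tcp from any to any out xmit en0 keep-state
add allow tcp from any to any out xmit en1 keep-state
add deny log tcp from any to any in recv en0 established
add deny log tcp from any to any in recv en1 established
EOF
    echo "$dir"
}

# Demo when run directly: prints "en1: ..." for broken.conf, "ok" for fixed.conf.
DEMO=$(write_samples)
for f in broken fixed; do
    if lint_state_coverage "$DEMO/$f.conf"; then echo "$f.conf: ok"; fi
done
```

Run it against a real /etc/firewall.conf before loading it with ipfw; the interface-matching is deliberately simple, so a rule set that gets its state from rules written in another form will need the two grep/sed patterns adjusted.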
we have a winner
Authored by: TigerKR on Sep 11, '03 04:32:34AM

This firewall.conf is a winner. It's been error-tested and optimized for security, speed, and measured accessibility. I recommend that you also install Little Snitch on your LAN clients (that way, you're able to block attacks from outside, and within).

firewall.conf

I found that I was running out of dynamic rules, so I also had to alter the Firewall startup item created by BrickHouse (which is located at /Library/StartupItems/Firewall/Firewall) so that more dynamic rules could be accommodated. It now looks like this:

#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse
# Altered by TigerKR


#===========================================================
# Enable IP Sharing
#===========================================================
# Enable IP Forwarding in the kernel
/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# Start the natd server
/usr/sbin/natd -f /etc/natd.conf

# Add additional gateway IP addresses and routes
/sbin/ifconfig en1 inet 192.168.0.1 netmask 255.255.255.0 alias up
/sbin/route add -host 192.168.0.1 -interface 127.0.0.1


#===========================================================
# Enable IP Firewall Logging
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Put a limit on each rule's logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500


#===========================================================
# Double the number of possible dynamic rules
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000


#===========================================================
# Process Firewall Rules File
#===========================================================
/sbin/ipfw -q /etc/firewall.conf


I hope that this is helpful for someone. It took a long time for me to find out what everything was and what it did. And then there was the error checking and optimizing ;)



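Added example, not TigerKR's or BrickHouse's code: two shell checks that go with the sysctl changes in the startup script above. The first compares the number of dynamic rules in use with the dyn_max ceiling, since running out of them is exactly the silent failure the comment ran into; the second tallies ipfw "Deny" log entries per rule and interface and flags rules that have hit verbose_limit, because once that limit is reached ipfw stops logging that rule and the tally is only a lower bound. It assumes net.inet.ip.fw.dyn_count is readable with sysctl (it is on FreeBSD ipfw); the log lines embedded in it are constructed in ipfw's syslog format.

```shell
#!/bin/sh
# Added example (not TigerKR's or BrickHouse's code): sanity checks for the
# two sysctl changes in the startup script above.
#  - check_dyn_capacity compares dynamic rules in use with dyn_max, because
#    running out of them silently drops keep-state traffic.
#  - summarize_ipfw_log tallies "Deny" log entries per rule and interface and
#    flags rules that hit verbose_limit, after which ipfw stops logging that
#    rule and the tally is only a lower bound.
# Assumptions: net.inet.ip.fw.dyn_count is readable via sysctl (it is on
# FreeBSD ipfw); the log lines below are constructed in ipfw's syslog format.

# Integer percentage of dynamic-rule capacity in use: dyn_usage_pct COUNT MAX
dyn_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / max ))
}

# check_dyn_capacity COUNT MAX [THRESHOLD]: return 1 with a warning when
# usage is at or above THRESHOLD percent (default 80).
check_dyn_capacity() {
    pct=$(dyn_usage_pct "$1" "$2")
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: $1 of $2 dynamic rules in use (${pct}%); raise net.inet.ip.fw.dyn_max"
        return 1
    fi
    echo "OK: $1 of $2 dynamic rules in use (${pct}%)"
}

# Same check against the live kernel counters on an ipfw host (assumed names).
check_dyn_capacity_live() {
    count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null) || return 2
    max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null) || return 2
    check_dyn_capacity "$count" "$max" "$1"
}

# summarize_ipfw_log FILE: one line per "rule interface" with its Deny count,
# annotated when a "limit N reached on entry RULE" message was seen.
summarize_ipfw_log() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") { rule = $(i + 1); break }
            deny[rule " " $NF]++          # $NF is the interface after "via"
        }
        /ipfw: limit [0-9]+ reached on entry / { capped[$NF] = 1 }
        END {
            for (k in deny) {
                split(k, p, " ")
                note = (p[1] in capped) ? " (log limit reached, count is a floor)" : ""
                print k, deny[k] note
            }
        }' "$1" | sort
}

# Constructed sample of ipfw syslog output: three denies on en1 for rule 65000,
# one on en0 for rule 200, then rule 65000 hitting its verbose_limit.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 11 04:30:01 gateway ipfw: 65000 Deny TCP 192.168.0.20:3456 192.168.0.1:22 in via en1
Sep 11 04:30:02 gateway ipfw: 65000 Deny TCP 192.168.0.20:3457 192.168.0.1:22 in via en1
Sep 11 04:30:05 gateway ipfw: 200 Deny UDP 198.51.100.7:137 203.0.113.10:137 in via en0
Sep 11 04:30:09 gateway ipfw: 65000 Deny TCP 192.168.0.20:3458 192.168.0.1:22 in via en1
Sep 11 04:31:00 gateway ipfw: limit 500 reached on entry 65000
EOF
    echo "$f"
}

# Demo when run directly.
check_dyn_capacity 1900 2000 || true
summarize_ipfw_log "$(write_sample_log)"
```

On the gateway itself, check_dyn_capacity_live run from cron gives early warning before dyn_max is reached, and summarize_ipfw_log over /var/log/system.log shows which rules are noisy enough that verbose_limit is hiding their real hit count.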