Create a set of stronger firewall rules
Authored by: TigerKR on Sep 09, '03 11:20:22PM

I figured out why the

add deny log tcp from any to any in recv en0 established

wasn't working. I needed to keep-state traffic on en1 as well as en0.

Also, I've tweaked the list order so that the more common rules are hit sooner (the sooner a rule is hit, the less CPU goes into the process) without compromising security. I still have kinks to work out and improvements to make.

You can view the updated firewall.conf file here:

we have a winner
Authored by: TigerKR on Sep 11, '03 04:32:34AM

This firewall.conf is a winner. It's been error tested and optimized for security, speed, and measured accessibility. I recommend that you also install Little Snitch on your LAN clients (that way, you're able to block attacks from outside, and within).

I found that I was running out of dynamic rules, so I also had to alter the Firewall startup item created by brickhouse (which is located at /Library/StartupItems/Firewall/Firewall ) so that more dynamic rules could be accommodated. It now looks like this:

#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse
# Altered by TigerKR

# Enable IP Sharing
# Enable IP Forwarding in the kernel
/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# Start the natd server
/usr/sbin/natd -f /etc/natd.conf

# Add additional gateway IP addresses and routes
# (the address/netmask and host/gateway arguments are missing from the two
# lines below as shown; they fail as written and must be filled in before use)
/sbin/ifconfig en1 inet netmask alias up
/sbin/route add -host -interface

# Enable IP Firewall Logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Put a limit on each rule's logging (log entries per rule before that rule
# goes quiet; the counters are cleared with "ipfw resetlog")
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500

# Double the number of possible dynamic rules (defaults: 256 buckets, 1000 rules).
# dyn_buckets must be a power of two. dyn_max caps the number of concurrent
# keep-state entries; once it is reached, keep-state rules cannot install new
# entries until old ones expire, which is what "running out of dynamic rules"
# looks like.
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000

# Process Firewall Rules File (one ipfw command per line, loaded quietly)
/sbin/ipfw -q /etc/firewall.conf

I hope that this is helpful for someone. It took a long time for me to find out what everything was and what it did. And then there was the error checking and optimizing ;)

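The two posts above describe two things without showing the rules: keep-state has to be applied on every interface that originates connections (en0 and en1) so that replies match check-state instead of falling through to the "deny ... established" rule, and the dyn_buckets/dyn_max sysctls need raising when dynamic rules run out. The script below is an added example written for this page; it is not TigerKR's firewall.conf, not the BrickHouse-generated script, and not linked from the post. It generates an ipfw(8) ruleset in the file syntax that `ipfw -q <file>` reads, orders it so the dynamic-rule check comes first, and refuses a dyn_buckets value the kernel would reject. The interface names en0/en1, the rule numbers, the ssh-on-en1 rule, port 22 and the sysctl values 512/2000 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not TigerKR's firewall.conf or the BrickHouse script: an
# ipfw(8) ruleset in which every connection-originating interface (en0 and en1,
# assumed) gets keep-state, with check-state evaluated before the
# "deny ... established" rules, plus a sanity check on the dyn_* sysctls.
# Interface names, rule numbers, the ssh-on-en1 rule and the sysctl values are
# assumptions for illustration.

# Interfaces that originate connections. An interface left out of this list
# gets no dynamic rules, so replies to its outbound connections never match
# check-state and fall through to the "deny ... established" rule.
STATEFUL_IFACES="en0 en1"

# Emit the ruleset in the file syntax read by "ipfw -q <file>": one ipfw
# command per line, without the "ipfw" prefix.
gen_rules() {
    n=100
    # Most traffic is replies to connections we opened, so the dynamic-rule
    # lookup goes first: the cheapest way to accept the most packets.
    echo "add $n check-state"; n=$((n + 100))
    echo "add $n allow ip from any to any via lo0"; n=$((n + 100))
    echo "add $n deny ip from any to 127.0.0.0/8"; n=$((n + 100))
    for i in $STATEFUL_IFACES; do
        # "setup" matches only the initial SYN; the keep-state entry it creates
        # then carries the rest of the TCP conversation in both directions.
        echo "add $n allow tcp from any to any out xmit $i setup keep-state"; n=$((n + 10))
        echo "add $n allow udp from any to any out xmit $i keep-state"; n=$((n + 10))
    done
    n=$(( (n / 100 + 1) * 100 ))
    for i in $STATEFUL_IFACES; do
        # Inbound non-SYN TCP that reached this point matched no dynamic rule,
        # so it is not a reply to anything we sent: log and drop it.
        echo "add $n deny log tcp from any to any in recv $i established"; n=$((n + 10))
    done
    n=$(( (n / 100 + 1) * 100 ))
    # One deliberately exposed service (assumed: sshd, LAN side only).
    echo "add $n allow tcp from any to any in recv en1 dst-port 22 setup keep-state"
    # Everything else is logged and denied.
    echo "add 65000 deny log ip from any to any"
}

# ipfw requires net.inet.ip.fw.dyn_buckets to be a power of two.
is_power_of_two() {
    v=$1
    [ "$v" -gt 0 ] && [ $(( v & (v - 1) )) -eq 0 ]
}

# Print the sysctl commands that raise the dynamic-rule limits, refusing a
# bucket count the kernel would reject.
gen_sysctls() {
    buckets=$1; max=$2
    is_power_of_two "$buckets" || {
        echo "dyn_buckets=$buckets is not a power of two" >&2
        return 1
    }
    echo "/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=$buckets"
    echo "/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=$max"
}

# 1-based line of the first rule matching a pattern: lets the ordering be
# checked without loading anything into a kernel.
rule_pos() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load for real only when asked and when ipfw is present; otherwise this file
# is just a generator whose output can be inspected or tested.
if [ "${1:-}" = "--apply" ] && [ -x /sbin/ipfw ]; then
    tmp=$(mktemp /tmp/firewall.conf.XXXXXX) || exit 1
    gen_sysctls 512 2000 | sh &&
    gen_rules > "$tmp" &&
    /sbin/ipfw -q flush &&
    /sbin/ipfw -q "$tmp"
    rm -f "$tmp"
fi
```

Run it with no arguments (or pipe `gen_rules` to a file) to review the ruleset; `--apply` flushes the live rules and loads the generated ones only on a host that actually has /sbin/ipfw. The ordering is the point: check-state at rule 100 accepts every reply to a connection that a keep-state rule recorded, so the "deny log ... established" rules further down only ever see inbound non-SYN segments that belong to no tracked connection. Leaving an interface out of STATEFUL_IFACES reproduces the symptom in the first post, since that interface's replies have no dynamic rule and are logged and dropped as "established" traffic.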