configure ipfw
Authored by: macosxphile on Apr 09, '05 04:55:30PM
ipfw is located in /sbin. If you want to configure ipfw using the terminal, you can do the following:

- stop the built-in firewall in System Prefs, if you have it running.
- create the folder /Library/StartupItems/ipfw
- copy ipfw into that folder using this command in the terminal:
cp /sbin/ipfw /Library/StartupItems/ipfw
- using the terminal, we'll create "StartupParameters.plist" in the folder /Library/StartupItems/ipfw so type the following:
sudo pico /Library/StartupItems/ipfw/StartupParameters.plist
- now paste in the following:

{
  Description   = "ipfw firewall";
  Provides      = ("Firewall");
  Requires      = ("Super Server");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting ipfw firewall";
    stop  = "Stopping ipfw firewall";
  };
}
- save it and exit pico
- from the terminal, you will add your firewall rules to the file /etc/ipfw.conf. To open pico in the terminal and create the ipfw.conf file, type this:
sudo pico /etc/ipfw.conf
- Now add your firewall rules. Here is a very basic example:

add 02000 allow ip from any to any via lo*
add 02010 deny ip from 127.0.0.0/8 to any in
add 02020 deny ip from any to 127.0.0.0/8 in
add 02030 deny ip from 224.0.0.0/3 to any in
add 02040 deny tcp from any to 224.0.0.0/3 in
add 02050 allow tcp from any to any out
add 02060 allow tcp from any to any established
add 04000 deny ICMP from any to any in
add 12100 deny log tcp from any to any in
add 12180 reset tcp from any to any setup
add 12190 deny tcp from any to any
- when you're finished adding all your rules, save the file and exit pico.
- if you want firewall logging to be routed into the ipfw.log, you'll need to edit /etc/syslog.conf, because by default ipfw logging will show up in the system.log.
- to enable logging to the ipfw.log, type this in the terminal:
sudo pico /etc/syslog.conf
- then add this to replace the existing ipfw.log info:

# Route all ipfw log entries into ipfw.log
!ipfw
*.*                                                 /var/log/ipfw.log
!*
- since ipfw is already running, you'll need to stop it and start it again to activate your rules.
- to disable, and then enable ipfw, type this in the terminal:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.fw.enable=1
- to verify your current firewall rules, type this from terminal:
sudo ipfw list
- this should show the rules that you just entered into /etc/ipfw.conf
- to see the parameters that apply to ipfw, type this in terminal:
sudo sysctl net.inet.ip.fw
- it should show enable=1, and if you want verbose logging (and it doesn't already show verbose=1), type this in terminal:
sudo sysctl -w net.inet.ip.fw.verbose=1
- you can also set a limit on the number of log entries (provided that you added "log" to any of your ipfw rules) by setting verbose_limit to the maximum number of log entries that you choose, for example:
sudo sysctl -w net.inet.ip.fw.verbose_limit=300
- this is good if you know that you're going to have people pounding on your firewall, so you don't have a ton of log entries, otherwise you don't really need to set it.

And that's basically all there is to it. Users who are new to the terminal, or who aren't familiar with firewall rules, and what they do, should read up on it, or ask someone for help. The man page for ipfw is a place to start. If you're sharing things from your machine, you'll want to create rules to allow these functions. If you find that something doesn't work anymore after enabling ipfw, that's the first place you should start looking.

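As an added example, not part of this hint or of ipfw itself: a small Python model of ipfw's first-match rule evaluation, fed the exact ruleset from the hint above. It assumes the stock Mac OS X default rule 65535 is "allow", and the packets it judges are constructed summaries (protocol, addresses, direction, interface, TCP flags) rather than real traffic.

```python
import fnmatch, ipaddress, re

# Ruleset copied verbatim from the hint above, so the parser runs on the real ipfw syntax.
RULES_TEXT = """
add 02000 allow ip from any to any via lo*
add 02010 deny ip from 127.0.0.0/8 to any in
add 02020 deny ip from any to 127.0.0.0/8 in
add 02030 deny ip from 224.0.0.0/3 to any in
add 02040 deny tcp from any to 224.0.0.0/3 in
add 02050 allow tcp from any to any out
add 02060 allow tcp from any to any established
add 04000 deny ICMP from any to any in
add 12100 deny log tcp from any to any in
add 12180 reset tcp from any to any setup
add 12190 deny tcp from any to any
"""
RULE_RE = re.compile(r"^add\s+(\d+)\s+(allow|deny|reset)\s+(log\s+)?(\w+)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$", re.M)

def parse_rules(text):
    """Parse the ipfw subset the hint uses (other lines are ignored); ipfw keeps rules sorted by number."""
    rules = []
    for m in RULE_RE.finditer(text):
        num, action, log, proto, src, dst, rest = m.groups()
        opts = rest.split()
        rules.append({"num": int(num), "action": action, "log": bool(log), "proto": proto.lower(),
                      "src": src, "dst": dst, "dir": next((o for o in opts if o in ("in", "out")), None),
                      "state": next((o for o in opts if o in ("established", "setup")), None),
                      "via": opts[opts.index("via") + 1] if "via" in opts else None})
    return sorted(rules, key=lambda r: r["num"])
def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def rule_matches(r, p):
    """Every option written on the rule must hold; proto 'ip' matches anything. p is a constructed packet: proto, src, dst, dir, iface, flags."""
    tcp = p["proto"] == "tcp"
    return ((r["proto"] == "ip" or r["proto"] == p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (r["state"] != "established" or (tcp and "ack" in p["flags"]))
            and (r["state"] != "setup" or (tcp and p["flags"] == {"syn"}))
            and (r["via"] is None or fnmatch.fnmatch(p["iface"], r["via"])))
def decide(rules, p):
    """First match wins. No match falls through to implicit rule 65535, assumed here to be 'allow' (stock Mac OS X default)."""
    for r in rules:
        if rule_matches(r, p):
            return r["num"], r["action"], r["log"]
    return 65535, "allow", False
def unreached(rules, packets):
    """Rule numbers that decided none of the sample packets: candidates for shadowed (dead) rules."""
    hit = {decide(rules, p)[0] for p in packets}
    return [r["num"] for r in rules if r["num"] not in hit]
```

Feeding it a handful of packets shows two things the rule list does not make obvious: inbound UDP matches no rule and falls through to the default allow, and rules 12180 and 12190 can never be reached because 12100 and 02050 decide every inbound and outbound TCP packet before them.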