|
|
10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
-rw-r--r-- 1 root admin 507 28 Jul 10:20 /Library/LaunchDaemons/ipfw_firewall.plist
10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Hi
What good are these permissions when the ipfw_firewall.plist you published in your hint outsources your firewall rules to: Can you explain to me the benefits of having your system's firewall rules trivially in your user space?
Really? To that end, it is obvious that the script ends on the line $IPFW -q /etc/ipfw.conf. If you had also bothered to read the ipfw manpage, you would realise that /sbin/ipfw -q /etc/ipfw.conf tells ipfw to load firewall rules in the configuration file that is in the path /etc/ipfw.conf, which is where you put all the text under the line: - and last but not least the /etc/ipfw.conf file looks like this:It even states: # Load rule set from /etc/ipfw.conf For info, the group ownership for the ipfw_firewall.plist file should really be with wheel, the same as the plists in /System/Library/LaunchDaemons/ and the /etc/ipfw.conf file should be owned by root, and only readable by root, no one else. It would also definitely be better to have the ipfw_firewall.sh somewhere within the /usr/local/ tree (maybe /usr/local/scripts/, or /usr/local/bin). Wait. Nevermind the firewall. You are using LaunchDeamons. Did you just give away root?
What? Or perhaps you would like to clarify to novice users that the /Users/blah account is somehow special (hint: not for daily use)? There is no need for sarcasm, especially when people are trying to help others - it's not nice is it?. Not everyone is as perfect as you seem to think you are, and everyone is hopefully learning something by coming along to Macosxhints. Stop being a smartass. Instead of calling someone out and slamming them for trying to help, consider highlighting issues that you see, adding what you perceive to be corrections, and thereby educating other people that might be reading this post. There is not always one correct way of doing things, and as such, people have differing opinions of achieving the same goal. If you want to flame people, there are a number of discussions at the moment on the OpenBSD Misc list that might suit you down to the ground. For info in the attached file, I notice that there is a rule detailed for: # ip-optionsI believe this has been fixed (see here) and I don't think this is necessary. All that aside, it is interesting that you can now run both ipfw and Apple's application firewall in tandem. This adds an extra layer of security (defence in depth) for those that wish to utilise it. Something to consider for those that are delving more into firewalls and layered security. There is a nice and short read here, though a little dated, on the subject of firewalls and highlights some concepts that are still very true. Bruce Schneier is also very insightful when it comes to security that is not just applicable to the world of IT. Mike
10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Gibberish.
Let us quote directly from the source:
- in my ~/bin directory the ipfw_firewall.sh looks like this:
#!/bin/sh
#
IPFW=/sbin/ipfw
...
The question was not: "How exactly did he 'give away root'?" (as you put it). The question was: "DID [he] just give away root?" (as I put it). So did he? And did you, if you implemented the hint as originally described (with vague ownership/permissions)? I wouldn't know. That would depend on: all of your daemon script-related ownership and permissions, which the "Sat, Dec 1 '07 10:40PM PST" post here asks to clarify. (And on: what websites he/you may have visited - that's just one possibility.) Since I respect the possibility that you might really be missing something, I will clarify.
NOTE: The issue here is entirely about ownership and permissions related to: ipfw_firewall.sh. It is very bad practice to have a script like this (in a user directory like ~/bin, or some other such vague directory with vague permissions) and have it modifiable possibly by anyone. Why? Because it will run as root (e.g. during boot time, via described launchd plist). If you, or Safari (or whatever) running as user, or anyone can arbitrarily write commands to such a script, then that anything can run as root upon execution of the script. Game over, if you'd like. A daemon script like the one described in this hint, running sysctl and ipfw (or whatever) with root permissions, should itself be modifiable only by root.
REF: tn2083.html
10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Thanks guys! Having the ipfw_firewall.sh script in ~/bin was too lazy of me.... I tend to keep my scripts in one place to be able to edit them easily... so I've updated the .plist for launchd and the script is now sitting in /usr/local/sbin with root:wheel permissions... |
SearchFrom our Sponsor...Latest Mountain Lion HintsWhat's New:HintsNo new hintsComments last 2 daysLinks last 2 weeksNo recent new linksWhat's New in the Forums?
Hints by TopicNews from Macworld
From Our Sponsors |
|
Copyright © 2014 IDG Consumer & SMB (Privacy Policy) Contact Us All trademarks and copyrights on this page are owned by their respective owners. |
Visit other IDG sites: |
|
|
|
Created this page in 0.05 seconds |
|