Configuring Jaguar's Firewall
Under the Hood
The ipfw packet filter included with Jaguar is the same firewall that ships with FreeBSD, and it can be run as a "stateful" firewall: rules written with keep-state and check-state track each connection and admit only the replies that belong to one. Be aware, though, that the rule set the Sharing preference pane writes (the one we listed above) contains no such rules; it is a plain port filter, and you only get connection tracking if you add keep-state rules yourself. Once set up properly, users are not aware that anything is going on -- a good place to be.
You may have noticed that next to FTP Access in the Firewall settings tab in Figure 2 above is a list of numbers in parentheses like "20-21 or 1024-65535 from 20-21." These are the ports on your computer through which FTP moves commands and files between two computers, which, in this case, are your home (bullit) and mobile (ripple) computers. FTP needs so many ports because it uses two connections: a control connection on port 21 (port 20 is reserved for the server's end of the data connection), and a separate data connection for every directory listing or file transfer. In active mode the server opens that data connection from its port 20 back to a high-numbered port (1024-65535) on the client; in passive mode the client connects to a high-numbered port that the server picks. That is exactly what the parenthetical says: allow connections to 20-21, or to 1024-65535 when they come from 20-21.
If "port" is a confusing concept, try thinking about the back of your computer as a colander used for draining spaghetti. Each hole (or port) has a number assigned to it. The various services use specific holes: a Web server listens on hole number 80, so when you browse the Web your browser connects to hole 80 on the other end; a POP mail server listens on hole 110, and so on. No big deal. Port numbers run from 0 to 65535, and TCP and UDP each have their own set -- this is one big colander.
Firewalls enforce a set of rules that allow or deny traffic through the holes. Again, a simple concept. In our example above we opened the FTP holes 20-21, and the output from ipfw list above is the list of rules that our System Preferences setup created. Note that a rule only matters for a hole that some service is actually listening on: if nothing is listening on a port, a connection to it is refused whether the firewall is on or not.
Packets are tested against the rules in ascending rule-number order, and the first rule that matches decides what happens to the packet, so the order of the rules matters. Rules have the general form:
[rule-number] [action: allow or deny] [log] [protocol: ip, tcp, udp or icmp]
from [source address [port]] to [destination address [port]] [options such as in, out, setup, established, via interface]
The first rule permits all traffic on the loopback interface (lo*), so programs on your own machine can always talk to each other:
02000 allow ip from any to any via lo*
This is not "allow everything": it matches only packets travelling via the loopback interface. The rules that follow close the holes we do not want open. Our choice of allowing FTP access shows up in rules 02070 and 02080: 02070 allows incoming connections to ports 20-21, and 02080 allows incoming connections to ports 1024-65535 when they come from ports 20-21, which is the pattern of an active-mode FTP data connection. The other rules restrict incoming access on the remaining ports while still letting you use those ports for outgoing connections and the replies to them. For example, we want to deny people the ability to browse Web files on our computer, but we still want to be able to browse other Web sites. The very last rule, 65535, is the kernel's built-in default and allows everything; the deny rules that System Preferences installs ahead of it are what actually block traffic, so removing them leaves the machine wide open.
There are a handful of other ipfw commands. ipfw add [rule] inserts a rule into the running kernel immediately; ipfw delete [rule-number] removes one; ipfw list prints the current rules, and ipfw show prints them with packet and byte counts. ipfw flush does not install anything -- it deletes every rule except the default rule 65535, which is useful for clearing the table before loading a fresh ruleset but leaves the machine wide open until the new rules go in. Two caveats: rules you add by hand live only in the kernel and are gone after a reboot unless a startup script reloads them, and ipfw writes nothing to the log unless the rule carries the log keyword and the sysctl net.inet.ip.fw.verbose is set to 1. Logged packets go to /var/log/system.log, where you can browse and search for rejected access attempts.
Advanced Configurations
So far we've seen that allowing access to specific services on specific ports is relatively straightforward with System Preferences. There are situations, though, where we need a more detailed setup than System Preferences allows.
For example, we might want to allow FTP access only from our computer at work, which has a fixed IP address such as 165.22.12.123. This requires allowing access from just that address and denying it to everyone else, a small modification to the example above. With a little thought, I am sure you can dream up many such situations.
System Preferences does not let you make such changes, but ipfw is more than capable of handling the most complicated situations. There are two ways to make these additions: modify the rules by hand, or use a shareware application that assists you. If the changes are simple and you are interested in turning the wrenches yourself, the manual route is for you; we have already mentioned the commands and manual pages that will get you started, and the resource links below describe more complicated setups and some scripts that automate them. Remember that a hand-built ruleset has to be reloaded at every startup, so put it in a script that runs at boot.
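As an added example (not code from the article, from Apple, or from BrickHouse), here is the "FTP from the work machine only" setup from the paragraph above written as a shell script, using only the ipfw commands covered under Under the Hood. The trusted address 165.22.12.123 and the assumption that this Mac is the FTP server come from the article's scenario; the rule numbers mirror the System Preferences layout so the two sets are easy to compare side by side with ipfw list.

```shell
#!/bin/sh
# Added example, not from the article: a hand-built ipfw ruleset for Jaguar
# that accepts FTP only from one trusted address (assumption: the work
# machine 165.22.12.123 from the article) and logs everybody else who tries.
# Syntax is that of the ipfw shipped with FreeBSD 4.x / Mac OS X 10.2.
set -f   # stop the shell from glob-expanding "lo*" when a rule is word-split

TRUSTED="${TRUSTED:-165.22.12.123}"

# ftp_ruleset TRUSTED_IP: print the rules, one "add ..." command per line, in
# the order ipfw evaluates them (lowest number first; the first match wins).
ftp_ruleset() {
    trusted=$1
    # Loopback is always allowed; a 127/8 address arriving on a real
    # interface is spoofed, so drop it.
    echo "add 02000 allow ip from any to any via lo*"
    echo "add 02010 deny ip from 127.0.0.0/8 to any in"
    echo "add 02020 deny ip from any to 127.0.0.0/8 in"
    # Anything this Mac starts may go out, and the replies may come back
    # ("established" = ACK or RST set, so it never matches a fresh SYN).
    echo "add 02050 allow tcp from any to any out"
    echo "add 02060 allow tcp from any to any established"
    # FTP control channel: new connections ("setup" = SYN only) to port 21,
    # but solely from the trusted host.
    echo "add 02070 allow tcp from $trusted to any 21 in setup"
    # Passive-mode data channel: the trusted client connects to a high port
    # our FTP server picks. Opening 1024-65535 to that one host is the price
    # of passive mode without a stateful FTP helper.
    echo "add 02075 allow tcp from $trusted to any 1024-65535 in setup"
    # Active-mode data channel for when this Mac is itself an FTP client:
    # the remote server dials back from its port 20 to one of our high ports.
    echo "add 02080 allow tcp from any 20 to any 1024-65535 in setup"
    # Everyone else knocking on port 21 is logged (to /var/log/system.log)
    # and refused; then all remaining inbound TCP is refused quietly.
    echo "add 02090 deny log tcp from any to any 21 in setup"
    echo "add 12190 deny tcp from any to any"
}

# apply_ruleset TRUSTED_IP: replace the kernel's rule table with the set
# above. Needs root. "-f" skips flush's "Are you sure?" prompt; the default
# rule 65535 survives a flush, so the machine is never left without rules,
# but it is wide open for the instant between the flush and the first add.
apply_ruleset() {
    ipfw -f flush
    ftp_ruleset "$1" | while read -r rule; do
        ipfw -q $rule      # unquoted on purpose: ipfw wants one argument per word
    done
    sysctl -w net.inet.ip.fw.verbose=1   # without this, "log" rules log nothing
    ipfw list
}

# Print by default; touch the kernel only when asked. Run "--apply" from a
# startup script as well, or the rules vanish at the next reboot.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset "$TRUSTED"
else
    ftp_ruleset "$TRUSTED"
fi
```

Run it without arguments to review the rules, then `sudo sh ftp-rules.sh --apply` to load them. Like the System Preferences set, this filters only TCP; UDP and ICMP fall through to the default allow rule, so extend it if you run UDP services. The allow for the trusted host (02070) sits ahead of the logging deny (02090) on purpose: ipfw stops at the first match, so swapping those two numbers would silently lock the work machine out too.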
If you're like me and want a good understanding of how things work, there is a great shareware application called BrickHouse by Brian Hall. BrickHouse provides an intuitive, full-featured interface to ipfw while still tapping the industrial-strength firewall and taking advantage of the features available in Jaguar. BrickHouse works very well for basic and advanced configurations. It installs a startup script so that ipfw starts up when your computer does, thus immediately enabling security. BrickHouse also provides a useful interface to the ipfw log files so that you can see who is knocking on your door (or colander ;) ).
A detailed feature description of BrickHouse is beyond the scope of this article, but it is free for evaluation and is a bargain at $25 if you continue using it. In addition to browsing the resources below, a great way to learn about ipfw is to use an application like BrickHouse (or System Preferences) to configure a set of rules and then look at the resulting rules with ipfw list, as we have done above. This will get you going and satisfy the "need to know."
Final Thoughts
Jaguar contains a highly functional, time-tested firewall just waiting to be used. Don't let it go to waste. Exploit the underlying power of Jaguar to your advantage by creating a secure environment and providing remote computer-to-computer access that will make your computing life fun and easy. There are countless possible configurations, ranging from using your Mac as a public or private Web server to running your own mail server or remotely controlling your Mac via Secure SHell (SSH) access.
It's important to keep in mind, however, that despite all of the press on firewall security, a firewall is not a complete solution. It decides who may connect to your services; it does nothing for the traffic you have chosen to let through. Classic FTP and POP, for instance, send your username and password in clear text, so when you retrieve mail or transfer files from your laptop on the road, anyone on the same network segment or anywhere along the path can peek into the fast-moving river of data and pick out lines that look like:
USER cochella
PASS fido
A firewall can't protect you if someone gets hold of your username and password this way. The cure is an encrypted protocol: SSH, which is also included with Jaguar, encrypts the whole session including the login, and its sftp and scp tools do the file-transfer job that FTP does in the clear. Keep your eyes open for future MacDevCenter articles on SSH.
Resources
- Apple's Internet Developer Article on Security
- "Setting up Firewall Rules on Mac OS X 10.2"
- "Protecting Your Private Network Using FreeBSD"
- Vicomsoft Firewall Q&A
Chris Cochella currently works as an Internet Programmer and Information Architect for StreamCapture, LLC, an Internet applications and Web services development company.
-
MySQL connection etc
2003-03-27 19:58:49 anonymous2
What about other IP services that a user might have running on a machine?
Will MySQL connections be allowed on OS X 10.2 if I turn the standard firewall on? If not, how do I go about allowing connections on this specific port too?
Many thanks for an informative article.
-
Where does Jaguar store its FW settings?
2003-01-17 08:18:12 anonymous2
I posted the previous question about where Jaguar stores its firewall settings.
As guessed it was a plist.
I now have the answer as to where it is:
/Library/Preferences/com.apple.sharing.firewall.plist
Also I forgot to thank the author for his article in my previous question.
Thanks for a great article.
-
Where does Jaguar firewall store config info
2003-01-16 09:29:35 anonymous2
I was wondering if you could tell me where Jaguar stores the config info for the firewall settings set in the Sharing pane of the System Preferences?
I know how to use ipfw, but I'd like to see if it's possible to manually edit the firewall config in the same place as Jaguar stores it.
I was thinking there'd be some XML somewhere, but I haven't been able to find it.
Any suggestions?
-
Filter packets by MAC addres
2003-01-15 07:32:02 mfuortes
Nice article!!
I was wondering if you know of a way to filter packets by MAC address. What I'm trying to do is to reproduce the functionality of the AirPort base station that allows only specific computers with a certain MAC address to connect.
It seems in some of the man pages of ipfw2 that the MAC option is present, but not in Apple's ipfw. Could you help?
-
Can Brickhouse help protecting a small network?
2003-01-12 11:31:45 anonymous2
Hello everyone,
I have been reading your super article on Firewalls. I liked it very much. However, newbie as I am in the sys admin arena (not in the engineering arena), I have a scenario where I would like to install a firewall. Could you please let me know if it's feasible? Here we go:
I have a bunch of computers at the company which are linked together to the Internet via a router. So far, everything works fine because Mac OS 9 cannot be hacked as easily as other systems. In a couple of weeks, we're moving to Mac OS X, and suddenly the game changes.
I would like to create a firewall to stop potential intruders, and I thought that perhaps BrickHouse could help me here. We don't have many consultants who know OS X in Barcelona, Spain, so I have to look for help elsewhere.
Could you please let me know what I can do, or how I should put BrickHouse to work in such a scenario? I've heard that some people on other OSs use a PC with two NICs and a virtual IP table with a list of allowed IPs that have been granted access to the protected network. Can BrickHouse simplify this situation? Do you have any suggestions?
Thank you very much. Your help is *amazingly* appreciated.
Regards.
-
Can Brickhouse help protecting a small network?
2003-01-15 07:55:20 cochella
There are multiple scenarios that you might find useful (more than I represent here). I am also assuming that the computers behind the firewall are not offering any network services like FTP, HTTP, etc.
1. One possibility is to configure the firewall on each computer with Brickhouse or otherwise. However, that is a lot of work to configure and maintain many machines.
2. Brickhouse could be used to configure the firewall of one machine that might be acting as a router (separate software) for the other computers on your network that sit "behind" this router/firewall. This computer should probably be dedicated to this task.
3. Purchase a router/firewall product. A good product line is Netopia (www.netopia.com; Mac and PC friendly). I have experience with the R9100 series (~$400 new; $200 used) which has a built-in firewall, router and 8 port hub. You can dangle another hub off of that to accommodate more computers. The firmware is upgradeable. The tech support costs some money but it is good. The product is stable and relatively easy to configure via a terminal or through a Web-page interface. In addition, two Netopia R9100s can be remotely linked together to form a virtual private network which is kind of handy if you have two offices.
In my opinion, whatever solution you choose, it should act like an appliance--do one or two tasks and that is it. Therefore, option 3, or something like it would be your most reliable and easiest solution.
Best regards,
Chris
-
rc.firewall ?
2003-01-07 01:39:57 anonymous2
Is there an /etc/rc.firewall equivalent in Mac OS X? (i.e.: a startup script that brings up the firewall on boot) And if so, is it compatible with a FreeBSD one? (especially, does it support stuff like check-state, xmit/recv et al?) I'm considering switching to an Apple machine, and discovering that there's ipfw inside was a very nice surprise.
thanks
-
rc.firewall ?
2003-01-07 07:30:44 cochella
Yes there is. You can create your own rc.firewall script and set it to startup when you boot the machine. Brickhouse will also create a script and insert the necessary items into the appropriate places for startup.
Rather than rewrite the instructions, please read the following article for a good description of this process:
http://www3.sympatico.ca/dccote/firewall.html#startup
Thanks!
Chris
-
Wrong Title?!
2003-01-06 02:28:52 anonymous2
What I expected when I read the title "...Jaguar's Firewall" is a hint for configuring the firewalls plist "/Library/Preferences/com.apple.sharing.firewall.plist". The article is a good explanation for beginners in ipfw but doesn't cover the changes in Jaguar.
BTW: You don't mention that all manual changes are gone it you restart the Mac...
-
Question about firewalls and Sharing
2003-01-04 22:20:18 ishafe
In the 'Sharing' section of my System Preferences I have all my services turned off in the 'Services' tab and no ports open in the 'Firewall' tab.
When I do a 'ipfw -list' it says '65535 allow ip from any to any'.
When I try to connect to any port (via telnet) I get a connection refused message (which is what I want).
My question is how are these ports blocked? It seems like it's not the firewall, since it says all ports are open from all.
-
Question about firewalls and Sharing
2003-01-05 14:11:03 cochella
You are receiving "Connection refused" because you have the telnet service turned off.
I just went through a test configuration where I turned FTP Access on and the firewall off (only the default rule 65535 was installed). I had no problem connecting. This illustrates that outside access is available!
I then turned the FTP Access off while leaving the firewall off and I was refused connection. The refusal is coming from the FTP service NOT responding.
In a sense, by not allowing any services, there are no services to protect against misuse. However, it would not hurt to turn your firewall on. If you choose to offer no outside access then the configuration is relatively simple. The complications (and fun) come into play when you want to allow outside access for some services but not others and then allow access to certain computers.
I hope this helps.
Best regards,
Chris
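The check behind this exchange, as an added example that is not part of the article or of anyone's post in this thread: a port is reachable only if a service is listening on it *and* the firewall admits it, and the two questions are answered by two different tools. The script pairs netstat's listener list with the inbound allow rules from ipfw list. The sample outputs are constructed in the shapes those commands produce on Mac OS X 10.2 and include a MySQL listener on 3306, so it also answers the MySQL question earlier in the thread: with the standard firewall on, 3306 is listening but blocked until you add an allow rule for it.

```shell
#!/bin/sh
# Added example, not from the article or this thread: decide which TCP
# services on a Mac are really reachable by pairing what is *listening*
# (netstat) with what the firewall *admits* (ipfw list). The two samples
# are constructed in the output shapes of "netstat -an -f inet" and
# "ipfw list" on Mac OS X 10.2; on a real machine feed in the live output.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  10.0.1.5.49152         165.22.12.123.21       ESTABLISHED'

SAMPLE_IPFW='02000 allow ip from any to any via lo*
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 20-21 in
02080 allow tcp from any 20-21 to any 1024-65535 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# listening_ports: ports of LISTEN sockets bound on every interface ("*.PORT").
# A socket bound only to 127.0.0.1 is skipped: nobody outside can reach it anyway.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, "."); if (a[1] == "*") print a[n] }'
}

# inbound_allow_ports: destination port (or range) of every "allow tcp ... in"
# rule with an unrestricted source, i.e. what the whole world may connect to.
# Rules with a source port (02080 above) are deliberately excluded.
# Simplification: assumes the allows precede the catch-all deny, as in the
# System Preferences set; a deny placed earlier would not be noticed.
inbound_allow_ports() {
    awk '$2 == "allow" && $3 == "tcp" && $NF == "in" {
             for (i = 4; i < NF; i++) if ($i == "from") break
             if ($(i+1) == "any" && $(i+2) == "to" && $(i+4) ~ /^[0-9]+(-[0-9]+)?$/) print $(i+4)
         }'
}

# port_allowed PORT [PORT-OR-RANGE ...]: succeed if PORT is covered by any of them.
port_allowed() {
    port=$1; shift
    for r in "$@"; do
        case $r in
            *-*) lo=${r%-*}; hi=${r#*-} ;;
            *)   lo=$r;      hi=$r ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# exposure_report NETSTAT_TEXT IPFW_TEXT: one line per world-facing listener
# with the firewall's verdict. "Listening" alone does not mean reachable, and
# with the firewall off it is the only thing standing between you and the net.
exposure_report() {
    allowed=$(printf '%s\n' "$2" | inbound_allow_ports)
    printf '%s\n' "$1" | listening_ports | while read -r p; do
        if port_allowed "$p" $allowed; then
            echo "$p reachable (listening, allowed by firewall)"
        else
            echo "$p blocked (listening, no inbound allow rule)"
        fi
    done
}

exposure_report "$SAMPLE_NETSTAT" "$SAMPLE_IPFW"
```

On a real Jaguar machine replace the two samples with `netstat -an -f inet` and `ipfw list` output. The report for the sample says 21 is reachable and 3306 is blocked; the CUPS listener on 127.0.0.1:631 and the outgoing FTP session are correctly ignored, since neither can be reached from outside regardless of the firewall.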
-
Configuring Jaguars Firewall
2003-01-02 07:07:15 anonymous2
This article was great. The article was especially good at hitting the basics. The author did not gloss over facts that the basic mac user may not be familiar with.
-
"ipfw flush" -- I do not think that means what you think it means
2002-12-30 14:47:15 anonymous2
The "flush" command doesn't install new rules, it deletes all installed rules!
-
"ipfw flush" -- I do not think that means what you think it means
2003-01-05 14:13:51 cochella
My use of "ipfw flush" was not clear.
"ipfw flush" deletes all rules except the default. The message I meant to convey was that a user can remove existing rules prior to installation of a new ruleset.
My apologies for any miscommunication.
Best regards,
Chris
-
Brickhouse Firewall
2002-12-28 19:59:41 anonymous2
A review of the version tracker listing for Brickhouse indicates that it works with OS 10.1.x or lower. Is there a new version for Jaguar? However, there is a shareware program called The Moose's Apprentice ($15) by Wunder Moosen (www.wundermoosen.com) that works under 10.2.x.
thanks again!
Ralph