Tiger's Improved Firewall (and How to Use It)
There are Bugs
Best to get this over with. There were bugs in the old firewall and there are bugs in the new firewall. These are new bugs in the new features, and I'm sure that someone is beavering away to get them fixed (some people get all the fun jobs). They affect how we can use the firewall but, at least with the ones that I have found, they do not compromise the firewall.
First, the bug when enabling a set. The problem is that the first command needs to be a disable. So I actually issued the following command:
$ sudo ipfw set disable 12 enable 4
On my computer, set 12 has no rules in it, so I can disable it all I want. That gets around the enable bug. Ugly and annoying yes, but we can live with it.
If you read the man page for the firewall (man ipfw), you'll notice that you should be able to delete sets of rules and move rules in and out of different sets. First let's try and delete a set of rules:
$ sudo ipfw delete set 4
ipfw: rule 4: setsockopt(IP_FW_DEL): Invalid argument
Obviously someone has yet to get round to coding that up, so you can't delete sets. Just disable the set and then delete each rule individually. Inconvenient but not fatal. One thing to watch: once a set is disabled, a plain ipfw list no longer shows its rules. Use ipfw -S list instead, which lists disabled rules as well and prints the set each rule belongs to, so you can see which rule numbers still need deleting.
However this move is one to avoid:
$ sudo ipfw set move rule 60000 to 13
This should move rule 60000 from its existing set into set 13. No such luck, rule 60000 just disappears. In effect this is a strange syntax for a delete. Avoid this one, as you will lose rules from your firewall if you use it. If you want to experiment with sets anyway, save a copy of the current rules first (sudo ipfw list redirected to a file) so that anything that vanishes can be re-added. Now that you know about these bugs, they should not bite you.
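The two workarounds above (disable an empty set in the same command to get enable working, and disable-then-delete-rule-by-rule in place of the missing delete set) are easy to get wrong by hand, so here is a small set of shell helpers that do them with the checks I would want. This is an added example, not code from the article; it assumes that ipfw -S list prints one rule per line in the form "NNNNN set S <action> ...", and it refuses to use a spare set that is not empty or to delete a rule number that also exists in another set (ipfw delete N removes every rule numbered N). With DRY_RUN set, the ipfw commands are printed rather than run, so the logic can be checked without root or a firewall.

```shell
#!/bin/sh
# Helpers for ipfw2 sets on Tiger.  Source this file, then pipe the output of
# "ipfw -S list" into enable_set or delete_set (see the usage comment at the
# end).  Assumed listing format: "NNNNN set S <action> ..." one rule per line.

IPFW=${IPFW:-"sudo ipfw"}

# Run an ipfw command, or just print it when DRY_RUN is set.
ipfw_run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPFW $*"
    else
        $IPFW "$@"
    fi
}

# rules_in_set SET: read "ipfw -S list" on stdin, print the distinct rule
# numbers that belong to SET, one per line, ascending.
rules_in_set() {
    awk -v want="$1" '$2 == "set" && $3 == want { print $1 + 0 }' | sort -nu
}

# shared_rule_numbers SET: rule numbers that exist in SET and in some other
# set as well.  "ipfw delete N" removes every rule numbered N, so deleting
# these would silently take rules from the other sets with them.
shared_rule_numbers() {
    awk -v want="$1" '
        $2 == "set" {
            n = $1 + 0
            if (!((n, $3) in seen)) { seen[n, $3] = 1; nsets[n]++ }
            if ($3 == want) inwant[n] = 1
        }
        END { for (n in inwant) if (nsets[n] > 1) print n }
    ' | sort -nu
}

# enable_set SET SPARE: issue "set disable SPARE enable SET" as one command
# (the bare enable fails).  SPARE must hold no rules, e.g. set 12 above;
# the function checks that against the listing on stdin before touching it.
enable_set() {
    listing=$(cat)
    if [ -n "$(printf '%s\n' "$listing" | rules_in_set "$2")" ]; then
        echo "set $2 is not empty; choose another spare set" >&2
        return 1
    fi
    ipfw_run set disable "$2" enable "$1"
}

# delete_set SET: disable SET, then delete its rules one number at a time.
# The listing on stdin must come from "ipfw -S list": without -S the rules
# of a disabled set are not shown at all.
delete_set() {
    listing=$(cat)
    shared=$(printf '%s\n' "$listing" | shared_rule_numbers "$1")
    if [ -n "$shared" ]; then
        echo "refusing: rule number(s) $(printf '%s\n' "$shared" | tr '\n' ' ')also exist in other sets" >&2
        return 1
    fi
    ipfw_run set disable "$1"
    for n in $(printf '%s\n' "$listing" | rules_in_set "$1"); do
        ipfw_run delete "$n"
    done
}

# Usage on a real system (export DRY_RUN=1 first to see what would be run):
#   . ./ipfw-sets.sh
#   sudo ipfw -S list | enable_set 4 12
#   sudo ipfw -S list | delete_set 4
```

The refusal in delete_set is the important part: ipfw2 lets the same rule number live in several sets, and the article's per-rule deletion would otherwise remove those twins from sets you meant to keep.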
Logging Firewall Usage to ipfw.log
In the old firewall, you just had to enable net.inet.ip.fw.verbose and all the rules flagged with a log statement would start writing their output to /var/log/system.log. A quick change in /etc/syslog.conf, and our log lines would be written out to /var/log/ipfw.log. Well, that has all changed, ipfw2 now has its own logger process and the syslog.conf file supplied with Tiger is set up correctly to log to /var/log/ipfw.log.
If you are using the firewall as supplied by Tiger, then the Firewall pane under Sharing in System Preferences now has an Advanced button that will allow you to turn on logging, plus a couple of other small security features. However if we have written our own rules, then the Firewall pane will be unavailable and we will have to turn this on ourselves:
$ sudo /usr/libexec/ipfwloggerd
$ sudo sysctl -w net.inet.ip.fw.verbose=2
To disable logging we just need to set net.inet.ip.fw.verbose to 0. There is no real harm in leaving ipfwloggerd running, although you would not want more than one copy of it, which is what you will get if you run the ipfwloggerd line repeatedly. Check with ps ax | grep '[i]pfwloggerd' before starting it again.
Final Thoughts
ipfw2 improves upon the previous version and introduces some new features, some of which actually work. Sets may not seem a big deal, but they are very useful for managing your firewall. If you go through the man page, you will see many convenient extensions to the rule syntax that make setting up a firewall less verbose. These can make a great deal of difference to how understandable your rules are and therefore how likely you are to notice any mistakes you might have made.
Editor's note: This article is current as of Mac OS X 10.4.2. On the day that I was editing it, Apple released Mac OS X 10.4.3. From what I can tell, there aren't any changes to the Firewall in this update. But if you notice something, please note it in the Talkbacks below to assist other readers. You also might want to read Peter's Exploring the Mac OS X Firewall. It covers the Panther version of the software, but still has some good general info.
Peter Hickman is currently working as a programmer for Semantico, which specializes in online reference works and Access Control Systems. When not programming or reading about programming he can be found sleeping.
-
Tamper resistant ports on OSX Server 10.4.x
2005-11-02 12:41:24 axafluff [Reply | View]
I have tried to close the following ports through Server Admin but it always opens them. Anybody know why and how to do it?
106/tcp open 3com-tsmux
311/tcp open asip-webadmin
625/tcp open dec_dlm
Thanks!
-
Why you need DoorStop X & Who's There Firewall Advisor on Mac OS X
2005-11-02 11:23:46 ak2consulting [Reply | View]
Check out the above tools to make OS X firewalls and port access control intelligible
http://www.opendoor.com/doorstop/DoorStopComparison.html
-
Disable firewall for the local network
2005-11-02 08:26:09 helgegrimm [Reply | View]
How do I configure the firewall if I want to disable it for the local network only?
I would like to be able to use the web server, ssh and file sharing from all other computers in the house, but prevent anyone else from connecting to these services.
-
Disable firewall for the local network
2005-11-03 08:50:07 salamon [Reply | View]
With ipfw you wouldn't disable the firewall for 'the local network'. Instead you would leave the firewall enabled but write rules that only allowed traffic from the local network. Learning to use ipfw rules syntax is a bit difficult.
Below is a sample of the rules I use, but they're probably not much use if you don't already know how to write them :( In addition once you start writing your own rules you can no longer use the System Preferences pane to manage the firewall. At least that's how it worked pre-Tiger. One more caveat and addendum is that I'm not an expert in this, I just played around with it until I got the behavior I wanted.
These rules would allow anyone on your network to access the web server but block anyone else, if your network used the 192.168.0.x subnet. It would also log any attempts to access it from outside your network.
$oip is your external ip address, probably something like 192.168.0.2, in this example.
ipfw add allow tcp from 192.168.0.0/24 to $oip 80,443 setup
ipfw add deny log tcp from any to $oip 80,443 setup
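Since the two rules above are the pattern for the original question (open a few services to the house network, log and refuse everyone else), here is a small generator for that pattern as an added example; it is not salamon's or the article's code. It takes the subnet, this machine's address and a comma-separated TCP port list, and emits the allow-then-deny pair with rule numbers 1000 and 1100, which are my choice and only need to sit before any catch-all rule you already have. The ports in the usage line are assumptions for the services in the question: 22 for ssh, 80 and 443 for the web server, 548 for AFP file sharing.

```shell
#!/bin/sh
# lan_only_rules LAN OIP PORTS: print ipfw rules that accept new TCP
# connections to PORTS on OIP only from LAN, and log-and-deny the rest.
# Usage (review the output, then run it):
#   lan_only_rules 192.168.0.0/24 192.168.0.2 22,80,443,548 | sudo sh -e
lan_only_rules() {
    lan=$1      # subnet allowed in, in CIDR form, e.g. 192.168.0.0/24
    oip=$2      # this machine's address on that subnet
    ports=$3    # comma-separated TCP ports, e.g. 22,80,443,548
    case "$lan" in
        */*) ;;
        *) echo "lan must be a CIDR block such as 192.168.0.0/24" >&2; return 1 ;;
    esac
    case "$ports" in
        "" | *[!0-9,]*) echo "ports must be a comma-separated list of numbers" >&2; return 1 ;;
    esac
    # ipfw stops at the first matching rule, so the allow must precede the
    # deny.  "setup" matches only the SYN that opens a connection: replies to
    # connections this host opened itself are never touched by either rule.
    echo "ipfw add 1000 allow tcp from $lan to $oip $ports setup"
    echo "ipfw add 1100 deny log tcp from any to $oip $ports setup"
}
```

Because both rules carry "setup", traffic on other ports and everything this host initiates keeps passing through whatever rules follow, so adding this pair does not lock you out of anything else.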
-
firewall doesn't work with internet sharing
2005-11-01 17:28:37 jdb8167 [Reply | View]
The default rules that are enabled when you turn on internet sharing don't work very well. I installed a second ethernet card in my G4 that I use as a server/router. When I turn on internet sharing the outbound connections from other computers on my local network don't seem to work. The outbound connections seem to lose state information and the return traffic doesn't make it through the firewall. I've been meaning to learn the rules syntax but I haven't had much time recently. What I've done is just open the firewall to inbound traffic on any relevant port such as 80, 25, 110 etc. This isn't a great solution but on OS X it probably isn't too dangerous since there are no services running on those ports by default.
Also, I would love to know how to set up the NAT to allow inbound routing to a machine on my local network. I had the same problem with very dense documentation that might or might not apply to OS X.
I did try an application called Brickhouse but it didn't seem to do any better with either task.
In 10.4 Server the GUI firewall settings made in Server Admin are only being set for IPv4 addressing. The ip6fw firewall is not set by default.
You can turn off IPv6 networking in the Network control panel. Turn it off for each network interface.