MacSmoke

Q: Blocking ICMP Ping INBOUND +Firewall Rules for IPFW

WaterRoof and NoobProof are two firewall configuration tools available for Mac OS X.

 

Mac OS X 10.4 and 10.5 come with an integrated kernel-level network firewall called "ipfw" version 2. It is the same firewall as in FreeBSD 6.

In Mac OS X 10.4 the firewall preference pane is very poor.

In Mac OS X 10.5 the firewall preference pane is related to "Appfirewall" and not "ipfw".

 

Appfirewall is the new application firewall in Leopard.

In Mac OS X 10.5 the "ipfw" network firewall is still there and is the same as "ipfw" in Mac OS X 10.4.

Mac OS X 10.6 and Mac OS X 10.5 use the same firewall.

 

There are other posts on this forum with people asking basic questions like "How do I block my Ping reply!"

 

None of the other answers looked total or complete so I decided I would help anyone else out that wants to learn how, by showing you my IPFW firewall configuration.

 

-------- BELOW THIS LINE --------

 

add 01000 allow ip from any to any via lo*

add 01100 deny ip from 127.0.0.0/8 to any in

add 01200 deny ip from any to 127.0.0.0/8 in

add 01300 deny ip from 224.0.0.0/3 to any in

add 01400 deny tcp from any to 224.0.0.0/3 in

add 01500 allow tcp from any to any out

add 01600 allow tcp from any to any established

add 01700 allow icmp from any to any icmptypes 0,3,8,11

add 01800 deny icmp from any to any

add 01900 deny tcp from any to any tcpflags syn,fin

add 01910 deny tcp from any to any tcpflags syn,rst

add 01920 deny tcp from any 0 to any

add 01930 deny tcp from any to any dst-port 0

add 01940 deny udp from any 0 to any

add 01950 deny udp from any to any dst-port 0

add 01960 deny ip from 224.0.0.0/4 to any in

add 01970 deny ip from 0.0.0.0/8 to any

add 33300 deny icmp from any to me in icmptypes 8

add 65534 deny tcp from any to any

add 65535 allow ip from any to any

 

-------- ABOVE THIS LINE --------

 

Simply copy and paste the above into a text file in your Documents folder. This can then be imported directly into WaterRoof.

 

WaterRoof is a very complex and powerful tool, which allows you to configure almost every aspect and option of "ipfw". And more, you can list/manage active connections or network files, do graphical log analysis, configure your Mac as a router with bandwidth management with stateful rules and tons of other options. You need a good knowledge of "what a firewall is", and you should also have at least a basic ipfw knowledge. WaterRoof is a tool for experienced network administrators and is available as open source.

 

The rule that blocks Ping replies is listed as (33300) deny icmp from any to me in icmptypes 8

 

This has the same effect as going into System Preferences - Security - Firewall - Advanced and clicking "Enable Stealth Mode".

 

Only some of these Firewall Rules are a little bit more in Depth than that!

MacBook, Mac OS X (10.5.8)

Posted on Feb 8, 2014 3:21 PM
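As an added check that is not part of the post, a small first-match simulator for the IP and ICMP rules quoted above: ipfw tries rules in ascending number and the first hit decides, so it shows which rule an inbound echo request actually lands on. The address 192.0.2.10 standing in for "me", the interface name and the sample packet are constructed for the example.

```python
import fnmatch
import ipaddress

# IP- and ICMP-level rules copied from the post (tcp/udp rules can never match ICMP).
RULESET = """
add 01000 allow ip from any to any via lo*
add 01100 deny ip from 127.0.0.0/8 to any in
add 01200 deny ip from any to 127.0.0.0/8 in
add 01300 deny ip from 224.0.0.0/3 to any in
add 01700 allow icmp from any to any icmptypes 0,3,8,11
add 01800 deny icmp from any to any
add 01960 deny ip from 224.0.0.0/4 to any in
add 01970 deny ip from 0.0.0.0/8 to any
add 33300 deny icmp from any to me in icmptypes 8
add 65535 allow ip from any to any
"""
ME = ipaddress.ip_address("192.0.2.10")  # constructed address standing in for "me"

def parse(line):
    """Parse 'add NUM ACTION PROTO from SRC to DST [in|out] [via IF] [icmptypes L]'."""
    t = line.split()
    opt = t[8:]
    return {"num": int(t[1]), "action": t[2], "proto": t[3], "src": t[5], "dst": t[7],
            "dir": next((w for w in opt if w in ("in", "out")), None),
            "via": opt[opt.index("via") + 1] if "via" in opt else None,
            "icmptypes": ({int(x) for x in opt[opt.index("icmptypes") + 1].split(",")}
                          if "icmptypes" in opt else None)}

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or ipaddress.ip_address(addr) == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["dir"] in (None, pkt["dir"])
            and (rule["via"] is None or fnmatch.fnmatch(pkt["iface"], rule["via"]))
            and (rule["icmptypes"] is None or pkt.get("icmptype") in rule["icmptypes"]))

def first_match(rules, pkt):
    """ipfw semantics: rules are tried in ascending number; the first hit decides."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["num"], rule["action"]

RULES = [parse(l) for l in RULESET.strip().splitlines()]
# Constructed packet: an echo request (ICMP type 8) from outside arriving on en0.
ECHO_REQUEST_IN = {"proto": "icmp", "src": "203.0.113.5", "dst": "192.0.2.10",
                   "dir": "in", "iface": "en0", "icmptype": 8}
```

Because rule 01700 allows icmptypes 0,3,8,11 between any addresses in either direction, the simulator returns (1700, 'allow') for the inbound type 8 packet; rule 33300 is only consulted for traffic that no lower-numbered rule matched. When auditing a first-match ruleset, check for this kind of shadowing by ordering the specific deny before the broad allow.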


  • MacSmoke, Feb 8, 2014 3:55 PM in response to MacSmoke
    Level 1 (0 points)

    I see some really bloated rule sets out there and I am left shaking my head going "no!" The only rules you need to stop nasties are the ones I currently have. Do not add random blocks to "UDP" on service ports like 53, which is for DNS (Domain Name Service), or you will turn your internet off!


    It's easier to just click stealth mode enabled, fire up WaterRoof, click clear all previous rules, import the rules from text and apply the rules.

     

    Then as an added preference, if you don't want 120 MB of disk space to be chewed up every time your firewall blocks something and logs it, you can just disable the log file...

     

    Firewalls on BSD & Linux are very much Configure & Forget!

     

    You really don't have to sit there watching them like a "Hawk!"


    And if it's already set up to block the bad stuff, watching the blocked stuff just leads to paranoia!

     

    Then you end up blocking random stuff, that you actually need.

     

    Caution when messing with firewall settings!