Q: Blocking ICMP Ping INBOUND +Firewall Rules for IPFW
WaterRoof and NoobProof are two firewall configuration tools available for Mac OS X.
Mac OS X 10.4 and 10.5 come with an integrated kernel-level network firewall called "ipfw" version 2. It is the same firewall as in FreeBSD 6.
In Mac OS X 10.4 the firewall preference pane is very poor.
In Mac OS X 10.5 the firewall preference pane is related to "Appfirewall" and not "ipfw".
Appfirewall is the new application firewall in Leopard.
In Mac OS X 10.5 the "ipfw" network firewall is still there and is the same as "ipfw" in Mac OS X 10.4.
Mac OS X 10.6 and Mac OS X 10.5 use the same firewall.
There are other posts on this forum with people asking basic questions like "How do I block my Ping reply!"
None of the other answers looked total or complete so I decided I would help anyone else out that wants to learn how, by showing you my IPFW firewall configuration.
-------- BELOW THIS LINE --------
add 01000 allow ip from any to any via lo*
add 01100 deny ip from 127.0.0.0/8 to any in
add 01200 deny ip from any to 127.0.0.0/8 in
add 01300 deny ip from 224.0.0.0/3 to any in
add 01400 deny tcp from any to 224.0.0.0/3 in
add 01500 allow tcp from any to any out
add 01600 allow tcp from any to any established
add 01700 allow icmp from any to any icmptypes 0,3,8,11
add 01800 deny icmp from any to any
add 01900 deny tcp from any to any tcpflags syn,fin
add 01910 deny tcp from any to any tcpflags syn,rst
add 01920 deny tcp from any 0 to any
add 01930 deny tcp from any to any dst-port 0
add 01940 deny udp from any 0 to any
add 01950 deny udp from any to any dst-port 0
add 01960 deny ip from 224.0.0.0/4 to any in
add 01970 deny ip from 0.0.0.0/8 to any
add 33300 deny icmp from any to me in icmptypes 8
add 65534 deny tcp from any to any
add 65535 allow ip from any to any
-------- ABOVE THIS LINE --------
Simply copy and paste the above into a text file in your Documents folder. This can then be imported directly into WaterRoof.
WaterRoof is a very complex and powerful tool, which allows you to configure almost every aspect and option of "ipfw". And more, you can list/manage active connections or network files, do graphics log analysis, configure your Mac as a router with bandwidth management with stateful rules and tons of other options. You need a good knowledge of "what a firewall is", and you should also have at least a basic ipfw knowledge. WaterRoof is a tool for experienced network administrators and is available as OpenSource.
The connection that blocks Ping replies is listed as (33300) deny icmp from any to me in icmptypes 8
This has the same effect as going into System Preferences - Security - Firewall - Advanced and clicking "Enable Stealth Mode".
Only some of these Firewall Rules are a little bit more in Depth than that!
MacBook, Mac OS X (10.5.8)
Posted on Feb 8, 2014 3:21 PM
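ipfw checks rules in ascending number order and stops at the first allow or deny that matches, so a rule's position decides whether a packet ever reaches it. The following added example (not part of the original post) is a small Python model of that first-match walk over the ICMP-capable rules listed above; the host address, the sample packets and the rule number 01650 are constructed for illustration.

```python
import fnmatch
import ipaddress

# Rules from the post that can match ICMP (proto ip or icmp); tcp/udp rules omitted.
RULES = """\
add 01000 allow ip from any to any via lo*
add 01100 deny ip from 127.0.0.0/8 to any in
add 01200 deny ip from any to 127.0.0.0/8 in
add 01300 deny ip from 224.0.0.0/3 to any in
add 01700 allow icmp from any to any icmptypes 0,3,8,11
add 01800 deny icmp from any to any
add 01960 deny ip from 224.0.0.0/4 to any in
add 01970 deny ip from 0.0.0.0/8 to any
add 33300 deny icmp from any to me in icmptypes 8
add 65535 allow ip from any to any
"""
ME = "192.0.2.10"  # constructed address standing in for "me"

def addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(t, pkt):
    # t = [action, proto, "from", src, "to", dst, *options]
    opts = t[6:]
    if t[1] not in ("ip", pkt["proto"]):
        return False
    if not (addr_ok(t[3], pkt["src"]) and addr_ok(t[5], pkt["dst"])):
        return False
    if any(d in opts and pkt["dir"] != d for d in ("in", "out")):
        return False
    if "via" in opts and not fnmatch.fnmatch(pkt["iface"], opts[opts.index("via") + 1]):
        return False
    if "icmptypes" in opts:
        return str(pkt["icmptype"]) in opts[opts.index("icmptypes") + 1].split(",")
    return True

def first_match(pkt, rules=RULES):
    """Return (rule number, action) of the first rule the packet hits."""
    parsed = sorted((int(ln.split()[1]), ln.split()[2:]) for ln in rules.splitlines())
    return next((num, t[0]) for num, t in parsed if matches(t, pkt))

# Constructed packets: a ping arriving on en0 and a ping this host sends.
PING_IN = dict(proto="icmp", icmptype=8, dir="in", iface="en0", src="198.51.100.7", dst=ME)
PING_OUT = dict(PING_IN, dir="out", src=ME, dst="198.51.100.7")
# Hypothetical renumbering (01650 is not in the post): same deny, ahead of 01700.
REORDERED = RULES.replace("add 33300", "add 01650")

print(first_match(PING_IN), first_match(PING_IN, REORDERED), first_match(PING_OUT, REORDERED))
```

With the list as posted, the inbound echo request is accepted by rule 01700 before rule 33300 is consulted; with the deny numbered ahead of 01700 it is dropped while outbound pings still pass.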