Firewall Allow all traffic on lan

Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

Powermac G5 Quad, MacBook, iBook, Mac Mini, and iMac, Mac OS X (10.5), Mac OS X Server 10.5

Posted on Nov 10, 2007 8:28 AM

26 replies

Nov 11, 2007 2:48 AM in response to GLank

For DHCP you need a rule that allows traffic in to the server (on en1) from 0.0.0.0 (or any) on UDP port 67.


This rule would also allow any traffic in, and any returning traffic back to LAN clients (assuming a 192.168.x.x LAN network):

allow ip from 192.168.0.0/16 to any in via en1 keep-state

If using VPN you might need a more generic rule:

allow ip from 192.168.0.0/16 to any in keep-state

The keep-state creates temporary rules.

Haven't tried Leopard server ipfw firewall yet.
Firewall presets may have changed from Tiger.


You could post your firewall rules here for us to examine.
You get at them by entering: sudo ipfw list

Nov 11, 2007 1:03 PM in response to GLank

GLank wrote:
Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.


The easiest way to do this is to go to the advanced tab, copy the first rule (the one that allows all lo0 traffic), then modify it to allow all en1 traffic. NOTE: you should never do this for an untrusted network! This opens up everything coming in on en1!

As you've noticed, rules involving a subnet like 192.168.x.x won't help for broadcast DHCP packets when the client machine doesn't know its address yet.
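
The point in the reply above, that a subnet rule never sees a DHCP DISCOVER, is easy to check with a small first-match evaluator for the ipfw rule subset this thread uses. This is an added example and not code from the thread or from Apple; the interface name en1, the rule numbers, and the two sample packets are assumptions, and the rule strings follow the ipfw syntax already quoted in the thread. A client without a lease sends from 0.0.0.0:68 to 255.255.255.255:67, so only a rule keyed on the UDP port (or on "any") can admit it.

```python
"""Toy first-match evaluator for the ipfw rule subset used in this thread.

Added example (not from the original post). Shows why a 192.168.0.0/16 rule
cannot admit a DHCP DISCOVER: before a lease the client sends from
0.0.0.0:68 to 255.255.255.255:67. Interface name, rule numbers and sample
packets are assumptions; rule text follows ipfw syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str        # "in" or "out"
    iface: str            # e.g. "en1"


@dataclass
class Rule:
    number: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or an address/CIDR
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and _addr_ok(self.src, p.src)
            and _addr_ok(self.dst, p.dst)
            and self.sport in (None, p.sport)
            and self.dport in (None, p.dport)
            and self.direction in (None, p.direction)
            and self.iface in (None, p.iface)
        )


def _addr_ok(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise CIDR containment (a bare address is /32)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(number: int, text: str) -> Rule:
    """Parse: ACTION PROTO from SRC [PORT] to DST [PORT] [in|out] [via IFACE] [keep-state]."""
    t = text.split()
    action, proto = t[0], t[1]
    i = t.index("from") + 1
    src, i = t[i], i + 1
    sport = None
    if t[i] != "to":
        sport, i = int(t[i]), i + 1
    i += 1                                  # skip "to"
    dst, i = t[i], i + 1
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    direction = iface = None
    while i < len(t):
        if t[i] in ("in", "out"):
            direction = t[i]
        elif t[i] == "via":
            i += 1
            iface = t[i]
        # "keep-state" only creates dynamic rules for replies; it does not
        # change whether the first packet matches, so it is ignored here.
        i += 1
    return Rule(number, action, proto, src, sport, dst, dport, direction, iface)


def first_match(rules: List[Rule], p: Packet) -> Rule:
    """ipfw semantics: the lowest-numbered matching rule decides."""
    for rule in sorted(rules, key=lambda x: x.number):
        if rule.matches(p):
            return rule
    raise LookupError("no rule matched; a real ipfw ruleset always ends in rule 65535")


# Constructed sample traffic (assumed addresses): a DHCP DISCOVER from a new
# client, and an AFP connection from a client that already holds a lease.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "in", "en1")
AFP_FROM_LAN = Packet("tcp", "192.168.0.20", 50123, "192.168.0.1", 548, "in", "en1")

# Ruleset as the original poster seems to have it: the 192.168/16 allow plus
# a trailing deny-all (rule numbers are assumptions).
LAN_ONLY = [
    parse_rule(12300, "allow ip from 192.168.0.0/16 to any in via en1 keep-state"),
    parse_rule(65534, "deny ip from any to any"),
]
# Same ruleset plus the DHCP-server rule suggested in the thread (UDP 67 in on en1).
LAN_PLUS_DHCP = [parse_rule(12290, "allow udp from any to any 67 in via en1")] + LAN_ONLY

if __name__ == "__main__":
    for name, rules in (("LAN_ONLY", LAN_ONLY), ("LAN_PLUS_DHCP", LAN_PLUS_DHCP)):
        for label, pkt in (("DHCP DISCOVER", DHCP_DISCOVER), ("AFP from LAN", AFP_FROM_LAN)):
            r = first_match(rules, pkt)
            print(f"{name:14} {label:14} -> rule {r.number} {r.action}")
```

Running it shows the DISCOVER falling through to the deny-all under LAN_ONLY and being accepted by rule 12290 under LAN_PLUS_DHCP, while ordinary LAN traffic is allowed either way. The port-67 rule is the narrow fix; copying the lo0 allow-all rule onto en1, as suggested above, also works but admits everything that arrives on that interface.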

Nov 11, 2007 5:07 PM in response to Dean Huxley

I'm having a related issue, and that is that while I have all 192.168.x.x traffic unblocked, iTunes can't connect to any AirPort Expresses. The AirPort Expresses are 192.168.0.5 and .6.

If I turn the firewall off, they connect fine.

The Expresses are on the other side of the router, but still on the LAN side, same as the server... so...

Ummm, am I missing something?

Nov 11, 2007 9:15 PM in response to dtich

dtich wrote:
I'm having a related issue, and that is that while I have all 192.168.x.x traffic unblocked, iTunes can't connect to any AirPort Expresses. The AirPort Expresses are 192.168.0.5 and .6.

If I turn the firewall off, they connect fine.

The Expresses are on the other side of the router, but still on the LAN side, same as the server... so...

Ummm, am I missing something?


Hmm, I'm not sure what ports they use, but if you're in the situation where turning the firewall off fixes things, then you should be able to turn on logging for denied packets, turn the firewall on, do your iTunes thing, and see what packets are getting blocked by looking in your log. It should hopefully become clear which filter needs to be turned on.

However, if you've already opened up en1 and the airports are already on the same subnet, then they should be working fine. Hmm.

Nov 11, 2007 10:34 PM in response to Dean Huxley

Thanks Dean, yes, I had certainly looked at the log, which shows these entries:

Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0

But I have no idea where 169.x.x.x is; nothing on my LAN... If the port is 65534, that's an FTP passive port; tried opening that, doesn't solve the problem. If the port is 138, that's NetBIOS, which would be odd, but I tried opening that too. Nothing doing. Can't figure it out, and the log really isn't helping too much.

traceroute gives me:

traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms

So, I guess that's some internal address that my router uses or something?? Wacky. I'm out of my depth here.

If I allow 169.254.x.x, I still get no joy.

Mean anything else to you?

Nov 11, 2007 10:54 PM in response to dtich

dtich wrote:
Thanks Dean, yes, I had certainly looked at the log, which shows these entries:

Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0

But I have no idea where 169.x.x.x is; nothing on my LAN... If the port is 65534, that's an FTP passive port; tried opening that, doesn't solve the problem. If the port is 138, that's NetBIOS, which would be odd, but I tried opening that too. Nothing doing. Can't figure it out, and the log really isn't helping too much.

traceroute gives me:

traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms

So, I guess that's some internal address that my router uses or something?? Wacky. I'm out of my depth here.

If I allow 169.254.x.x, I still get no joy.

Mean anything else to you?


Yeah, 169.254.x.x is part of the zeroconf network address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details.)

Not sure why the device in particular is trying port 138, unless it's a Windows box, maybe? Is en0 on your local network or external?
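
The log line quoted above is easier to read once its fields are named: the first number after "ipfw[pid]:" is the rule that fired, not a port, so "65534 Deny" means the trailing deny-all rule caught the packet, and 138 is the UDP port on both ends. The following parser is an added example, not code from the thread or from Apple. It assumes the Mac OS X ipfw log layout shown above ("<rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>"); the first sample line is the one quoted in the thread, the other three are constructed, the service names are the IANA well-known assignments, and the allow-rule suggestion is a heuristic rather than anything the firewall itself emits.

```python
"""Parser for ipfw "Deny" lines as written to the Mac OS X system log.

Added example, not from the thread. Expected layout, as quoted above:
  "<host> ipfw[<pid>]: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
The number after "ipfw[pid]:" is the rule number that fired (65534 here is the
trailing deny-all rule), not a port. Sample lines other than the first are
constructed; service names are IANA well-known ports.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r"ipfw\[\d+\]:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[A-Z]+(?::[\d.]+)?)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

SERVICES = {
    67: "DHCP server", 68: "DHCP client",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    548: "AFP", 3689: "DAAP (iTunes sharing)", 5353: "mDNS (Bonjour)",
}


def classify(addr: str) -> str:
    """Say what kind of address this is; 169.254/16 is the one that confused the thread."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unspecified 0.0.0.0 (client has no address yet)"
    if addr == "255.255.255.255":
        return "limited broadcast"
    if ip.is_link_local:
        suffix = " broadcast" if addr.endswith(".255.255") else ""
        return "link-local 169.254/16 (self-assigned, no DHCP lease)" + suffix
    if ip.is_multicast:
        return "multicast 224.0.0.0/4"
    if ip.is_private:
        return "private (RFC 1918)"
    return "public"


def parse_log_line(line: str) -> Optional[Dict]:
    """Return the named fields of one ipfw log line, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    d["service"] = SERVICES.get(d["dport"], "unknown")
    d["src_class"] = classify(d["src"])
    d["dst_class"] = classify(d["dst"])
    return d


def suggested_rule(entry: Dict) -> str:
    """Heuristic: the narrowest allow rule that would admit this flow
    (same protocol, destination port, direction and interface)."""
    port = f" {entry['dport']}" if entry["dport"] is not None else ""
    return f"allow {entry['proto'].lower()} from any to any{port} {entry['dir']} via {entry['iface']}"


def summarize(lines: Iterable[str]) -> List[Dict]:
    """Parse every ipfw line in a log excerpt, skipping everything else."""
    return [e for e in (parse_log_line(line) for line in lines) if e]


SAMPLE_LOG = [
    # line quoted in the thread
    "Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0",
    # constructed: a DHCP DISCOVER and an mDNS query hitting the same deny rule
    "Nov 12 08:01:02 north-knoll-server ipfw[8789]: 65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en1",
    "Nov 12 08:01:05 north-knoll-server ipfw[8789]: 65534 Deny UDP 192.168.0.5:5353 224.0.0.251:5353 in via en0",
    # constructed: an unrelated syslog line that must be ignored
    "Nov 12 08:01:06 north-knoll-server syslogd[23]: restart",
]

if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG):
        print(f"rule {e['rule']} {e['action']} {e['proto']} {e['src']} -> {e['dst']}"
              f" port {e['dport']} ({e['service']}); src {e['src_class']}; dst {e['dst_class']}")
        print("   candidate rule:", suggested_rule(e))
```

For the quoted line it reports a self-assigned link-local host sending NetBIOS datagrams to the link-local broadcast, which is what a Windows-style client that never got a lease looks like, and it has nothing to do with the AirTunes problem. Treat the suggested rule as a starting point to narrow further, not something to paste in blindly.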

Nov 12, 2007 1:35 AM in response to dtich

I meant multicast traffic, if it's "broadcast" on the LAN using the multicast address range.

Using a rule something like:

allow ip from any to 224.0.0.0/4 via en0 keep-state

It should only be a problem for the server if it needs to access the AirPort Express via iTunes (it's the only machine running ipfw?).


And why have the ipfw firewall running on the server if it is already behind a HW firewall?


The 169.- address on port 138 must be a Windows machine which hasn't got an IP (from DHCP).
To serve DHCP to Windows, the DHCP settings need a domain name filled in: "example.com"

Message was edited by: Leif Carlsson

Nov 12, 2007 7:02 AM in response to Leif Carlsson

No Windoze machines here. 🙂

I don't get the port 138 message; other than that, no denies related to this in the log. Frustrating.

Why I have both HW and SW firewalls is that the HW has to be a little more open than the SW, and I still see port scans and attempted logins, etc., with the SW... Yes, one solution is to turn off the SW, but that isn't what I want to do.

I did allow the 224 range before, but let me try again... Thanks Leif.

Edit: that's not doing the trick. Still no joy on the AirTunes. Jabber did like that, though.

Message was edited by: dtich

Nov 12, 2007 10:22 AM in response to dtich

dtich wrote:
Can any Apple techs out there tell me why ipfw is blocking AirTunes on the local net? We cannot figure out the port or range to open for this.


Do you have "iTunes Music Sharing (port 3689)" enabled in your firewall rules?

If that doesn't work the next thing to try would be to turn off the firewall, then open up a Terminal window and run:
sudo tcpdump -ni en0 host 192.168.0.5 or host 192.168.0.6

then watch the packets fly as you try airtunes. You should be able to see the port number(s) you want in there somewhere.

Nov 12, 2007 11:11 AM in response to Dean Huxley

Yes, iTunes music sharing is open.

Good call on the tcpdump.

In the terminal I get:

10:51:40.387022 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
10:51:44.385581 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
10:52:26.187087 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
10:54:05.189194 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
10:55:40.017766 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/0 (Cache flush) AAAA[|domain]
10:55:43.835519 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/2 (134)
10:57:19.018324 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/0 (Cache flush) AAAA[|domain]
10:57:19.020375 arp who-has 192.168.0.5 tell 192.168.0.1
10:57:22.305977 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/2 (134)
10:58:58.019242 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
11:00:32.195802 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 (Cache flush) A 192.168.0.5 (52)

The first two lines are with the firewall off, then with the firewall on after that. 5353 is open of course, and packets flow, but still no connection. Is this an ARP problem? And if so, how can I solve it? ARP is not IP layer, I thought, so why would ipfw block it?
