Expert ipfw configuration?

Brickhouse is a GUI for ipfw. Therefore if you create a few rules using Brickhouse then look at your ipfw list you can work out how the syntax works.

Once you know the syntex then you can add the rules manually.

AFAIK ipfw does not get flushed at reboot.

'Brickhouse is a GUI for ipfw. Therefore if you create a few rules using Brickhouse then look at your ipfw list you can work out how the syntax works.
Once you know the syntex then you can add the rules manually. '

The OP stated he already knows about brickhouse, and understands ipfw syntax.

"AFAIK ipfw does not get flushed at reboot."

It does, but saved settings/rules get 'reloaded.' I understand the OP to be looking for where to add outbound rules so they are 'permanent' without using a third party tool or creating a startup script...as for that answer, I don't know.

I'll try to do my best to combine several of the topics and questions in one reply.

I do agree with chairman rod that the ipfw rules are flushed on shutdown (or soft reboot). They are added back during the boot process. You can easily test this by manually adding a new rule using the Terminal and reboot the computer. Your newly added rule will no longer be listed in the ipfw rules.

where to add outbound rules so they are 'permanent' without using a third party tool or creating a startup script

Konstantin appears to be on the mark in pointing to the com.apple.shring.firewall.plist file as where Apple stores the rules. The rules are not stored as one would expect and are not in a form that ipfw could use without some interpretive process. Some other part of the system, therefore, must read the plist file and interpret it into rules that ipfw understands.

Here's how I confirmed that the plist is where rules are stored.
1. I used File Buddy to take a snapshop of my entire boot partition.
2. Opened System Preferences and turned on the firewall. Closed System Preferences.
3. Used File Buddy to take a second snapshot of my boot partition.
4. Used File Budy to compare the snapshots. The only new or modified item that anything to do with ipfw was the com.apple.sharing.firewall.plist.
5. Opened the com.apple.sharing.firewall.plist with Property List Editor (part of Developer Tools). You can see the outline of the different services in the System Preferences Firewall GUI pane with the various keys set to their appropriate values.
6. I further confirmed this by gong back to System Preferences/Firewall and created a custom rule under "Other". Under this rule, I set TCP and UDP port 8043 for a service I titled "mystuff". I again opened the com.apple.sharing.firewall.plist in Property List Editor and saw a new entry for "mystuff" for port 8043. I then went to the Terminal and ran "sudo ipfw list". The new rule for "mystuff" had been added--

02070 allow tcp from any to any dst-port 8043 in

There does not seem to be any provision in the GUI for making a rule to block outgoing traffic. One would have to know what process interprets the plist and how it works. Then it might be possible to manually enter a rule to the plist that would be interpreted properly for blocking specified outgoing traffic. Good luck in finding the interpretation process and being able to decipher it.

It would certainly seem that using BrickHouse or sunShield as alternate GUIs for ipfw would be the only viable solution. It bears mentioning that when one uses BrickHouse or sunShield to configure ipfw, you cannot use the System Preference GUI. The two will conflict and you will get the oft cited "other software is using the firewall" alert.

"Konstantin appears to be on the mark in pointing to the com.apple.shring.firewall.plist file as where Apple stores the rules. The rules are not stored as one would expect and are not in a form that ipfw could use without some interpretive process. Some other part of the system, therefore, must read the plist file and interpret it into rules that ipfw understands."

First, apologies to Tim, as I misinterpreted his post, and I guess he was saying make rules changes then check the firewall.plist to see how it is added.

Second, firewalltool is what reads the plist. Here is the sorce code, so anyone with the inclination can see what firewalltool is expecting from plist:
http://darwinsource.opendarwin.org/10.4.2/FirewallTool-15/FirewallTool.c

Further searching did not turn up any positive exmples of editing the plist to add rules.

As 'inelegant' or 'hackish' as it may seem, a startup script seems to be the best method, IMHO.

firewalltool is what reads the plist. Here is the sorce code

Well done. Of course one needs to be able to read and understand the code to make sense of it. I can only figure out a very tiny bit of it. There is a big difference between having the Developer Tools installed and being able to read and write code. 🙂

As 'inelegant' or 'hackish' as it may seem, a startup script seems to be the best method, IMHO.

I would agree, although I'm not sure there is anything inelegant or hackish about it. Apple has not provided a GUI interface that satisfies everyone. When the GUI is insufficient, one must learn some of the *nix underpinnings. There was a good thread a while back that may help the OP with startup scripts et al. The thread is IPFW does not run at startup. The starting point for the OP in that thread was an article on firewalls from the MacDevCenter.