1 Reply Latest reply: Nov 17, 2008 5:33 AM by mistersquid
Don MacQueen1 Level 4
Does anyone have some good references on how to configure ipfw in Leopard?

I have an app called WaterRoof, and it's good for doing the configuring, but I'd like some guidance on what a good (i.e. very secure) configuration should include.

  • mistersquid Level 3
    I'm not a firewall expert, but that won't stop me from offering suggestions!

    I think these two lines

    $IPFW add XXXX deny ip from to any in
    $IPFW add XXXX deny ip from any to in

    are a good idea because they block machines pretending to be loopback.

    Using CIDR notation, I also allow traffic on all ports for all the machines on my local subnet. I use something like

    $IPFW add XXXX allow ip from XXX.XXX.XXX.0/24 to any in

    I think this is fairly safe as the block is one of those reserved for LANs but, again, I'm not an expert.

    Next, I have a block for bad Internet citizens such as zombied machines and HTTP suckers. These lines look like (for IP ranges)

    $IPFW add XXXX deny ip from XXX.XXX.XXX.0/3 to any in

    or (for specific machines)

    $IPFW add XXXX deny log ip from XXX.XXX.XXX.XXX to any in

    This bad Internet citizen chunk is followed by these two lines

    $IPFW add XXXX allow tcp from any to any out
    $IPFW add XXXX allow tcp from any to any established

    to allow my machine to talk to the world unfettered and to allow established connections to persist if the firewall is rebooted.

    There is a large section of ports I keep open to tcp for services such as SSH, SMTP, BIND, HTTP, Bonjour and the like. They are of the form (each on a single line)

    $IPFW add XXXX allow tcp from any to any dst-port PORT in #SERVICE

    where PORT is replaced by the port number for the service commented as SERVICE.

    For example,

    $IPFW add XXXX allow tcp from any to any dst-port 22 in #SSH

    With the necessary ports open, I finish the firewall with

    $IPFW add XXXX deny log tcp from any to any
    $IPFW add XXXX allow icmp from any to any out
    $IPFW add XXXX allow icmp from any to any in icmptypes 0,8

    These lines, in order, 1) block tcp traffic on all other ports (not opened in the allowed-service block above it), 2) allow icmp traffic to go out to anywhere on the Internet, and 3) allow the rest of the world to ping my server as safely as I know how to set up.

    As a disclaimer, I have spent maybe a dozen hours or so trying to understand IPFW best practices and, to be honest, I'm much in the dark. Internet security is a big issue and doing it right is more than a full-time job. However, I do think there are minimal IPFW configurations, and I have done my best to put something together that meets these requirements while being workable.

    I have no illusions that this is an extremely secure setup and will let this stand as its own warning.

    To answer your question, I don't have any ready references because I cobbled my firewall rules over time and modified those rules whenever I, for example, came across a Slashdot post complaining about bad IPFW configurations.

    However, a quick Google search reveals this as a resource for getting started with IPFW, which seems a clearly written introduction to IPFW.

    Johnnie Wilcox
    aka mistersquid
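The rule layout mistersquid walks through above (anti-loopback-spoof, LAN allow, blocklist, outbound/established allow, per-service inbound allows, default tcp deny, restricted icmp), assembled into one ordered ruleset as an added example; this is not code from the post or from WaterRoof. The subnet, blocklist addresses and service ports are constructed placeholders, and an `allow ... via lo0` rule is placed ahead of the loopback denies so that genuine local 127.0.0.1 traffic is not cut off by them. It runs as a dry run by default and only applies rules if IPFW is set to the real binary.

```shell
#!/bin/sh
# Dry run by default: the commands are printed, not executed.
# Run as root with IPFW=/sbin/ipfw to actually load the rules.
IPFW="${IPFW:-echo /sbin/ipfw}"

LAN_NET="192.168.1.0/24"       # assumed local subnet (constructed)
BLOCK_NETS="198.51.100.0/24"   # assumed "bad citizen" ranges (constructed)
BLOCK_HOSTS="203.0.113.7"      # assumed individual bad hosts (constructed)
SERVICES="22 25 80"            # inbound tcp ports to open: SSH SMTP HTTP

build_ruleset() {
    n=100
    # $IPFW is deliberately unquoted so "echo /sbin/ipfw" word-splits.
    rule() { $IPFW add "$n" "$@"; n=$((n + 10)); }

    # Real loopback traffic first, then drop anything that fakes loopback
    # addresses on a non-loopback interface.
    rule allow ip from any to any via lo0
    rule deny ip from 127.0.0.0/8 to any in
    rule deny ip from any to 127.0.0.0/8 in

    rule allow ip from "$LAN_NET" to any in

    for net in $BLOCK_NETS; do rule deny ip from "$net" to any in; done
    for host in $BLOCK_HOSTS; do rule deny log ip from "$host" to any in; done

    # Unrestricted outbound tcp, and keep already-established flows alive.
    rule allow tcp from any to any out
    rule allow tcp from any to any established

    for port in $SERVICES; do
        rule allow tcp from any to any dst-port "$port" in
    done

    # Catch-all tcp deny, then icmp: anything out, only echo reply/request in.
    rule deny log tcp from any to any
    rule allow icmp from any to any out
    rule allow icmp from any to any in icmptypes 0,8
}

# Sanity check on ordering: the catch-all deny must follow every service allow,
# otherwise the allows are dead rules (ipfw stops at the first match).
check_order() {
    build_ruleset | awk '
        /dst-port/ && !/deny/ { last_allow = NR }
        /deny log tcp from any to any$/ { final = NR }
        END { exit !(final > 0 && final > last_allow) }'
}

build_ruleset
```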