
ipfw in Leopard

Does anyone have some good references on how to configure ipfw in Leopard?

I have an app called WaterRoof, and it's good for doing the configuring, but I'd like some guidance on what a good (i.e. very secure) configuration should include.

Thanks

Posted on Nov 16, 2008 9:32 PM


Nov 17, 2008 5:33 AM in response to Don MacQueen1

I'm not a firewall expert, but that won't stop me from offering suggestions!

I think these two lines

$IPFW add XXXX deny ip from 127.0.0.0/8 to any in
$IPFW add XXXX deny ip from any to 127.0.0.0/8 in


are a good idea because they block machines pretending to be loopback.

Using CIDR notation, I also allow traffic on all ports for all the machines on my local subnet. I use something like

$IPFW add XXXX allow ip from XXX.XXX.XXX.0/24 to any in


I think this is fairly safe as the block is one of those reserved for LANs but, again, I'm not an expert.

Next, I have a block for bad Internet citizens such as zombied machines and HTTP suckers. These lines look like (for IP ranges)

$IPFW add XXXX deny ip from XXX.XXX.XXX.0/3 to any in


or (for specific machines)

$IPFW add XXXX deny log ip from XXX.XXX.XXX.XXX to any in


This bad Internet citizen chunk is followed by these two lines

$IPFW add XXXX allow tcp from any to any out
$IPFW add XXXX allow tcp from any to any established


to allow my machine to talk to the world unfettered and to allow established connections to persist if the firewall is rebooted.

There is a large section of ports I keep open to tcp for services such as SSH, SMTP, BIND, HTTP, Bonjour and the like. They are of the form (each on a single line)

$IPFW add XXXX allow tcp from any to any dst-port PORT in #SERVICE


where PORT is replaced by the port number for the service commented as SERVICE.

For example

$IPFW add XXXX allow tcp from any to any dst-port 22 in #SSH


With the necessary ports open, I finish the firewall with

$IPFW add XXXX deny log tcp from any to any
$IPFW add XXXX allow icmp from any to any out
$IPFW add XXXX allow icmp from any to any in icmptypes 0,8


These lines, in order, 1) block tcp traffic on all other ports (not opened in the allowed-service block above it), 2) allow icmp traffic to go out to anywhere on the Internet, and 3) allow the rest of the world to ping my server as safely as I know how to set up.

As a disclaimer, I have spent maybe a dozen hours or so trying to understand IPFW best practices and, to be honest, I'm much in the dark. Internet security is a big issue and doing it right is more than a full time job. However, I do think there are minimal IPFW configurations and I have done my best to put something together that meets these requirements while being workable.

I have no illusions that this is an extremely secure setup and will let this stand as its own warning.

To answer your question, I don't have any ready references because I cobbled my firewall rules over time and modified those rules whenever I, for example, came across a Slashdot post complaining about bad IPFW configurations.

However, a quick google reveals this as a resource for getting started with IPFW which seems a clearly written introduction to IPFW.

hth,

Johnnie Wilcox
aka mistersquid
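The reply above describes its ruleset in pieces. The script below is an added example, not code from the original poster, that assembles those pieces into one numbered ipfw script so the ordering is explicit: ipfw evaluates rules in ascending number order and stops at the first match, so the anti-spoof, LAN, blocklist, outbound, service and catch-all sections have to be numbered in that sequence or later rules never fire. The rule numbers, the LAN prefix, the blocklist addresses and the service list are constructed placeholders. One rule is added that the post does not mention: an `allow ... via lo0` rule ahead of the 127.0.0.0/8 denies, which is the pattern the stock ipfw rule sets use, because a `deny ... to 127.0.0.0/8 in` rule otherwise also matches genuine loopback traffic as it comes back in on lo0.

```shell
#!/bin/sh
# Added example (not from the original post): the ruleset described in the
# reply, assembled into a single numbered ipfw script.
# Dry-run by default: with IPFW unset the commands are printed, not loaded.
# Run with IPFW=/sbin/ipfw (as root) to apply them for real.
IPFW="${IPFW:-echo /sbin/ipfw}"

LAN_NET="192.168.1.0/24"         # constructed: replace with your own subnet
BLOCKLIST_NETS="203.0.113.0/24"  # constructed: documentation range, stands in for a bad network
BLOCKLIST_HOSTS="198.51.100.7"   # constructed: documentation range, stands in for a bad host
SERVICES="SSH:22 SMTP:25 HTTP:80" # constructed NAME:PORT list of TCP services to expose

build_ruleset() {
    # 0xx: genuine loopback traffic is allowed before anything claiming to be 127/8 is denied
    $IPFW add 50 allow ip from any to any via lo0

    # 1xx: block packets on the wire pretending to be loopback
    $IPFW add 100 deny ip from 127.0.0.0/8 to any in
    $IPFW add 110 deny ip from any to 127.0.0.0/8 in

    # 2xx: trust the local subnet (an RFC 1918 block, not routable from the Internet)
    $IPFW add 200 allow ip from "$LAN_NET" to any in

    # 3xx: blocklist; the host rules carry 'log' so hits show up in the system log
    n=300
    for net in $BLOCKLIST_NETS; do
        $IPFW add $n deny ip from "$net" to any in
        n=$((n + 10))
    done
    for host in $BLOCKLIST_HOSTS; do
        $IPFW add $n deny log ip from "$host" to any in
        n=$((n + 10))
    done

    # 4xx: outbound TCP and replies to connections already in progress
    $IPFW add 400 allow tcp from any to any out
    $IPFW add 410 allow tcp from any to any established

    # 5xx: one inbound allow per exposed service (shell comment names the service)
    n=500
    for svc in $SERVICES; do
        name=${svc%%:*}
        port=${svc##*:}
        $IPFW add $n allow tcp from any to any dst-port "$port" in  # $name
        n=$((n + 10))
    done

    # 6xx: every other TCP packet is denied and logged; ICMP out, echo reply/request in
    $IPFW add 600 deny log tcp from any to any
    $IPFW add 610 allow icmp from any to any out
    $IPFW add 620 allow icmp from any to any in icmptypes 0,8
}

# Number of rules the script would load.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Ordering check: the catch-all 'deny log tcp' must be numbered above every
# service allow, otherwise the services are unreachable. Returns 0 if so.
ruleset_ok() {
    rules=$(build_ruleset)
    deny_no=$(printf '%s\n' "$rules" | awk '/deny log tcp from any to any/ {print $3}')
    last_allow=$(printf '%s\n' "$rules" | awk '/dst-port/ {n = $3} END {print n}')
    [ -n "$deny_no" ] && [ -n "$last_allow" ] && [ "$deny_no" -gt "$last_allow" ]
}

# Print (or, with IPFW=/sbin/ipfw, load) the ruleset when run as a script.
build_ruleset
```

Two points worth knowing when adapting this: the `log` keyword only produces log lines once `net.inet.ip.fw.verbose` is set to 1 with sysctl, and `established` matches on TCP flags alone (ACK or RST set) rather than on tracked connection state, which is why it also lets in packets for connections the firewall never saw.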

