
UNSAFE - VPN ignores ipfw firewall

It appears to me that when connecting with a VPN, Snow Leopard ignores the ipfw firewall, letting all traffic in.


The situation is this. I'm connecting to a commercial VPN provider, and I am given a public IP address. Suddenly my Mac, which was otherwise protected behind a NAT router, is exposed to the Internet. All my services that I want available on the LAN are exposed to the public. I only want port 22 (ssh) exposed on that interface (ppp0).


The firewall ipfw should accomplish this for me, but it seems that traffic over ppp0 doesn't get processed through ipfw. I've reduced my ruleset to one "deny" rule to verify that the firewall is active and illustrate the problem. For testing I'm blocking port 80 instead of 22.


deny log logamount 65535 tcp from any to any dst-port 80 setup in


If I try curl 10._._.104 from another computer (the local IP address), I properly get no response, but if I try curl 68._._.181 (the public IP address from the VPN), I get a response, which I shouldn't.


I can't find any information on this. Is there a reason why the VPN traffic over interface ppp0 would bypass ipfw?


If I configure the application firewall in System Preferences to "Block all incoming connections," then ppp0 traffic is blocked. That's great, but I only want to block ppp0, not en0 or en1.


What is this? Bug? Misconfiguration?


-Rob



ifconfig:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 10:9a:dd:53:d5:1a
    media: autoselect (none)
    status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 70:cd:60:ff:fe:21:fe:24
    media: autoselect <full-duplex>
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 10:9a:dd:ad:f7:fb
    inet6 fe80::129a:ddff:fead:f7fb%en1 prefixlen 64 scopeid 0x6
    inet 10.42.23.104 netmask 0xffffff00 broadcast 10.42.23.255
    media: autoselect
    status: active
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:50:56:c0:00:01
    inet 192.168.246.1 netmask 0xffffff00 broadcast 192.168.246.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:50:56:c0:00:08
    inet 192.168.251.1 netmask 0xffffff00 broadcast 192.168.251.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 68.68.40.181 --> 68.68.40.129 netmask 0xff000000

ipfw list:

02009 deny log logamount 65535 tcp from any to any dst-port 80 setup in
65535 allow ip from any to any

sysctl net.inet.ip.fw:

net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.debug: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.verbose_limit: 65535
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 3
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

Posted on Jul 19, 2011 11:17 PM
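An added example, not part of Rob's post, showing how the stated goal (only tcp/22 reachable on ppp0, en0/en1 left alone) is normally expressed in ipfw: the interface qualifiers "recv" and "xmit" pin each rule to the VPN interface, dynamic rules ("keep-state"/"check-state", which the dyn_* sysctls above show are available) let replies to outbound connections back in, and a final per-interface deny catches everything else. It assumes the VPN interface is named ppp0 as in the ifconfig output, that rule numbers 2000-2050 are free (the posted "ipfw list" shows only 02009 and 65535), and that the script runs as root on the Snow Leopard box. It only prints the rules unless DRY_RUN=0 is set. It does not explain why the posted rule 02009 was not matching; the "count" rule in the diagnostic step is the check for that: if its counter stays at zero while curl against the public address succeeds, ipfw is not seeing ppp0 packets at all, and the ruleset cannot fix it.

```shell
#!/bin/sh
# Added example (not the original poster's code): an ipfw ruleset that exposes
# only ssh (tcp/22) on the VPN interface, leaving en0/en1 untouched.
# Assumptions: VPN interface is ppp0, rule numbers 2000-2050 are free,
# run as root. DRY_RUN=1 (the default) prints the rules instead of loading them.

IFACE="${IFACE:-ppp0}"
BASE="${BASE:-2000}"

# Emit the ruleset, one "<number> <rule body>" per line, so it can be reviewed
# before anything touches the kernel.
#  - check-state first: packets of flows already allowed match here.
#  - inbound SYN to tcp/22 on ppp0 is allowed and tracked (keep-state).
#  - outbound TCP SYN / UDP on ppp0 are tracked so their replies get back in.
#  - inbound ICMP echo-reply, unreachable (incl. PMTU, MTU here is 1280) and
#    time-exceeded are allowed; echo-request (type 8) is not.
#  - everything else arriving on ppp0 is denied and logged.
# Rules say "recv $IFACE" / "xmit $IFACE", so en0 and en1 never match them.
ppp0_rules() {
    cat <<EOF
$((BASE+0)) check-state
$((BASE+10)) allow tcp from any to me dst-port 22 in recv $IFACE setup keep-state
$((BASE+20)) allow tcp from me to any out xmit $IFACE setup keep-state
$((BASE+30)) allow udp from me to any out xmit $IFACE keep-state
$((BASE+40)) allow icmp from any to me in recv $IFACE icmptypes 0,3,11
$((BASE+50)) deny log logamount 65535 ip from any to any in recv $IFACE
EOF
}

# Load the rules with "ipfw add", or print the exact commands when DRY_RUN=1.
apply_rules() {
    ppp0_rules | while read -r num body; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "ipfw add $num $body"
        else
            # shellcheck disable=SC2086  # $body is meant to be word-split
            ipfw add "$num" $body
        fi
    done
}

# Remove only our rules (by number), so other rules stay in place.
remove_rules() {
    ppp0_rules | while read -r num body; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "ipfw delete $num"
        else
            ipfw delete "$num"
        fi
    done
}

# Diagnostic commands for the symptom in the post: a "count" rule at number 1
# shows whether ipfw sees ppp0 packets at all; "ipfw -a list" shows per-rule
# packet counters; tcpdump confirms the packets do arrive on ppp0.
diag_commands() {
    cat <<EOF
ipfw add 1 count ip from any to any via $IFACE
ipfw zero
ipfw -a list
tcpdump -n -i $IFACE 'tcp port 22 or tcp port 80'
EOF
}

case "${1:-}" in
    apply)  apply_rules ;;
    remove) remove_rules ;;
    diag)   diag_commands ;;
esac
```

Run it as "sh ipfw-ppp0.sh apply" to review the commands, then "DRY_RUN=0 sh ipfw-ppp0.sh apply" to load them; "diag" prints the check to run before trusting the result. If the count rule's counter does increase on curl to the public address, the 02009 rule in the post should have matched as well, which narrows the question to rule matching; if it stays at zero, the packets are not passing through ipfw on that interface and this ruleset will not change anything.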
