John Lockwood

Q: PF Firewall configuring frontends

With Mavericks, Apple phased out support for the IPFW firewall and switched to using the PF firewall instead. (Yosemite also uses PF.) Clearly one can configure this firewall by hand-editing the pf configuration files, but the author of a GUI tool for configuring IPFW has also produced a GUI tool for setting up PF firewall rules. The name of the IPFW tool is WaterRoof and the name of the PF tool is IceFloor.

I have used, or at least experimented with, IceFloor before and it does work, but I was always slightly concerned about the way it works, which is to install a launchd file that causes PF to load a different config file from the standard initial Apple one. My concern was that any Apple updates might break this, and that it might also make it less compatible with Apple's own firewall settings via Server.app. Of course the advantage is that IceFloor keeps any new rules separate from Apple's rules.

There is, however, a new PF GUI tool now out. I have not yet tried it myself, so I am bringing it to the attention of the Apple community to see if anyone has any feedback on it as yet. See MurusFireWall.

Posted on Dec 12, 2014 1:41 AM


  • by Ivan Robertovich (Level 1, 48 points), Apr 19, 2015 3:18 PM, in response to John Lockwood

    At least at one time (maybe it has been fixed by now), IceFloor would damage your Apple conf files and not return them to a usable state afterwards. See https://codedmemes.com/lib/packet-filter-adaptive-firewall/

  • by Elton Darby Jr. (Level 1, 65 points), Sep 24, 2015 3:23 PM, in response to John Lockwood

    I'm using Murus Pro to block 3,500+ nefarious CIDRs (IP subnet ranges) with amazing flexibility and results. The hack attempts from certain regions are rampant -- far more aggressive than I ever imagined prior to deploying Murus Pro with the Murus Log Visualizer and adaptive/proactive features. Anyone deploying a 24/7 workstation or server that's open to the internet, relying on OS X's ALF firewall and not using Murus & PF, is taking a huge risk, IMO.

  • by buddyjack2 (Level 1, 0 points), Nov 5, 2015 8:15 AM, in response to Elton Darby Jr.

    Hi, I just got Murus Pro yesterday and am curious how you entered 3,500+ CIDRs... did you type them manually, or did you import them from a text file? I've got a smaller list (1,300+) of addresses in CIDR notation, but when I import them into a custom group, only the "base" address of each gets imported, not the CIDR part of the item. The only way I can get a CIDR notation to "stick" seems to be by typing it manually, one by one, in the group's window.

    And BTW, I agree completely with you about Murus vs. the OS X firewall, especially since I'm configuring our Mac as an OS X Server.

  • by smashr (Level 1, 19 points), Jun 28, 2016 9:41 AM, in response to Elton Darby Jr.

    Hi, thanks for your reply and sorry for interfering, but I have a question: where do you get the list files for the 3,500 CIDRs, please? Thanks!
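The prefix-length problem described in this thread (only the base address of each CIDR surviving an import) can be sidestepped by feeding pf a table file directly. The script below is an added example, not code from this thread or from Murus: it parses a CIDR list while keeping every prefix length, merges duplicates and adjacent ranges, emits the one-entry-per-line file that a pf `table` directive reads, and lets you check an address against the list offline before loading it. The table name `blocklist`, the path `/etc/pf.blocklist` and the sample list itself are assumptions.

```python
import ipaddress

# Constructed sample list, not a real feed. The messy formatting is deliberate:
# a duplicate, host bits set inside a /24, a bare host, an invalid line.
SAMPLE_LIST = """\
# blocklist (constructed)
203.0.113.0/24
203.0.113.5/24
198.51.100.37/32
198.51.100.64/27
198.51.100.96/27
192.0.2.17
2001:db8:abcd::/48
not-an-address
"""

def parse_cidr_list(text):
    """Parse one CIDR per line, keeping the prefix length. Host bits are
    masked off (strict=False); unparseable lines are returned for review
    instead of being silently dropped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)
    return nets, rejected

def collapse(nets):
    """Deduplicate and merge adjacent or overlapping networks per address
    family, so the table holds the smallest equivalent set of entries."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def to_pf_table_file(nets):
    """One entry per line, the format read by pf.conf lines such as (path and
    table name assumed):
        table <blocklist> persist file "/etc/pf.blocklist"
        block in quick from <blocklist> to any"""
    return "".join(f"{n}\n" for n in nets)

def is_blocked(nets, addr):
    """Offline check that an address falls inside the table before loading it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -t blocklist -T show` lists the entries pf actually holds, which is the quickest way to confirm the prefix lengths survived.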