13 Replies Latest reply: Nov 17, 2006 4:02 AM by Nils C. Anderson
Nils C. Anderson Level 4 (3,495 points)
Is anyone aware of an ipfw document/how-to/tutorial?

Thanks.

15in. PowerBook G4, 15in. MacBook Pro, Mac OS X (10.4.8)
  • Michael Conniff Level 7 (33,125 points)
    Andy

    You might find some of the links in An Introduction to Mac OS X Security useful.

    And although this is a product, some of the description and readme files could help: Flying Buttress (previously known as BrickHouse).
  • Nils C. Anderson Level 4 (3,495 points)
    Michael,

    Do you know if there are any bug/quirks/features with ipfw?

    Thanks,

    Andy
  • Michael Conniff Level 7 (33,125 points)
    Do you know if there are any bug/quirks/features with ipfw?
    Sorry, don't know. I just use the GUI interface nowadays. But I do tend to read anything I come across on the subject and hadn't seen anything.

    Duh! Don't know why I missed this link to the FreeBSD Handbook: Firewalls. However the "How to use and configure IPFW" section does say:
    Note: This section is work in progress. The contents might not be accurate at all times.
    Still worth a read I think.
  • Gary Kerbaugh Level 6 (18,040 points)
    Hi Andy,
   Please forgive the tardiness of this post: crisis at work. My list of links is old and nowhere near as complete as I'd like. There may be broken links in it but it does contain one gem. Let me mention that the man page is rather extensive and a pretty good reference on the current version of the firewall, ipfw2.

       ipfw is a BSD firewall so many of the better references can be found in BSD docs. Several links are provided below. You asked if there were any quirks and my information on that dates back to early Tiger but at that time dynamic rules caused a system freeze on dual processor machines. I can't imagine that has persisted but I haven't tested it since that time. At that time oddities were also introduced into syslog so that syslog.conf didn't respect some of the things unique to BSD. That broke my method for redirecting the firewall logs to a dedicated file. I think that's still broken.

   Here is my set of very old links. It was started when I first got into it and while it's been updated some, it's mostly still pretty old. However, supplemented with a Google search, you should have a fair amount to read.

       First, the FreeBSD manual:

    FreeBSD Handbook:Chapter 24 Firewalls

    Then the O'Reilly ONLamp articles:

    http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
    http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
    http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html
    http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html

    The following sites discuss the Mac firewall.

    Daniel Cote has a good article specific to OS X with a good example, Setting up firewall rules on Mac OS X.

    http://seaotter.berkeley.edu/cab/mac-firewalls/

    More important, the above page has a link to an archive of Stefan Arentz's article, formerly at http://wopr.norad.org/articles/firewall/, that is specific to OS X: Building your own personal firewall, By Stefan Arentz, 2000-10-09. Stefan's article is very old but a classic -- one of my favorites. I was thrilled when an archive turned up because it was so helpful to refer people to it. Unfortunately the URL has http:// in the middle so this stupid discussion software breaks my link. I'll just have to paste in the whole URL, as distasteful as that is:

    http://web.archive.org/web/20020802192015/http://wopr.norad.org/articles/firewall/

       That's the end of my links page but I'll try to think of more. However for now, the emergency still isn't resolved and I've got to go.
    --
    Gary
    ~~~~
       In the beginning there was nothing. And the Lord said
       "Let There Be Light!" And still there was nothing, but at
       least now you could see it.
  • Bill Scott Level 6 (11,445 points)
    Thanks for posting that, Gary. I've been checking this thread each day in hopes that something like this would appear.
  • Bill Scott Level 6 (11,445 points)
    Since I have no ability to contribute constructively to this discussion, apart from seconding the Flying Buttress nomination, I will instead refer Gary to a referral URL:

    http://murl.info/15228

    Which can be encased thusly.
  • Nils C. Anderson Level 4 (3,495 points)
    Michael/Gary,

    Thanks for the info on the possible quirks and the "extended" reading list.
    Looks like I now have plenty to do in the evening.

    Andy
  • Nils C. Anderson Level 4 (3,495 points)
    Just adding to your list. But this seems to look at filters from a kernel extension point of view.

    Network Kernel Extensions Programming Guide

    See Chapter 4, IP Filters.

    More than I need to know, but perhaps someone here will find it of use.

    Andy
  • Gary Kerbaugh Level 6 (18,040 points)
    Hi Guys,
   Bill, you have to know that I know how to put a simple URL into an HTML link; I did so for two of them. The problem with my last URL is that there are two http:// protocol or "scheme" strings in the URL. The list software doesn't seem to mess with it if it is preceded by <A HREF=". However, I was shocked to find that it tried to turn everything after the second one into a link, completely breaking the URL (in two). You'd think that any software that could recognize <A HREF=" would have sense enough to leave everything alone until the close of the quotes but it ain't so in this case. Try it; see if you can put my last URL above into a link and post it. I tried URL-encoding it but then the link didn't work.

       Andy if you want to see it, I did save another post of mine where I discussed some firewall strategy, such as making all but the last rule "allow" rules that let in what you need and then ending the ruleset with a blanket denial. Do you have Ethereal installed? If you create a default deny firewall, stuff will fail at first and you have to catch the problem "in the act" of failing. It can be tedious but usually works. Also, be sure to allow everything on lo0. If you block NetInfo, you can only become root in single user mode.

       Continue to post back if you have questions. Even if you just want to run things by us, that would be great. Discussions are always useful in clarifying even things you pretty much understand.
    --
    Gary
    ~~~~
       This is a test of the emergency broadcast system. Had
       there been an actual emergency, then you would no longer
       be here.
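The strategy Gary sketches above (allow lo0, allow only what you need, end with a blanket deny) as an added example ruleset that is not from this thread or any of the linked articles. It assumes Mac OS X 10.4 with ipfw2 at /sbin/ipfw; port 22 is a constructed placeholder for a service you choose to permit, and the rules use the stateless `established` keyword rather than the dynamic keep-state rules the thread says misbehaved on early Tiger.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ipfw ruleset in the style
# described above. Assumes Mac OS X 10.4 ipfw2; ALLOW_TCP_PORTS is a
# constructed default. Rules are emitted in ipfw rule-file syntax (the words
# you would type after "ipfw", one per line) so they can be reviewed first.

ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"   # inbound TCP services to permit

ruleset() {
    # Loopback first: local services (NetInfo among them) talk over lo0,
    # and blocking it can leave root reachable only from single-user mode.
    echo "add 100 allow ip from any to any via lo0"
    # Anti-spoofing: loopback addresses must never arrive on a real interface.
    echo "add 200 deny log ip from 127.0.0.0/8 to any in"
    # Stateless return traffic for TCP sessions that are already set up
    # (avoids keep-state/check-state dynamic rules, see the Tiger caveat).
    echo "add 300 allow tcp from any to any established"
    # Replies to our own DNS queries, plus the ICMP types needed for ping
    # replies, unreachable/path-MTU notices and traceroute.
    echo "add 400 allow udp from any 53 to me in"
    echo "add 500 allow icmp from any to any icmptypes 0,3,8,11"
    # Explicitly chosen inbound services; everything else stays closed.
    for port in $ALLOW_TCP_PORTS; do
        echo "add 600 allow tcp from any to me dst-port $port in setup"
    done
    # Everything this host originates may go out.
    echo "add 700 allow ip from me to any out"
    # Blanket denial, logged, placed before Apple's default rule 65535
    # (which is "allow ip from any to any").
    echo "add 65000 deny log ip from any to any"
}

last_rule()  { ruleset | tail -n 1; }
rule_count() { ruleset | wc -l | tr -d ' '; }

# Load the set (run as root): flush, turn on logging, then feed the rule file.
# Catch what breaks with tcpdump/Ethereal and add an allow rule above 65000.
load_ruleset() {
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    ruleset > "$tmp"
    /sbin/ipfw -q -f flush
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
    /sbin/ipfw -q "$tmp"
    rm -f "$tmp"
}
```

Run `ruleset` on its own to review the rules; `load_ruleset` applies them and needs root.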
  • Gary Kerbaugh Level 6 (18,040 points)
    Hi Bill,
       Oops, sorry. I didn't try the link; I just assumed that it was pointing to a web page. I hope you can imagine my shock to see Stefan's page come up. I understand it though. I administer a web server so I could set it up myself if I wanted but doing it from scratch certainly isn't worth that time. I gather that the site you found has scripted the creation of the referral. Thanks for suggesting that. I'd only thought of referrals as a way of dealing with moved websites. You were really thinking "out of the box" with this!
    --
    Gary
    ~~~~
       Why do they call it baby-SITTING when all you do is run after them?
  • Gary Kerbaugh Level 6 (18,040 points)
    Hi Andy,
   Thanks for that PDF. I might get into that at some point but my experience with the firewall has been purely configuration. I've done a little programming but never at the kernel level. My job is leading me further in the configuration direction so I don't know if I'll ever get to it but I'd like to, and I saved it.
    --
    Gary
    ~~~~
       What do you give a man who has everything? Penicillin.
             -- Jerry Lester
  • Bill Scott Level 6 (11,445 points)
    http://www.tinyurl.com and http://murl.info are free services for making short referrals to heinously long URLs, and also permit obfuscating the original link in your web page. Some sites prevent their clients from connecting, due to the propensity for abuse -- I could have linked you to a porno or neo-nazi page or something like that. I don't know if these guys who offer the service have a way of minimizing that.

    Anyway, if a URL is for some reason recalcitrant, it is a handy work-around.
  • Nils C. Anderson Level 4 (3,495 points)
    Gary,

    If you still have that post showing strategies for firewalls that would be great.

    Bill,

    Thanks for cleaning up that URL.

    Thanks,

    Andy