Ipfw in Leopard 10.5.2

I don't get it, it just doesn't work with the GUI in System Preferences > Security > Firewall. So everyone should be at least a Unix sysadmin.
Please give back all the firewall settings in the GUI that Mac OS X 10.4 had.
You made the 10.5 firewall GUI easy, but it's not functional, and even worse, it doesn't work!
Take a look at your work: http://img301.imageshack.us/img301/9461/ipfwwr3.jpg
10.5.2 is out and you didn't even bother to fix this issue!

Do some Google searches about the Leopard firewall. It operates at a different level than ipfw - though it still uses ipfw for Stealth Mode.
When set to 'Set access for specific services and applications', the firewall will alert you when an application attempts to listen for incoming connections, and you'll be asked if you want to 'allow' or 'block'.
As I said - some people don't like the new firewall. I don't really like it, but it might make sense, since many users are behind NAT firewalls with UPnP enabled by default. I prefer more control - but if I really need more, I can set it up on my WiFi router, which is running Linux.

Similar Messages

  • Ipfw in Leopard

    Does anyone have some good references on how to configure ipfw in Leopard?
    I have an app called WaterRoof, and it's good for doing the configuring, but I'd like some guidance on what a good (i.e. very secure) configuration should include.
    Thanks

    I'm not a firewall expert, but that won't stop me from offering suggestions!
    I think these two lines
    $IPFW add XXXX deny ip from 127.0.0.0/8 to any in
    $IPFW add XXXX deny ip from any to 127.0.0.0/8 in
    are a good idea because they block machines pretending to be loopback.
    Using CIDR notation, I also allow traffic on all ports for all the machines on my local subnet. I use something like
    $IPFW add XXXX allow ip from XXX.XXX.XXX.0/24 to any in
    I think this is fairly safe as the block is one of those reserved for LANs but, again, I'm not an expert.
    Next, I have a block for bad Internet citizens such as zombied machines and HTTP suckers. These lines look like (for IP ranges)
    $IPFW add XXXX deny ip from XXX.XXX.XXX.0/3 to any in
    or (for specific machines)
    $IPFW add XXXX deny log ip from XXX.XXX.XXX.XXX to any in
    This bad Internet citizen chunk is followed by these two lines
    $IPFW add XXXX allow tcp from any to any out
    $IPFW add XXXX allow tcp from any to any established
    to allow my machine to talk to the world unfettered and to allow established connections to persist if the firewall is rebooted.
    There is a large section of ports I keep open to tcp for services such as SSH, SMTP, BIND, HTTP, Bonjour and the like. They are of the form (each on a single line)
    $IPFW add XXXX allow tcp from any to any dst-port PORT in #SERVICE
    where PORT is replaced by the port number for the service, commented as SERVICE.
    For example
    $IPFW add XXXX allow tcp from any to any dst-port 22 in #SSH
    With the necessary ports open, I finish the firewall with
    $IPFW add XXXX deny log tcp from any to any
    $IPFW add XXXX allow icmp from any to any out
    $IPFW add XXXX allow icmp from any to any in icmptypes 0,8
    These lines, in order, 1) block tcp traffic on all other ports (not opened in the allowed-service block above it), 2) allow icmp traffic to go out to anywhere on the Internet, and 3) allow the rest of the world to ping my server as safely as I know how to set up.
    As a disclaimer, I have spent maybe a dozen hours or so trying to understand IPFW best practices and, to be honest, I'm much in the dark. Internet security is a big issue and doing it right is more than a full time job. However, I do think there are minimal IPFW configurations and I have done my best to put something together that meets these requirements while being workable.
    I have no illusions that this is an extremely secure setup and will let this stand as its own warning.
    To answer your question, I don't have any ready references because I cobbled my firewall rules over time and modified those rules whenever I, for example, came across a Slashdot post complaining about bad IPFW configurations.
    However, a quick google reveals this as a resource for getting started with IPFW which seems a clearly written introduction to IPFW.
    hth,
    Johnnie Wilcox
    aka mistersquid
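    As an added example (not mistersquid's own script), here is the ruleset he describes assembled into one ordered, loadable shell script. The rule numbers, the LAN and bad-citizen addresses, the chosen service ports and the IPFW dry-run variable are my assumptions; everything else follows the rules quoted above.

```shell
#!/bin/sh
# Added example: mistersquid's ipfw ruleset in one ordered script.
# All addresses below are constructed placeholders; edit LAN, BADNETS
# and BADHOSTS before loading this on a real machine.
#
# Dry-run by default: IPFW just echoes the ipfw commands it would run.
# To load the rules for real:   sudo IPFW=/sbin/ipfw sh ipfw_rules.sh
IPFW="${IPFW:-echo ipfw}"

LAN="192.168.1.0/24"        # constructed: the local subnet to trust fully
BADNETS="203.0.113.0/24"    # constructed: ranges dropped silently
BADHOSTS="198.51.100.7"     # constructed: single hosts dropped and logged

build_rules() {
    n=1000
    # Emit one rule with the next free number (steps of 100 leave room
    # to slot extra rules in later without renumbering).
    rule() { $IPFW add "$n" "$@"; n=$((n + 100)); }

    # Start from an empty table. Note this also drops any rules the
    # Leopard GUI added for Stealth Mode, which is implemented on ipfw.
    $IPFW -f flush

    # 1. Anti-spoofing: nothing arriving on the wire may claim to be loopback.
    rule deny ip from 127.0.0.0/8 to any in
    rule deny ip from any to 127.0.0.0/8 in

    # 2. Trust the local subnet on all ports.
    rule allow ip from "$LAN" to any in

    # 3. Bad Internet citizens: ranges silently, single hosts with a log entry.
    for net in $BADNETS; do rule deny ip from "$net" to any in; done
    for host in $BADHOSTS; do rule deny log ip from "$host" to any in; done

    # 4. Let this machine talk out freely, and keep already-established
    #    TCP conversations (ACK/RST set) alive across a rule reload.
    rule allow tcp from any to any out
    rule allow tcp from any to any established

    # 5. Services deliberately exposed, one rule per port.
    rule allow tcp from any to any dst-port 22 in   # SSH
    rule allow tcp from any to any dst-port 25 in   # SMTP
    rule allow tcp from any to any dst-port 53 in   # BIND
    rule allow tcp from any to any dst-port 80 in   # HTTP

    # 6. Every other TCP packet is dropped and logged; ICMP may go out
    #    anywhere, and only echo reply (0) and echo request (8) may come in.
    #    UDP is not matched by any rule here, so it falls through to the
    #    default rule 65535 allow, exactly as in the thread's 'ipfw show' output.
    rule deny log tcp from any to any
    rule allow icmp from any to any out
    rule allow icmp from any to any in icmptypes 0,8
}

build_rules
```

    Run it once without IPFW set to review the exact rule list before loading it.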

  • IPFW on Leopard / Tiger and AIRPORT CARD

    Hi All,
    I am creating a firewall rule using IPFW on my mac machine having an Airport card installed.
    The rule is as below
    ipfw add deny 802.11 from me to any 22
    ipfw add deny 802.11 from me to any 80
    ipfw add deny 802.11 from me to any 22 out
    ipfw add deny 802.11 from me to any 80 out
    But when I try to perform an SSH from another machine to this one and vice versa, it works! Ideally it should not work....
    However, if I replace the protocol "802.11" with "tcp", it blocks all SSH from and to my machine.....
    My doubt is: doesn't the Airport card belong to 802.11n/g technology?
    Please explain!!
    Network diagram
    macbook1 ))))) ((((( macbook2
    macbook 1 ---> created a test network (wireless)
    macbook2 ---> joined the test network created in macbook1 wirelessly.
    Many Thanks for your help!!
    reg,

    If you want to block these ports on a per-interface basis then you need to specify 'via en1' for your AirPort card, IIRC:
    ipfw add deny tcp from me to any 22 via en1
    although why you want to block outgoing SSH is beyond me.

  • MySQL port open in Leopard firewall (and in ipfw) but can't access

    Hi There,
    I'm trying to allow MySQL access to a Mac Mini dev server I've set up using MAMP Pro. I've installed OS 10.5 Server because I couldn't open a port manually using the Terminal under a Snow Leopard client install.
    *MAMP Pro:*
    - "Allow local access only" is unticked under MySQL
    *Leopard Server Admin:*
    - MySQL port 3306 is open for "any"
    - I can also see it's open if I run this from the terminal "$ sudo ipfw list"
    *Querious Database App:*
    - If I try to connect to the database from a client machine using Querious via 3306 or tunnel via ssh I can't connect
    *Network Utility:*
    - If I do a port scan from my client machine no ports are open on the Mac Mini
    *Other info:*
    - Stealth mode is off
    - The Firewall is the only service which is running in Server Admin
    - I can connect via ssh/terminal from this same client machine
    - I'm just trying to connect on a local network (so not through a router etc)
    Obviously I thought this would be much simpler than it is! Are there other things that need to be configured - do I have to forward the port onto MAMP Pro somehow?
    Not sure how it all works sorry so any help would be much appreciated.
    Cheers
    Ben

    Hi Ben,
    I have done some brief digging on MAMP and it would appear that you're trying to override the inherent features in OS X Server by using MAMP instead. Apache, MySQL and PHP are all inherent parts of OS X Server, minus the unified interface of MAMP. (phpMyAdmin is open-source and can be installed independently.) This may have been necessary on a non-server (client) version of OS X, but not for Server. As Harry pointed out, removing those elements from OS X Server is not a simple task and you would be far better off using the built-in versions over trying to bypass them to run MAMP.
    3306 is the default port for MySQL, so your pings are reaching the mysql service. You may run into the same problem as I did when trying to establish external connections to mysql from anywhere other than on the host machine (whether that be across a LAN or via the Internet through PHP commands to the mysql service), since requests from anything other than the localhost will be rejected. Working around that with MAMP is not well documented. phpMyAdmin doesn't get under the hood to make the changes needed to allow requests from other hosts.
    The MAMP documentation is also lacking on how one can get under the hood of its mysql service, other than that you can access it through Terminal at:
    /Applications/MAMP/Library/bin/mysql
    in which case all normal mysql commands should work when working in that directory:
    /Applications/MAMP/Library/bin/mysql --host=localhost -uroot -proot
    All in all, though, I think it would be far easier to use the built-in versions. OS X Server is configured to work with what is already there and Apple's support documentation is built around that. Trying to get MAMP working means that you're pretty much on your own trying to figure out the whats, hows and whys when things aren't working. The Server Admin application gives you access to all those services (at least at a base level, excluding phpMyAdmin).
    For 10.5 Server, the built-in version of MySQL is 5.0.91; PHP version is 5.2.14; Apache version is 2.2.14, all of which are mostly-current, stable releases.
    I don't have any /mysql/msql directories inside the /var/ directory.
    That is really odd, as they should be there for an installation of Server.
    -Doug

  • Snow Leopard & IPFW logging

    Hello,
    Just wondering if IPFW logging is broken in 10.6. I'm using my own IPFW firewall since 10.5 and I noticed that after the 10.6 upgrade, IPFW is still working but doesn't log anything anymore. I noticed that the /etc/syslog seems to have changed at some point. Here's an extract from the backed up one that was working on 10.5:
    install.* /var/log/install.log
    install.* @127.0.0.1:32376
    local0.* /var/log/ipfw.log
    Now in 10.6 this looks like this:
    install.* /var/log/install.log
    install.* @127.0.0.1:32376
    local0.* /var/log/appfirewall.log
    local1.* /var/log/ipfw.log
    And I haven't changed that because then I would have backed it up. So for instance my SSH rule looks like this:
    # Allow SSH inbound
    add 00700 set 3 count log tcp from any to any dst-port 22 in setup
    add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state
    But my ipfw.log is exactly 0 bytes long and empty... and I definitely get hits on the rules. Here is an extract from 'ipfw show':
    00700 2 104 count log logamount 100 tcp from any to any dst-port 22 in setup
    00701 1888 250506 allow tcp from any to any dst-port 22 in setup keep-state
    And yes, the appfirewall.log is also empty which seems to have now taken over the local0 log facility... (the App firewall is not enabled)
    Any help is appreciated.
    Thanks!
    Frank

    piknyc wrote:
    I had the same problem and can't remember exactly what I did to fix it but I think this was it.
    I added the below to /etc/syslog.conf and restarted:
    put this at the top
    !ipfw
    this at the bottom
    \. /var/log/ipfw.log
    This had strange effects in snow leopard. It had no effect on the output of appfirewall.log, but now ipfw.log fills up with everything.
    All I want is a clean logfile with my ipfw logs, not spammed by the appfirewall. I've tried changing the /usr/libexec/ApplicationFirewall/com.apple.alf.plist loggingenabled key to 0 and restarting, but it had no effect.

  • PIX logging to syslog on Mac OS X leopard Client - how to make it work?

    We just can't seem to make the log entries show up in the syslog or router.log!!!
    We have enabled remote logging on the PIX firewall.
    On Leopard, we have enabled Stealth Mode. So we get the following message:
    Stealth Mode connection attempt to UDP 192.168.1.22:514 from 192.168.1.11:514
    Which means the Mac (w/leopard 10.5.1) is getting the logging messages. This was separately confirmed with tcpdump too. We think it is either:
    a) a syslogd config issue (where UDP/514 messages are not accepted)
    b) or a Leopard firewall issue. We have set the firewall to "Allow all incoming connections". But that didn't help.
    So we think it is a syslogd issue. So we modified the /System/Library/LaunchDaemons/com.apple.syslogd.plist.
    Tried the following:
    1. -n -a srchost_ip/32 - to limit entries from one specific host
    2. -udp_in 1 - saw this in a specific version of the syslogd man page
    Also added entries via ipfw.
    00100 allow udp from 192.168.1.22 to any dst-port 514
    33300 deny icmp from any to me in icmptypes 8
    65535 allow ip from any to any
    We also modified the syslog.conf. And tested entries using logger. That worked.
    But we simply haven't been able to log messages from another box/device (cisco pix firewall in this case).
    What are we doing wrong? Can anyone help?
    Thanks!
    --sp
    Message was edited by: sp2007

    I just noticed some of my messages from a remote device are showing up in ipfw.log - not as stealth notifications or any other type of error message, mind you, but the actual full syslog message just as I would expect. No matter what I do to /etc/syslog.conf, remote messages show up there.

  • Airport Express & Leopard Firewall

    I have 2 AEXs connected to my wireless network (Linksys WRT54GS). They work fine when my Leopard firewall is set to allow all incoming connections, but don't show up in either iTunes or Airport Utility when the firewall is on, despite me still being able to access my router & the internet. I have set Airport Utility to accept incoming connections in the firewall settings.
    I didn't have this problem with Tiger. Any ideas what's going on? Is there a way that I can have the firewall on & still connect with my Airport Expresses?
    Thanks.

    Sorry my friend, but the firewall is the problem. When it is switched on AirTunes does not stream, and when it is switched off it works fine. I, and it seems others on this forum, have checked this a number of times - I did at least a dozen times or so. Firewalls are not just on the border of the network as you seem to be suggesting; they can also protect an individual machine, and each comes with its own application and/or ipfw firewall.
    There is no question about the fact that the *OS X Server* Firewall/AirTunes have an incompatibility, the question is how to resolve it...
    Thanks for trying anyway.

  • Sudo ipfw list open port?

    So I did a "sudo ipfw list" in the terminal window and I got an open 63353 port. Naturally, I assumed that since my P2P software had just opened, and I said yes to the Leopard app firewall, it was this port number that was assigned to the P2P app.
    Now, I went into my router and also opened up the same corresponding number there (both tcp & udp).
    Still I'm getting a message saying the port is stealth.
    Am I correct in assuming that the Leo app firewall did open 63353 for P2P or does it conceal open ports from a sudo list command?
    Also, is the app firewall stealthing its open ports too? This would mean that if the router is set to stealth and app firewall is stealth, I get a double stealth port? huh does this make sense? I have never had to remove the "stealth ports" from the router before. There has been no prob on that end.
    Any help from apple would be greatly appreciated.

    I only enable my firewall on my laptop as it moves around and joins many different networks. That being said I have locked it down using the Application Firewall and IPFW.
    However my desktop computers in my office rely on the firewall my router provides. I use little snitch to firewall my outgoing connections and that is enough security for me.
    I will turn it off completely and just run the firewall on the router and hope it works like it used to. thx all.
    If you turn it off you can also flush out any IPFW rules with the command
    sudo ipfw flush

  • Problem with Internet Sharing using Leopard

    Hello,
    After upgrading to Leopard (10.5.1) the internet sharing feature stopped working.
    I used to share my 3G modem connection over the Airport. But now, the devices I connect to my MacBook using “Internet Sharing” won’t access the Net.
    I noticed two things (perhaps unrelated); first, upon activation of the Internet sharing, the natd process goes to 99% and stays there.
    Second, although I can always ping the gateway from the other devices (after they get IP, gateway and DNS using DHCP), I can only ping the connected devices from the gateway for about 5 seconds; after that, any device connected to my Mac won't respond to ping.
    During those 5 seconds all other devices are able to access the internet, after that, I have to restart the Internet sharing to let other devices connect for another 5 seconds.
    The gateway is a Macbook running 10.5.1 and the clients are an iMac intel and an iPhone.
    This is the error I found on the console:
    12/14/07 10:06:35 PM com.apple.launchd[1] (com.apple.InternetSharing) Unknown key: SHAuthorizationRight
    Everything was working until I upgraded from 10.4 to 10.5 any hints on how to solve the problem will be appreciated.

    Hello mreckhof
    My firewall settings are:
    Allow any incoming connections
    the ipfw list shows:
    65535 allow ip from any to any
    The strange thing is that the connection works for about 5 seconds as soon as I enable internet sharing, after that, the devices stop accessing the net. The ping shows connectivity from the gateway to one of the devices but only for 5 seconds,
    Here is the system.log
    Dec 15 11:48:46 SebKe com.apple.launchd[1] (com.apple.InternetSharing): Unknown key: SHAuthorizationRight   <-- this looks suspicious
    Dec 15 11:48:47 SebKe named[1170]: starting BIND 9.4.1-P1 -c /etc/com.apple.named.conf.proxy -f
    Dec 15 11:48:47 SebKe named[1170]: running
    Dec 15 11:48:48 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet8(7) Flags 8863 Family 2 192.168.94.1 has different family: 0
    Dec 15 11:48:48 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet1(8) Flags 8863 Family 2 192.168.200.1 has different family: 0
    Dec 15 11:48:48 SebKe mDNSResponder[15]: Note: Frequent transitions for interface en1 (10.0.2.1); network traffic reduction measures in effect
    Dec 15 11:48:48 SebKe mDNSResponder[15]: SetupAddr invalid sa_family 0
    Dec 15 11:48:49 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet8(7) Flags 8863 Family 2 192.168.94.1 has different family: 0
    Dec 15 11:48:49 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet1(8) Flags 8863 Family 2 192.168.200.1 has different family: 0
    Dec 15 11:48:49 SebKe mDNSResponder[15]: Note: Frequent transitions for interface en1 (FE80:0000:0000:0000:0219:E3FF:FE00:B5A1); network traffic reduction measures in effect   <-- Could this be the problem?
    Dec 15 11:48:49 SebKe mDNSResponder[15]: SetupAddr invalid sa_family 0
    Dec 15 11:48:53 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet8(7) Flags 8863 Family 2 192.168.94.1 has different family: 0
    Dec 15 11:48:53 SebKe mDNSResponder[15]: getifaddrs ifa_netmask for vmnet1(8) Flags 8863 Family 2 192.168.200.1 has different family: 0
    Dec 15 11:48:53 SebKe mDNSResponder[15]: SetupAddr invalid sa_family 0
    Dec 15 11:49:23: --- last message repeated 1 time ---
    Dec 15 11:49:28 SebKe kernel[0]: ath_newassoc:mac=00:1c:b3:3c:ee:b5 Caplag=0x0 Flags: SHORTGI
    Dec 15 11:49:28 SebKe bootpd[1169]: can't open /etc/bootptab
    Dec 15 11:49:28 SebKe bootpd[1169]: server name SebKe.local
    Dec 15 11:49:28 SebKe bootpd[1169]: interface en1: ip 10.0.2.1 mask 255.255.255.0
    Dec 15 11:49:28 SebKe bootpd[1169]: interface en1: ip 169.254.169.251 mask 255.255.0.0
    Dec 15 11:49:28 SebKe bootpd[1169]: interface vmnet8: ip 192.168.94.1 mask 255.255.255.0
    Dec 15 11:49:28 SebKe bootpd[1169]: interface vmnet1: ip 192.168.200.1 mask 255.255.255.0
    Dec 15 11:49:28 SebKe bootpd[1169]: interface ppp0: ip 170.51.166.249 mask 255.255.0.0
    Dec 15 11:49:28 SebKe bootpd[1169]: DHCP REQUEST [en1]: 1,0:1c:b3:3c:ee:b5 <iSebke>
    Dec 15 11:49:30 SebKe named[1170]: client 10.0.2.7#5353: RFC 1918 response from Internet for 7.2.0.10.in-addr.arpa
    After this, the ping will stop reaching the other device.
    The gateway ip is 10.0.2.1
    64 bytes from 10.0.2.7: icmp_seq=47 ttl=64 time=1.581 ms
    64 bytes from 10.0.2.7: icmp_seq=48 ttl=64 time=1.687 ms
    64 bytes from 10.0.2.7: icmp_seq=49 ttl=64 time=1.631 ms
    64 bytes from 10.0.2.7: icmp_seq=50 ttl=64 time=1.684 ms
    64 bytes from 10.0.2.7: icmp_seq=51 ttl=64 time=1.671 ms
    64 bytes from 10.0.2.7: icmp_seq=52 ttl=64 time=1.656 ms
    64 bytes from 10.0.2.7: icmp_seq=53 ttl=64 time=6.849 ms   <-- After here it just stops responding
    the time is also pretty bad
    Message was edited by: sebke

  • Mac OS X Leopard Firewall/default open ports rpcbind?

    Hi,
    I'm looking into hardening/securing Mac OS X Leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are Leopard's default open ports on a fresh install?
    Also is there any way to run openbsd/freebsd PF firewall?
    Thanks!

    This is what nmap reports:
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
    Warning: Unable to open interface vmnet8 -- skipping it.
    Warning: Unable to open interface vmnet1 -- skipping it.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 993 closed ports
    PORT STATE SERVICE
    111/tcp open rpcbind
    631/tcp open ipp
    1021/tcp open unknown
    1022/tcp open unknown
    1023/tcp open netvenuechat
    2049/tcp open nfs
    49152/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
    netstat -a | grep LISTEN confirms:
    tcp6 0 0 localhost.ipp . LISTEN
    tcp4 0 0 *.49152 . LISTEN
    tcp4 0 0 *.1021 . LISTEN
    tcp4 0 0 *.1022 . LISTEN
    tcp4 0 0 *.sunrpc . LISTEN
    tcp4 0 0 *.nfsd . LISTEN
    tcp4 0 0 *.1023 . LISTEN
    tcp4 0 0 localhost.ipp . LISTEN
    tcp6 0 0 localhost.ipp . LISTEN
    Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
    Any suggested IPFW rules?
    Here is what 'ipfw show' returns:
    3300 36 2160 deny icmp from any to me in icmptypes 8
    65535 866558 351141790 allow ip from any to any
    Thanks,
    Juan

  • Firewall, Internet Sharing, and Leopard

    Hi guys,
    Here is my scenario: I use my Macbook to connect to a public wifi network in my apartment complex. I use my Macbook for internet sharing (wifi to ethernet) and have a Win!@#s machine which I use for gaming hooked up to the ethernet port. In Tiger, I was allowed to let the game (World of Warcraft) through the firewall by adding the tcp ports it used. But in Leopard I am not given the option to enable certain ports, only applications. The problem is, the application actually runs on the Windows machine, so I can't just select it.
    I've been reading a bit and it appears Apple did away with the port filter method and has adopted this new application only method. I find it frustrating and the developers should have known better than to disable this feature. It has severely limited the security in the operating system and has cast away power users like myself.
    Is there anyway to work around this issue? Either with 3rd party software or some other way?
    Message was edited by: Frank Cabrera

    I agree, Apple really blew it by trying to re-invent the firewall.
    Not having the ability to open or block traffic by port and IP address was a terrible idea.
    Limiting it to Applications only makes the firewall almost useless.
    I would like this idea if I was also allowed to choose for myself.
    This is a technological step backwards!
    Many many people feel the same way and some are now relying on the still built in ipfw which is a commonly used and quite robust firewall. Unfortunately it is very difficult to configure unless you really know what you are doing. I am sure this was one of the primary reasons why Apple made this decision.
    Search around this forum for ipfw and you will find a bunch of info. Just beware it is not exactly user friendly even with some nice GUI apps that help you configure it.
    Send feedback to Apple about this or it will never get fixed.

  • Latest EyeTV doesn't work with remote after installing latest candelair, 1.20 no option in preferences to activate snow leopard?

    After upgrading to Snow Leopard my mac remote no longer works with EyeTV. Have checked EyeTV is the latest version, have also installed the latest Candelair which other users have advised needs to have snow leopard activated in the preferences but on my version there is no mention of this in the preferences pane.
    Just lists...
    Driver version 1.20 installed
    The remote control infrared receiver is enabled
    This computer only works with the remote with ID 27 (after I paired it)
    Issues with your remote?
    Can anyone advise?
    Thanks

    So, I figured it out myself. Way back in time I had set up some ipfw rules that I had completely forgotten about, which included this:
    01000 allow ip from 192.168.0.0/16 to me dst-port 5900 in
    Since I switched to the AEBS, of course the IP range changed to 10.0.1.x, so ipfw was blocking it. Problem solved.
    Now I just need to figure out why my AEBS keeps crashing..

  • Leopard Firewall Security

    I am concerned about the security holes in Leopard mentioned in this Article:
    http://www.eweek.com/article2/0,1895,2209676,00.asp?kc=EWKNLBOE110307STR1
    http://tinyurl.com/35mb6q
    I would have expected Leopard to be more secure. If it is not, then Apple will have a real problem. The preference settings for the firewall seem to offer less functionality than in Tiger. It is not 100% clear what, if anything, the firewall is doing. Apple is usually good at simplifying setup but still enabling finer control of settings if necessary. They may have done that, but it is not clear from the preference screens.
    At this point I'm not sure if my system is more or less secure than it was prior to my upgrade to Leopard.
    Thanks,
    Dana

    See my post
    http://discussions.apple.com/thread.jspa?messageID=5742612#5742612
    If you are behind a (wireless) router then it will have a firewall built in and you should be fine.
    If you are not - if you are totally exposed to the Internet - then with Leopard firewall turned on you should be OK. But if you are directly connected to the Internet you may wish to use a better front-end config program for the OS X firewall:
    http://www.hanynet.com/waterroof/
    The operating system firewall built into OS X - IPFW - is actually very capable and very robust. But it has to be configured. The Leopard GUI front-end only creates a very basic config, WaterRoof and software like it can make the computer very secure including controlling what is allowed out as well as what is allowed in.

  • UNSAFE - VPN ignores ipfw firewall

    It appears to me that when connecting with a VPN, Snow Leopard ignores the ipfw firewall, letting all traffic in.
    The situation is this. I'm connecting to a commercial VPN provider, and I am given a public IP address. Suddenly my Mac, which was otherwise protected behind a NAT router, is exposed to the Internet. All my services that I want available on the LAN are exposed to the public. I only want port 22 (ssh) exposed on that interface (ppp0).
    The firewall ipfw should accomplish this for me, but it seems that traffic over ppp0 doesn't get processed through ipfw. I've reduced my ruleset to one "deny" rule to verify that the firewall is active and illustrate the problem. For testing I'm blocking port 80 instead of 22.
    deny log logamount 65535 tcp from any to any dst-port 80 setup in
    If I try curl 10._._.104 from another computer (the local IP address), I properly get no response, but if I try curl 68._._.181 (the public IP address from the VPN), I get a response, which I shouldn't.
    I can't find any information on this. Is there a reason why the VPN traffic over interface ppp0 would bypass ipfw?
    If I configure the application firewall in System Preferences to "Block all incoming connections," then ppp0 traffic is blocked. That's great, but I only want to block ppp0, not en0 or en1.
    What is this? Bug? Misconfiguration?
    -Rob
    ifconfig:
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
              inet6 ::1 prefixlen 128
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
              inet 127.0.0.1 netmask 0xff000000
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              ether 10:9a:dd:53:d5:1a
              media: autoselect (none)
              status: inactive
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
              lladdr 70:cd:60:ff:fe:21:fe:24
              media: autoselect <full-duplex>
              status: inactive
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              ether 10:9a:dd:ad:f7:fb
              inet6 fe80::129a:ddff:fead:f7fb%en1 prefixlen 64 scopeid 0x6
              inet 10.42.23.104 netmask 0xffffff00 broadcast 10.42.23.255
              media: autoselect
              status: active
    vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              ether 00:50:56:c0:00:01
              inet 192.168.246.1 netmask 0xffffff00 broadcast 192.168.246.255
    vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              ether 00:50:56:c0:00:08
              inet 192.168.251.1 netmask 0xffffff00 broadcast 192.168.251.255
    ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
              inet 68.68.40.181 --> 68.68.40.129 netmask 0xff000000
    ipfw list:
    02009 deny log logamount 65535 tcp from any to any dst-port 80 setup in
    65535 allow ip from any to any
    sysctl net.inet.ip.fw:
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.autoinc_step: 100
    net.inet.ip.fw.one_pass: 0
    net.inet.ip.fw.debug: 0
    net.inet.ip.fw.verbose: 2
    net.inet.ip.fw.verbose_limit: 65535
    net.inet.ip.fw.dyn_buckets: 256
    net.inet.ip.fw.curr_dyn_buckets: 256
    net.inet.ip.fw.dyn_count: 0
    net.inet.ip.fw.dyn_max: 4096
    net.inet.ip.fw.static_count: 3
    net.inet.ip.fw.dyn_ack_lifetime: 300
    net.inet.ip.fw.dyn_syn_lifetime: 20
    net.inet.ip.fw.dyn_fin_lifetime: 1
    net.inet.ip.fw.dyn_rst_lifetime: 1
    net.inet.ip.fw.dyn_udp_lifetime: 10
    net.inet.ip.fw.dyn_short_lifetime: 5
    net.inet.ip.fw.dyn_keepalive: 1

    I've confirmed this behavior with Lion too. The VPN bypasses the ipfw firewall entirely but not the app firewall. The ipfw firewall is completely impotent with a VPN.
    -Rob

  • "Shields UP! Leopard Firewall Test"

    I have been testing my firewall here. http://www.grc.com/x/ne.dll?rh1dkyd2
    These are the results I am experiencing.
    Shields Up test results are the same for me on all 3 firewall settings, with stealth enabled.
    Allow all incoming connections
    Block all incoming connections
    Set access for specific services and applications.
    On all 3 settings ports 136, 137, 139, and 445 are stealth. Ports 53 and 23 are open, and all others are closed. My computer fails the "solicited TCP Packets" and "Ping reply" tests, and passes the unsolicited packets test. No matter which of the 3 firewall settings I use, the test results are the same.
    Can anyone explain to me why all the results are the same regardless of the setting?

    Ferd,
    I actually don't know yet. I read the server link from a google ("leopard macosx server firewall"), http://www.heise-security.co.uk/articles/98120. If you want to know the truth, I got out my New Rider's "Linux Firewalls" by Robert Ziegler, second edition, and was starting to read through it. It does give ipfw examples, but admittedly I have not implemented them yet and was only really considering using them for my MacOSX server which I mentioned in my prior post. It is behind a Linksys router. So, it is somewhat secure, but it is my second line of defense. ipfw looks to be a PITA however.
    As far as I know, no one has broken into my Mac Book Pro under Tiger with all services off but web-sharing and I have never done a port scan on it. (I use web-sharing for a localhost website that I have restricted to just localhost via apache.)
    The article mentioned above looks to be valid and I will be doing port scans on Leopard server when I get it installed to see if any holes exist.
    Anyway, that is where my post came from and it was only a suggestion. Hope that helps.
    An Inconvenient Carbon Credit,
    I would suggest that you submit your findings to http://www.apple.com/feedback/macosx.html so that Apple will know about it, and I would specifically state how you performed the tests. HTH
    Message was edited by: Bob White
