Osx firewall vs ipfw

Hello:
Could someone please explain how the OSX firewall and the ipfw rules play together or point me to an article about it?
First of all, the man ipfw states that ipfw is deprecated.
What I am trying to understand is related to this post: http://www.petefreitag.com/item/753.cfm
The Cisco AnyConnect VPN client alters the firewall rules via ipfw commands and, if split-tunneling has not been configured on the VPN server, it blocks all access to the outside world. The blog suggests that the line that denies the traffic in the ipfw list should be removed in order to free the traffic. Would this leave the computer vulnerable? What about the OSX firewall (accessible through -> Security & Privacy -> Firewall)? I don't understand how these two pieces fit together at OS level...
Thanks

Similar Messages

  • I am not reachable, but forwarded the port in AE & OSX Firewall

    hi,
    I forwarded the port 49500 for my bittorrent client, using with macgamefiles for example, in my OSX firewall and my AirPort admin tool.
    49500 … 10.0.1.2 … 49500
    My torrent client is running, but when I check it at www.canyouseeme.org I get an error: Error: I could not see your service on 85.xx.xxx.xxx on port (49500)
    - why?
    - which port can I test at www.canyouseeme.org, to see if my PowerBook is reachable at all?
    - why is my private IP 10.0.1.2, as listed in the AirPort port forward, because when I open the AirPort admin tool it shows: 10.0.1.1
    - how can I access my AirPort from a browser? (Safari)
    - what is DMZ? someone told me to do that
    thanks

    thanks for the link
    that's a bit hard to understand for a network novice like me.....
    in the network prefs, I have this IP: 10.0.1.3
    so I change it on the router also..
    actually, the funny thing is that I am not aware at all what I am doing here, I play trial and error, but have no insight....
    maybe it will work....thanks

  • How to set up the OSX Firewall to allow incoming access to nginx?

    Hello!
    How to set up the OSX Firewall to allow incoming access to nginx (any port)?
    Local access is all fine, but when I try to open http://<myip>:<port> from outside (another device on the same network) there is no answer.
    If I turn off the Firewall all works fine, but I want to keep my safety.
    Adding the "nginx" binary file to the Firewall list doesn't help.

  • Need to use OSX firewall?

    As I understand it, currently there are no virus or worms out there which will infect Macs. So I haven't bothered to use the OSX firewall, but is it worth having on? And if so, what are the best settings to use?

    Hi Robin, you're confusing viruses and worms (there are none for OS X) with hackers/crackers looking for a target. While it is unlikely that your Mac would get hacked, using the firewall gives you some cover as Karl explains. If you have a router in addition to your modem then you are already behind a hardware firewall and may not want to/need to enable the OS X built-in one.
    -mj
    [email protected]

  • Netbarrier and OSX firewall

    Hi
    Does the above utility offer any benefits that the OSX firewall doesn't? I tested my setup and everything is in stealth but my IP is visible. NetBarrier offers many other options based on web surfing but I am always looking to keep my system as safe as possible without unnecessarily wasting money.
    Also, what is the stability of this utility with Tiger... or any adverse conditions?
    thanks

    It should function properly under Snowie. The two won't clash because NetBarrier uses a different firewall technology than SL or Leopard. It uses stateful packet filtering as opposed to Snowie's active application (program) filtering.
    Now whether or not it adds anything useful to the mix may be questionable. If you're on a laptop in a wi-fi cafe, sure, you need all the help you can get. If you are at home behind a router that has a properly configured hardware firewall, it is probably just consuming CPU cycles.
    The little bit of testing I have done on Snowie's firewall shows it to be a good one. It remains completely stealthed when bombarded with various port scanners. It stops unauthorized traffic real well and reports it in the logs.
    Kj ♘

  • OSX firewall vs. 3rd party

    I am new to Macs (just 5 months). Since I am a Comcast customer, I get Norton security at no additional cost. I have installed that on my MBP without any apparent downside that I can see. I was curious, though, about opinions of the firewall built into Lion vs. the Norton Firewall. Does the Lion firewall receive more timely or better updates than Norton? For instance, I saw that the Lion firewall had an option to automatically update the safe download list, but obviously I can't do that if the OSX firewall is disabled, because I have the Norton firewall installed. Any opinions about the range of functionality or customization between the two? I do use a router, which also has a firewall.
    Thanks for your help,
    Dave

    There's really no immediate need for anti-virus software on the Mac since there are no extant viruses affecting OS X. As for the firewall if you have a hardware router as part of your local network then there's little need for firewall protection beyond what is provided in OS X or by your router.
    My suggestion is that your computer will have fewer potential problems if you uninstall the Norton software.

  • AEBS Firewall - OSX Firewall

    Through my SysPrefs/Sharing I currently have the OSX (10.3.8) software firewall turned OFF. My cable modem is connected to the AEBS WAN port and the G5 is connected to the LAN, the iBook has the Airport Extreme card.
    It was my understanding that because the AEBS has a hardware firewall, the use of the OSX software firewall wasn't necessary and can cause conflicts if used with the AEBS firewall.
    In the SysPrefs/Sharing of both the iBook and G5, under the Services & Firewall tabs, Personal File Sharing is the only option I have checked. I don't have any entries in the Port Mapping section of the AEBS' configuration.
    The only file sharing I really care about is between my G5 and my iBook, allowing others access to public folders is not a concern and I'd just as soon not allow it if I can still have my G5 & iBook sharing files.
    I'm not really clear on the proper uses/functions of the Services and Firewall sections under the Sharing preferences, can someone set me straight and let me know if I should have it configured differently for the way I'd like it to work?
    Thanks.
    Patrick

    The AEBS has NAT or Network Address Translation, which hides the Internet Protocol address of each computer behind the router while still allowing all these machines to send and receive data from the Internet.
    NAT is integral to safe computing, but it's not a firewall -- it can't prevent malicious code on your machine from "phoning home" to another site.
    Many consumer wireless routers now offer a hardware firewall in the form of a Stateful Packet Inspection Firewall (SPI). SPI monitors both incoming and outgoing packets and will block either that are not in response to a specific request.
    SPI adds additional security but must be customized for each setup and if done incorrectly makes you less secure.

  • OSX Firewall Settings

    In my new iMac (Intel) OS 10.4.8, the sites I manage with DW will connect but not LIST. If I turn the Firewall off, the files will LIST; Firewall on, they won't. I can access and LIST all sites fine on my PC (Windows XP), just not with the Firewall in OS 10.4.8. Tried both passive/active FTP options but neither works.
    Anybody got an idea how to solve it?

    Hi Ian,
    Go to http://www.apple.com/server/documentation/ and download the NetworkServices_Adminv10.5.pdf manual. Information on the Firewall and its configuration are in there. Most everything you need to know about running Leopard OS X Server is on that page. The rest is in these forums and at http://www.afp548.com and http://osx.topicdesk.com for starters.
    Good luck with your new server software.
    Larry

  • Resetting the OSX Firewall

    I was having some network issues and in the course of it I tried specifically stating an app could have access through the firewall.
    Now nothing seems to get through but web browsing. No Yahoo (even though I added it as an App), no Apple Update, no Front Row, no connecting to my AirPort router, nothing.
    I added Front Row, Yahoo messenger, AIM, etc, as specific applications even with permissions for both directions but that didn't help. I see the response coming back from the app's servers in the Firewall log even.
    Other than selecting Allow All Incoming Connections, what can I do to reset everything so it can redetermine what to allow and not allow?
    Christopher

    Answer never found in forums.

  • OSX Firewall

    Hello All,
    I would like to know: is the MacOSX firewall really necessary? I thought I read some conflicting views. I feel like I've been conditioned to turn it on for all eternity. One other thing, if you'll indulge me: is Little Snitch a good idea? And does it affect the performance of MacOSX? Sorry if these questions seem elementary, but they've been burning for a while. Thanks!
    Joseph

    MacJoseph wrote:
     I would like to know is the MacOSX firewall really necessary?
    It's an added security layer. It should be on. It's only an incoming firewall.
    MacJoseph wrote:
     is Little Snitch a good idea? and does it affect the performance of MacOSX?
    OS X's performance isn't bothered by Little Snitch.
    Little Snitch is an outgoing firewall that catches the behind-the-scenes action going on behind your back.
    So let's say you downloaded this program and it calls out over the internet 20 times a day; that should raise a flag, because if it's just checking for updates, why 20 times a day?
    Apple's Address Book used to contact Apple's servers, which was a bit strange, until it was found out it was part of .Mac and syncing contacts. It doesn't do that anymore.
    So Little Snitch keeps honest people honest.
    Now when you visit a webpage sometimes ports get opened up and strange connections are going on; Little Snitch will warn you of those and you can stop the connection.
    If you get malware on your system unawares, Little Snitch will catch the "phoning home" before it starts, just keeping you in the loop.
    Most "standard users" don't need to do anything but use their computers; it's for those who just like to keep tabs on things.

  • With OSX firewall and firewall on router, do you really need Netbarrier?

    With the native firewall and what the router provides do you really need to spend the extra money. I understand the need for anti virus but... do you really need something like Netbarrier from Intego?

    I agree with Roam, but if you are still in doubt, check these out...
    ClamXAV, free Virus scanner...
    http://www.clamxav.com/
    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html
    HenWen/Snort combo, that is a free MAJOR Firewall...
    http://seiryu.home.comcast.net/henwen.html
    Then the venerable old BrickHouse/Flying Buttress Firewall...
    http://personalpages.tds.net/~brian_hill/downloads.html
    WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features.
    http://www.macupdate.com/info.php/id/23317

  • OSX is blocking ports with firewall turned off...

    I just purchased an iMac last week. I am not new to Macs, but this is my first one in a few years so I am new to Leopard. The problem I've been having is strange. It seems that port 5190 is totally unreachable. This makes it impossible to connect to AIM and use file transfer. I know I can connect on port 443, but file transfer doesn't work on that port. I also can not connect to certain streaming video websites. Justin.tv is one of them. On that site, the page loads perfectly, but no video loads. Other ports could also be affected but as of now, 5190 is the only one I know for a fact not to be working. I am behind a router, but I have 5 other PCs using the router with no problems. Everything works great on the Windows machines. I have also tried to directly connect the Mac to my cable modem. That didn't work. The blockage is local to this machine. I have disabled the OSX firewall and that did nothing. I am at a total loss here. If there is anyone that has an idea, I would very much appreciate it.
    thanks

    Just to make sure, by disabled the firewall, you've set it to Allow all incoming connections?
    Can you Ping it on that port? You may need to make sure Stealth mode is turned off in the Advanced button of Firewall System Prefs. While there, enable logging. Try to connect and see what the log produces.

  • Tiger kernel compiled for allow any to any ipfw firewall rules?

    Hi everyone,
    I was wondering about the kernel state for firewall connections in ipfw. If you run an ipfw list, you will see the last command as an allow any to any. This appears to be a default open state firewall configuration.
    The man pages for ipfw state the following:
    "An ipfw ruleset always includes a default rule (numbered 65535) which cannot be modified or deleted, and matches all packets. The action associated with the default rule can be either deny or allow depending on how the kernel is configured."
    Is there a way to implement a default closed firewall with ipfw in the kernel in Tiger? Default allow any to any appears to be a bit of a security hole.
    Thanks for your input, I greatly appreciate it!
    -Allen

    OK, perhaps it is silly for me to reply to my own thread, but I think the following will work:
    in the firewall.conf, add a deny any to any before the default allow any to any... something like:
    add 5400 deny log all from any to any in via en0
    kudos goes to a user on macosxhints for suggesting this. Since ipfw rules will be run in order, this line will run before the default allow, and should trap all ip traffic not explicitly allowed in the firewall list already.
    Hope this helps someone!
    -Allen
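    The ordering behaviour Allen relies on can be checked without a Tiger box. What follows is an added example, not code from the thread and not ipfw itself: a toy Python evaluator for the slice of ipfw rule syntax that appears in the listings on this page. The ruleset is a constructed subset of the Leopard Server "ipfw show" listing further down the page (counters dropped) plus Allen's rule 5400; the packets use documentation addresses. It shows the default-open effect of rule 65535, and a caveat a practitioner would want: ipfw stops at the first match, so a catch-all deny numbered 5400 also runs ahead of every allow numbered above it (here the SSH allow at 12302), which is why the Leopard Server listing puts its catch-all deny at 65534, the highest number below the immutable default. The same first-match rule is why a deny inserted at a low number by a VPN client, as in the AnyConnect question at the top of the page, wins over everything after it.

```python
"""Toy first-match evaluator for ipfw-style rules (added example; this is not ipfw).
Supported syntax is only what this page's listings use: allow/deny/fwd, ip/all/tcp/udp/
icmp/igmp, 'any' or CIDR endpoints, dst-port, in/out, via, established, icmptypes."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or "igmp"
    src: str
    dst: str
    dport: int = 0
    direction: str = "in"      # "in" = arriving on iface, "out" = leaving it
    iface: str = "en0"
    established: bool = False  # TCP segment of an already open connection
    icmptype: int = -1

@dataclass
class Rule:
    num: int
    action: str                # "allow", "deny" or "fwd <target>"
    proto: str                 # "ip" and "all" match every protocol
    src: str
    dst: str
    dports: list = field(default_factory=list)
    opts: dict = field(default_factory=dict)

def parse_rule(line: str) -> Rule:
    """Parse one line of 'ipfw show' / 'ipfw list' output or an 'add NNN ...' line."""
    tok = line.split()
    if tok[0] == "add":
        tok = tok[1:]
    i = next(j for j, t in enumerate(tok) if t in ("allow", "deny", "fwd"))
    action, i = tok[i], i + 1
    if action == "fwd":                      # fwd carries a target, e.g. 127.0.0.1,8080
        action, i = "fwd " + tok[i], i + 1
    if tok[i] == "log":
        i += 1
    proto, src, i = tok[i], tok[i + 2], i + 3  # proto from src [sport] to dst [port] opts...
    if tok[i] != "to":                       # optional source port, e.g. 'from any 626'
        i += 1
    dst, i = tok[i + 1], i + 2
    dports, opts = [], {}
    while i < len(tok):
        t = tok[i]
        if t == "dst-port":
            dports, i = [int(p) for p in tok[i + 1].split(",")], i + 2
        elif t.isdigit():                    # bare port right after the destination
            dports, i = [int(t)], i + 1
        elif t in ("via", "icmptypes"):      # options that take an argument
            opts[t], i = tok[i + 1], i + 2
        else:                                # in, out, established, keep-state, frag
            opts[t], i = "1", i + 1
    return Rule(int(tok[0]), action, proto, src, dst, dports, opts)

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", "all", p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (not r.dports or p.dport in r.dports)
            and ("in" not in r.opts or p.direction == "in")
            and ("out" not in r.opts or p.direction == "out")
            and ("via" not in r.opts or r.opts["via"] == p.iface)
            and ("established" not in r.opts or p.established)
            and ("icmptypes" not in r.opts or int(r.opts["icmptypes"]) == p.icmptype))

def evaluate(rules: list, p: Packet) -> tuple:
    """Return (number, action) of the first matching rule in numeric order; 65535 is
    the immutable default rule, which on OS X is 'allow ip from any to any'."""
    for r in sorted(rules, key=lambda r: r.num):
        if rule_matches(r, p):
            return r.num, r.action
    return 65535, "allow"

# Constructed ruleset: a subset of the Leopard Server 'ipfw show' listing in the thread
# above (counters dropped), plus Allen's catch-all deny from the Tiger thread.
SERVER_RULES = [parse_rule(l) for l in """
01000 allow ip from any to any via lo0
01020 deny ip from any to 127.0.0.0/8 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12312 allow tcp from any to any dst-port 80
65534 deny ip from any to any
65535 allow ip from any to any
""".strip().splitlines()]
DEFAULT_OPEN = [r for r in SERVER_RULES if r.num != 65534]   # Tiger-style: no catch-all deny
ALLEN_DENY = parse_rule("add 5400 deny log all from any to any in via en0")
# Constructed packets using documentation addresses, not real hosts.
NEW_VNC = Packet("tcp", "203.0.113.5", "10.0.1.2", dport=5900)   # unsolicited inbound
NEW_SSH = Packet("tcp", "203.0.113.5", "10.0.1.2", dport=22)
OUTBOUND = Packet("tcp", "10.0.1.2", "203.0.113.5", dport=443, direction="out")

if __name__ == "__main__":
    print("default open, vnc:", evaluate(DEFAULT_OPEN, NEW_VNC))                # (65535, 'allow')
    print("with 5400, ssh:  ", evaluate(DEFAULT_OPEN + [ALLEN_DENY], NEW_SSH))  # (5400, 'deny'): shadows 12302
    print("with 65534, ssh: ", evaluate(SERVER_RULES, NEW_SSH))                 # (12302, 'allow')
```

    Outbound traffic is unaffected by rule 5400 because the rule carries "in via en0", so a new outbound connection still falls through to the "allow tcp from any to any out" rule; an inbound reply segment is accepted by the "established" rule before any catch-all is reached. The model does not explain the Leopard Server thread's observation that the fwd rule only forwarded when numbered below 1000; under plain first-match semantics rule 1010 would match inbound port 80 before rule 12312.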

  • Firewall doesn't load ipfw.conf

    This is a repost in the 10.5 forum; it was posted in the 10.4 forum by mistake as http://discussions.apple.com/thread.jspa?messageID=6834128
    PROBLEMS:
    1. Unable to forward port 80 to port 8080 using Apple's Firewall in Server Admin (Firewall => Settings => Advanced). I want to forward port 80 (and 443) so that I can run Tomcat 6 standalone as a non-privileged user.
    2. Apple's firewall documentation states that rules in /etc/ipfilter/ipfw.conf will be loaded after /etc/ipfilter/ipfw.conf.apple is loaded, but upon reboot this does not happen. It does work if Server Admin is used to modify the Firewall rules after booting.
    This is /etc/ipfilter/ipfw.conf.apple -- all standard rules as shipped by Apple except for rule 1010, which should forward port 80 to port 8080. It does not work. However, if the same rule is added with any rule number < 1000, it does work (but this can't be done using Server Admin; it must be done manually).
    00001 1 74 allow udp from any 626 to any dst-port 626
    01000 2348 573022 allow ip from any to any via lo0
    01010 0 0 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in
    01020 0 0 deny ip from any to 127.0.0.0/8 in
    01030 0 0 deny ip from 224.0.0.0/4 to any in in
    01040 0 0 deny tcp from any to 224.0.0.0/4 in in
    12300 69595 10045552 allow tcp from any to any established
    12301 2 128 allow tcp from any to any out
    12302 0 0 allow tcp from any to any dst-port 22
    12302 0 0 allow udp from any to any dst-port 22
    12303 16 1144 allow udp from any to any out keep-state
    12304 0 0 allow tcp from any to any dst-port 53 out keep-state
    12304 0 0 allow udp from any to any dst-port 53 out keep-state
    12305 0 0 allow udp from any to any in frag
    12306 0 0 allow tcp from any to any dst-port 311
    12307 0 0 allow tcp from any to any dst-port 625
    12308 0 0 allow udp from any to any dst-port 626
    12309 0 0 allow icmp from any to any icmptypes 8
    12310 0 0 allow icmp from any to any icmptypes 0
    12311 0 0 allow igmp from any to any
    12312 0 0 allow tcp from any to any dst-port 80
    12313 0 0 allow tcp from any to any dst-port 8080
    12314 0 0 allow tcp from any to any dst-port 9006,8080,8443
    12315 0 0 allow tcp from any to any dst-port 443
    65534 20 1556 deny ip from any to any
    65535 0 0 allow ip from any to any
    The above rule 1010 does NOT work; no forwarding occurs. However, applying the exact same rule on the command line works perfectly:
    sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in
    After the above line is executed, port forwarding works great:
    00001 1 74 allow udp from any 626 to any dst-port 626
    00100 84 8975 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in
    01000 3629 1853499 allow ip from any to any via lo0
    01010 0 0 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in
    01020 0 0 deny ip from any to 127.0.0.0/8 in
    01030 0 0 deny ip from 224.0.0.0/4 to any in in
    01040 0 0 deny tcp from any to 224.0.0.0/4 in in
    12300 78059 11439073 allow tcp from any to any established
    12301 5 320 allow tcp from any to any out
    12302 0 0 allow tcp from any to any dst-port 22
    12302 0 0 allow udp from any to any dst-port 22
    12303 27 2304 allow udp from any to any out keep-state
    12304 0 0 allow tcp from any to any dst-port 53 out keep-state
    12304 0 0 allow udp from any to any dst-port 53 out keep-state
    12305 0 0 allow udp from any to any in frag
    12306 0 0 allow tcp from any to any dst-port 311
    12307 0 0 allow tcp from any to any dst-port 625
    12308 0 0 allow udp from any to any dst-port 626
    12309 0 0 allow icmp from any to any icmptypes 8
    12310 0 0 allow icmp from any to any icmptypes 0
    12311 0 0 allow igmp from any to any
    12312 0 0 allow tcp from any to any dst-port 80
    12313 0 0 allow tcp from any to any dst-port 8080
    12314 0 0 allow tcp from any to any dst-port 9006,8080,8443
    12315 0 0 allow tcp from any to any dst-port 443
    65534 29 2270 deny ip from any to any
    65535 0 0 allow ip from any to any
    Of course, rule #100 added via "sudo ipfw..." disappears upon reboot. So I tried adding it to /etc/ipfilter/ipfw.conf because Apple's comments in /etc/ipfilter/ipfw.conf.default state:
    # Administrators can place custom ipfw rules in ipfw.conf.
    # Whenever a change is made to the ipfw rules by the Server Admin application and saved:
    # 1. All ipfw rules are flushed
    # 2. The rules defined by the Server Admin app (stored as plists) are exported to
    # /etc/ipfilter/ipfw.conf.apple and loaded into the firewall via ipfw.
    # 3. The rules in /etc/ipfilter/ipfw.conf are loaded into the firewall via ipfw.
    # Note that the rules loaded into the firewall are not applied unless the firewall is enabled.
    But this is not true--upon reboot the rules are not loaded as seen by 'ipfw show'. However, making a change in the Server Admin GUI does add the rules in ipfw.conf! Go figure.
    Workaround
    I created a 'launchd' plist/script just to add the rule I need, and that works OK. But why can't this just work like it's supposed to?
    The file setup-ipfw.plist in /Library/LaunchDaemons:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key><false/>
        <key>LaunchOnlyOnce</key><true/>
        <key>EnvironmentVariables</key>
        <dict>
            <key>DIGLLOYD_WEB</key><string>/web</string>
        </dict>
        <key>Label</key><string>DIGLLOYD Firewall Setup</string>
        <key>OnDemand</key><false/>
        <key>ProgramArguments</key>
        <array>
            <string>/web/scripts/setup-ipfw.sh</string>
        </array>
        <key>RunAtLoad</key><true/>
        <key>ServiceDescription</key><string>DIGLLOYD map ports</string>
        <key>UserName</key><string>root</string>
    </dict>
    </plist>
    The script (mangled in part by this forum):
    DIGLLOYD-INC-Server:~ lloyd$ cat /web/scripts/setup-ipfw.sh
    #!/bin/bash
    # Re-adds the port 80 -> 8080 forwarding rule at boot; run as root by setup-ipfw.plist.
    export RULE_NUM=101
    # shutdown() removes the rule again. Its body was lost to forum mangling; the
    # delete line that followed it is assumed to be that body.
    function shutdown() {
        ipfw delete $RULE_NUM
    }
    shutdown 2>/dev/null    # drop any stale copy first so a re-run does not duplicate the rule
    ipfw add $RULE_NUM fwd 127.0.0.1,8080 tcp from any to any 80 in
    echo "DIGLLOYD: added ipfw rule for mapping port 80 to 8080"

  • Ipfw vesus apple firewall.

    Are apple firewall and ipfw the same? If not, what is the difference disregarding ease of use! Thanks for the help!
    Alex

    Apple's firewall in the System Preferences is really just a GUI (graphical user interface) for ipfw. In OS X, ipfw is always running unless you take specific actions for it not to start when you boot your computer. If the "Apple Firewall" is turned off, ipfw still is running, but it has only one rule -- allow anything in and out. That is not quite as bad as it sounds. Even though you allow all internet traffic into your computer, all services such as Personal File Sharing are turned off by default. There will be no response from these services. Your computer will respond that a certain port exists on your computer, but that it is closed. No entry allowed. When you turn on the firewall in System Preferences you add other rules to ipfw to specifically block any response about a port being present, or you may open certain ports by turning on the service.
    There are other GUIs for ipfw such as BrickHouse. These third party GUIs can help the user make more sophisticated rules that aren't available through Apple's GUI.
    Mac Mini; B&W G3/300
