Sometimes the GUI is awesome. Sometimes you just need more control over your conf files than the GUI offers. I wanted more specific firewall rules for my computers and servers running Mac OS X Client than the default built-in firewall configuration in OS X 10.3 provides.
First, let’s look at all the files involved with Apple’s default firewall.
- System Preferences: Sharing: Firewall tab. If you want the security of a basic firewall, you can simply “start” the firewall. With this option, Mac OS X looks at which services you have enabled (e.g. Personal File Sharing, FTP, Remote Login) and automatically allows traffic to the default ports those services need, while blocking everything else. At home on my iBook, I use the Mac OS X GUI to control my firewall rules because I do not need anything special.
- /Library/Preferences/com.apple.sharing.firewall.plist. This is a basic plist file written in XML. There is not much to do in this file, and not much you can edit in it either.
So, now you know the players in the default firewall configuration, but you want to take advantage of ipfw. Personally, I did not want to use another GUI such as BrickHouse because I have turned the corner and want to learn more about UNIX than about GUIs. Working with UNIX, you always have the command line, but you do not always have a GUI.
First things first: browse through the ipfw man page (man ipfw). The man page will help you as you add, delete and customize your firewall rules.
Configuring ipfw
- Stop the default Mac OS X firewall in System Preferences. You will no longer use the GUI; you will now use some basic ipfw commands for adding and deleting rules.
- Create a directory for your StartupItems: /Library/StartupItems/ipfw. You need a directory in /Library/StartupItems for your startup script and StartupParameters.plist file (sudo mkdir /Library/StartupItems/ipfw).
- Create a StartupParameters.plist file for ipfw. To create the StartupParameters.plist file: sudo pico /Library/StartupItems/ipfw/StartupParameters.plist. The file should contain: StartupParameters.plist. Make sure this file has the proper permissions: chmod 644 /Library/StartupItems/ipfw/StartupParameters.plist.
- The ipfw startup script. You need a script to start your service at startup. To create the startup script: sudo pico /Library/StartupItems/ipfw/ipfw. The script is: ipfw. Make sure this file has the proper permissions: sudo chmod 755 /Library/StartupItems/ipfw/ipfw. And of course, from reading the man page, you realize that the order of the rules matters.
- Create the ipfw.conf file for all your ipfw rules. I like standards. I did some research on how the BSD UNIXes set up and use ipfw in a default install, and then followed that example to create an ipfw.conf file in the /etc/ directory (sudo pico /etc/ipfw.conf).
- Re-read the man page. You do not want to lock yourself out of your computer when adding rules.
- Add rules to ipfw.conf. You can finally specify custom rules for your firewall (see the official port list for the port numbers). Here is my basic configuration (sudo pico /etc/ipfw.conf): ipfw.conf. These rules are based on my needs. You can add more rules either by using sudo ipfw add/delete (see the man page for the proper syntax) or by editing your ipfw.conf directly. There are a lot of options that I do not even begin to cover, so if you really need an “industrial strength” firewall for your computer and do not want to use hardware, really examine the man page and other on-line resources.
- Reboot your computer. When you reboot, your rules should be in place. To check, at your prompt run sudo ipfw list, and hopefully the list of rules you defined shows up! If not, look at your system.log (it is very useful), go back to the man page, or email me.
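The steps above describe a startup script that loads rules from /etc/ipfw.conf, and warn that rule order can lock you out. As an added example (not the author's startup script or ipfw.conf, neither of which is reproduced in this copy of the post), here is a small POSIX sh loader in that spirit: it builds a constructed BSD-style ipfw.conf, checks that the loopback allow rule is numbered below the catch-all deny before applying anything, and then hands the file to ipfw, which can read such a file directly. The rule numbers, the SSH port, the temporary file paths and the "echo" dry-run convention are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the author's StartupItem or ipfw.conf. Loads rules
# from an /etc/ipfw.conf-style file the way a startup script would, but
# refuses a rule set whose order would lock the machine out.
# Rule numbers, ports and paths are assumptions for illustration.

# Constructed sample in the BSD ipfw.conf style: each line is an ipfw
# command, so "ipfw -q <file>" can read it directly. Lower rule numbers
# are evaluated first.
make_sample_conf() {
    cat > "$1" <<'EOF'
# loopback first, so local services keep talking to each other
add 02000 allow ip from any to any via lo0
add 02010 deny ip from 127.0.0.0/8 to any in
add 02020 deny ip from any to 127.0.0.0/8 in
# replies to connections this host initiated
add 02030 allow tcp from any to any established
# services this host offers (SSH only, as an example)
add 02040 allow tcp from any to any 22 in setup
# everything else is dropped
add 65000 deny ip from any to any
EOF
}

# Constructed mistake: the catch-all deny is numbered below the loopback
# allow, so it is evaluated first and nothing, local or remote, gets in.
make_bad_conf() {
    cat > "$1" <<'EOF'
add 01000 deny ip from any to any
add 02000 allow ip from any to any via lo0
EOF
}

# Succeed only if a loopback allow rule exists and is numbered below the
# first "deny ip from any to any"; that is the lock-out the post warns about.
check_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "add" && /allow ip from any to any via lo0/ { lo = $2 + 0 }
        $1 == "add" && /deny ip from any to any[ \t]*$/ { if (!deny) deny = $2 + 0 }
        END {
            if (!lo) { print "ipfw.conf: no loopback allow rule" > "/dev/stderr"; exit 1 }
            if (deny && lo >= deny) { print "ipfw.conf: deny-all precedes loopback allow" > "/dev/stderr"; exit 1 }
        }' "$1"
}

# Flush the old rules and load the file. $2 selects the command to run
# (default ipfw); pass "echo" to print the commands instead of applying them.
load_conf() {
    conf=$1
    cmd=${2:-ipfw}
    check_conf "$conf" || return 1
    $cmd -f -q flush || return 1
    $cmd -q "$conf"
}

# Usage when run directly as a script: sh ipfw-load.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp /tmp/ipfw.conf.XXXXXX)
    make_sample_conf "$tmp"
    load_conf "$tmp" echo
    rm -f "$tmp"
fi
```

The check is deliberately narrow: it only catches a deny-all numbered ahead of the loopback allow, which is the most common way to cut yourself off from a machine you administer over the network. Run it against your own /etc/ipfw.conf before rebooting, and keep sudo ipfw list handy afterwards to confirm what actually loaded.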
Sites that helped/frustrated me: