Managing the Leopard Firewall with WaterRoof
This is the last Leopard firewall post for a while…
Over the last week or two of Leopard firewall discussions across the web, quite a bit of info has come out about how the Leopard firewall works, and what’s going on ‘under the hood’ when you change the options under System Preferences.
The firewall used by OS X is ipfw, the FreeBSD sponsored open source firewall package. Contrary to the limited configuration options presented in the System Preferences Security section, ipfw is extremely configurable and sophisticated. Whole books could be written about configuring ipfw, but the man page for it is a good place to start.
Let’s look at a few simple things to start. From a Terminal:
- sudo su
- ipfw show
This will show what rules are currently set on your system. As an example, this is what my Macbook Pro shows:
33300 0 0 deny icmp from any to me in icmptypes 8
65535 309194 202763184 allow ip from any to any
We’ll start at the end. The second line is what’s called the default rule (it always has a rule number of 65535) and it always has to match all packets. How to build the various rules, rule sets, and specific configurations is covered better in other places - but for now this will suffice. This particular system only has two Static Rules at this point.
Which brings us to WaterRoof. WaterRoof is a graphical front-end to ipfw for OS X. To be clear — if you don’t understand the basics of how ipfw works (or firewalls in general), WaterRoof isn’t going to get you very far. Once installed, if you go to “Static Rules”, you should see the same rules that you saw from the command-line. It has configuration options for Static and Dynamic rules, Logging, NAT, and even a Wizard that can lead you through the steps of configuring ipfw from scratch.
One of the best things about WaterRoof is that it allows you to easily import and export your rule sets, so if you decide that you want to experiment, you can back up your rules and keep them around to restore them without needing to know all of the command-line options.
There has been talk on some of the other blogs and forums about coming up with an ‘ideal’ set of ipfw rules for use on Leopard systems — if you familiarize yourself with WaterRoof now, putting those rules into practice shouldn’t be hard. For now the rules I’m doing testing with are for when I’m on ‘hostile’ networks. I’ll probably keep a copy of these around for when I need to know that I’m blocking everything possible. A sample output of ‘ipfw show’ would look something like this:
00001 388 17858 deny ip from any to me
00002 0 0 deny tcp from any to me
00003 0 0 deny udp from any to me
33400 0 0 deny icmp from any to me
65535 325675 210533693 allow ip from any to any
WaterRoof gets you a much more detailed set of controls than anything built into OS X. Not everyone needs it, but it’s good to know the basics at least. Just as a note - you can absolutely set settings in ipfw that will prevent your system from being able to access the internet. If you’re the experimental type, make sure you save a copy of your rules before tinkering.
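Since a saved copy of ‘ipfw show’ output is the backup you will be comparing against after tinkering, here is a small parser for that format, as an added example that is not part of the original post or of WaterRoof. It reads the rule number, packet and byte counters, action, protocol, source, destination and trailing options from each line, and flags the one rule shape that the warning above is about: a catch-all `deny ip from any to me` ahead of the default rule. The sample input is the two listings quoted in this post; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two `ipfw show` listings quoted in the post.
SAMPLE_DEFAULT = """33300 0 0 deny icmp from any to me in icmptypes 8
65535 309194 202763184 allow ip from any to any
"""
SAMPLE_HOSTILE = """00001 388 17858 deny ip from any to me
00002 0 0 deny tcp from any to me
00003 0 0 deny udp from any to me
33400 0 0 deny icmp from any to me
65535 325675 210533693 allow ip from any to any
"""

DEFAULT_RULE = 65535  # ipfw's fixed number for the default (catch-all) rule

@dataclass
class Rule:
    number: int
    packets: int
    octets: int
    action: str
    proto: str
    src: str
    dst: str
    options: str  # everything after "to <dst>", e.g. "in icmptypes 8"

# One `ipfw show` line: number, packet count, byte count, action, proto, from, to, options
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*(.*)$")

def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse `ipfw show` output into Rule objects, keeping listing order."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank lines or section headers (e.g. the dynamic-rule block) are skipped
        num, pkts, byt, action, proto, src, dst, opts = m.groups()
        rules.append(Rule(int(num), int(pkts), int(byt), action, proto, src, dst, opts.strip()))
    return rules

def blanket_inbound_deny(rules: List[Rule]) -> Optional[Rule]:
    """Return the first pre-default rule that denies all IP traffic to this host with no
    qualifier. With no check-state rule ahead of it, such a rule also drops the replies to
    connections the host opened itself, which is how a rule set cuts you off from the internet."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.number == DEFAULT_RULE:
            break
        if r.action == "deny" and r.proto == "ip" and r.src == "any" and r.dst == "me" and not r.options:
            return r
    return None
```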