  1. #1
    Zeus is offline Registered User
    Join Date
    May 2001
    Location
    Italy
    Posts
    243

    PLEASE, help me set up the Mac OS X firewall!!

    Hi all,
    please help me, because I'm going crazy with that stupid built-in Mac OS X firewall (ipfw).
    My Mac is connected to the Internet via a DSL line.
    This machine works as a router (with geeRoute), and this service appears to give me no problems;
    the ftpd and sshd daemons are also active.

    Since this Mac is a router, I'd like to set up the firewall this way:
    ALLOW any connection from MY ROUTER TO THE INTERNET
    DENY any connection from THE INTERNET TO MY ROUTER
    ALLOW ftp connections from THE INTERNET TO MY ROUTER
    ALLOW ssh connections from THE INTERNET TO MY ROUTER
    DENY afpovertcp connections from THE INTERNET TO MY ROUTER

    (this last rule because I access the FTP accounts via AppleTalk, and NOBODY outside the LAN must be able to use this protocol to connect to my machine)

    I've tried to do this using BrickHouse... but it doesn't work (port 548, afpovertcp, remains open and accepts connections from the Internet).

    Here is the script generated by BrickHouse (it leaves port 548 open... very strange!!!):

    #################################################
    # Allow Loopback
    #################################################
    add 1000 allow ip from any to any via lo0

    #################################################
    # Allow packets from existing connections
    #################################################
    add 1002 allow tcp from any to any established
    add 1003 allow all from any to any frag

    #################################################
    # Allow Essential ICMP Traffic
    #################################################
    add 1004 allow icmp from any to any icmptype 3,4,11,12

    #################################################
    ## Rules for the ppp0 interface
    #################################################

    #################################################
    ## Allow DHCP/BOOTP
    #################################################
    add 3000 allow udp from any 67-68 to any 67-68 via ppp0

    #################################################
    ## Allow Broadcast (for DHCP, etc)
    #################################################
    add 3001 allow ip from any to 255.255.255.255 via ppp0

    #################################################
    ## Deny Source Routed Packets
    #################################################
    add 3002 unreach host log ip from any to any ipopt ssrr,lsrr via ppp0

    #################################################
    ## Allow Network Time (NTP)
    #################################################
    add 3003 allow udp from any 123 to any 1024-65535 via ppp0

    #################################################
    ## Allow All ICMP Packets
    #################################################
    add 3004 allow icmp from any to any via ppp0

    #################################################
    ## Allow FTP-Data port
    #################################################
    add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0

    #################################################
    ## Allow DNS
    #################################################
    add 3006 allow udp from any 1024-65535 to any 53 out via ppp0
    add 3007 allow udp from any 53 to any 1024-65535 in via ppp0

    #################################################
    ## * * * User Filter Policies * * *
    #################################################

    #################################################
    ## File Transfer (FTP)
    #################################################
    add 3008 allow tcp from any to any 20-21 in via ppp0
    add 3008 allow tcp from any 20-21 to any out via ppp0

    #################################################
    ## Remote Login (SSH)
    #################################################
    add 3009 allow tcp from any to any 22 in via ppp0
    add 3009 allow tcp from any 22 to any out via ppp0

    #################################################
    ## AppleShare IP/iDisk
    #################################################
    add 3010 deny log tcp from any to any 548 in via ppp0


    #################################################
    ## * * * Default Filter Policies * * *
    #################################################

    #################################################
    ## Allow All Outgoing Services
    #################################################
    add 53011 allow all from any to any out via ppp0

    #################################################
    ## Deny All Incoming Services
    #################################################
    add 53012 deny log all from any to any in via ppp0

    Now, PLEASE, can anyone help me do this by posting step-by-step instructions for doing it via the Terminal???


    THANKS, THANKS A MILLION IN ADVANCE!!!
    Zeus
    (filippo_zeus <at> tin <dot> it)
    ----------------
    iBook G4 1000, 768 Ram, 40 Gb
    (OSx 10.3.9 and OSx 10.4.2)

  2. #2
    xaqintosh is offline Master of Reality
    Join Date
    Jun 2001
    Location
    In a dreamworld paralleling your earth in time and space...
    Posts
    1,834
    I don't know much Terminal stuff, but look on VersionTracker under "firewall"; they have lots of GUIs to do it easily.
    —XAQ
    ||| iMac G4 | 15" LCD | 800mhz | 512 mb ram | 60 gig HD | Mac OS X 10.3.1 | Super-Drive |||

  3. #3
    theed is offline Registered User
    Join Date
    Dec 2000
    Location
    PA or MD, USA
    Posts
    722

    I don't think you want that

    I am thinking that what you say is not really what you want. You say that you want traffic out to the Internet, but no traffic in... that would mean that you couldn't view web pages, as you would try to request them, and the answer would never be allowed back in.

    I think you might want to do something along these lines, and for an explanation, the man pages for ipfw and natd are pretty sweet.

    As root, issue:
    natd -interface ppp0 -deny_incoming
    ipfw -f flush
    ipfw add divert natd all from any to any via ppp0
    - Beware the wrath of my apathy.

  4. #4
    Zeus is offline Registered User
    Join Date
    May 2001
    Location
    Italy
    Posts
    243
    Excuse me if I was not very comprehensible... I speak English very well (as you can see ;-))))

    I want to access my router and FTP server (the same machine) from the local area network using AppleShare... and then... I want to deny the AppleShare protocol to all the FTP users (who have access from the Internet).

    So I think I have to 'close' port 548 to incoming connections.

    Is this correct???

    Thanks
    Zeus
    (filippo_zeus <at> tin <dot> it)
    ----------------
    iBook G4 1000, 768 Ram, 40 Gb
    (OSx 10.3.9 and OSx 10.4.2)

  5. #5
    theed is offline Registered User
    Join Date
    Dec 2000
    Location
    PA or MD, USA
    Posts
    722
    natd -interface ppp0 -deny_incoming
    ipfw -f flush
    ipfw add allow tcp from any to any 20-22 in
    ipfw add divert natd all from any to any via ppp0

    This allows incoming FTP and SSH connections on any interface (Ethernet card or DSL).

    This will allow you to hold any connection that you initiate (natd), but will ignore any connection that you did not initiate (deny_incoming) if it goes through your DSL (ppp0).

    All internal traffic is allowed.

    This makes for a relatively tight but fairly usable box. Unless you're running servers, running natd so that it denies all is a great solution to a LOT of hack-in attempts.

    To JUST deny outside TCP connections to your AppleShare stuff, you would just type:

    ipfw -f flush
    ipfw add deny tcp from any to any 548 in via ppp0
    - Beware the wrath of my apathy.
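Added by the editor, not code from any post in this thread or from Apple: a small Python model of ipfw's first-match evaluation, run over the BrickHouse script from the first post and usable on the two ipfw lines from this post (the natd divert is not modelled, only the ipfw rule list). The parser covers only the keywords that script uses; the sample packets, their addresses (203.0.113.5 for the remote host, 192.0.2.10 for the router) and the interface names are constructed for the demonstration.

```python
"""Added example, not code from this thread or from Apple: a first-match model of the
ipfw rule subset used above. It knows only the keywords in the BrickHouse script."""
import re

PORTS = re.compile(r"[\d,\-]+")          # a port, a range, or a comma-separated list

def parse_ports(tok):
    """'22', '20-21' or '3,4,11,12' -> set of integers."""
    out = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_rule(line):
    """'add N action [log] proto from SRC [ports] to DST [ports] [options...]'"""
    t = line.split()
    i = 4 if t[2] == "unreach" else 3      # 'unreach host' rejects: treated as deny
    if t[i] == "log":
        i += 1
    proto, src, i = t[i], t[i + 2], i + 3   # t[i + 1] is the literal 'from'
    sports = dports = None
    if PORTS.fullmatch(t[i]):
        sports, i = parse_ports(t[i]), i + 1
    dst, i = t[i + 1], i + 2                # t[i] is the literal 'to'
    if i < len(t) and PORTS.fullmatch(t[i]):
        dports, i = parse_ports(t[i]), i + 1
    opts = {}          # in, out, established, frag, via IFACE, icmptype LIST, ipopt LIST
    while i < len(t):
        key, i = t[i], i + 1
        if key in ("via", "icmptype", "ipopt"):
            opts[key], i = t[i], i + 1
        else:
            opts[key] = True
    return dict(num=int(t[1]), action="allow" if t[2] == "allow" else "deny",
                proto=proto, src=src, sports=sports, dst=dst, dports=dports, opts=opts)

def matches(r, p):
    """Every qualifier present in the rule must hold for the packet."""
    o = r["opts"]
    return all([r["proto"] in ("all", "ip", p["proto"]),
                r["src"] in ("any", p["src"]), r["dst"] in ("any", p["dst"]),
                r["sports"] is None or p.get("sport") in r["sports"],
                r["dports"] is None or p.get("dport") in r["dports"],
                "in" not in o or p["dir"] == "in", "out" not in o or p["dir"] == "out",
                "via" not in o or o["via"] == p["iface"],
                "established" not in o or p.get("established", False),
                "frag" not in o or p.get("frag", False),
                "icmptype" not in o or p.get("icmptype") in parse_ports(o["icmptype"]),
                "ipopt" not in o or bool(set(o["ipopt"].split(",")) & set(p.get("ipopts", ())))])

def load(text):
    """Rules in number order; the sort is stable, so duplicate numbers keep file order."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip().startswith("add")]
    return sorted(rules, key=lambda r: r["num"])

def evaluate(rules, p):
    """First match wins. Mac OS X's built-in last rule 65535 is 'allow ip from any to
    any', so a packet that matches nothing is accepted."""
    for r in rules:
        if matches(r, p):
            return r["action"], r["num"]
    return "allow", 65535

def pkt(proto, dport, direction="in", iface="ppp0", sport=40000, **extra):
    # Constructed packet: 203.0.113.5 is the remote host, 192.0.2.10 the router.
    p = dict(proto=proto, src="203.0.113.5", sport=sport, dst="192.0.2.10",
             dport=dport, dir=direction, iface=iface)
    p.update(extra)
    return p

BRICKHOUSE = load("""
add 1000 allow ip from any to any via lo0
add 1002 allow tcp from any to any established
add 1003 allow all from any to any frag
add 1004 allow icmp from any to any icmptype 3,4,11,12
add 3000 allow udp from any 67-68 to any 67-68 via ppp0
add 3001 allow ip from any to 255.255.255.255 via ppp0
add 3002 unreach host log ip from any to any ipopt ssrr,lsrr via ppp0
add 3003 allow udp from any 123 to any 1024-65535 via ppp0
add 3004 allow icmp from any to any via ppp0
add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0
add 3006 allow udp from any 1024-65535 to any 53 out via ppp0
add 3007 allow udp from any 53 to any 1024-65535 in via ppp0
add 3008 allow tcp from any to any 20-21 in via ppp0
add 3008 allow tcp from any 20-21 to any out via ppp0
add 3009 allow tcp from any to any 22 in via ppp0
add 3009 allow tcp from any 22 to any out via ppp0
add 3010 deny log tcp from any to any 548 in via ppp0
add 53011 allow all from any to any out via ppp0
add 53012 deny log all from any to any in via ppp0
""")

def verdicts(rules):
    """(action, rule number) for a few constructed inbound TCP packets."""
    return {"afp_in_ppp0": evaluate(rules, pkt("tcp", 548)),
            "afp_in_en0": evaluate(rules, pkt("tcp", 548, iface="en0")),
            "ssh_in_ppp0": evaluate(rules, pkt("tcp", 22)),
            "http_in_ppp0": evaluate(rules, pkt("tcp", 80)),
            "vnc_in_ppp0_from_src_port_20": evaluate(rules, pkt("tcp", 5900, sport=20))}
```

Calling verdicts(BRICKHOUSE) shows what the thread reaches by trial and error: a SYN to port 548 arriving on ppp0 is stopped by rule 3010, while the same SYN on en0 matches no rule and falls through to the default accept, so AppleShare from the LAN keeps working. It also shows two things about that script worth knowing: rule 3005 accepts any inbound TCP packet to ports 1024-65535 whose source port is 20 or 21, so a remote host that simply chooses source port 20 reaches every high port on the router; and because ipfw on Mac OS X ends in an accept rule, `ipfw -f flush` leaves everything open, which is why in the setup above it is `natd -deny_incoming`, not ipfw, that drops unsolicited connections arriving on ppp0 (the two post #5 lines can be fed to load() to confirm that only port 548 is refused by ipfw itself).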

  6. #6
    Zeus is offline Registered User
    Join Date
    May 2001
    Location
    Italy
    Posts
    243
    It worked!!

    Thanks a lot!!!
    Zeus
    (filippo_zeus <at> tin <dot> it)
    ----------------
    iBook G4 1000, 768 Ram, 40 Gb
    (OSx 10.3.9 and OSx 10.4.2)
