macosx.com > Mac Help Forums > Mac OS X System & Mac Software

#1  June 20th, 2002, 01:22 PM
Zeus (Registered User, Italy)
PLEASE, help me set up the Mac OS X firewall!!

Hi all,
please help me 'cause I'm going crazy with that stupid built-in Mac OS X firewall (ipfw).
Now, my Mac is connected to the internet via a DSL line.
This machine works as a router (with geeRoute) and this service appears to give me no problems;
then there are the ftpd and sshd daemons active.

Due to the fact that this Mac is a router, I'd like to set up the firewall in this way:
ALLOW any connection from MY ROUTER TO THE INTERNET
DENY any connection from THE INTERNET TO MY ROUTER
ALLOW ftp connections from THE INTERNET TO MY ROUTER
ALLOW ssh connections from THE INTERNET TO MY ROUTER
DENY afpovertcp connections from THE INTERNET TO MY ROUTER

(this last rule because I access the ftp accounts via AppleTalk and NO ONE outside the LAN must use this protocol to connect to my machine)

I've tried to do this using BrickHouse... but it doesn't work (the 548 - afpovertcp - port remains open and accepts connections from the internet).

Here is the script made up by BrickHouse (it leaves port 548 open... very strange!!!)

Quote:
#################################################
# Allow Loopback
#################################################
add 1000 allow ip from any to any via lo0

#################################################
# Allow packets from existing connections
#################################################
add 1002 allow tcp from any to any established
add 1003 allow all from any to any frag

#################################################
# Allow Essential ICMP Traffic
#################################################
add 1004 allow icmp from any to any icmptype 3,4,11,12

#################################################
## Rules for the ppp0 interface
#################################################

#################################################
## Allow DHCP/BOOTP
#################################################
add 3000 allow udp from any 67-68 to any 67-68 via ppp0

#################################################
## Allow Broadcast (for DHCP, etc)
#################################################
add 3001 allow ip from any to 255.255.255.255 via ppp0

#################################################
## Deny Source Routed Packets
#################################################
add 3002 unreach host log ip from any to any ipopt ssrr,lsrr via ppp0

#################################################
## Allow Network Time (NTP)
#################################################
add 3003 allow udp from any 123 to any 1024-65535 via ppp0

#################################################
## Allow All ICMP Packets
#################################################
add 3004 allow icmp from any to any via ppp0

#################################################
## Allow FTP-Data port
#################################################
add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0

#################################################
## Allow DNS
#################################################
add 3006 allow udp from any 1024-65535 to any 53 out via ppp0
add 3007 allow udp from any 53 to any 1024-65535 in via ppp0

#################################################
## * * * User Filter Policies * * *
#################################################

#################################################
## File Transfer (FTP)
#################################################
add 3008 allow tcp from any to any 20-21 in via ppp0
add 3008 allow tcp from any 20-21 to any out via ppp0

#################################################
## Remote Login (SSH)
#################################################
add 3009 allow tcp from any to any 22 in via ppp0
add 3009 allow tcp from any 22 to any out via ppp0

#################################################
## AppleShare IP/iDisk
#################################################
add 3010 deny log tcp from any to any 548 in via ppp0


#################################################
## * * * Default Filter Policies * * *
#################################################

#################################################
## Allow All Outgoing Services
#################################################
add 53011 allow all from any to any out via ppp0

#################################################
## Deny All Incoming Services
#################################################
add 53012 deny log all from any to any in via ppp0

Now, PLEASE, is there anyone who can help me do this by posting step-by-step instructions to do it via the Terminal???

THANKS, THANKS, A MILLION IN ADVANCE!!!
__________________
Zeus
(filippo_zeus <at> tin <dot> it)
----------------
iBook G4 1000, 768 Ram, 40 Gb
(OSx 10.3.9 and OSx 10.4.2)
#2  June 20th, 2002, 01:42 PM
xaqintosh (Master of Reality)
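The following is an added example, not code from the thread or from BrickHouse: a small first-match evaluator for the ipfw rule syntax shown in the script above, so you can see which numbered rule a given packet hits and why. It loads a subset of the quoted rules (the comment banners and the icmp/ipopt rules are left out), assumes the stock Mac OS X default rule `65535 allow ip from any to any`, and uses constructed packets with documentation addresses (203.0.113.5 and 192.0.2.1). Rule numbers, ports and interface names are the ones from the script; everything else is an assumption of this example.

```python
import re

# Constructed sample: the filtering rules from the BrickHouse script quoted
# in the first post (banners and icmp/ipopt rules omitted for brevity).
RULESET = """
add 1000 allow ip from any to any via lo0
add 1002 allow tcp from any to any established
add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0
add 3008 allow tcp from any to any 20-21 in via ppp0
add 3008 allow tcp from any 20-21 to any out via ppp0
add 3009 allow tcp from any to any 22 in via ppp0
add 3009 allow tcp from any 22 to any out via ppp0
add 3010 deny log tcp from any to any 548 in via ppp0
add 53011 allow all from any to any out via ppp0
add 53012 deny log all from any to any in via ppp0
"""

# Assumption: the default rule Mac OS X ships with (65535 allow ip from any to any).
DEFAULT_RULE = (65535, "allow")

# add NUM ACTION [log] PROTO from SRC [PORTS] to DST [PORTS] [options...]
RULE_RE = re.compile(
    r"^add\s+(\d+)\s+(allow|deny|unreach\s+\S+)\s+(?:log\s+)?(\S+)\s+from\s+(\S+)"
    r"(?:\s+([\d,-]+))?\s+to\s+(\S+)(?:\s+([\d,-]+))?\s*(.*)$"
)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    num, action, proto, src, sports, dst, dports, tail = m.groups()
    rule = {"num": int(num), "action": action.split()[0], "proto": proto,
            "src": src, "sports": sports, "dst": dst, "dports": dports,
            "dir": None, "via": None, "established": False}
    toks = tail.split()
    i = 0
    while i < len(toks):
        if toks[i] in ("in", "out"):
            rule["dir"] = toks[i]
        elif toks[i] == "via":
            i += 1
            rule["via"] = toks[i]
        elif toks[i] == "established":
            rule["established"] = True
        else:
            raise ValueError("option %r not modelled here: %s" % (toks[i], line))
        i += 1
    return rule

def port_matches(spec, port):
    """spec is None (any port), a single port, a range lo-hi, or a comma list."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", "all", "any") and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    if not port_matches(rule["sports"], pkt["sport"]) or not port_matches(rule["dports"], pkt["dport"]):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["established"] and not pkt["established"]:
        return False
    return True

def load_rules(text):
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return sorted(rules, key=lambda r: r["num"])  # stable: equal numbers keep file order, as ipfw does

def evaluate(rules, pkt):
    """Walk the rules in number order and return (number, action) of the first match."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["num"], r["action"]
    return DEFAULT_RULE

def tcp_packet(dport, iface, direction="in", sport=40000, established=False,
               src="203.0.113.5", dst="192.0.2.1"):
    """Constructed TCP packet; established=True means the ACK flag is set."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": iface, "established": established}

RULES = load_rules(RULESET)

if __name__ == "__main__":
    cases = [
        ("new AFP (548) connection arriving via ppp0", tcp_packet(548, "ppp0")),
        ("new AFP (548) connection arriving via en0 (LAN)", tcp_packet(548, "en0")),
        ("new SSH (22) connection arriving via ppp0", tcp_packet(22, "ppp0")),
        ("new HTTP (80) connection arriving via ppp0", tcp_packet(80, "ppp0")),
        ("ACK-flagged segment to 548 arriving via ppp0", tcp_packet(548, "ppp0", established=True)),
        ("new connection from source port 21 to port 6000 via ppp0", tcp_packet(6000, "ppp0", sport=21)),
    ]
    for label, pkt in cases:
        num, action = evaluate(RULES, pkt)
        print("%-60s -> rule %5d %s" % (label, num, action))
```

Run as written, the evaluator shows a fresh connection to port 548 arriving via ppp0 hitting rule 3010 (deny), while the same connection arriving on the LAN interface matches none of the `via ppp0` rules and falls through to the default allow, which is the LAN behaviour the first post asks for. So if 548 really is reachable from the internet with this script loaded, the things to check are that the rules are actually installed (`ipfw list`) and which rule's counter increments during the test (`ipfw show`), and that the test connection genuinely arrives over ppp0 rather than the LAN side. The last two cases are the caveat a practitioner should know about this style of ruleset: ipfw here is stateless, so rule 1002 admits any TCP segment with the ACK flag set regardless of port, and rule 3005 admits any new connection whose source port is 20 or 21 to any high port.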
I don't know much Terminal stuff, but look on VersionTracker under "firewall"; they have lots of GUIs to do it easily.
__________________
—XAQ
||| iMac G4 | 15" LCD | 800mhz | 512 mb ram | 60 gig HD | Mac OS X 10.3.1 | Super-Drive |||
#3  June 20th, 2002, 06:57 PM
theed (Registered User, PA or MD, USA)
I don't think you want that

I am thinking that what you say is not really what you want. You say that you want traffic out to the internet, but no traffic in... that would mean that you couldn't view web pages, as you would try to request them, and the answer would never be allowed back in.

I think you might want to do something along these lines, and for an explanation, the man pages for ipfw and natd are pretty sweet.

As root, issue:
natd -interface ppp0 -deny_incoming
ipfw -f flush
ipfw add divert natd all from any to any via ppp0
__________________
- Beware the wrath of my apathy.
#4  June 20th, 2002, 09:47 PM
Zeus (Registered User, Italy)
Excuse me if I was not too comprehensible... I speak English very well (as you can see ;-))))

I want to access my router and ftp server (the same machine) from the local area network using AppleShare... and then... I want to deny all the ftp users (that have access from the internet) the AppleShare protocol.

So I think I have to 'close' port 548 to incoming connections.

Is this correct???

Thanks
__________________
Zeus
(filippo_zeus <at> tin <dot> it)
----------------
iBook G4 1000, 768 Ram, 40 Gb
(OSx 10.3.9 and OSx 10.4.2)
#5  June 21st, 2002, 01:00 AM
theed (Registered User, PA or MD, USA)
natd -interface ppp0 -deny_incoming
ipfw -f flush
ipfw add allow tcp from any to any 20-22 in
ipfw add divert natd all from any to any via ppp0

this allows incoming ftp and ssh connections on any interface (Ethernet card or DSL)

this will allow you to hold any connection that you initiate (natd) but will ignore any connection that you did not initiate (deny_incoming) if it goes through your DSL (ppp0)

all internal traffic is allowed.

this makes for a relatively tight, but fairly usable box. Unless you're running servers, running natd so that it denies all is a great solution to a LOT of hack-in attempts.

to JUST deny outside tcp connections to your AppleShare stuff, you would just type:

ipfw -f flush
ipfw add deny tcp from any to any 548 in via ppp0
__________________
- Beware the wrath of my apathy.
#6  June 25th, 2002, 09:48 AM
Zeus (Registered User, Italy)
It worked!!

thanks a lot !!!
__________________
Zeus
(filippo_zeus <at> tin <dot> it)
----------------
iBook G4 1000, 768 Ram, 40 Gb
(OSx 10.3.9 and OSx 10.4.2)