UNSAFE - VPN ignores ipfw firewall (10.6)

rharder

It appears to me that when connecting with a VPN, Snow Leopard ignores the ipfw firewall, letting all traffic in.

The situation is this. I'm connecting to a commercial VPN provider, and I am given a public IP address. Suddenly my Mac, which was otherwise protected behind a NAT router, is exposed to the Internet. All my services that I want available on the LAN are exposed to the public. I only want port 22 (ssh) exposed on that interface (ppp0).

The firewall ipfw should accomplish this for me, but it seems that traffic over ppp0 doesn't get processed through ipfw. I've reduced my ruleset to one "deny" rule to verify that the firewall is active and illustrate the problem. For testing I'm blocking port 80 instead of 22.

Code:
deny log logamount 65535 tcp from any to any dst-port 80 setup in

If I try curl 10._._.104 from another computer (the local IP address), I properly get no response, but if I try curl 68._._.181 (the public IP address from the VPN), I get a response, which I shouldn't.

I can't find any information on this. Is there a reason why the VPN traffic over interface ppp0 would bypass ipfw?

If I configure the application firewall in System Preferences to "Block all incoming connections," then ppp0 traffic is blocked. That's great, but I only want to block ppp0, not en0 or en1.

What is this? Bug? Misconfiguration?

-Rob


ifconfig:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
          inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          ether 10:9a:dd:53:d5:1a
          media: autoselect (none)
          status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
          lladdr 70:cd:60:ff:fe:21:fe:24
          media: autoselect <full-duplex>
          status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          ether 10:9a:dd:ad:f7:fb
          inet6 fe80::129a:ddff:fead:f7fb%en1 prefixlen 64 scopeid 0x6
          inet 10.42.23.104 netmask 0xffffff00 broadcast 10.42.23.255
          media: autoselect
          status: active
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          ether 00:50:56:c0:00:01
          inet 192.168.246.1 netmask 0xffffff00 broadcast 192.168.246.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          ether 00:50:56:c0:00:08
          inet 192.168.251.1 netmask 0xffffff00 broadcast 192.168.251.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
          inet 68.68.40.181 --> 68.68.40.129 netmask 0xff000000

ipfw list:

Code:
02009 deny log logamount 65535 tcp from any to any dst-port 80 setup in
65535 allow ip from any to any

sysctl net.inet.ip.fw:

Code:
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.debug: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.verbose_limit: 65535
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 3
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

Posted on Apple forum too, to no avail.
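An added check, not part of the post above, that parses the quoted ifconfig and "ipfw list" output to flag interfaces carrying a globally routable address (here the VPN's ppp0) that no deny rule scopes to that interface with ipfw's "via" or "recv" keywords. It assumes the rule line format shown in the post; the sample inputs are abridged copies of the post's output.

```python
import ipaddress
import re

# Abridged copy of the ifconfig output quoted in the post (only "inet" lines kept)
IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 10.42.23.104 netmask 0xffffff00 broadcast 10.42.23.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 192.168.251.1 netmask 0xffffff00 broadcast 192.168.251.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
          inet 68.68.40.181 --> 68.68.40.129 netmask 0xff000000
"""

# "ipfw list" as quoted in the post: one global port-80 deny, then the default allow
IPFW_LIST = """\
02009 deny log logamount 65535 tcp from any to any dst-port 80 setup in
65535 allow ip from any to any
"""

def interfaces(ifconfig_text):
    """Map interface name -> list of IPv4 addresses parsed from ifconfig output."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.strip().startswith("inet "):
            result[current].append(ipaddress.ip_address(line.split()[1]))
    return result

def public_interfaces(ifconfig_text):
    """Interfaces holding a globally routable IPv4 address (not RFC1918/loopback)."""
    return sorted(name for name, addrs in interfaces(ifconfig_text).items()
                  if any(a.is_global for a in addrs))

def interfaces_without_inbound_deny(ifconfig_text, ipfw_text):
    """Public interfaces that no ipfw 'deny' rule scopes with 'via <if>' or 'recv <if>'."""
    covered = set()
    for rule in ipfw_text.splitlines():
        words = rule.split()
        if len(words) > 1 and words[1] == "deny":
            for kw in ("via", "recv"):
                if kw in words:
                    covered.add(words[words.index(kw) + 1])
    return [i for i in public_interfaces(ifconfig_text) if i not in covered]
```

Running it on the post's output reports ppp0 as exposed; it only tests rule coverage on paper, not whether ipfw actually sees ppp0 packets, which is the poster's open question.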