Firewall & ipfw

cupojava

First time posting.

I have a PowerBook G4 running OS X 10.5 (Leopard).

I am trying to develop an application using SSL (JSSE to be exact). I want to open port 443. Of course, the latest OS X (10.5) has some obscure Firewall GUI which won't allow you to specify a particular port to open. So, I'm trying to use ipfw directly.

Here's what I entered:

% ipfw add allow tcp from any to any 443

Which supposedly did add the rule because this was returned from ipfw list:

% ipfw list
00200 allow tcp from any to any dst-port 443
65535 allow ip from any to any

My application however still gives me a permission denied, and when I nmap my machine (localhost), it shows:

% nmap localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-29 21:05 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1694 closed ports
PORT STATE SERVICE
80/tcp open http
631/tcp open ipp
3689/tcp open rendezvous

Alas, no port 443. Does anyone know what I'm doing wrong? Am I misunderstanding something about firewalls? Thanks!
 
Try and restart the daemon for ipfw (if it runs as a daemon).

This is just speculation from previous experience with daemons. Usually once a change is made in the config file for a daemon, it has to be restarted.
 
Ok, so here's an update.

I 'nmap'ed my machine 2 or 3 times just for the heck of it, nothing I hadn't done 2 or 3 times before without success. This time--the 3rd time--nmap returned a HUGE list of opened ports. Strange.

The only good thing is that I noticed a port labeled https-alt (port 8443). Port 443 didn't appear though, go figure.

Anyways, I tried to connect to port 8443 with my SSL application (which I'm trying to debug) and voila, it accepted the connection! Try using 443 and I still get Connection Refused. Now, I did read somewhere vaguely about OS X not accepting self-signed certificates on certain ports. Anyone know about this? Does it have anything to do with my problem?

I also learned something new. Only if I am actively connected to the port will nmap show that it's in an "opened" state. Otherwise it's seen as closed. But if I try port 443, it just says closed and I get a Connection Refused from my SSL application.

So, I still don't know how to get port 443 to accept friggin' connections!! To make a long story short.
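An added example, not code from this thread: a small C probe that separates the two things the OP is mixing up. "Connection refused" is a TCP RST, which means the SYN reached the host and nothing was listening on that port; a firewall that silently drops packets produces a timeout instead, and nmap would report the port as filtered rather than closed. The loopback address 127.0.0.1 is assumed, as in the nmap run above; the self-check opens its own listener on a kernel-chosen port so the classification can be verified without touching 443.

```c
/* Added example, not from this thread: tell "nothing is listening" apart
 * from "a firewall is dropping the packet" with a plain TCP connect().
 * A refused connection means the SYN reached the host and was answered
 * with RST (no listener on that port); a silent drop ends in a timeout.
 * Loopback (127.0.0.1) is assumed, as in the nmap run above. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum probe_result { PROBE_OPEN, PROBE_REFUSED, PROBE_FILTERED, PROBE_ERROR };

static const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_OPEN:     return "open (listener answered)";
    case PROBE_REFUSED:  return "refused (host reached, nothing listening)";
    case PROBE_FILTERED: return "filtered (no answer before timeout)";
    default:             return "error";
    }
}

/* Connect to 127.0.0.1:port and classify how the kernel answered. */
enum probe_result probe_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return PROBE_ERROR;

    /* Loopback answers immediately; give up after two seconds. */
    struct timeval tv = { 2, 0 };
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = connect(fd, (struct sockaddr *)&sin, sizeof sin);
    int err = errno;
    close(fd);

    if (rc == 0)
        return PROBE_OPEN;
    if (err == ECONNREFUSED)
        return PROBE_REFUSED;
    if (err == ETIMEDOUT || err == EINPROGRESS || err == EAGAIN)
        return PROBE_FILTERED;
    return PROBE_ERROR;
}

/* Listen on 127.0.0.1 on a kernel-chosen port so the probe can be checked
 * against a known state; returns the fd and stores the port. */
int open_listener(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof sin;
    if (bind(fd, (struct sockaddr *)&sin, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sin.sin_port);
    return fd;
}

/* Self-check: a live listener probes as open, and the same port probes as
 * refused once it is closed. Returns 0 on success, else the failing step. */
int run_self_check(void)
{
    unsigned short port;
    int lfd = open_listener(&port);
    if (lfd < 0)
        return 1;
    if (probe_port(port) != PROBE_OPEN) {
        close(lfd);
        return 2;
    }
    close(lfd);
    if (probe_port(port) != PROBE_REFUSED)
        return 3;
    return 0;
}

int main(void)
{
    unsigned short ports[] = { 443, 8443 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("127.0.0.1:%u -> %s\n", ports[i], probe_name(probe_port(ports[i])));
    return run_self_check();
}
```

Run it while the SSL application is started: a port that comes back "refused" is not being blocked by ipfw on the way in, it simply has no listener, so the next thing to check is whether the application ever managed to bind it.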
 
You don't show your complete rules. Either read the man pages for ipfw or Google. Look for "check-state" and keep-state rules. ipfw does stateful inspection. Stateful meaning it will create dynamic rules.
 
A self-signed certificate is completely legitimate, BUT if it was your web site I wouldn't give you my credit card. But if you're building something like a web-based mail server and I don't want users' passwords exposed, it's perfectly legit.
 
Anyways, I tried to connect to port 8443 with my SSL application (which I'm trying to debug) and voila, it accepted the connection! Try using 443 and I still get Connection Refused. Now, I did read somewhere vaguely about OS X not accepting self-signed certificates on certain ports. Anyone know about this? Does it have anything to do with my problem?

Ports < 1000 must be opened by root. Try running your application as root and see if it can bind to port 443.
 
Humm I run bind as user bind and that's tcp/udp 53. Now granted that's on FreeBSD.

bind is a mortal user. I don't think Mac OS X is any different.

Also run apache as user www on port 80/443 and www is a mortal user.
 
Humm I run bind as user bind and that's tcp/udp 53. Now granted that's on FreeBSD.

bind is a mortal user. I don't think Mac OS X is any different.

Also run apache as user www on port 80/443 and www is a mortal user.

Take a look at your apache executable; it is owned by root. Once it binds to the socket, it changes to user www. This is why you specify the user in the httpd.conf file.

Here's the output from 10.4.11 installation. I don't even use the webserver, so I promise I haven't pulled any tricks.

$ ls -l /usr/sbin/httpd
764 -rwxr-xr-x 1 root wheel 781900 Apr 24 2007 /usr/sbin/httpd*


And here's the poignant excerpt from the out-of-the-box httpd.conf.

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group "#-1" on these systems!
#
User www
Group www


Finally, on your Mac, type man bindresvport:

BINDRESVPORT(3) BSD Library Functions Manual BINDRESVPORT(3)

NAME
bindresvport -- bind a socket to a privileged IP port

SYNOPSIS
#include <sys/types.h>
#include <netinet/in.h>

int
bindresvport(int sd, struct sockaddr_in *sin);

DESCRIPTION
bindresvport() is used to bind a socket descriptor to a privileged IP
port, that is, a port number in the range 0-1023. The routine returns 0
if it is successful, otherwise -1 is returned and errno set to reflect
the cause of the error.

Only root can bind to a privileged port; this call will fail for any
other users.

If the value of sin->sin_port is non-zero bindresvport() attempts to use
the specified port. If that fails, it chooses another privileged port
number automatically.

BSD November 22, 1987 BSD


Since the network subsystem came from BSD, you'll notice all the man pages are from BSD. I promise this page is on your Mac.

And please don't take the quoted sections as me being snotty, I just wanted to back up my claims with real data since I'm new here and you don't know me from Adam and have no reason to trust me.

Hope this helps!
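An added example, not code from the thread or from Apache: a C program that shows the two halves of the post above. First, why an unprivileged process gets "permission denied" (EACCES) from bind() on 443 while 8443 works; second, the pattern httpd follows after "User www": bind the privileged port while still root, then switch to the unprivileged user, after which the already-bound socket keeps working but no new privileged bind is possible. The user name "www" is taken from the httpd.conf excerpt above; "nobody" in the self-check is an assumption for systems that have no www user, and only the bind is attempted when the program is not started as root.

```c
/* Added example, not from the thread: why a non-root program gets
 * "permission denied" on port 443 while 8443 works, and the pattern the
 * httpd.conf excerpt above describes: bind the privileged port as root,
 * then switch to an unprivileged user. The user name "www" comes from the
 * excerpt; "nobody" in the self-check is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1:port and release it again.
 * Returns 0 on success or the errno from bind(). Port 0 = any free port. */
int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int err = (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) ? 0 : errno;
    close(fd);
    return err;
}

/* True if err is a result bind() can give for a port below 1024:
 * 0 (root, or a process granted the bind privilege), EACCES (unprivileged
 * caller, the OP's "permission denied"), or EADDRINUSE (already taken). */
int plausible_privileged_result(int err)
{
    return err == 0 || err == EACCES || err == EADDRINUSE;
}

/* Bind and listen on 127.0.0.1:port, then, if running as root, switch to
 * `user` the way httpd does after "User www". Returns the listening fd,
 * which keeps working after the switch, or -1 on failure. When not root,
 * only the bind is attempted. */
int bind_then_drop(unsigned short port, const char *user)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam(user);
        if (pw == NULL) {
            close(fd);
            return -1;
        }
        /* Supplementary groups and gid first, uid last: once setuid() has
         * switched to an unprivileged uid there is no way back to root. */
        if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
            setuid(pw->pw_uid) != 0) {
            close(fd);
            return -1;
        }
        /* Confirm the drop took: a fresh privileged bind must now fail. */
        if (try_bind(443) != EACCES) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

int main(void)
{
    printf("uid %u: bind 443  -> %s\n", (unsigned)geteuid(), strerror(try_bind(443)));
    printf("uid %u: bind 8443 -> %s\n", (unsigned)geteuid(), strerror(try_bind(8443)));
    int fd = bind_then_drop(443, "www");   /* "www" as in the httpd.conf above */
    if (fd < 0) {
        printf("bind_then_drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("listening on 443, now running as uid %u\n", (unsigned)geteuid());
    close(fd);
    return 0;
}
```

Started as an ordinary user it prints "Permission denied" for 443 and success for 8443, which is exactly the OP's symptom; started with sudo it binds 443, switches to www, and reports the unprivileged uid while the listening socket stays open. A JSSE server run from a normal login is in the first situation, so 443 is refused because nothing ever bound it, not because ipfw is in the way.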
 
Brandondrew,

Thanks for the insight, I was not aware that an application firewall was implemented in Leopard.
 
I just installed Leopard and found my https sites inaccessible. I went through the reconfiguration of the httpd.conf and included files, setting up my virtualhost for port 443 and restarted Web Sharing. When attempting to connect to the https site, Safari shows that it couldn't find the server.

I checked that Web Sharing is still on, and it is. I checked firewall.conf and found 443 accepts all on en1. What else do I need to do?
 