IPFW Configuration

evoangelist

After reading through the ipfw man pages provided with Mac OS X and other documentation (including the FreeBSD handbook and various articles at cert.org) I set about compiling a firewall to fit my needs. At the moment I have a 'Firewall' file containing all my rules, located in /Library/StartupItems/Firewall, along with a StartupParameters.plist file to automatically execute these rules on startup. Logging has also been enabled to provide me with useful information. I am by no means a guru when it comes to setting up firewalls, and would like to know a few things that I've yet to master. You will find a copy of the rules I'm using below:

#!/bin/sh

. /etc/rc.common

ConsoleMessage "Configuring firewall"

IPFW=/sbin/ipfw

${IPFW} -f flush

${IPFW} add 1000 allow ip from any to any via lo0
${IPFW} add 1050 deny log all from any to 127.0.0.0/8

${IPFW} add 1100 allow tcp from any to any established
${IPFW} add 1200 allow all from any to any frag

${IPFW} add 1300 allow icmp from any to any icmptype 3,4,11,12

${IPFW} add 1500 allow icmp from any to any via ppp0

${IPFW} add 1600 allow udp from any to (primary dns ip) 53 out via ppp0
${IPFW} add 1700 allow udp from (primary dns ip) 53 to any in via ppp0
${IPFW} add 1800 allow udp from any to (secondary dns ip) 53 out via ppp0
${IPFW} add 1900 allow udp from (secondary dns ip) 53 to any in via ppp0

${IPFW} add 2000 deny log tcp from any to any 1-1023 in via ppp0
${IPFW} add 2100 deny log udp from any to any 1-1023 in via ppp0

${IPFW} add 50000 allow all from any to any out via ppp0
${IPFW} add 51000 deny log all from any to any in via ppp0

This seems to be adequate enough to fit the setup I am currently using. However, I'm having trouble setting up a rule to filter out source-routed packets (to give some protection against IP spoofing). Could someone provide me with some help getting this set up with my dynamic IP PPP connection?

It would be helpful if those of you with more experience configuring firewalls could comment on the above rules and whether or not I've left anything important out, and how much security I should expect using this setup.
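As an added example, not part of evoangelist's or Mike's scripts, here is how the source-routing and spoofed-source filtering asked about above can be written in the same ipfw style, using the gap between rules 1050 and 1100 of the posted set; `EXT_IF`, `DRY_RUN` and the rule numbers 1060/1070 are assumptions, and with DRY_RUN=1 (the default here) the script only prints the commands so the rules can be reviewed before they are loaded.

```shell
#!/bin/sh
# Added example (not the posters' code): anti-spoofing rules for a
# dynamic-IP ppp0 link. EXT_IF, DRY_RUN and the rule numbers are
# assumptions; with DRY_RUN=1 commands are printed, not executed.
IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=${EXT_IF:-ppp0}
DRY_RUN=${DRY_RUN:-1}

# Run (or, in dry-run mode, print) one ipfw command.
ipfw_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPFW $*"
    else
        "$IPFW" "$@"
    fi
}

antispoof_rules() {
    # Source-routed packets carry the lsrr (loose) or ssrr (strict)
    # IP option; ipfw's "ipoptions" keyword matches on them. No local
    # address is needed, so the rule is unaffected by the address ppp0
    # is assigned on each connection.
    ipfw_rule add 1060 deny log ip from any to any ipoptions ssrr,lsrr
    # Packets arriving on the external link with a private (RFC 1918)
    # source address cannot be legitimate there and are logged and
    # dropped. Loopback sources are already covered by rule 1050.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipfw_rule add 1070 deny log ip from "$net" to any in via "$EXT_IF"
    done
}

# Number of rules the function emits; handy for a quick sanity check.
antispoof_rule_count() {
    antispoof_rules | wc -l | tr -d ' '
}

antispoof_rules
```

If the ISP hands ppp0 an address from one of those private ranges, drop that range from the list or the link's own traffic will be blocked.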
 
I found I had to add

# Allow DHCP traffic
${IPFW} add 00403 allow udp from any to any out
${IPFW} add 00501 allow udp from any 67 to any 68 in via en0

403 may not be the tightest, but I figure it's from me out, so....(?)

Otherwise I found that after ~6 hours, I'd lose my IP addr and it would default to something wacky.

For reference, I'm on a cable modem. I found that most of the IPFW examples online didn't deal well with this.

Mike
 