ipfw

bbolin

Registered
Available firewall rules are too open for me. Would like to have more control. Something like below -

02000 2578 433874 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 2537 1056382 allow tcp from any to any out
02060 4517 326688 allow tcp from any to any established
02065 1 48 allow tcp from trusted.public.ip.address to me dst-port 22
02066 2 120 deny log tcp from any to me dst-port 22
12190 0 0 deny log tcp from any to any
65535 143 24019 allow ip from any to any

I could turn off the current firewall from preferences, sharing firewall and start it up manually.

Where would the best place be to do this ?
/etc/rc.local ?
 
I would suggest making it a startup item myself; the rc scripts are really not the Mac way. In days of old I had created just such a thing; the link I put on this board is at http://www.macosx.com/forums/showpost.php?p=253649&postcount=8

One thing though I might point out is that the rules you have posted as your example of "improved" rules are somewhat broken and inefficient. I just hope you know what you are doing and don't end up making things worse.

Good Luck!
 
What's broken ?

These are stock rules created by Mac OS X with the addition of allow 22 from a specific IP address and then deny from all others.

No divert, no keep-state. Actually quite simple and elegant.

Now if they could only port pf to Mac OS X

I downloaded your link. Will give it the mac way.
 
One of my "broken" comments was due to a misreading on my part; sorry about that. But the fact that your last rule, the catchall, is to accept is not the right thing in my mind. It is only letting UDP & ICMP through, but still one should default to deny. Your aversion to using stateful rules explains some of this, because without state you really cannot tighten up UDP very well. But hey, you don't need to allow any and all UDP traffic from almost anywhere.

Similarly, you allow all ICMP traffic. Again you really should default to deny on all unmatched packets.

Now to be fair I understand that these are based on the default rules, but really they are not very tight. This makes sense from a marketing perspective, since it would be hard to explain to someone why something like Real Player is not working, or any number of other applications. Just when you start talking about doing something significantly better you kind of have to assess the assumptions that went into the foundation you're building upon.

Hope that helps,
-Eric

P.S. In case you were wondering my misread issue was with trusted.public.ip.address, I read that as trusted.host.example.com. That can be problematic because of what it means for you to have DNS running while setting up the firewall.
 
Forgot to mention this mac-mini is behind a netgear router/firewall. I'm only forwarding port 22 on the router to my internal rfc1918 address.

I did clean up the ruleset a little bit. Here is the content of MyFirewall
#!/bin/sh

##
# Network Aliases
##

. /etc/rc.common

StartService ()
{

ConsoleMessage "Adding Firewall Rules"
# loopback traffic is always allowed
ipfw add 100 allow ip from any to any via lo*
# outbound TCP, and the replies to connections we opened
ipfw add 500 allow tcp from any to any out
ipfw add 600 allow tcp from any to any established
# inbound ssh only from the trusted address (x.x.x.x as posted)
ipfw add 700 allow tcp from x.x.x.x to me 22
# every other inbound TCP packet is dropped and logged
ipfw add 800 deny log tcp from any to any
return 0;
}

StopService ()
{
ConsoleMessage "Removing Firewall Rules"
# flush removes every rule except the default rule 65535
ipfw flush
return 0;
}

RestartService ()
{
return 0;
}

RunService "$1"

Did chmod 755 on /Library/StartupItems/Myfirewall

The zip file has .DS_Store

What is that and is it needed ?
 
If you are behind a normal consumer NAT box/firewall then you will have problems with your ssh rule. The problem is that the NAT box will rewrite the traffic as it comes through and your Mac will see the ssh connection coming from the NAT and not the trusted external IP. To make this work you will need to set the Netgear router up to only forward connections to port 22 from the trusted host, and I have to admit that I don't know if that is possible; you could always try.

You can ignore the .DS_store file. It just stores finder information like the icons for files and their locations.

Let me know if you can get that working it has been a little while since I did it myself. I don't have to run the VPN I needed it for anymore.
 
No that's not true. The remote address is my public address at work.

Hey, it worked. Added one thing to the ruleset
/usr/libexec/ipfwloggerd

Pulled the trigger(reboot)

It came up fine.

The main reason I wanted the firewall up were dictionary attacks that I could see in the log files.

The crazy version of sshd logging on Darwin doesn't show the remote IP address of the attempts. Now ipfw stops them and tells me where they're doing it from.

Thanks for your help.
 
I am happy that it is working for you, just color me a bit puzzled that the Netgear box is not running as a NAT and you can see an outside connection as coming from its real address. That just does not make sense, but hey, if it is working I would not fiddle with it. ;)
 
The Netgear is running as a NAT router. Your thinking is backwards. All internal systems behind the router NAT or masquerade as the public IP of the Netgear.

All systems from the net to internal are their real addresses. How else could a firewall act as a firewall?

Found a lot of things broken when I implemented the firewall rules I told you. Went back to stateful rules -

00100 0 0 check-state
00200 20607 3048154 allow ip from any to any via lo*
00300 10413 4602993 allow ip from me to any keep-state
00500 48027 10699190 allow ip from x.x.x.x to me keep-state
00600 480 234369 deny log ip from any to any
65535 1324 216293 allow ip from any to any

Also found some things under the hood that you don't know are happening when you do it from the GUI.

net.inet.ip.fw.verbose: 2

Interesting to note when this entry is put in /etc/sysctl.conf it is ignored.

The actual syntax in this file should be
net.inet.ip.fw.verbose=2

Ended up putting it in the MyFirewall startup script

sysctl -w net.inet.ip.fw.verbose=2

btb
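To make the two points of this thread concrete (the first ruleset's `deny log tcp` leaves UDP and ICMP to fall through to the `allow` default rule 65535, while the later stateful ruleset's `deny log ip` does not), here is an added audit script that is not code from the thread. It parses the `ipfw -a list` format shown in the posts (rule number, packet counter, byte counter, rule text), reports which protocols an unconditional deny actually covers, flags keep-state without check-state, and sums the counters of the `deny log` rules, which is what ipfwloggerd was reporting. The two sample listings are constructed to match the posted ones; 198.51.100.10 stands in for the trusted address.

```python
"""Audit an `ipfw -a list` listing for the weaknesses discussed in the thread.

Added example, not code from the thread. Sample listings are constructed;
198.51.100.10 is a placeholder for the trusted public address.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the shape of the first "improved" ruleset:
# only TCP is explicitly denied, so UDP and ICMP fall through to 65535.
OPEN_DEFAULT_LISTING = """\
02000 2578 433874 allow ip from any to any via lo*
02050 2537 1056382 allow tcp from any to any out
02060 4517 326688 allow tcp from any to any established
02065 1 48 allow tcp from 198.51.100.10 to me dst-port 22
02066 2 120 deny log tcp from any to me dst-port 22
12190 0 0 deny log tcp from any to any
65535 143 24019 allow ip from any to any
"""

# Constructed sample in the shape of the later stateful ruleset:
# an explicit `deny log ip from any to any` makes rule 65535 unreachable.
STATEFUL_LISTING = """\
00100 0 0 check-state
00200 20607 3048154 allow ip from any to any via lo*
00300 10413 4602993 allow ip from me to any keep-state
00500 48027 10699190 allow ip from 198.51.100.10 to me keep-state
00600 480 234369 deny log ip from any to any
65535 1324 216293 allow ip from any to any
"""

# number, packets, bytes, action, optional rest of the rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(?:\s+(.*))?$")
# body of an unconditional deny: optional "log", protocol, "from any to any"
CATCH_ALL_RE = re.compile(r"^(?:log\s+)?(\S+)\s+from any to any$")


@dataclass
class Rule:
    number: int
    packets: int
    octets: int
    action: str  # allow, deny, check-state, ...
    body: str    # rule text after the action, "" for a bare check-state


def parse_listing(text: str) -> List[Rule]:
    """Turn `ipfw -a list` output into Rule objects, in listing order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ipfw listing line: {line!r}")
        num, pkts, octs, action, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(octs), action, body or ""))
    return rules


def denied_at_catch_all(rules: List[Rule]) -> Set[str]:
    """Protocols stopped by an explicit `deny ... from any to any` rule."""
    protos = set()
    for r in rules:
        if r.action == "deny":
            m = CATCH_ALL_RE.match(r.body)
            if m:
                protos.add(m.group(1))
    return protos


def logged_drops(rules: List[Rule]) -> int:
    """Packets counted by `deny log` rules, i.e. what the log would show."""
    return sum(r.packets for r in rules
               if r.action == "deny" and r.body.startswith("log"))


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    if not rules:
        return ["empty listing"]
    findings = []
    default = rules[-1]
    denied = denied_at_catch_all(rules)
    # `deny ip from any to any` covers every protocol, so 65535 is unreachable.
    if default.number == 65535 and default.action == "allow" and "ip" not in denied:
        covered = ", ".join(sorted(denied)) or "nothing"
        findings.append(
            f"default rule 65535 is allow and reachable: only {covered} is denied "
            f"explicitly; {default.packets} packets have already been accepted by it")
    uses_keep = any("keep-state" in r.body for r in rules)
    has_check = any(r.action == "check-state" for r in rules)
    if uses_keep and not has_check:
        findings.append("keep-state used without a check-state rule: dynamic rules "
                        "are only consulted once a packet reaches the first keep-state rule")
    return findings


if __name__ == "__main__":
    for name, text in (("open default", OPEN_DEFAULT_LISTING),
                       ("stateful", STATEFUL_LISTING)):
        rules = parse_listing(text)
        print(f"{name}: {logged_drops(rules)} packets logged as dropped")
        for finding in audit(rules) or ["no findings"]:
            print("  -", finding)
```

Run it against a saved `ipfw -a list` capture and the first sample produces one finding (the reachable allow default that the second poster objected to), while the stateful sample produces none; the packet counter on the `deny log` rule is the quick way to see how much the dictionary attacks are hitting without reading the log.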
 
Oh, I am always a little bit confused about everything, keeps me on my toes.

What I think we are arguing about is the way the NAT does port forwarding. The problem is that when you connect from the outside you connect to the external IP of the router, as nothing else is visible. That then gets forwarded inside. Now this can rewrite the incoming packets to make them look like they came from the router's internal IP or the original external IP. Now I had forgotten that normal sane people just rewrite the "to" part of the packets. (In my defense my default route to the internet was not through the NAT box, so the packets had to be rewritten; remember that old VPN I mentioned... and yes, ssh would squawk about man in the middle attacks ;) )

Happy to hear that it is working for you!
 