With ipfw, don't be stupid like me


Do not read this sign.
<b>ipfw</b> is the tool for configuring the built-in-but-not-used firewall in OS X. I thought I'd start my rule sets by blocking all traffic and then allowing only what I wanted.

<b>Don't do this:</b>
% <b>sudo ipfw add 65534 deny all from any to any</b>
That effectively stopped all IP traffic including (I don't know why) any future ipfw commands.

Fortunately I just forced a reboot (oh, yes, logging out was messed up too) which wiped the rules. Whooh!

In other news, I see there are two firewall programs out there: Brickhouse and Firewalk X. They're both kinda interesting, but I'm still writing another. I want to be able to manipulate the rules through a sort of table view that I can rearrange.



You have specifically denied all ports to all IPs in the last rule in the set. The last one is the one that has precedence (I think - haven't tested it yet) because the rules are applied in order of the rule number.

http://wopr.norad.org/articles/firewall/ipfw.html is a great place to look for tips on using ipfw.

Hope that this helps,
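An added example, not from the original post or its comments: a script that emits an ipfw rule set in the order that avoids the lock-out described above. ipfw evaluates rules by ascending number and stops at the first match, so the permits (loopback first, then established connections, then the services you actually want) must be numbered below the catch-all deny at 65534. The allowed ports 22 and 443 are constructed placeholders.

```shell
# Emit an ipfw rule set in first-match order. Nothing is applied here;
# the commands go to stdout so they can be reviewed before being piped
# to a root shell.
build_rules() {
    # Constructed example: the TCP services this host should accept.
    allowed_tcp_ports="22 443"
    n=100

    # Start from an empty table (-q skips the interactive confirmation).
    echo "ipfw -q flush"

    # Loopback first: a bare "deny all from any to any" also matches lo0
    # and breaks local daemons, so permit it before anything else.
    printf 'ipfw add %05d allow ip from any to any via lo0\n' "$n"
    n=$((n + 100))

    # Replies to connections this host opened itself.
    printf 'ipfw add %05d allow tcp from any to any established\n' "$n"
    n=$((n + 100))

    # Inbound connection attempts (SYN only) to the permitted ports.
    for p in $allowed_tcp_ports; do
        printf 'ipfw add %05d allow tcp from any to any %s in setup\n' "$n" "$p"
        n=$((n + 100))
    done

    # Catch-all deny last: anything not permitted above is dropped.
    echo "ipfw add 65534 deny ip from any to any"
}

# Review the rules: build_rules
# Apply them:      build_rules | sudo sh
```

Apply the whole set at once from a local console rather than entering rules one at a time over the network, so the deny rule is never the only rule in the table.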



Yeah, even adding it as rule 65,534 was pointless since it was the first rule I actually entered at the prompt.