manually adjust ipfw in 10.2?
 

Maybe I'm particularly obtuse, but I couldn't make this work. Here's my problem: I want to close some UDP ports on my iBook since Office would hang for a couple of minutes sniffing for other computers running the same serial number (and NO, I don't have duplicates running, I'm just on a big network so the check alone would take a long time). The built-in firewall doesn't allow closing UDP, but I knew the ruleset for ipfw. Problem: how do you make it stick? The 10.1 way (with a "firewall" and ".plist"-file in "Library/StartupItems" doesn't seem to work anymore, and if I try to make the script with the rules a LoginHook, the iBook hangs at startup. I assume that's because Apple's IPFirewall (/System/Library/Extensions/IPFirewall.kext) is still loading, and not even removing this file made it stop. Any suggestions?

Use Brickhouse:
http://personalpages.tds.net/~brian_...rickhouse.html
or sunShield:
http://homepage.mac.com/opalliere/shield_man.html
and make two custom rules:Here, the rule numbers (2031,2032) are arbitrary. You should use the next available numbers in your user-added ruleset range.

Either of the GUI interfaces to ipfw mentioned above will allow you to create a StartupItem which runs a ruleset-loading script at boot.

Thanks - I was aware of this solution, but I'd like to understand what's going on and do it from the CLI. Like to get my hands dirty under this famous hood in OS X...

watch and learn
 

Well, what you would have to do under the CLI is create a StartupItem to initialize the firewall rules. The easiest way to see what needs to be done is to use one of the above mentioned apps and then go and look at what they have done. Watch and learn. After using them one time, just go and edit the rules by hand (in the CLI) as you wish.

Well, I downloaded sunshield and tried - it makes my computer crash every time i try to add a rule, and it hangs so badly that not even a "force quit" will help, I have to shut it down the ugly way...

Yes, create a directory in /Library/StartupItems/ an in it place StartupParameters.plist
and a firewall startup script:

You'll notice that I placed firewall.conf in /etc. This is where the rules are. Some sample rules:
To check your current rules:
To flush your current rules:
To restart your ruleset:
I suggest creating some scripts and adding them to /usr/local/bin/ to make life easier starting the firewall.

man ipfw for more infor on the syntax for your rule set.

Nope, doesn't work. That's what it was like in 10.1.5, but apparently, 10.2 broke this functionality. All the files are in place, and I can invoke the Firewall manually via yet when I run sudo ipfw list after starting up normally, all I get is
-- which is the default rule when the built in firewall is switched off. Somehow, it seems to load even after this manual config, but why???

I've been using the same rule set and scripts I created in 10.1.x for all my 10.2.x machines. So there's something else at fault here. What does your rule set look like? What does your Firewall script look like? Do a more of both and post it here please.

If I had to guess, I'd say that your rule set is missing or corrupt, or the Firewall script is pointing at the wrong spot.

OK, here comes (and thanks for your patience, I really appreciate!): At first I tried your setup, with the actual config.-file in /etc. I got a strange error message and figured it'd be easier if I include the actual rules in the /Library/Startup/Firewall/Firewall as well. Here's what I included:
When I run this script, I get an error but after running it, sudo ipfw list shows the correct rules. Strange...

Just off the top of my head, remove the last entry in the add.
By default, ipfw inserts this rule, so you don't need to. This might be what it's hiccupping on.

You're right, after I removed this line, I don't get errors anymore when I run the script. But it still won't work automatically from the StartupItems. And you say it works on your box under 10.2? Something strange is going on here.

Yep works fine. Check the permissions. Make sure the startup script is owned by root, in the admin group and has chmod 770 on it.

For reference, here's the startup script Brickhouse generates (again, calling /etc/firewall.conf, which contains all of the actual rules):and the StartupParamaters.plist file for good measure:

SIGH - I tried everything: permissions set to 700 instead of 755. Moving actual rule list back to /etc/firewall.config and have the firewall read it from there instead of directly from the Firewall file - all to no avail. Could it be that Brickhous & Co. somehow manage to completelt switch off the built-in firewall while I'm too dumb to do that?

Not likely.. I think your next step should be to move/remove that folder in your StartupItems, and start from scratch. Just copy the StartupParameters.plist they either I or gattorparrots posted (they're the same). Chmod it to 770, make sure root is owner, admin is group. Place a new copy of your Firewall script in there as well with the same entries you had above, the same permissions as the .plist and see if that works for you.

Sorry, was just away for dinner with the family... Guys, you're great, I'm really grateful for your efforts! OK, so I started from scratch. Hopefully, I'm not a complete idiot. So I give you all the information I got:

Here's my StartupParameters.plist:
Here's my Firewall file:
I tried to make it refer to firewall.config in /etc, but I always received this error:
That's why I included the rules in the Firewall file. And here's what I get when I do
I'm ready to give up and do it manually every time I log in. That can't be true! What's going on here?

Delete everything. Install Brickhouse. Add a rule. Install its StartupItem. Then manually go nuts with your rules, editing /etc/firewall.conf as you desire, including the two rules for Microsoft Office v.X I gave above.

Flush your firewall rules:
sudo ipfw flush

Then run the StartupItem:
sudo /Library/StartupItems/Firewall/Firewall
or
sudo SystemStarter start Firewall

You're right - I just wanted to understand, but who said computers are meant to be understood? Sob... Going GUI and installing Brickhouse feels like cheating now, I wanted to beat it fair and square. But as I said: I give up. Maybe a greater hero will come and take revenge (sorry, was just preparing my class on the Iliad).

ha!
 

yeah, delete everything, get yourself a Big Chief Legal Pad and a box of Ticonderoga #2s ;]

sincerely,

Ignatius J. Reilly

Ahhhh! Another Confederacy fan.

1) The reason you're getting errors when you try to put a config file in /etc because you're pre-empting it by putting the rules in the Firewall script itself. 2) If you're using a firewall.conf, It looks like it's complaing that you're starting the rules with a 0, don't. Start at 1-9 and go from there.
Decide which style you want. Personally, I put my .conf file elsewhere. But leaving them in the startup script works too. Let me know how you want to proceed, I'll continue to help.

Firewall, firewall.conf (if you use it) & .plist perms should look like this:
root/admin read/write/execute

Thanks, yellow, I'll try that later. But actually, I wasn't THAT stupid: I put the rules in the script AFTER I got errors from the /etc/config file.

Sorry, no offense, but I find it better to err on the side of caution on here when trying to help :)

If worse comes to worse, I created a default set of rules with an scripted installer for all the pieces/parts with some utility scripts. If you're still having trouble I can send you these and you can edit them to your heart's content before installing them to see if they will work for you.

No offense taken, you've been a great help. I reinstalled, once again (all the other forum members must be laughing their heads off at our epic saga), gave the .plist 770 permission (had been 700), removed the 0s at beginning of rules, but after startup, I still don't get any results. And I know that the file is OK: when I do my rules are applied! So the file is there, it's executable, but it isn't executed at startup. Sorry, I really don't wnat to be a PITA, but this is driving me nuts.

Make sure you turn off the built-in firewall in Sharing Sys Prefs
 

The built-in firewall in the Sharing System Prefs will override rules in a StartupItem -- at least a StartupItem in the Local Domain -- in my experience.

If you are also running Internet Sharing -- also in the Sharing System Preferences -- then that will override certain rules, too, as its NAT functions work at least partially through ipfw. Internet Sharing will only override certain rules in ipfw, based on what I've seen -- if you're clever in how you construct your firewall rules (especially how you order them with rule numbers), you can work around it. It does try to put at least one rule in the ruleset very early.

So turn off both of these items, or take some time to understand how they affect your firewall StartupItem.

I wish I knew the exact config file the Internet Sharing uses to set up the firewall and NAT options. I end up calling the InternetSharing executable on my own in my personal firewall script (so that the Internet Sharing comes up at startup), but it would be nice to determine how to configure it.

For one thing, InternetSharing can start up an AirPort card in infrastructure mode, so that it acts just like a hardware base station. But I'd like to be able to turn my wireless connection off and on (such as with a cron job) throughout the day/week. And I'd also like to disable SSID broadcasts.

That's what I suspected all the time. I have stopped Firewall in the Sharing PrefPane, but somehow I suspect that it's not actually switched off, but overrides my own rules with its default "allow everything" rule. I don't have Internet Sharing enabled (nor Cupertino Sharing, for that matter), just ssh and File Sharing. Maybe I'll try and switch them off?

Nope, those won't effect it.