manually adjust ipfw in 10.2?

[tas]

Maybe I'm particularly obtuse, but I couldn't make this work. Here's my problem: I want to close some UDP ports on my iBook since Office would hang for a couple of minutes sniffing for other computers running the same serial number (and NO, I don't have duplicates running, I'm just on a big network so the check alone would take a long time). The built-in firewall doesn't allow closing UDP, but I knew the ruleset for ipfw. Problem: how do you make it stick? The 10.1 way (with a "firewall" and ".plist"-file in "Library/StartupItems" doesn't seem to work anymore, and if I try to make the script with the rules a LoginHook, the iBook hangs at startup. I assume that's because Apple's IPFirewall (/System/Library/Extensions/IPFirewall.kext) is still loading, and not even removing this file made it stop. Any suggestions?

[gatorparrots]

Use Brickhouse:
http://personalpages.tds.net/~brian_...rickhouse.html
or sunShield:
http://homepage.mac.com/opalliere/shield_man.html
and make two custom rules:

Code:

#################################################
## Microsoft Office Broadcast
#################################################
add 2031 deny log udp from any to any 2222 out via en0

#################################################
## Microsoft Office Polling
#################################################
add 2032 deny log tcp from any to any 3000-3999 in via en0

Here, the rule numbers (2031,2032) are arbitrary. You should use the next available numbers in your user-added ruleset range.

Either of the GUI interfaces to ipfw mentioned above will allow you to create a StartupItem which runs a ruleset-loading script at boot.

[tas]

Thanks - I was aware of this solution, but I'd like to understand what's going on and do it from the CLI. Like to get my hands dirty under this famous hood in OS X...

[hayne]

Quote: I was aware of this solution, but I'd like to understand what's going on and do it from the CLI. Like to get my hands dirty under this famous hood in OS X...

Well, what you would have to do under the CLI is create a StartupItem to initialize the firewall rules. The easiest way to see what needs to be done is to use one of the above mentioned apps and then go and look at what they have done. Watch and learn. After using them one time, just go and edit the rules by hand (in the CLI) as you wish.

[tas]

Well, I downloaded sunshield and tried - it makes my computer crash every time i try to add a rule, and it hangs so badly that not even a "force quit" will help, I have to shut it down the ugly way...

[yellow]

Yes, create a directory in /Library/StartupItems/ an in it place StartupParameters.plist

Code:

 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>

and a firewall startup script:

Code:

#!/bin/sh
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
/sbin/ipfw -q flush
/sbin/ipfw -q /etc/firewall.conf
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`

You'll notice that I placed firewall.conf in /etc. This is where the rules are. Some sample rules:

Code:

add 900 allow ip from any to any via lo*
add 901 deny log ip from 127.0.0.0/8 to any in
add 902 deny log ip from any to 127.0.0.0/8 in
add 903 deny log ip from 224.0.0.0/3 to any in
add 904 deny log tcp from any to 224.0.0/3 in
add 910 allow tcp from any to any 427 in
add 911 allow tcp from any to any out
add 912 allow tcp from any to any established
add 1010 allow tcp from 152.16.0.0/16 to any 22 in
add 1011 allow tcp from 152.3.0.0/16 to any 22 in
add 1020 allow tcp from 152.16.0.0/16 to any 407 in
add 1021 allow tcp from 152.3.0.0/16 to any 407 in
add 1040 deny log tcp from any to any in
add 1042 deny udp from any to any in
add 1043 deny icmp from any to any in

To check your current rules:

Code:

sudo ipfw show

To flush your current rules:

Code:

sudo ipfw flush

To restart your ruleset:

Code:

sudo /Library/StartupItems/firewallfoldername/firewallscript

I suggest creating some scripts and adding them to /usr/local/bin/ to make life easier starting the firewall.

man ipfw for more infor on the syntax for your rule set.

[tas]

Nope, doesn't work. That's what it was like in 10.1.5, but apparently, 10.2 broke this functionality. All the files are in place, and I can invoke the Firewall manually via

Code:

 sudo sh /Library/StartupItems/Firewall/Firewall

yet when I run sudo ipfw list after starting up normally, all I get is

Code:

 65535 allow ip from any to any

-- which is the default rule when the built in firewall is switched off. Somehow, it seems to load even after this manual config, but why???

[yellow]

I've been using the same rule set and scripts I created in 10.1.x for all my 10.2.x machines. So there's something else at fault here. What does your rule set look like? What does your Firewall script look like? Do a more of both and post it here please.

If I had to guess, I'd say that your rule set is missing or corrupt, or the Firewall script is pointing at the wrong spot.

[tas]

OK, here comes (and thanks for your patience, I really appreciate!): At first I tried your setup, with the actual config.-file in /etc. I got a strange error message and figured it'd be easier if I include the actual rules in the /Library/Startup/Firewall/Firewall as well. Here's what I included:

Code:

#!/bin/sh

/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
/sbin/ipfw -q flush
/sbin/ipfw -q add 02000 allow ip from any to any via lo*
/sbin/ipfw -q add 02010 deny ip from 127.0.0.0/8 to any in
/sbin/ipfw -q add 02020 deny ip from any to 127.0.0.0/8 in
/sbin/ipfw -q add 02030 deny ip from 224.0.0.0/3 to any in
/sbin/ipfw -q add 02040 deny tcp from any to 224.0.0.0/3 in
/sbin/ipfw -q add 02050 allow tcp from any to any out
/sbin/ipfw -q add 02060 allow tcp from any to any established
/sbin/ipfw -q add 02070 allow tcp from any to any 113 in
/sbin/ipfw -q add 02080 allow tcp from any to any 548 in
/sbin/ipfw -q add 02090 allow tcp from any to any 427 in
/sbin/ipfw -q add 02100 allow tcp from any to any 22 in
/sbin/ipfw -q add 12190 deny tcp from any to any
/sbin/ipfw -q add 12200 deny udp from any to any 2222 out
/sbin/ipfw -q add 65535 allow ip from any to any
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`

When I run this script, I get an error

Code:

/sbin/ipfw: getsocketopt(IP_FW_ADD): invalid argument

but after running it, sudo ipfw list shows the correct rules. Strange...

[yellow]

Just off the top of my head, remove the last entry in the add.

Code:

/sbin/ipfw -q add 65535 allow ip from any to any

By default, ipfw inserts this rule, so you don't need to. This might be what it's hiccupping on.

[tas]

You're right, after I removed this line, I don't get errors anymore when I run the script. But it still won't work automatically from the StartupItems. And you say it works on your box under 10.2? Something strange is going on here.

[yellow]

Yep works fine. Check the permissions. Make sure the startup script is owned by root, in the admin group and has chmod 770 on it.

[gatorparrots]

For reference, here's the startup script Brickhouse generates (again, calling /etc/firewall.conf, which contains all of the actual rules):

Code:

#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse

#===========================================================
# Process Firewall Rules File
#===========================================================
/sbin/ipfw -q /etc/firewall.conf

and the StartupParamaters.plist file for good measure:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>

[tas]

SIGH - I tried everything: permissions set to 700 instead of 755. Moving actual rule list back to /etc/firewall.config and have the firewall read it from there instead of directly from the Firewall file - all to no avail. Could it be that Brickhous & Co. somehow manage to completelt switch off the built-in firewall while I'm too dumb to do that?

[yellow]

Not likely.. I think your next step should be to move/remove that folder in your StartupItems, and start from scratch. Just copy the StartupParameters.plist they either I or gattorparrots posted (they're the same). Chmod it to 770, make sure root is owner, admin is group. Place a new copy of your Firewall script in there as well with the same entries you had above, the same permissions as the .plist and see if that works for you.

[tas]

Sorry, was just away for dinner with the family... Guys, you're great, I'm really grateful for your efforts! OK, so I started from scratch. Hopefully, I'm not a complete idiot. So I give you all the information I got:

Code:

 ll /Library/StartupItems
drwxr-xr-x    4 root     admin         136 May 13 21:14 Firewall

Code:

 ll /Library/StartupItems/Firewall
-rwx------    1 root     admin         954 May 13 21:22 Firewall
-rw-r--r--    1 root     admin         727 May 13 21:14 StartupParameters.plist

Here's my StartupParameters.plist:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>

Here's my Firewall file:

Code:

#!/bin/sh

/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
/sbin/ipfw -q flush
/sbin/ipfw -q add 02000 allow ip from any to any via lo*
/sbin/ipfw -q add 02010 deny ip from 127.0.0.0/8 to any in
/sbin/ipfw -q add 02020 deny ip from any to 127.0.0.0/8 in
/sbin/ipfw -q add 02030 deny ip from 224.0.0.0/3 to any in
/sbin/ipfw -q add 02040 deny tcp from any to 224.0.0.0/3 in
/sbin/ipfw -q add 02050 allow tcp from any to any out
/sbin/ipfw -q add 02060 allow tcp from any to any established
/sbin/ipfw -q add 02070 allow tcp from any to any 113 in
/sbin/ipfw -q add 02080 allow tcp from any to any 548 in
/sbin/ipfw -q add 02090 allow tcp from any to any 427 in
/sbin/ipfw -q add 02100 allow tcp from any to any 22 in
/sbin/ipfw -q add 12190 deny tcp from any to any
/sbin/ipfw -q add 12200 deny udp from any to any 2222 out
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`

I tried to make it refer to firewall.config in /etc, but I always received this error:

Code:

net.inet.ip.fw.verbose: 1 -> 1
net.inet.ip.fw.verbose_limit: 0 -> 0
/sbin/ipfw: error: bad arguments
usage: ipfw [options]
    add [number] rule
    zero [number ...]
    resetlog [number ...]
  rule: [prob <match_probability>] action proto src dst extras...
    action:
      {allow|permit|accept|pass|deny|drop|reject|unreach code|
       reset|count|skipto num|divert port|tee port|fwd ip|
} [log [logamount count]]
    proto: {ip|tcp|udp|icmp|<number>}
    src: from [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
  extras:
    uid {user id}
    fragment     (may not be used with ports or tcpflags)
    in
    out
    {xmit|recv|via} {iface|ip|any}
    {established|setup}
    tcpflags [!]{syn|fin|rst|ack|psh|urg},...
    ipoptions [!]{ssrr|lsrr|rr|ts},...
    tcpoptions [!]{mss|window|sack|ts|cc},...
    icmptypes {type[,type]}...

That's why I included the rules in the Firewall file. And here's what I get when I do

Code:

sudo ipfw list
65535 allow ip from any to any

I'm ready to give up and do it manually every time I log in. That can't be true! What's going on here?

[gatorparrots]

Delete everything. Install Brickhouse. Add a rule. Install its StartupItem. Then manually go nuts with your rules, editing /etc/firewall.conf as you desire, including the two rules for Microsoft Office v.X I gave above.

Flush your firewall rules:
sudo ipfw flush

Then run the StartupItem:
sudo /Library/StartupItems/Firewall/Firewall
or
sudo SystemStarter start Firewall

[tas]

You're right - I just wanted to understand, but who said computers are meant to be understood? Sob... Going GUI and installing Brickhouse feels like cheating now, I wanted to beat it fair and square. But as I said: I give up. Maybe a greater hero will come and take revenge (sorry, was just preparing my class on the Iliad).

[mervTormel]

Quote: Originally posted by gatorparrots Delete everything...

yeah, delete everything, get yourself a Big Chief Legal Pad and a box of Ticonderoga #2s ;]

sincerely,

Ignatius J. Reilly

[bassi]

Ahhhh! Another Confederacy fan.