The macosxhints Forums > OS X Help Requests > UNIX - General
Old 05-13-2003, 03:44 AM   #1
tas
manually adjust ipfw in 10.2?

Maybe I'm particularly obtuse, but I couldn't make this work. Here's my problem: I want to close some UDP ports on my iBook since Office would hang for a couple of minutes sniffing for other computers running the same serial number (and NO, I don't have duplicates running, I'm just on a big network so the check alone would take a long time). The built-in firewall doesn't allow closing UDP, but I knew the ruleset for ipfw. Problem: how do you make it stick? The 10.1 way (with a "firewall" and ".plist"-file in "Library/StartupItems") doesn't seem to work anymore, and if I try to make the script with the rules a LoginHook, the iBook hangs at startup. I assume that's because Apple's IPFirewall (/System/Library/Extensions/IPFirewall.kext) is still loading, and not even removing this file made it stop. Any suggestions?
Old 05-13-2003, 07:34 AM   #2
gatorparrots
Use Brickhouse:
http://personalpages.tds.net/~brian_...rickhouse.html
or sunShield:
http://homepage.mac.com/opalliere/shield_man.html
and make two custom rules:
Code:
#################################################
## Microsoft Office Broadcast
#################################################
add 2031 deny log udp from any to any 2222 out via en0

#################################################
## Microsoft Office Polling
#################################################
add 2032 deny log tcp from any to any 3000-3999 in via en0
Here, the rule numbers (2031,2032) are arbitrary. You should use the next available numbers in your user-added ruleset range.

Either of the GUI interfaces to ipfw mentioned above will allow you to create a StartupItem which runs a ruleset-loading script at boot.
Old 05-13-2003, 08:11 AM   #3
tas
Thanks - I was aware of this solution, but I'd like to understand what's going on and do it from the CLI. Like to get my hands dirty under this famous hood in OS X...
Old 05-13-2003, 08:31 AM   #4
hayne
watch and learn

Quote:
I was aware of this solution, but I'd like to understand what's going on and do it from the CLI. Like to get my hands dirty under this famous hood in OS X...

Well, what you would have to do under the CLI is create a StartupItem to initialize the firewall rules. The easiest way to see what needs to be done is to use one of the above mentioned apps and then go and look at what they have done. Watch and learn. After using them one time, just go and edit the rules by hand (in the CLI) as you wish.
Old 05-13-2003, 08:51 AM   #5
tas
Well, I downloaded sunShield and tried - it makes my computer crash every time I try to add a rule, and it hangs so badly that not even a "force quit" will help, I have to shut it down the ugly way...
Old 05-13-2003, 08:54 AM   #6
yellow
Yes, create a directory in /Library/StartupItems/ and in it place StartupParameters.plist
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>
and a firewall startup script:

Code:
#!/bin/sh
# make rules that say "log" write to syslog, with no per-rule cap on logged packets
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
# drop every loaded rule (the kernel's default 65535 stays), then load the file
/sbin/ipfw -q flush
/sbin/ipfw -q /etc/firewall.conf
# make sure the log file exists and have syslogd reopen it (SIGHUP)
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`
You'll notice that I placed firewall.conf in /etc. This is where the rules are. Some sample rules:
Code:
# loopback traffic is fine; loopback addresses arriving from the wire are spoofed
add 900 allow ip from any to any via lo*
add 901 deny log ip from 127.0.0.0/8 to any in
add 902 deny log ip from any to 127.0.0.0/8 in
# multicast (class D and above) is not wanted inbound
add 903 deny log ip from 224.0.0.0/3 to any in
add 904 deny log tcp from any to 224.0.0.0/3 in
# SLP (427) from anyone; all outgoing TCP and the replies to it
add 910 allow tcp from any to any 427 in
add 911 allow tcp from any to any out
add 912 allow tcp from any to any established
# ssh (22) and Timbuktu (407) only from two local /16 networks
add 1010 allow tcp from 152.16.0.0/16 to any 22 in
add 1011 allow tcp from 152.3.0.0/16 to any 22 in
add 1020 allow tcp from 152.16.0.0/16 to any 407 in
add 1021 allow tcp from 152.3.0.0/16 to any 407 in
# everything else inbound is dropped; TCP drops are logged. These rules are
# stateless, so inbound UDP answers (DNS replies included) are dropped by 1042.
add 1040 deny log tcp from any to any in
add 1042 deny udp from any to any in
add 1043 deny icmp from any to any in
To check your current rules:
Code:
sudo ipfw show
To flush your current rules:
Code:
sudo ipfw flush
To restart your ruleset:
Code:
sudo /Library/StartupItems/firewallfoldername/firewallscript
I suggest creating some scripts and adding them to /usr/local/bin/ to make life easier starting the firewall.

man ipfw for more info on the syntax for your rule set.
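Doing the same from the CLI, as an added example that is not from any poster on this thread or from BrickHouse: a script that writes the StartupItem above (the plist plus a load script), sets permissions, and checks the things SystemStarter needs before it will run an item. The destination directory and rules path are parameters (an assumption of this example), so a dry run into a scratch directory works unprivileged; on a real 10.2 box the destination is /Library/StartupItems and the rules file is /etc/firewall.conf. Unlike the one-shot scripts in this thread, the generated load script looks at the start/stop/restart word SystemStarter passes in $1.

```shell
#!/bin/sh
# Build a third-party ipfw StartupItem from the command line.
# Added example for this thread; not the posters' files and not BrickHouse output.
# Assumed layout: DEST/Firewall/StartupParameters.plist and DEST/Firewall/Firewall,
# with the rules kept in a separate file (RULES) that ipfw reads with "ipfw -q file".

# make_startup_item DEST RULES
make_startup_item() {
    dest="$1"; rules="$2"; item="$dest/Firewall"
    mkdir -p "$item" || return 1

    # Same plist as in the thread: Provides Firewall, Requires Resolver, run Last.
    cat > "$item/StartupParameters.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>
EOF

    # SystemStarter runs the script with start/stop/restart in $1.
    cat > "$item/Firewall" <<EOF
#!/bin/sh
# ipfw load script written by make_startup_item; edit $rules, not this file.
RULES=$rules
case "\$1" in
    start|restart)
        /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
        /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
        /sbin/ipfw -q flush
        if [ -r "\$RULES" ]; then /sbin/ipfw -q "\$RULES"; fi
        ;;
    stop)
        /sbin/ipfw -q flush
        ;;
esac
EOF

    # Not group-writable: this runs as root at boot, so only root should be
    # able to change it. Ownership is only set on a real box, as root.
    chmod 755 "$item" "$item/Firewall" || return 1
    chmod 644 "$item/StartupParameters.plist" || return 1
    if [ "$(id -u)" -eq 0 ] && [ "$(uname)" = Darwin ]; then
        chown -R root:wheel "$item" || return 1
    fi
    return 0
}

# check_startup_item DEST: the minimum SystemStarter needs to run the item.
# Prints the first problem found and returns 1, or prints ok and returns 0.
check_startup_item() {
    item="$1/Firewall"
    [ -d "$item" ] || { echo "missing directory $item"; return 1; }
    [ -f "$item/StartupParameters.plist" ] || { echo "missing StartupParameters.plist"; return 1; }
    [ -x "$item/Firewall" ] || { echo "script $item/Firewall is not executable"; return 1; }
    grep -q '<string>Firewall</string>' "$item/StartupParameters.plist" \
        || { echo "plist does not Provide Firewall"; return 1; }
    head -n 1 "$item/Firewall" | grep -q '^#!/bin/sh' \
        || { echo "script has no #!/bin/sh line"; return 1; }
    echo "ok: $item"
}

# Usage on a 10.2 box, as root:
#   make_startup_item /Library/StartupItems /etc/firewall.conf
#   check_startup_item /Library/StartupItems && SystemStarter start Firewall
if [ $# -eq 2 ]; then
    make_startup_item "$1" "$2" && check_startup_item "$1"
fi
```

After installing, `sudo SystemStarter -v start Firewall` shows what SystemStarter does with the item, and "Starting firewall" should appear in /var/log/system.log on the next boot. Two caveats: `stop` flushes back to the kernel's default 65535 allow rule, i.e. an open host, so only use it when you mean to; and the example uses 755 root:wheel rather than the 770 root:admin suggested in this thread because a group-writable script here lets anyone in the admin group change what root executes at boot.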
Old 05-13-2003, 10:08 AM   #7
tas
Nope, doesn't work. That's what it was like in 10.1.5, but apparently, 10.2 broke this functionality. All the files are in place, and I can invoke the Firewall manually via
Code:
sudo sh /Library/StartupItems/Firewall/Firewall
yet when I run sudo ipfw list after starting up normally, all I get is
Code:
65535 allow ip from any to any
-- which is the default rule when the built in firewall is switched off. Somehow, it seems to load even after this manual config, but why???

Old 05-13-2003, 10:40 AM   #8
yellow
I've been using the same rule set and scripts I created in 10.1.x for all my 10.2.x machines. So there's something else at fault here. What does your rule set look like? What does your Firewall script look like? Do a more of both and post it here please.

If I had to guess, I'd say that your rule set is missing or corrupt, or the Firewall script is pointing at the wrong spot.

Old 05-13-2003, 11:14 AM   #9
tas
OK, here comes (and thanks for your patience, I really appreciate it!): At first I tried your setup, with the actual config file in /etc. I got a strange error message and figured it'd be easier if I include the actual rules in the /Library/Startup/Firewall/Firewall as well. Here's what I included:
Code:
#!/bin/sh

/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
/sbin/ipfw -q flush
/sbin/ipfw -q add 02000 allow ip from any to any via lo*
/sbin/ipfw -q add 02010 deny ip from 127.0.0.0/8 to any in
/sbin/ipfw -q add 02020 deny ip from any to 127.0.0.0/8 in
/sbin/ipfw -q add 02030 deny ip from 224.0.0.0/3 to any in
/sbin/ipfw -q add 02040 deny tcp from any to 224.0.0.0/3 in
/sbin/ipfw -q add 02050 allow tcp from any to any out
/sbin/ipfw -q add 02060 allow tcp from any to any established
/sbin/ipfw -q add 02070 allow tcp from any to any 113 in
/sbin/ipfw -q add 02080 allow tcp from any to any 548 in
/sbin/ipfw -q add 02090 allow tcp from any to any 427 in
/sbin/ipfw -q add 02100 allow tcp from any to any 22 in
/sbin/ipfw -q add 12190 deny tcp from any to any
/sbin/ipfw -q add 12200 deny udp from any to any 2222 out
/sbin/ipfw -q add 65535 allow ip from any to any
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`
When I run this script, I get an error
Code:
/sbin/ipfw: getsocketopt(IP_FW_ADD): invalid argument
but after running it, sudo ipfw list shows the correct rules. Strange...
Old 05-13-2003, 11:38 AM   #10
yellow
Just off the top of my head, remove the last entry in the add.
Code:
/sbin/ipfw -q add 65535 allow ip from any to any
By default, ipfw inserts this rule, so you don't need to. This might be what it's hiccupping on.
Old 05-13-2003, 11:53 AM   #11
tas
You're right, after I removed this line, I don't get errors anymore when I run the script. But it still won't work automatically from the StartupItems. And you say it works on your box under 10.2? Something strange is going on here.
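The error in post 9 comes from the last line of that script: 65535 is the kernel's own default rule (the one `ipfw list` shows when nothing else is loaded), and `ipfw add 65535 ...` is rejected with "Invalid argument" (EINVAL), which is what the getsockopt(IP_FW_ADD) message reports. Every earlier add is a separate ipfw invocation and had already succeeded, which is why the list looked right afterwards. A bad line in a rules file loaded with `ipfw -q file` is just as easy to miss, so here is a small lint for such a file, as an added example that is not from any poster or from BrickHouse. It assumes the "add NUMBER rule" form used throughout this thread and that a line starting with # is a comment, as in gatorparrots' ruleset. Besides the 65535 mistake it flags lines that are not add rules and addresses written with fewer than four octets (224.0.0/3 is accepted as 224.0.0.0/3 but is easy to misread).

```shell
#!/bin/sh
# Sanity-check an ipfw rules file before handing it to "ipfw -q file".
# Added example for this thread, not code from any poster or from BrickHouse.
# Assumed file format: one "add NUMBER rule" per line, "#" starts a comment.

# lint_ipfw_rules FILE: prints one line per problem plus a summary,
# returns 1 if any error was found (warnings alone still return 0).
lint_ipfw_rules() {
    awk '
    BEGIN { errors = 0; rules = 0 }
    /^[[:space:]]*(#|$)/ { next }          # comment or blank line
    $1 != "add" {
        printf "line %d: error: not an add rule: %s\n", NR, $0
        errors++; next
    }
    $2 !~ /^[0-9]+$/ {
        printf "line %d: error: missing rule number\n", NR
        errors++; next
    }
    $2 + 0 > 65534 {
        # 65535 is the kernel default rule; the kernel refuses to add it (EINVAL)
        printf "line %d: error: rule %s is the default rule, ipfw add fails\n", NR, $2
        errors++; next
    }
    {
        rules++
        # an address with a mask but only one to three dot-separated parts
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)?(\.[0-9]+)?\/[0-9]+$/)
                printf "line %d: warning: shorthand address %s\n", NR, $i
    }
    END {
        printf "%d rules, %d errors\n", rules, errors
        exit (errors > 0)
    }' "$1"
}

# Usage: lint_ipfw_rules /etc/firewall.conf && sudo ipfw -q /etc/firewall.conf
if [ $# -eq 1 ]; then
    lint_ipfw_rules "$1"
fi
```

One more thing worth knowing when moving these commands into a boot script: an interactive `ipfw flush` asks for confirmation, and the -q used in the startup scripts in this thread is what suppresses that prompt, which matters for a script run at boot with no terminal attached.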
Old 05-13-2003, 12:11 PM   #12
yellow
Yep works fine. Check the permissions. Make sure the startup script is owned by root, in the admin group and has chmod 770 on it.
Old 05-13-2003, 12:15 PM   #13
gatorparrots
For reference, here's the startup script Brickhouse generates (again, calling /etc/firewall.conf, which contains all of the actual rules):
Code:
#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse

#===========================================================
# Process Firewall Rules File
#===========================================================
/sbin/ipfw -q /etc/firewall.conf
and the StartupParameters.plist file for good measure:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>
Old 05-13-2003, 12:32 PM   #14
tas
SIGH - I tried everything: permissions set to 700 instead of 755. Moving actual rule list back to /etc/firewall.config and have the firewall read it from there instead of directly from the Firewall file - all to no avail. Could it be that Brickhouse & Co. somehow manage to completely switch off the built-in firewall while I'm too dumb to do that?
Old 05-13-2003, 12:39 PM   #15
yellow
Not likely.. I think your next step should be to move/remove that folder in your StartupItems, and start from scratch. Just copy the StartupParameters.plist that either I or gatorparrots posted (they're the same). Chmod it to 770, make sure root is owner, admin is group. Place a new copy of your Firewall script in there as well with the same entries you had above, the same permissions as the .plist and see if that works for you.
Old 05-13-2003, 03:35 PM   #16
tas
Sorry, was just away for dinner with the family... Guys, you're great, I'm really grateful for your efforts! OK, so I started from scratch. Hopefully, I'm not a complete idiot. So I give you all the information I got:

Code:
ll /Library/StartupItems
drwxr-xr-x    4 root     admin         136 May 13 21:14 Firewall
Code:
ll /Library/StartupItems/Firewall
-rwx------    1 root     admin         954 May 13 21:22 Firewall
-rw-r--r--    1 root     admin         727 May 13 21:14 StartupParameters.plist
Here's my StartupParameters.plist:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
        <key>Description</key>
        <string>firewall</string>
        <key>Messages</key>
        <dict>
                <key>start</key>
                <string>Starting firewall</string>
                <key>stop</key>
                <string>Stopping firewall</string>
        </dict>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>Firewall</string>
        </array>
        <key>Requires</key>
        <array>
                <string>Resolver</string>
        </array>
</dict>
</plist>
Here's my Firewall file:
Code:
#!/bin/sh

/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=0
/sbin/ipfw -q flush
/sbin/ipfw -q add 02000 allow ip from any to any via lo*
/sbin/ipfw -q add 02010 deny ip from 127.0.0.0/8 to any in
/sbin/ipfw -q add 02020 deny ip from any to 127.0.0.0/8 in
/sbin/ipfw -q add 02030 deny ip from 224.0.0.0/3 to any in
/sbin/ipfw -q add 02040 deny tcp from any to 224.0.0.0/3 in
/sbin/ipfw -q add 02050 allow tcp from any to any out
/sbin/ipfw -q add 02060 allow tcp from any to any established
/sbin/ipfw -q add 02070 allow tcp from any to any 113 in
/sbin/ipfw -q add 02080 allow tcp from any to any 548 in
/sbin/ipfw -q add 02090 allow tcp from any to any 427 in
/sbin/ipfw -q add 02100 allow tcp from any to any 22 in
/sbin/ipfw -q add 12190 deny tcp from any to any
/sbin/ipfw -q add 12200 deny udp from any to any 2222 out
/usr/bin/touch /private/var/log/system.log
/bin/kill -1 `cat /var/run/syslog.pid`
I tried to make it refer to firewall.config in /etc, but I always received this error:
Code:
net.inet.ip.fw.verbose: 1 -> 1
net.inet.ip.fw.verbose_limit: 0 -> 0
/sbin/ipfw: error: bad arguments
usage: ipfw [options]
    add [number] rule
    zero [number ...]
    resetlog [number ...]
  rule: [prob <match_probability>] action proto src dst extras...
    action:
      {allow|permit|accept|pass|deny|drop|reject|unreach code|
       reset|count|skipto num|divert port|tee port|fwd ip|
} [log [logamount count]]
    proto: {ip|tcp|udp|icmp|<number>}
    src: from [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
  extras:
    uid {user id}
    fragment     (may not be used with ports or tcpflags)
    in
    out
    {xmit|recv|via} {iface|ip|any}
    {established|setup}
    tcpflags [!]{syn|fin|rst|ack|psh|urg},...
    ipoptions [!]{ssrr|lsrr|rr|ts},...
    tcpoptions [!]{mss|window|sack|ts|cc},...
    icmptypes {type[,type]}...
That's why I included the rules in the Firewall file. And here's what I get when I do
Code:
sudo ipfw list
65535 allow ip from any to any
I'm ready to give up and do it manually every time I log in. That can't be true! What's going on here?
Old 05-13-2003, 04:49 PM   #17
gatorparrots
Delete everything. Install Brickhouse. Add a rule. Install its StartupItem. Then manually go nuts with your rules, editing /etc/firewall.conf as you desire, including the two rules for Microsoft Office v.X I gave above.

Flush your firewall rules:
sudo ipfw flush

Then run the StartupItem:
sudo /Library/StartupItems/Firewall/Firewall
or
sudo SystemStarter start Firewall
Old 05-13-2003, 05:01 PM   #18
tas
You're right - I just wanted to understand, but who said computers are meant to be understood? Sob... Going GUI and installing Brickhouse feels like cheating now, I wanted to beat it fair and square. But as I said: I give up. Maybe a greater hero will come and take revenge (sorry, was just preparing my class on the Iliad).
Old 05-13-2003, 05:09 PM   #19
mervTormel
ha!

Quote:
Originally posted by gatorparrots
Delete everything...

yeah, delete everything, get yourself a Big Chief Legal Pad and a box of Ticonderoga #2s ;]

sincerely,

Ignatius J. Reilly
__________________
On a clear disk, you can seek forever.
Old 05-13-2003, 05:15 PM   #20
bassi
Ahhhh! Another Confederacy fan.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.