|
|
#21 |
|
Moderator
Join Date: Jan 2002
Posts: 10,677
|
1) The reason you're getting errors when you try to put a config file in /etc is because you're pre-empting it by putting the rules in the Firewall script itself.
2) If you're using a firewall.conf, it looks like it's complaining that you're starting the rules with a 0, don't. Start at 1-9 and go from there.
Decide which style you want. Personally, I put my .conf file elsewhere. But leaving them in the startup script works too. Let me know how you want to proceed, I'll continue to help.
Firewall, firewall.conf (if you use it) & .plist perms should look like this:
Code:
-rwxrwx--- 1 root admin 288 May 9 17:53 Firewall*
-rwxrwx--- 1 root admin 552 May 9 17:53 StartupParameters.plist*
-rwxrwx--- 1 root admin 2343 May 9 17:53 firewall.conf*
Last edited by yellow; 05-13-2003 at 05:29 PM. |
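Added example, not part of yellow's post or anyone else's in the thread: a small lint for the two checks described in post #21 (mode 770 on the StartupItem files, no rule number starting with 0). It assumes firewall.conf holds one ipfw command per line in the form "add <number> ..."; the thread never shows the file, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: lint a Firewall StartupItem directory.
# Assumption: firewall.conf has one ipfw command per line, "add <number> ...".

# check_mode FILE: succeed only if FILE exists with mode exactly 770.
check_mode() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 770 2>/dev/null)" ]
}

# bad_rule_numbers CONF: print "line:text" for every add rule whose number
# starts with 0; exit status 0 only when at least one such rule was found.
bad_rule_numbers() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "add" && $2 ~ /^0/ { printf "%d:%s\n", NR, $0; bad = 1 }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

# lint_startupitem DIR: report each problem, return the number of problems.
lint_startupitem() {
    dir=$1
    problems=0
    for f in Firewall StartupParameters.plist firewall.conf; do
        # firewall.conf is optional ("if you use it").
        if [ "$f" = firewall.conf ] && [ ! -e "$dir/$f" ]; then
            continue
        fi
        if ! check_mode "$dir/$f"; then
            echo "mode: $dir/$f is missing or not 770"
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dir/firewall.conf" ]; then
        if hits=$(bad_rule_numbers "$dir/firewall.conf"); then
            echo "$hits" | sed "s|^|rule number starts with 0: firewall.conf:|"
            problems=$((problems + $(echo "$hits" | wc -l)))
        fi
    fi
    return "$problems"
}
```

Run it as lint_startupitem /Library/StartupItems/Firewall; a return status of 0 means both checks passed.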
|
|
|
|
|
#22 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
Thanks, yellow, I'll try that later. But actually, I wasn't THAT stupid: I put the rules in the script AFTER I got errors from the /etc/config file.
|
|
|
|
|
|
#23 |
|
Moderator
Join Date: Jan 2002
Posts: 10,677
|
Sorry, no offense, but I find it better to err on the side of caution on here when trying to help
If worse comes to worse, I created a default set of rules with a scripted installer for all the pieces/parts with some utility scripts. If you're still having trouble I can send you these and you can edit them to your heart's content before installing them to see if they will work for you.
Last edited by yellow; 05-14-2003 at 08:25 AM. |
|
|
|
|
|
#24 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
No offense taken, you've been a great help. I reinstalled, once again (all the other forum members must be laughing their heads off at our epic saga), gave the .plist 770 permission (had been 700), removed the 0s at beginning of rules, but after startup, I still don't get any results. And I know that the file is OK: when I do
Code:
sudo /Library/StartupItems/Firewall/Firewall |
|
|
|
|
|
#25 |
|
Prospect
Join Date: Jan 2002
Posts: 9
|
Make sure you turn off the built-in firewall in Sharing Sys Prefs
The built-in firewall in the Sharing System Prefs will override rules in a StartupItem -- at least a StartupItem in the Local Domain -- in my experience.
If you are also running Internet Sharing -- also in the Sharing System Preferences -- then that will override certain rules, too, as its NAT functions work at least partially through ipfw. Internet Sharing will only override certain rules in ipfw, based on what I've seen -- if you're clever in how you construct your firewall rules (especially how you order them with rule numbers), you can work around it. It does try to put at least one rule in the ruleset very early.
So turn off both of these items, or take some time to understand how they affect your firewall StartupItem.
I wish I knew the exact config file the Internet Sharing uses to set up the firewall and NAT options. I end up calling the InternetSharing executable on my own in my personal firewall script (so that the Internet Sharing comes up at startup), but it would be nice to determine how to configure it. For one thing, InternetSharing can start up an AirPort card in infrastructure mode, so that it acts just like a hardware base station. But I'd like to be able to turn my wireless connection off and on (such as with a cron job) throughout the day/week. And I'd also like to disable SSID broadcasts. |
|
|
|
|
|
#26 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
That's what I suspected all the time. I have stopped Firewall in the Sharing PrefPane, but somehow I suspect that it's not actually switched off, but overrides my own rules with its default "allow everything" rule. I don't have Internet Sharing enabled (nor Cupertino Sharing, for that matter), just ssh and File Sharing. Maybe I'll try and switch them off?
|
|
|
|
|
|
#27 |
|
Moderator
Join Date: Jan 2002
Posts: 10,677
|
Nope, those won't affect it.
|
|
|
|
|
|