Published on MacDevCenter (http://www.macdevcenter.com/)


Configuring Jaguar's Firewall

by Chris Cochella
12/27/2002

Many of you already know that Jaguar, Mac OS X 10.2, comes with a built-in firewall. In an effort to keep things simple, Apple provides the basic ability to configure this firewall via the GUI interface in System Preferences, but otherwise is silent on its extensive benefits and usefulness.

This firewall is called ipfw (Internet Protocol FireWall), which is undoubtedly familiar to Unix and Linux users but completely unfamiliar to the traditional Mac world. We're going to change this. Don't let the Unix heritage deter you; instead, let it motivate you.

The Unix history is a tremendous asset because it means that ipfw includes a full set of features that have been hardened by computing professionals for years. And all of this value is available to you right now. So resist the urge to buy a personal firewall, because you have a tried and true enterprise-level firewall sitting right under your nose.

Where Under My Nose?

To accurately describe where ipfw resides, we'll use the Terminal application to casually browse the file system and issue a few basic commands via the command-line interface. If you need an introduction to Terminal, check out Chris Stone's article "Learning the Terminal in Jaguar, Part 1." The ipfw application lives in a directory called /sbin, where many other commands reside. These can be viewed by starting the Terminal application and typing:

[bullit:~] cochella% ls -al /sbin/ipfw

This will return something like:

-r-xr-xr-x  1 root  wheel  42340 Jul 27 21:24 ipfw

Notice that if you leave off the ipfw above you will see a bunch of other commands listed, eliciting all kinds of "What is that ..." excitement. It's worth your time to browse around later, but tread lightly when you do.

To explore the options of the ipfw command (or any other command), type the following to bring up the ipfw "man," or manual, pages.

[bullit:~] cochella% man ipfw 

Again, the juices start flowing with thoughts of "How do I do ..." and "What if ..." Or maybe you begin to think, "There's no way I can use this." If that's the case, worry not; things are going to simplify greatly.

Let's enter one more command to see how ipfw is currently set up. Note that this requires root or admin access via the sudo command. You will be prompted for the root or admin password that you provided when you initially set up the computer. The sudo command lets you temporarily act as administrator for a specific command.

[bullit:~] cochella% sudo ipfw list
Password:

You will probably see the following output:

65535 allow ip from any to any

A quick glance at this output indicates that your computer will allow ip (Internet Protocol) traffic from any computer to any computer for all services (Web, FTP, etc.). This is the default, out-of-the-box firewall setup. The rest of this article will:

  1. Implement a specific solution in the System Preferences.
  2. Help you understand a little more about ipfw entries like the one above.
  3. Investigate where the System Preferences could use a little help and what to do about it.

Jaguar's System Preferences

Basic features of the Jaguar firewall (ipfw) are available through the System Preferences application. Launch Preferences and select the Sharing icon under Internet & Network. There are three main tabbed sections: Services, Firewall, and Internet, as you can see in Figure 1.

The Services tab lists the services that you can offer from your Macintosh, like Personal File Sharing between Macintosh and Windows computers on your local network. Services like Personal Web Sharing, Remote Login, and FTP Access are Internet services permitting access to your computer from another computer on the Internet, which means from any computer, anywhere. This would be a scary situation except for the fact that you have a firewall at your fingertips!


Figure 1

Let's create a simple scenario that many people might want to use: provide file transfer (FTP, or File Transfer Protocol) access to a home computer named bullit from a laptop computer while on the road.

To begin this setup, go to the Services tab (Figure 1) on the home computer, select the FTP Access service, deselect all other services, and then click the Start button. This will start the FTP service and there will be a message saying "Other people can access your FTP server at ftp://your_ip_address." This IP address or hostname is the address that you will connect to while on the road.

Next, click on the Firewall tab, as shown in Figure 2. Notice that FTP Access is selected for you. Because you selected this service in the Services tab, it is now an available service for firewall setup.

Now, click Start in the Firewall tab settings to start the firewall and install your new settings. Your computer will now allow incoming network connections to the selected FTP service. Note that next to the Stop button there is a message saying to "Click Stop to allow incoming network communication to all services and ports." What this means is that if the firewall is stopped, all incoming and outgoing connections will be allowed, just like the output from ipfw list above. We are now allowing only FTP access.


Figure 2

From your mobile computer (which I have named ripple) connected to the Internet, you should be able to open an FTP connection to your home computer (called bullit) using the "your_ip_address" address above (e.g., 64.158.66.245). Type the following command in the Terminal on the computer named ripple:

[ripple:~] cochella% ftp 64.158.66.245
Connected to 64.158.66.245.
220 64.158.66.245 FTP server (lukemftpd 1.1) ready.

You will then be prompted for your username and password. This is your username and password on the home computer called bullit:

Name (64.158.66.245:cochella): cochella
331 Password required for cochella.
Password:
230-
    Welcome to Darwin!
230 User cochella logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The ftp> indicates that you are now connected and can issue remote file transfer commands on the home computer bullit. There are many graphical FTP applications available that are easier to use than the command line, but this is a quick test to see that we have connected. (Tip: you can also review the FTP manual pages with man ftp.)

Now that we have verified that we can connect, let's take a look at the list of ipfw entries again by entering the following at the command line:

[bullit:~] cochella% sudo ipfw list
Password:

Whoooaaa. Now you see a whole bunch of rules, like:

 02000 allow ip from any to any via lo*
 02010 deny ip from 127.0.0.0/8 to any in
 02020 deny ip from any to 127.0.0.0/8 in
 02030 deny ip from 224.0.0.0/3 to any in
 02040 deny tcp from any to 224.0.0.0/3 in
 02050 allow tcp from any to any out
 02060 allow tcp from any to any established
 02070 allow tcp from any to any 20-21 in
 02080 allow tcp from any 20,21 to any 1024-65535 in
 12180 reset tcp from any to any setup
 12190 deny tcp from any to any
 65535 allow ip from any to any

This is a good time to take a peek under the proverbial technical hood to see what ipfw is actually doing. Even if you never imagine entering the above yourself, it is worthwhile to know what is going on so that you can fix problems or do a little fiddling to create a special configuration for yourself.

Under the Hood

The ipfw firewall included with Jaguar is called a "stateful" firewall, putting it in the most comprehensive and secure category of firewalls. Once set up properly, users are not aware that anything is going on -- a good place to be.

You may have noticed that next to FTP Access in the Firewall settings tab in Figure 2 above is a list of numbers in parentheses like "20-21 or 1024-65535 from 20-21." These numbers identify ports on your computer through which FTP sends information back and forth between two computers, which, in this case, are your home (bullit) and mobile (ripple) computers. The reason FTP uses so many ports is a boring story; for the time being, just remember that it primarily uses ports 20-21 and a bunch of others.

If "port" is a confusing concept, try thinking about the back of your computer as a colander used for draining spaghetti. Each hole (or port) has a number assigned to it. The various services used by your computer use specific holes. For example, when you browse the Web, hole number 80 is being used. For retrieving POP mail, hole number 110 is used, and so on. No big deal. There are 65535 holes -- this is one big colander.

Firewalls enforce a set of rules that allow or deny information to flow through the holes. Again, a simple concept. In our example above, we primarily opened the FTP holes 20-21. The output from ipfw list above is a list of the rules that were created by our setup in the System Preferences.

Rules are enforced from top to bottom, making the order of the rules important. Rules have the general form:

[rule-number] [action: allow or deny] [protocol (usually ip or tcp)]
from [source computer] to [destination computer] [other options]

Initially, we allow all access via the loopback interface (lo*, the computer talking to itself) with the following rule:

02000 allow ip from any to any via lo*

Then we restrict or deny access by closing the holes we do not want open. Our setup allowing FTP access is specifically listed in rules 02070 and 02080, where incoming access to ports 20-21 is allowed. Rule 02080 extends this by allowing connections coming from ports 20-21 to reach a range of other ports, 1024-65535. The other rules are set up to restrict incoming access to your computer on the remaining ports but continue to allow you to use those ports for outgoing service. For example, we want to deny people the ability to browse Web files on our computer, but we still want to be able to browse other Web sites.

There are a handful of other ipfw commands like ipfw add [rule] to add rules, and ipfw flush to install newly-added rules. In addition, there is an ipfw log file located at /var/log/system.log, where you can browse and search for rejected access attempts.


Advanced Configurations

So far we've seen that allowing access to specific services using specific ports is relatively straightforward with the System Preferences. While this is true, there are situations where we might require a more complicated setup than that allowed by System Preferences.

For example, we might want to allow FTP access to only our computer at work, which has a unique IP address like 165.22.12.123. This would require allowing access for just this address and denying access to everyone else, a slight modification to the above example. By giving this a little thought, I am sure you can dream up many such situations.

System Preferences does not allow you to make such changes, but ipfw is more than capable of handling the most complicated situations. There are two options available for making these additions: make manual modifications, or use a shareware application that assists you with these changes. If the changes are simple and you are interested in turning the wrenches yourself, then the manual option is for you. We have already mentioned several commands and the manual pages for you to get started. There are also a handful of useful resource links below that describe complicated setup procedures and some scripts that automate this setup for you.
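To see how the top-to-bottom rule order from the previous section plays out for this work-only FTP scenario, here is an added example (not code from the article, and not Apple's ipfw): a small Python re-implementation of ipfw's first-match rule walk over the rule list shown earlier, with rule 02070 narrowed to the work address. The work address 165.22.12.123 and home address 64.158.66.245 are the article's, the interface names and packets are constructed for the example, and the meaning of setup (bare SYN) and established (ACK or RST set) follows the ipfw manual page.

```python
# Added example (not Apple's ipfw): a first-match walk over ipfw-style rule text.
import fnmatch, ipaddress
OPTS = {"in", "out", "established", "setup", "via"}

def parse_rule(line):  # '02070 allow tcp from any to any 20-21 in' -> field dict
    t = line.split()                                      # t[3] is the literal 'from'
    r, i = dict(num=int(t[0]), action=t[1], proto=t[2], src=t[4], sports=None, dports=None), 5
    if t[i] != "to": r["sports"], i = t[i], i + 1           # optional source port list
    r["dst"], i = t[i + 1], i + 2                           # skip 'to'
    if i < len(t) and t[i] not in OPTS: r["dports"], i = t[i], i + 1
    r["via"] = t[t.index("via") + 1] if "via" in t else None
    r["opts"] = set(t[i:]) & OPTS
    return r

def _addr(spec, ip):  # 'any', one host, or a CIDR block such as 127.0.0.0/8
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port(spec, port):  # None (unspecified), '21', '20,21' or '1024-65535'
    return spec is None or any(int(a) <= port <= int(b or a)
                               for a, _, b in (s.partition("-") for s in spec.split(",")))

def matches(r, p):
    f, o = p["flags"], r["opts"]
    return (r["proto"] in ("ip", p["proto"])
            and _addr(r["src"], p["src"]) and _addr(r["dst"], p["dst"])
            and _port(r["sports"], p["sport"]) and _port(r["dports"], p["dport"])
            and (r["via"] is None or fnmatch.fnmatch(p["iface"], r["via"]))
            and ("in" not in o or p["direction"] == "in") and ("out" not in o or p["direction"] == "out")
            and ("established" not in o or bool(f & {"ack", "rst"}))    # ACK or RST set
            and ("setup" not in o or ("syn" in f and "ack" not in f)))   # bare SYN

def first_match(rules, p):  # ipfw order: ascending rule number, first hit decides
    for r in sorted(map(parse_rule, rules), key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]

def packet(proto, src, sport, dst, dport, direction, flags=(), iface="en0"):  # constructed packet
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, flags=set(flags), iface=iface)

# The article's rule list, with 02070 narrowed to the (constructed) work address 165.22.12.123.
WORK_ONLY_FTP = [
    "02000 allow ip from any to any via lo*", "02010 deny ip from 127.0.0.0/8 to any in",
    "02020 deny ip from any to 127.0.0.0/8 in", "02030 deny ip from 224.0.0.0/3 to any in",
    "02040 deny tcp from any to 224.0.0.0/3 in", "02050 allow tcp from any to any out",
    "02060 allow tcp from any to any established", "02070 allow tcp from 165.22.12.123 to any 20-21 in",
    "02080 allow tcp from any 20,21 to any 1024-65535 in", "12180 reset tcp from any to any setup",
    "12190 deny tcp from any to any", "65535 allow ip from any to any",
]
```

With the page's original rule 02070 ("from any") a stranger's connection to port 21 is allowed by 02070; with the narrowed rule it falls through to 12180 and is reset, which is exactly the distinction System Preferences cannot express.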

If you're like me and want a good understanding of how things work, there is a great shareware application called BrickHouse by Brian Hall. BrickHouse provides an intuitive, full-featured interface to ipfw while still tapping the industrial-strength firewall and taking advantage of the features available in Jaguar. BrickHouse works very well for basic and advanced configurations. It installs a startup script so that ipfw starts up when your computer does, thus immediately enabling security. BrickHouse also provides a useful interface to the ipfw log files so that you can see who is knocking on your door (or colander ;) ).

A detailed feature description of BrickHouse is beyond the scope of this article, but it is free for evaluation and is a bargain at $25 if you continue using it. In addition to browsing the resources below, a great way to learn about ipfw is to use an application like BrickHouse (or the System Preferences) to configure a set of rules and then look at the ipfw rules as we have done above. This will get you going and satisfy the "need to know."

Final Thoughts

Jaguar contains a highly functional, time-tested firewall just waiting to be used. Don't let it go to waste. Exploit the underlying power of Jaguar to your advantage by creating a secure environment and providing remote computer-to-computer access that will make your computing life fun and easy. There are countless possible configurations, ranging from using your Mac as a public or private Web server to running your own mail server or remotely controlling your Mac via Secure SHell (SSH) access.

It's important to keep in mind, however, that despite all of the press on firewall security, firewalls do not represent a complete solution. Protecting your computer also involves hiding your username and password from prying eyes while retrieving your email or transferring your files from your laptop while on the road. Yes, just about anyone can peek into the fast-moving river of data going back and forth and grab values that look like:

USER: cochella
PASS: fido

A firewall can't protect you if someone gets hold of your username and password. Keep your eyes open for future MacDevCenter articles on such topics as SSH which, by the way, is also included with Jaguar.

Resources

Chris Cochella currently works as an Internet Programmer and Information Architect for StreamCapture, LLC, an Internet Applications and Web Services development company.



Copyright © 2009 O'Reilly Media, Inc.