Configuring Jaguar's Firewall

by Chris Cochella
12/27/2002

Many of you already know that Jaguar, Mac OS X 10.2, comes with a built-in firewall. In an effort to keep things simple, Apple provides the basic ability to configure this firewall through a graphical interface in System Preferences, but is otherwise silent on its extensive benefits and usefulness.

This firewall is called ipfw (Internet Protocol FireWall), which is undoubtedly familiar to Unix and Linux users but completely unfamiliar to the traditional Mac world. We're going to change this. Don't let the Unix heritage deter you; instead, let it motivate you.

The Unix history is a tremendous asset because it means that ipfw includes a full set of features that have been hardened by computing professionals for years. And all of this value is available to you right now. So resist the urge to buy a personal firewall, because you have a tried and true enterprise-level firewall sitting right under your nose.

Where Under My Nose?

To accurately describe where ipfw resides, we'll use the Terminal application to casually browse the file system and issue a few basic commands via the command-line interface. If you need an introduction to Terminal, check out Chris Stone's article "Learning the Terminal in Jaguar, Part 1." The ipfw application lives in a directory called /sbin, where many other commands reside. These can be viewed by starting the Terminal application and typing:

[bullit:~] cochella% ls -al /sbin/ipfw

This will return something like:

-r-xr-xr-x  1 root  wheel  42340 Jul 27 21:24 ipfw

Notice that if you leave off the ipfw above, you will see a bunch of other commands listed, eliciting all kinds of "What is that ..." excitement. It's worth your time to browse around later, but tread lightly when you do.

To explore the options of the ipfw command (or any other command), type the following to bring up the ipfw "man," or manual, pages.

[bullit:~] cochella% man ipfw

Again, the juices start flowing with thoughts of "How do I do ..." and "What if ..." Or maybe you begin to think, "There's no way I can use this." If that's the case, worry not; things are going to simplify greatly.

Let's enter one more command to see how ipfw is currently set up. Note that this requires root or admin access via the sudo command. You will be prompted for the root or admin password that you provided when you initially set up the computer. The sudo command lets you temporarily act as administrator for a specific command.

[bullit:~] cochella% sudo ipfw list
Password:

You will probably see the following output:

65535 allow ip from any to any

A quick glance at this output indicates that your computer will allow ip (Internet Protocol) access from any computer to any computer for all services (Web, FTP, etc.). This is the default, out-of-the-box firewall setup. The rest of this article will:

  1. Implement a specific solution in the System Preferences.
  2. Help you understand a little more about ipfw entries like the one above.
  3. Investigate where the System Preferences could use a little help and what to do about it.

Jaguar's System Preferences

Basic features of the Jaguar firewall (ipfw) are available through the System Preferences application. Launch System Preferences and select the Sharing icon under Internet & Network. There are three main tabbed sections: Services, Firewall, and Internet, as you can see in Figure 1.

The Services tab lists the services that you can offer from your Macintosh, like Personal File Sharing between Macintosh and Windows computers on your local network. Services like Personal Web Sharing, Remote Login, and FTP Access are Internet services permitting access to your computer from another computer on the Internet, which means from any computer, anywhere. This would be a scary situation except for the fact that you have a firewall at your fingertips!


Figure 1

Let's create a simple scenario that many people might want to use: provide file transfer access (FTP, the File Transfer Protocol) to a home computer named bullit from a laptop computer while on the road.

To begin this setup, go to the Services tab (Figure 1) on the home computer, select the FTP Access service, deselect all other services, and then click the Start button. This will start the FTP service and there will be a message saying "Other people can access your FTP server at ftp://your_ip_address." This IP address or hostname is the address that you will connect to while on the road.

Next, click on the Firewall tab, as shown in Figure 2. Notice that FTP Access is selected for you. Because you selected this service in the Services tab, it is now an available service for firewall setup.

Now, click Start in the Firewall tab settings to start the firewall and install your new settings. Your computer will now allow incoming network connections to the selected FTP service. Note that next to the Stop button there is a message saying to "Click Stop to allow incoming network communication to all services and ports." What this means is that if the firewall is stopped, all incoming and outgoing connections will be allowed, just like the output from ipfw list above. We are now allowing only FTP access.


Figure 2

From your mobile computer (which I have named ripple) connected to the Internet, you should be able to open an FTP connection to your home computer (called bullit) using the "your_ip_address" address above (e.g., 64.158.66.245). Type the following command in the Terminal on the computer named ripple:

[ripple:~] cochella% ftp 64.158.66.245
Connected to 64.158.66.245.
220 64.158.66.245 FTP server (lukemftpd 1.1) ready.

You will then be prompted for your username and password. This is your username and password on the home computer called bullit:

Name (64.158.66.245:cochella): cochella
331 Password required for cochella.
Password:
230-
    Welcome to Darwin!
230 User cochella logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The ftp> indicates that you are now connected and can issue remote file transfer commands on the home computer bullit. There are many graphical FTP applications available that are easier to use than the command line, but this is a quick test to see that we have connected. (Tip: you can also review the FTP manual pages with man ftp.)

Now that we have verified that we can connect, let's take a look at the list of ipfw entries again by entering the following at the command line:

[bullit:~] cochella% sudo ipfw list
Password:

Whoooaaa. Now you see a whole bunch of rules, like:

 02000 allow ip from any to any via lo*
 02010 deny ip from 127.0.0.0/8 to any in
 02020 deny ip from any to 127.0.0.0/8 in
 02030 deny ip from 224.0.0.0/3 to any in
 02040 deny tcp from any to 224.0.0.0/3 in
 02050 allow tcp from any to any out
 02060 allow tcp from any to any established
 02070 allow tcp from any to any 20-21 in
 02080 allow tcp from any 20,21 to any 1024-65535 in
 12180 reset tcp from any to any setup
 12190 deny tcp from any to any
 65535 allow ip from any to any

This is a good time to take a peek under the proverbial technical hood to see what ipfw is actually doing. Even if you never imagine entering the above yourself, it is worthwhile to know what is going on so that you can fix problems or do a little fiddling to create a special configuration for yourself.
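To see what those rules actually do to a packet, here is an added example (not part of the article) that replays the listed rule set in Python using ipfw's first-match semantics: rules are tried in ascending number order, and the first one that matches decides. The home address is the article's 64.158.66.245; the remote addresses, interface names and packets are constructed for illustration.

```python
# Added example, not from the article: simulates the rule set above using ipfw's
# first-match semantics (rules tried in ascending number order) on constructed packets.
import ipaddress
from fnmatch import fnmatch

RULES_TEXT = """02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 20-21 in
02080 allow tcp from any 20,21 to any 1024-65535 in
12180 reset tcp from any to any setup
12190 deny tcp from any to any
65535 allow ip from any to any"""

def parse_ports(text):  # '20-21' or '20,21' -> set of port numbers
    return {p for part in text.split(",") for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse_rule(line):  # '<num> <action> <proto> from SRC [ports] to DST [ports] [options]'
    num, action, proto, _from, src, *rest = line.split()
    sports = parse_ports(rest.pop(0)) if rest[0] != "to" else None
    rest.pop(0)  # the 'to' keyword
    dst = rest.pop(0)
    dports = parse_ports(rest.pop(0)) if rest and rest[0][0].isdigit() else None
    return dict(num=int(num), action=action, proto=proto, src=src, sports=sports,
                dst=dst, dports=dports, opts=rest)

def in_net(spec, ip):  # 'any' or a CIDR block such as 127.0.0.0/8
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    o, f = r["opts"], p["flags"]
    return (r["proto"] in ("ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and (r["sports"] is None or p["sport"] in r["sports"])
            and (r["dports"] is None or p["dport"] in r["dports"])
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("via" not in o or fnmatch(p["iface"], o[o.index("via") + 1]))
            and ("setup" not in o or ("SYN" in f and "ACK" not in f))  # connection request
            and ("established" not in o or bool(f & {"ACK", "RST"})))  # existing connection

def pkt(proto, src, sport, dst, dport, dir="in", iface="en0", flags=()):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, dir=dir, iface=iface, flags=set(flags))
def decide(p):  # (rule number, action) of the first rule matching packet p
    return next((r["num"], r["action"]) for r in map(parse_rule, RULES_TEXT.splitlines()) if matches(r, p))
```

An inbound SYN to port 21 stops at rule 02070, one to port 22 at the reset rule 12180, while a UDP datagram falls all the way through to 65535, which shows that this generated rule set only filters TCP.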
