Configuring Jaguar's Firewall
by Chris Cochella
Many of you already know that Jaguar, Mac OS X 10.2, comes with a built-in firewall. In an effort to keep things simple, Apple provides the basic ability to configure this firewall via the GUI in System Preferences, but otherwise is silent on its extensive benefits and usefulness.

This firewall is called ipfw (Internet Protocol FireWall), which is undoubtedly familiar to Unix and Linux users but completely unfamiliar to the traditional Mac world. We're going to change this. Don't let the Unix heritage deter you; instead, let it motivate you.

The Unix history is a tremendous asset because it means that ipfw includes a full set of features that have been hardened by computing professionals for years. And all of this value is available to you right now. So resist the urge to buy a personal firewall, because you have a tried and true enterprise-level firewall sitting right under your nose.
Where Under My Nose?
To accurately describe where ipfw resides, we'll use the Terminal application to casually browse the file system and issue a few basic commands via the command-line interface. If you need an introduction to Terminal, check out Chris Stone's article "Learning the Terminal in Jaguar, Part 1." The ipfw command lives in a directory called /sbin, where many other commands reside. These can be viewed by starting the Terminal application and typing:
[bullit:~] cochella% ls -al /sbin/ipfw
This will return something like:
-r-xr-xr-x 1 root wheel 42340 Jul 27 21:24 ipfw
Notice that if you leave off the ipfw above (that is, ls -al /sbin) you will see a bunch of other commands listed, eliciting all kinds of "What is that ..." excitement. It's worth your time to browse around later, but tread lightly when you do.

To explore the options of the ipfw command (or any other command), type the following to bring up the "man," or manual, page:
[bullit:~] cochella% man ipfw
Again, the juices start flowing with thoughts of "How do I do ..." and "What if ..." Or maybe you begin to think, "There's no way I can use this." If that's the case, worry not; things are going to simplify greatly.
Let's enter one more command to see how ipfw is currently set up. Note that this requires root privileges, obtained via the sudo command. You will be prompted for the password of your own account, which must be an administrator account such as the one you created when you initially set up the computer. The sudo command lets you temporarily run a specific command as root, the all-powerful administrator.

[bullit:~] cochella% sudo ipfw list
Password:
You will probably see the following output:
65535 allow ip from any to any
A quick glance at this output indicates that your computer will allow ip (Internet Protocol) traffic from any computer to any computer for all services (Web, FTP, etc.). This is the default, out-of-the-box firewall setup: rule 65535 is the last rule ipfw ever checks, and with nothing in front of it, everything passes. The rest of this article will:

- Implement a specific solution in the System Preferences.
- Help you understand a little more about ipfw entries like the one above.
- Investigate where the System Preferences could use a little help and what to do about it.
Jaguar's System Preferences
Basic features of the Jaguar firewall (ipfw) are available through the System Preferences application. Launch Preferences and select the Sharing icon under Internet & Network. There are three main tabbed sections: Services, Firewall, and Internet, as you can see in Figure 1.
The Services tab lists the services that you can offer from your Macintosh, like Personal File Sharing between Macintosh and Windows computers on your local network. Services like Personal Web Sharing, Remote Login, and FTP Access are Internet services permitting access to your computer from another computer on the Internet, which means from any computer, anywhere. This would be a scary situation except for the fact that you have a firewall at your fingertips!
Let's create a simple scenario that many people might want to use: allow file transfer (FTP, or File Transfer Protocol) to a home computer named bullit from a laptop computer while on the road.
To begin this setup, go to the Services tab (Figure 1) on the home computer, select the FTP Access service, deselect all other services, and then click the Start button. This will start the FTP service and there will be a message saying "Other people can access your FTP server at ftp://your_ip_address." This IP address or hostname is the address that you will connect to while on the road.
Next, click on the Firewall tab like that shown in Figure 2. Notice that FTP Access is selected for you. Because you selected this service in the Services tab, it is now an available service for firewall setup.
Now, click Start in the Firewall tab settings to start the firewall and install your new settings. Your computer will now allow incoming network connections to the selected FTP service. Note that next to the Stop button there is a message saying to "Click Stop to allow incoming network communication to all services and ports." What this means is that if the firewall is stopped, all incoming and outgoing connections will be allowed, just like the output from ipfw list above. With the firewall started, we are allowing incoming connections only to FTP; outgoing connections from your computer are not restricted either way.
From your mobile computer (which I have named ripple) connected to the Internet, you should be able to open an FTP connection to your home computer (called bullit) using the "your_ip_address" address above (e.g., 188.8.131.52). Type the following command in the Terminal on the computer named ripple:

[ripple:~] cochella% ftp 188.8.131.52
Connected to 188.8.131.52.
220 188.8.131.52 FTP server (lukemftpd 1.1) ready.
You will then be prompted for your username and password. This is your username and password on the home computer called bullit:

Name (188.8.131.52:cochella): cochella
331 Password required for cochella.
Password:
230- Welcome to Darwin!
230 User cochella logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The ftp> prompt indicates that you are now connected and can issue remote file transfer commands on the home computer bullit. There are many graphical FTP applications available that are easier to use than the command line, but this is a quick test to see that we have connected. Bear in mind that FTP sends this username and password across the Internet unencrypted: the firewall controls who can reach the service, not what is visible on the wire. (Tip: you can also review the FTP manual pages with man ftp.)
Now that we have verified that we can connect, let's take a look at the list of ipfw entries again by entering the following at the command line:

[bullit:~] cochella% sudo ipfw list
Password:

Whoooaaa. Now you see a whole bunch of rules, like:

02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 20-21 in
02080 allow tcp from any 20,21 to any 1024-65535 in
12180 reset tcp from any to any setup
12190 deny tcp from any to any
65535 allow ip from any to any
This is a good time to take a peek under the proverbial technical hood to see what ipfw is actually doing. Even if you never imagine entering the above yourself, it is worthwhile to know what is going on so that you can fix problems or do a little fiddling to create a special configuration for yourself. Two things are worth noticing right away. First, apart from the loopback and multicast checks, every rule mentions tcp, so incoming UDP traffic is not filtered at all and falls through to rule 65535. Second, rule 02080 admits any incoming TCP packet whose source port is 20 or 21 to any port above 1023, and the source port is something the sender gets to choose.
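To make the rule walk concrete, here is an added example that is not part of the original article: a small Python model of how ipfw evaluates a numbered rule list, using the exact rules printed above (and, with only rule 65535 present, the single default rule shown earlier). Rules are matched top to bottom and the first hit decides. The addresses, interface names, port numbers and packets are constructed for illustration; a real ipfw reads the full IP and TCP headers, and this model covers only the rule syntax that appears on this page.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# The rule set printed by `sudo ipfw list` above, with FTP Access enabled.
JAGUAR_FTP_RULES = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 20-21 in
02080 allow tcp from any 20,21 to any 1024-65535 in
12180 reset tcp from any to any setup
12190 deny tcp from any to any
65535 allow ip from any to any
"""
OPTION_WORDS = {"via", "in", "out", "established", "setup"}

@dataclass
class Packet:                       # constructed summary of the fields ipfw inspects
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    direction: str                  # "in" or "out"
    iface: str = "en0"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # subset of {"SYN", "ACK", "RST"}

def parse_ports(spec):
    """'20-21' -> [(20, 21)]; '20,21' -> [(20, 20), (21, 21)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_rule(line):
    """Parse one `ipfw list` line (the syntax subset used above) into a dict."""
    tok = line.split()
    r = {"number": int(tok[0]), "action": tok[1], "proto": tok[2], "sports": None, "dports": None}
    r["src"], i = tok[4], 5                             # tok[3] is "from"
    if tok[i] != "to":                                  # optional source port spec
        r["sports"], i = parse_ports(tok[i]), i + 1
    r["dst"], i = tok[i + 1], i + 2                     # tok[i] is "to"
    if i < len(tok) and tok[i] not in OPTION_WORDS:     # optional destination ports
        r["dports"], i = parse_ports(tok[i]), i + 1
    while i < len(tok):                                 # trailing options
        if tok[i] == "via":
            r["via"], i = tok[i + 1], i + 2
        else:
            r[tok[i]], i = True, i + 1
    return r

def rule_matches(r, pkt):
    in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    in_ports = lambda ranges, port: ranges is None or any(lo <= port <= hi for lo, hi in ranges)
    if r["proto"] not in ("ip", pkt.proto):             # "ip" matches every protocol
        return False
    if not (in_net(r["src"], pkt.src) and in_net(r["dst"], pkt.dst)):
        return False
    if r["proto"] in ("tcp", "udp") and not (
            in_ports(r["sports"], pkt.sport) and in_ports(r["dports"], pkt.dport)):
        return False
    if "via" in r and not fnmatch.fnmatch(pkt.iface, r["via"]):
        return False
    if ("in" in r and pkt.direction != "in") or ("out" in r and pkt.direction != "out"):
        return False
    # ipfw semantics: "established" = ACK or RST bit set; "setup" = SYN set and ACK clear
    if "established" in r and not (pkt.flags & {"ACK", "RST"}):
        return False
    if "setup" in r and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    return True

def verdict(rules, pkt):
    """Walk the numbered list in order; the first matching rule decides the packet's fate."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["number"], r["action"]
    return 65535, "deny"   # ipfw's implicit default; unreachable while rule 65535 is present

HOME, ROAD, WEB = "188.8.131.52", "198.51.100.7", "203.0.113.5"   # constructed addresses
SYN, SYN_ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
SAMPLE_PACKETS = {   # constructed traffic as seen by bullit (HOME) on its Ethernet interface
    "ftp_from_ripple":   Packet("tcp", ROAD, HOME, "in", sport=50000, dport=21, flags=SYN),
    "web_probe":         Packet("tcp", ROAD, HOME, "in", sport=50001, dport=8080, flags=SYN),
    "spoofed_loopback":  Packet("tcp", "127.0.0.1", HOME, "in", sport=20, dport=21, flags=SYN),
    "srcport20_to_high": Packet("tcp", ROAD, HOME, "in", sport=20, dport=5000, flags=SYN),
    "http_reply":        Packet("tcp", WEB, HOME, "in", sport=80, dport=49152, flags=SYN_ACK),
    "udp_in":            Packet("udp", ROAD, HOME, "in", sport=5353, dport=53),
}

def run_samples(rules_text=JAGUAR_FTP_RULES):
    """Return {sample name: (rule number, action)} for every constructed packet."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Calling run_samples() shows the FTP connection from ripple accepted by rule 02070, a probe of port 8080 answered with a reset by rule 12180, a packet claiming a 127.0.0.1 source on the Ethernet interface dropped by 02010, and the SYN/ACK reply to an outbound web connection passed by 02060. It also shows the two weak spots: a SYN from source port 20 to port 5000 is accepted by 02080, and the UDP packet reaches no tcp rule at all and is allowed by 65535. Passing the single-line default rule set instead makes every sample come back (65535, "allow").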