Configuring Jaguar's Firewall
Under the Hood
The ipfw firewall included with Jaguar is usually described as a "stateful" firewall, which puts it in the most capable category of packet filters. Strictly, ipfw filters statefully only where its rules use keep-state and check-state; the rules we look at below, as generated by System Preferences, are plain per-port filters, so read "stateful" here as "capable of stateful filtering." Once set up properly, users are not aware that anything is going on -- a good place to be.
You may have noticed that next to FTP Access in the Firewall settings tab in Figure 2 above is a list of numbers in parentheses like "20-21 or 1024-65535 from 20-21." These numbers identify the ports through which FTP moves commands and data between two computers, which, in this case, are your home (bullit) and mobile (ripple) computers. FTP needs so many ports because it uses two connections: port 21 carries the commands (the control connection), and every file transfer or directory listing opens a separate data connection, either from the server's port 20 (active mode) or to an unprivileged port above 1023 (passive mode). For the time being, just remember that it primarily uses ports 20-21 plus a range of high ports.
If "port" is a confusing concept, try thinking about the back of your computer as a colander used for draining spaghetti. Each hole (or port) has a number assigned to it, and the various services your computer uses are tied to specific holes. For example, when you browse the Web, hole number 80 on the Web server is being used. For retrieving POP mail, hole number 110 is used, and so on. No big deal. There are 65,535 usable holes for TCP and another 65,535 for UDP -- this is one big colander.
Firewalls enforce a set of rules that allow or deny traffic through the holes. Again, a simple concept. In our example above, we opened the FTP holes 20-21. The output from ipfw list above is the list of rules that our settings in System Preferences created.
Rules are checked from top to bottom (lowest rule number first), and the first rule that matches a packet decides what happens to it, so the order of the rules matters. Rules have the general form:
[rule-number] [action: allow or deny] [protocol: usually ip, tcp or udp] from [source address, optionally followed by ports] to [destination address, optionally followed by ports] [other options such as in, out, or via an interface]
The first rule allows all traffic on the loopback interface (lo*), which your Mac uses to talk to itself; it is not a blanket allow for the network:
02000 allow ip from any to any via lo*
After that we deny access by closing the holes we do not want open and allow the ones we do. Our FTP Access setting appears as rules 02070 and 02080. Rule 02070 allows incoming connections to ports 20-21, the FTP control and active-mode data ports. Rule 02080 extends this by allowing incoming packets whose source port is 20-21 to reach the high ports 1024-65535, which is how a data connection from a remote FTP server arrives in active mode. The other rules block incoming connections to the remaining ports while still letting you open outgoing connections (and receive their replies) on them. For example, we want to deny people the ability to browse Web files on our computer, but we still want to be able to browse other Web sites.
There are a handful of other ipfw commands. ipfw add [rule] adds a rule, and the new rule is live as soon as the command returns; there is no separate install step. ipfw delete [rule-number] removes one rule, and ipfw flush removes every rule in the set, so it is a way to start over, not a way to install what you have added. Rules that carry the log keyword write a line through syslog to /var/log/system.log each time they match (provided the sysctl net.inet.ip.fw.verbose is set to 1), and that is where you can browse and search for rejected access attempts.
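To make that log useful without reading it by eye, here is an added example (not code from the article) of a small shell script that pulls the Deny lines out of a system.log and totals them by source address and by targeted port. The log lines embedded in it are constructed for the example in the form ipfw writes (rule number, Deny or Accept, protocol, source:port, destination:port, direction and interface); the host name bullit and the addresses are made up, and the script locates the ipfw: token on each line rather than relying on the exact syslog prefix in front of it.

```shell
#!/bin/sh
# Added example: summarise ipfw denials from a Jaguar-style system.log.
# SAMPLE_LOG is constructed for this example; on a real machine feed
# /var/log/system.log to the functions instead. The prefix before "ipfw:"
# (date, host, kernel tag) varies with syslog, so the parser searches for
# the "ipfw:" field instead of assuming fixed column positions.
SAMPLE_LOG='Dec 28 12:28:38 bullit /kernel: ipfw: 12190 Deny TCP 10.0.0.9:3456 192.168.1.2:80 in via en0
Dec 28 12:28:41 bullit /kernel: ipfw: 12190 Deny TCP 10.0.0.9:3457 192.168.1.2:21 in via en0
Dec 28 12:28:45 bullit /kernel: ipfw: 12190 Deny TCP 10.0.0.9:3458 192.168.1.2:22 in via en0
Dec 28 12:30:02 bullit /kernel: ipfw: 12190 Deny TCP 203.0.113.7:51000 192.168.1.2:22 in via en0
Dec 28 12:30:05 bullit /kernel: ipfw: 12190 Deny UDP 203.0.113.7:51001 192.168.1.2:161 in via en0
Dec 28 12:31:10 bullit /kernel: ipfw: 02070 Accept TCP 198.51.100.4:40001 192.168.1.2:21 in via en0
Dec 28 12:31:12 bullit sshd[512]: Accepted password for cochella from 198.51.100.4'

# denied_by_source: read log lines on stdin, print "count address" for every
# source address that hit a Deny rule, busiest first. Accept lines and
# non-ipfw lines are ignored.
denied_by_source() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 2) != "Deny") next     # only logged denials
        src = $(i + 4); sub(/:[0-9]+$/, "", src)  # drop the source port
        hits[src]++
    }
    END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# denied_ports: same input, but totals by protocol and destination port
# (e.g. "TCP/22"), which shows what the knocking is aimed at.
denied_ports() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 2) != "Deny") next
        proto = $(i + 3)
        dst = $(i + 5); n = split(dst, p, ":")      # last piece is the port
        hits[proto "/" p[n]]++
    }
    END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Run against the constructed sample.
echo "denied attempts by source:"
printf '%s\n' "$SAMPLE_LOG" | denied_by_source
echo "denied attempts by port:"
printf '%s\n' "$SAMPLE_LOG" | denied_ports
```

On a Jaguar machine the same two functions work directly on the live log: denied_by_source < /var/log/system.log. Remember that only rules carrying the log keyword produce these lines, so if the summary is empty, check that at least the final deny rule is logging before concluding that nobody is knocking.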
So far we've seen that allowing access to specific services using specific ports is relatively straightforward with the System Preferences. While this is true, there are situations where we might require a more complicated setup than that allowed by System Preferences.
For example, we might want to allow FTP access only from our computer at work, which has a fixed IP address like 188.8.131.52. This requires allowing access for just that address and denying everyone else, a slight modification of the example above. By giving this a little thought, I am sure you can dream up many such situations.
The System Preferences pane does not let you make such changes, but ipfw is more than capable of handling the most complicated situations. There are two options for making these additions: make manual modifications, or use a shareware application that assists you with the changes. If the changes are simple and you are interested in turning the wrenches yourself, then the manual option is for you. We have already mentioned several commands and the manual pages to get you started. There are also a handful of useful resource links below that describe complicated setup procedures and some scripts that automate the setup for you.
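As an added example (not code from the article, nor from BrickHouse), here is a small shell script for the single-trusted-host case just described. It also puts the rule-ordering point from above into practice: because ipfw takes the first matching rule, an allow for the trusted address with a low number followed by a deny for everyone else with a slightly higher number shuts the door before the 02070/02080 rules from System Preferences ever get a look. The script only prints ipfw commands; applying them is a separate, explicit step. The rule numbers 02062-02065, the interface name en0, and the use of the work address from the text as the trusted host are assumptions for the example.

```shell
#!/bin/sh
# Added example: emit the ipfw commands that let only one trusted host reach
# the FTP service, slotting them ahead of the rules System Preferences
# generates. Nothing is applied until the output is piped to sh as root,
# so it can be inspected (or tested) first.
#
# Assumptions, not taken from the article: rule numbers 02062-02065 are
# unused and sort before the pane's 02070/02080 FTP rules; the external
# interface is en0 (override with IFACE=en1, for example).

IFACE=${IFACE:-en0}

# Print one "ipfw add" command; the rule number comes first so the ordering
# is visible in the output.
rule() {
    printf 'ipfw add %s %s\n' "$1" "$2"
}

# ftp_rules_for_host TRUSTED_IP
# ipfw checks rules from the lowest number up and the first match wins, so
# the allow for the trusted host must carry a lower number than the deny.
ftp_rules_for_host() {
    trusted=$1
    case $trusted in
        *[!0-9.]* | "")   # rough sanity check: digits and dots only
            echo "usage: ftp_rules_for_host <dotted-ipv4-address>" >&2
            return 1 ;;
    esac
    # FTP control connection (port 21) from the trusted host only
    rule 02062 "allow tcp from $trusted to any 21 in via $IFACE"
    # active-mode data connections, which arrive from the remote side's
    # port 20-21 and land on one of our high ports
    rule 02063 "allow tcp from $trusted 20-21 to any 1024-65535 in via $IFACE"
    # everyone else is refused and logged; no "via" here, so a wrong IFACE
    # above fails closed instead of leaving FTP open to the world
    rule 02064 "deny log tcp from any to any 21 in"
    rule 02065 "deny log tcp from any 20-21 to any 1024-65535 in"
}

# Dry run: show what would be installed for the work machine from the text.
ftp_rules_for_host 188.8.131.52
# To apply on the Mac, as root:  ftp_rules_for_host 188.8.131.52 | sh
```

Two caveats before piping this into sh: ipfw rules live in kernel memory and are gone after a reboot, and changing anything in the Firewall tab regenerates the pane's own rules, so hand-added rules need a startup script (which is one reason BrickHouse, below, installs one). The deny rules carry log, so refused attempts show up in /var/log/system.log where you can check that the restriction is actually biting.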
If you're like me and want a good understanding of how things work, there is a great shareware application called BrickHouse by Brian Hall. BrickHouse provides an intuitive, full-featured interface to ipfw while still tapping the industrial-strength firewall and taking advantage of the features available in Jaguar. BrickHouse works very well for basic and advanced configurations. It installs a startup script so that ipfw starts up when your computer does, thus immediately enabling security. BrickHouse also provides a useful interface to the ipfw log files so that you can see who is knocking on your door (or colander ;) ).
A detailed feature description of BrickHouse is beyond the scope of this article, but it is free for evaluation and is a bargain at $25 if you continue using it. In addition to browsing the resources below, a great way to learn about ipfw is to use an application like BrickHouse (or the System Preferences) to configure a set of rules and then look at the resulting ipfw rules as we have done above. This will get you going and satisfy the "need to know."
Jaguar contains a highly functional, time-tested firewall just waiting to be used. Don't let it go to waste. Exploit the underlying power of Jaguar to your advantage by creating a secure environment and providing remote computer-to-computer access that will make your computing life fun and easy. There are countless possible configurations, ranging from using your Mac as a public or private Web server to running your own mail server or remotely controlling your Mac via Secure SHell (SSH) access.
It's important to keep in mind, however, that despite all of the press on firewall security, firewalls do not represent a complete solution. Protecting your computer also means keeping your username and password away from prying eyes while you retrieve your email or transfer files from your laptop on the road. Plain FTP and POP send them in clear text, so anyone in a position to watch the traffic (on the same wireless network, say, or at any hop along the way) can peek into the fast-moving river of data and grab the two commands that start every FTP login:
USER cochella
PASS fido
A firewall can't protect you if someone gets hold of your username and password. Keep your eyes open for future MacDevCenter articles on such topics as SSH which, by the way, is also included with Jaguar.
- Apple's Internet Developer Article on Security
- "Setting up Firewall Rules on Mac OS X 10.2"
- "Protecting Your Private Network Using FreeBSD"
- Vicomsoft Firewall Q&A