


Configuring Jaguar's Firewall

Under the Hood

The ipfw firewall included with Jaguar is a packet filter that can also track individual connections (the keep-state and check-state rule options), which makes it a "stateful" firewall, the most capable category of host firewall. Once set up properly, users are not aware that anything is going on, which is a good place to be.

You may have noticed that next to FTP Access in the Firewall settings tab in Figure 2 above is a list of numbers in parentheses like "20-21 or 1024-65535 from 20-21." These numbers identify the ports on your computer through which FTP sends information back and forth between two computers, which, in this case, are your home (bullit) and mobile (ripple) computers. FTP needs so many ports because it uses two connections: port 21 carries the commands, and the file data travels over a second connection which, in "active" mode, the server opens from its port 20 back to a port in the 1024-65535 range on the client. For the time being, just remember that FTP primarily uses ports 20-21, plus that range of high ports for the data connection.

If "port" is a confusing concept, try thinking about the back of your computer as a colander used for draining spaghetti. Each hole (or port) has a number assigned to it. The various services used by your computer use specific holes. For example, when you browse the Web, hole number 80 is being used. For retrieving POP mail, hole number 110 is used, and so on. No big deal. There are 65,536 holes, numbered 0 through 65535, and TCP and UDP each have their own set of them -- this is one big colander.

Firewalls enforce a set of rules that allow or deny information to flow through the holes. Again, a simple concept. In our example above, we primarily opened the FTP holes 20-21. The output from ipfw list above is a list of the rules that were created by our setup in the System Preferences.

Rules are checked from top to bottom (lowest rule number first), and the first rule that matches a packet decides what happens to it, which makes the order of the rules important. Rules have the general form:

[rule-number] [action: allow or deny] [protocol: ip, tcp, udp or icmp]
from [source address] [source ports] to [destination address] [destination ports] [options such as in, out, established or via interface]

The first rule allows all traffic on the loopback interface (lo0, matched by the wildcard lo*), so that programs on your Mac that talk to it over 127.0.0.1 are never blocked:

02000 allow ip from any to any via lo*

Then we deny access by closing the holes we do not want open. Our setup of allowing FTP access is spelled out in rules 02070 and 02080. Rule 02070 allows incoming connections to ports 20-21. Rule 02080 allows incoming connections whose source port is 20 or 21 to reach any port from 1024 to 65535; this is what lets an active-mode data connection from a remote FTP server come back in when your Mac is the client. The other rules deny incoming connections on the remaining ports while still allowing outgoing connections and the replies to them. For example, we want to deny people the ability to browse Web files on our computer, but we still want to be able to browse other Web sites. One caveat about rule 02080: nothing forces a remote machine to be an FTP server just because it sends from port 20 or 21. Anyone can choose that source port, so this rule lets an outsider reach every service listening on ports 1024-65535. If you do not need active-mode FTP, delete the rule (ipfw delete 2080) or restrict it to the servers you actually use.

There are a handful of other ipfw commands: ipfw add [rule] installs a new rule immediately, ipfw delete [number] removes one, ipfw list shows the current set, and ipfw flush deletes every rule except the default (it installs nothing, so use it with care). Rules added by hand do not survive a reboot unless a startup script re-adds them. Rules carrying the log keyword write a line to /var/log/system.log (through syslog) for each packet they match, provided the sysctl net.inet.ip.fw.verbose is set to 1; that is where you can browse and search for rejected access attempts.
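Browsing the log by eye gets old quickly, so here is an added example (not code from the article or from Apple) that pulls the ipfw lines out of system.log, counts inbound denials per source and flags sources that probed several different ports. It assumes the one-line message format ipfw inherited from FreeBSD (rule number, action, protocol, source:port, destination:port, direction, interface); the log lines are constructed for the example, using the article's host name bullit and addresses from the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the scan threshold of three distinct ports is an arbitrary choice.

```python
"""Added example, not from the article or Apple: summarise ipfw 'Deny' lines
from /var/log/system.log and flag sources that probed several ports.  Only rules
with the 'log' keyword produce these lines, and only while net.inet.ip.fw.verbose
is 1.  The log text below is constructed for this example."""
import re
from collections import Counter, defaultdict

# Assumed layout of one ipfw log message (FreeBSD-style, TCP/UDP only).
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reject|Reset|Unreach|Count) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: a stranger probing four ports, one legitimate FTP login,
# one more stray web hit, an ICMP entry and an unrelated sshd line.
SAMPLE_LOG = """\
Oct 12 10:15:31 bullit mach_kernel: ipfw: 12190 Deny TCP 198.51.100.7:40113 192.0.2.50:80 in via en0
Oct 12 10:15:31 bullit mach_kernel: ipfw: 12190 Deny TCP 198.51.100.7:40114 192.0.2.50:22 in via en0
Oct 12 10:15:32 bullit mach_kernel: ipfw: 12190 Deny TCP 198.51.100.7:40115 192.0.2.50:23 in via en0
Oct 12 10:15:32 bullit mach_kernel: ipfw: 12190 Deny TCP 198.51.100.7:40116 192.0.2.50:139 in via en0
Oct 12 10:16:05 bullit mach_kernel: ipfw: 2070 Accept TCP 192.0.2.10:51022 192.0.2.50:21 in via en0
Oct 12 10:17:40 bullit mach_kernel: ipfw: 12190 Deny TCP 203.0.113.9:3344 192.0.2.50:80 in via en0
Oct 12 10:17:41 bullit mach_kernel: ipfw: 2010 Deny ICMP:8.0 127.0.0.1 192.0.2.50 in via en0
Oct 12 10:18:00 bullit sshd[212]: Accepted publickey for chris from 192.0.2.10 port 51044 ssh2
"""


def parse_ipfw_line(line):
    """Return the fields of one TCP/UDP ipfw log line, or None for anything else."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_denials(log_text, scan_threshold=3):
    """Count inbound denials per source; a source that hit scan_threshold or
    more distinct destination ports is reported as a probable port scan."""
    denied = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny" or rec["dir"] != "in":
            continue
        denied[rec["src"]] += 1
        ports[rec["src"]].add(rec["dport"])
    return {
        "denied_by_source": dict(denied),
        "ports_by_source": {src: sorted(p) for src, p in ports.items()},
        "scanners": sorted(src for src, p in ports.items() if len(p) >= scan_threshold),
    }


if __name__ == "__main__":
    for key, value in summarize_denials(SAMPLE_LOG).items():
        print(key, value)
```

On a real machine you would feed it the output of grep ipfw /var/log/system.log instead of SAMPLE_LOG. Lines the regular expression does not recognise (ICMP entries, sshd messages) are skipped rather than misparsed, and Accept entries are kept out of the denial counts so a legitimate FTP login does not show up as an attack.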


Advanced Configurations

So far we've seen that allowing access to specific services using specific ports is relatively straightforward with the System Preferences. While this is true, there are situations where we might require a more complicated setup than that allowed by System Preferences.

For example, we might want to allow FTP access only from our computer at work, which has a fixed, known IP address. This would require allowing access for just that address and denying it to everyone else, a slight modification of the above example. With a little thought, I am sure you can dream up many such situations.

System Preferences does not allow you to make such changes, but ipfw is more than capable of handling the most complicated situations. There are two options for making these additions: make the modifications by hand, or use a shareware application that assists you with them. If the changes are simple and you are interested in turning the wrenches yourself, then the manual option is for you; we have already mentioned several commands, and the manual page (man ipfw) documents the full rule syntax. There are also a handful of useful resource links below that describe complicated setup procedures and some scripts that automate the setup for you.
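To make the top-to-bottom rule walk from "Under the Hood" concrete, and to show the work-only FTP restriction described above in rule form, here is an added example (not code from the article, from Apple or from BrickHouse). It parses a Jaguar-style rule set and runs packets through it the way ipfw does, first match wins, then repeats the exercise with FTP restricted to a single source address and with the catch-all deny renumbered ahead of the allow rules. Everything in it is constructed: the rules follow the shape of Jaguar's ipfw list output rather than being a capture, 192.0.2.10 stands in for the work computer, 192.0.2.50 for bullit and 198.51.100.7 for a stranger, and the implicit last rule is modelled as 65535 allow ip from any to any, which is how Mac OS X ships ipfw.

```python
"""Added example, not code from the article, Apple or BrickHouse: a first-match
evaluator for the subset of ipfw rule syntax that Jaguar's generated rules use.
Rule set and addresses are constructed (documentation ranges 192.0.2.0/24 and
198.51.100.0/24); the default rule 65535 is modelled as 'allow' as on Mac OS X."""
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

JAGUAR_STYLE_RULES = [
    "02000 allow ip from any to any via lo*",
    "02010 deny ip from 127.0.0.0/8 to any in",
    "02020 deny ip from any to 127.0.0.0/8 in",
    "02050 allow tcp from any to any out",
    "02060 allow tcp from any to any established",
    "02070 allow tcp from any to any 20-21 in",
    "02080 allow tcp from any 20-21 to any 1024-65535 in",
    "12190 deny tcp from any to any",
]

# Advanced variant: FTP allowed only from the (assumed) work address 192.0.2.10.
WORK_ONLY_RULES = [
    r for r in JAGUAR_STYLE_RULES if not r.startswith(("02070", "02080"))
] + [
    "02070 allow tcp from 192.0.2.10 to any 20-21 in",
    "02080 allow tcp from 192.0.2.10 20-21 to any 1024-65535 in",
]

# Same rules with the catch-all deny renumbered ahead of the FTP rules: ipfw
# stops at the first match, so FTP is blocked although 02070 is still present.
MISORDERED_RULES = [r.replace("12190", "02065") for r in JAGUAR_STYLE_RULES]


def _ports(spec):
    """'21' -> (21, 21); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def parse_rule(line):
    """Parse '<num> <allow|deny> <proto> from <src> [ports] to <dst> [ports] [options]'."""
    t = line.split()
    rule = {"num": int(t[0]), "action": t[1], "proto": t[2], "sport": None,
            "dport": None, "dir": None, "via": None, "established": False}
    i = 4                                   # t[3] is the literal 'from'
    rule["src"] = t[i]; i += 1
    if t[i] != "to":                        # optional source port range
        rule["sport"] = _ports(t[i]); i += 1
    i += 1                                  # skip the literal 'to'
    rule["dst"] = t[i]; i += 1
    if i < len(t) and t[i] not in ("in", "out", "via", "established"):
        rule["dport"] = _ports(t[i]); i += 1
    while i < len(t):                       # trailing options
        if t[i] in ("in", "out"):
            rule["dir"] = t[i]
        elif t[i] == "via":
            i += 1; rule["via"] = t[i]
        elif t[i] == "established":
            rule["established"] = True
        i += 1
    return rule


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for key in ("sport", "dport"):
        rng = rule[key]
        if rng and (pkt[key] is None or not rng[0] <= pkt[key] <= rng[1]):
            return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and not fnmatch(pkt["iface"], rule["via"]):
        return False
    if rule["established"] and not pkt["established"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Walk the rules in numeric order; the first match decides, as ipfw does."""
    for rule in sorted(map(parse_rule, ruleset), key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "allow"                   # Mac OS X's built-in default rule


def packet(proto, src, sport, dst, dport, direction, iface="en0", established=False):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": iface, "established": established}


if __name__ == "__main__":
    me, stranger, work = "192.0.2.50", "198.51.100.7", "192.0.2.10"
    print(evaluate(JAGUAR_STYLE_RULES, packet("tcp", stranger, 40000, me, 21, "in")))  # (2070, 'allow')
    print(evaluate(JAGUAR_STYLE_RULES, packet("tcp", stranger, 40000, me, 80, "in")))  # (12190, 'deny')
    print(evaluate(JAGUAR_STYLE_RULES, packet("tcp", stranger, 20, me, 5000, "in")))   # (2080, 'allow')
    print(evaluate(WORK_ONLY_RULES, packet("tcp", stranger, 40000, me, 21, "in")))     # (12190, 'deny')
    print(evaluate(MISORDERED_RULES, packet("tcp", stranger, 40000, me, 21, "in")))    # (2065, 'deny')
```

The third line of output is the point made earlier about rule 02080: a stranger who simply sends from source port 20 is let through to port 5000, or any other high port, because the rule only looks at port numbers. The work-only rule set closes that by matching on the source address as well, and the misordered set shows why the catch-all deny has to carry a higher number than the allows it is meant to follow.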

If, like me, you want a good understanding of how things work but would rather not type every rule by hand, there is a great shareware application called BrickHouse by Brian Hall. BrickHouse provides an intuitive, full-featured interface to ipfw while still using the industrial-strength firewall underneath and taking advantage of the features available in Jaguar. BrickHouse works very well for basic and advanced configurations. It installs a startup script so that your rule set is loaded when your computer boots, which matters because rules added with ipfw add do not survive a restart. BrickHouse also provides a useful interface to the ipfw log entries so that you can see who is knocking on your door (or colander ;) ).

A detailed feature description of BrickHouse is beyond the scope of this article, but it is free for evaluation and is a bargain at $25 if you continue using it. In addition to browsing the resources below, a great way to learn about ipfw is to use an application like BrickHouse (or System Preferences) to configure a set of rules and then look at the resulting ipfw rules as we have done above. This will get you going and satisfy the "need to know."

Final Thoughts

Jaguar contains a highly functional, time-tested firewall just waiting to be used. Don't let it go to waste. Exploit the underlying power of Jaguar to your advantage by creating a secure environment and providing remote computer-to-computer access that will make your computing life fun and easy. There are countless possible configurations, ranging from using your Mac as a public or private Web server to running your own mail server or remotely controlling your Mac via Secure SHell (SSH) access.

It's important to keep in mind, however, that despite all of the press on firewall security, firewalls are not a complete solution. The firewall decides which connections get in; it does nothing for the contents of the connections you open yourself. Plain FTP and POP send your username and password in cleartext, so anyone who can see the traffic while you retrieve your email or transfer files from your laptop on the road (on a shared or wireless network, or at any hop in between) can peek into the fast-moving river of data and grab values that look like:

USER: cochella
PASS: fido

A firewall can't protect you if someone gets hold of your username and password. Keep your eyes open for future MacDevCenter articles on such topics as SSH which, by the way, is also included with Jaguar.


Chris Cochella currently works as an Internet Programmer and Information Architect for StreamCapture, LLC, an Internet Applications and Web Services development company.
