


Tiger's Improved Firewall (and How to Use It)

There are Bugs

Best to get this over with. There were bugs in the old firewall and there are bugs in the new firewall. These are new bugs in the new features, and I'm sure that someone is beavering away to get them fixed (some people get all the fun jobs). They affect how we can use the firewall but, at least with the ones that I have found, they do not compromise the firewall.

First, the bug when enabling a set. The problem is that the first command needs to be a disable. So I actually issued the following command:

$ sudo ipfw set disable 12 enable 4

On my computer, set 12 has no rules in it, so I can disable it all I want. That gets around the enable bug. Ugly and annoying yes, but we can live with it.

If you read the man page for the firewall (man ipfw), you'll notice that you should be able to delete sets of rules and move rules in and out of different sets. First let's try and delete a set of rules:

$ sudo ipfw delete set 4
ipfw: rule 4: setsockopt(IP_FW_DEL): Invalid argument

Obviously someone has yet to get round to coding that up, so you can't delete sets. Just disable the set and then delete each rule individually. Inconvenient but not fatal.
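A small script for the workaround just described (disable the set, then delete each of its rules individually). This is an added example, not code from the article; it assumes that `ipfw -S list` prints one rule per line in the form `NNNNN set S ...`, as in FreeBSD's ipfw2, and that the built-in default rule 65535 must be left alone.

```shell
#!/bin/sh
# Workaround for the broken "ipfw delete set N" (added example, assumes
# the FreeBSD ipfw2 "-S" listing format): disable the set, then delete
# each rule that belongs to it one at a time.

# Print the numbers of the rules in set $1, reading "ipfw -S list" output
# on stdin. Rule 65535 (the default rule) is never printed, and a number
# shared by several rules is printed once, since "ipfw delete N" removes
# every rule with that number.
rules_in_set() {
    awk -v want="$1" '
        $2 == "set" && $3 == want && $1 != "65535" && !seen[$1]++ { print $1 + 0 }
    '
}

# Disable set $1, then delete every rule in it individually.
# Set DRY_RUN=1 to print the ipfw commands instead of running them.
delete_set() {
    set_no="$1"
    run="sudo ipfw"
    [ -n "$DRY_RUN" ] && run="echo sudo ipfw"
    # Disable first so no rule in the set matches traffic while we work.
    $run set disable "$set_no"
    # Without -S, ipfw does not list rules that sit in a disabled set.
    for rule in $(sudo ipfw -S list | rules_in_set "$set_no"); do
        $run delete "$rule"
    done
}
```

Run it with DRY_RUN=1 first to see which delete commands would be issued before letting it touch the live rule set.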

However this move is one to avoid:

$ sudo ipfw set move rule 60000 to 13

This should move rule 60000 from its existing set into set 13. No such luck: rule 60000 just disappears. In effect this is a strange syntax for a delete. Avoid this one, as you will lose rules from your firewall if you use it. Now that you know about these bugs, they should not bite you.

Logging Firewall Usage to ipfw.log

In the old firewall, you just had to enable net.inet.ip.fw.verbose and all the rules flagged with a log statement would start writing their output to /var/log/system.log. A quick change in /etc/syslog.conf, and our log lines would be written out to /var/log/ipfw.log. Well, that has all changed: ipfw2 now has its own logger process, and the syslog.conf file supplied with Tiger is already set up to log to /var/log/ipfw.log.

If you are using the firewall as supplied by Tiger, then the Firewall pane under Sharing in System Preferences now has an Advanced button that will allow you to turn on logging, plus a couple of other small security features. However, if we have written our own rules, then the Firewall pane will be unavailable and we will have to turn this on ourselves:

$ sudo /usr/libexec/ipfwloggerd
$ sudo sysctl -w net.inet.ip.fw.verbose=2

To disable logging we just need to set net.inet.ip.fw.verbose to 0. There is no real harm in leaving ipfwloggerd running, although you would not really want more than one running (which is what will happen if you run the first line repeatedly).

Final Thoughts

ipfw2 improves upon the previous version and introduces some new features, some of which actually work. Sets may not seem a big deal, but they are very useful for managing your firewall. If you go through the man page, you will see many convenient extensions to the rule syntax that make setting up a firewall less verbose. These can make a great deal of difference to how understandable your rules are and therefore how likely you are to notice any mistakes you might have made.

Editor's note: This article is current as of Mac OS X 10.4.2. On the day that I was editing it, Apple released Mac OS X 10.4.3. From what I can tell, there aren't any changes to the Firewall in this update. But if you notice something, please note it in the Talkbacks below to assist other readers. You also might want to read Peter's Exploring the Mac OS X Firewall. It covers the Panther version of the software, but still has some good general info.

Peter Hickman is currently working as a programmer for Semantico, which specializes in online reference works and Access Control Systems. When not programming or reading about programming he can be found sleeping.
