Mac – How to add a ipfw forward rule to little snitch

firewallmacNetwork

I use the following rules to connect to my nginx server on a vagrant machine:

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to me 80
sudo ipfw add 100 fwd 127.0.0.1,8090 tcp from any to me 443

after installing little snitch, it seems to have made ipfw useless and i can't figure out how to apply a forward rule to little snitch?

Best Answer

Since ipfw is also removed in Yosemite the solution is to use pf

create a file in /etc/pf.anchors/

e.g. com.myapp

rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080

NOTE: Add a trailing line break. Otherwise pf will say you have a syntax error.

edit /etc/pf.conf add right after rdr-anchor "com.apple/*":

rdr-anchor "myapp"

and after load anchor "com.apple" from "/etc/pf.anchors/com.apple":

load anchor "myap" from "/etc/pf.anchors/com.myapp"

NOTE: Add a trailing line break. Otherwise pf will say you have a syntax error.

Next, reload the rules into pf by running sudo pfctl -f /etc/pf.conf

Finally, enable pf by running sudo pfctl -e

Source: https://github.com/basecamp/pow/issues/452

Related Solutions

Reasons to prefer Little Snitch over the built-in firewall

Little Snitch offers three features that aren't available in MacOS' built-in ipfw firewall. (It does this by loading a custom kernel module.)

Little Snitch allows you to block outgoing connections; the MacOS firewall only blocks incoming connections. Handy if you're running some untrusted program and aren't sure what it's going to do, or if you want to disable a program for updating itself, or if you want to prevent access to a specific resource. Also, I suspect many people use Little Snitch to block pirated software from checking their license.
Little Snitch lets you configure the firewall per application, not just address or port. Ie: you can configure it so one web browser can access a web site but not another.
Little Snitch also monitors network traffic on a per-application basis. It's easy on MacOS to see how much bandwidth you're using but much harder to see which program is using that bandwidth. The Little Snitch shows network usage for each application, albeit in a limited way.

That being said, I don't think Little Snitch is "must have" software; these features are fairly esoteric. There are also several alternatives: TCPBlock and glowworm for the firewall and Rubbernet (now defunct) for the monitoring.

2016 Update: MacOS now has the per-application monitoring built into Activity Monitor.

How to create OS X Server Admin firewall rules using ip address groups by command line

After 12 hours of searching and and not finding any example for ipfilter:ipAddressGroupsWithRules this https://help.apple.com/advancedserveradmin/mac/10.7/#apdA0111C46-F018-4C2C-B8D1-EDAEF73AC27E brought a helpful insight.

The only thing that need to be changed to create a new rule, and not update an existing one, is a first line that creates the rule. For example:

ipfilter:ipAddressGroupsWithRules:_array_id:11-net = create
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:readOnly = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:allowAll = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:addresses:_array_index:0 = "11.0.0.0/8"
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:name = "11-net"

Now the output of $ sudo serveradmin settings < 10-net.txt is no longer:

ipfilter:ipAddressGroupsWithRules = _empty_array

but:

ipfilter:ipAddressGroupsWithRules:_array_id:11-net:readOnly = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:allowAll = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:addresses:_array_index:0 = "11.0.0.0/8"
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:rules = _empty_array
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:name = "11-net"

Which is the synonym for that entering the new setting succeeded.

Best Answer

Related Solutions

Reasons to prefer Little Snitch over the built-in firewall

How to create OS X Server Admin firewall rules using ip address groups by command line

Related Question