Mac – How to disable any external traffic to the port 80

Tags: apache, firewall, mac

I don't want others on the same network (or any network!) to be able to access my machine at port 80, where I have dev websites.

I've tried adding this rule to ipfw:

deny tcp from any to any dst-port 80 in

which works, but it also stops me from being able to access my web root whenever I get a new IP (switching to a new wireless network, for example) until I refresh my network interface.

Is there a rule that I can add into ipfw or (since it's apparently deprecated) into pfctl that disallows any external traffic to port 80?

Edit: bmike's answer is just perfect. Here's what I've done, for others to see:

sudo ipfw add 00100 allow ip from any to any via lo0
sudo ipfw add 90100 deny tcp from any to any dst-port 80 in
sudo ipfw add 90100 deny tcp from any to any dst-port 443 in
sudo ipfw add 90100 deny tcp from any to any dst-port 3306 in

This allows all ports locally, but disallows any incoming connection to 80 (Apache), 443 (https), and 3306 (MySQL, which I already have restricted to localhost, but I still added this just to ensure it).

Best Answer

You'll want to be sure you have an allow rule with a lower number than the deny rule.

So perhaps:

00100 allow ip from any to any via lo0
90100 deny tcp from any to any dst-port 80 in

This puts the allow very low (make sure you don't have any deny rules in the 0-99 rule number range) and puts the general deny rule at a very high number (presumably you won't be allowing anything on port 80 higher than 90101).

If you are not defining a rule file to load all the commands in one shot, have a look at this answer for a slightly different take on restricting ports: How do I use ipfw to allow LAN access but deny Internet access?
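The ordering argument in the answer (allow on lo0 numbered below the deny) is easier to see with a small first-match simulator. The following is an added illustration, not code from the question, the answer or ipfw itself: it parses the ipfw subset used on this page, walks the rules in ascending number the way ipfw does, and shows the three cases that matter: the deny rule on its own (the questioner's first attempt), the final rule set from the question's edit, and a constructed counter-example in which the loopback allow is numbered above the deny. Assumptions: the implicit final rule 65535 is treated as allow, as on a stock macOS ipfw configuration; the sample packets and interface names are constructed; stateful matching and the interface-address change the questioner observed are not modelled.

```python
"""Model of ipfw's first-match rule evaluation (added illustration, not ipfw code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's fixed final rule; assumed "allow ip from any to any" as on stock macOS


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches any protocol, otherwise "tcp"/"udp"
    dst_port: Optional[int] = None   # None = any destination port
    direction: Optional[str] = None  # "in", "out", or None = both
    via: Optional[str] = None        # interface name, None = any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    direction: str   # "in" or "out"
    iface: str       # interface the packet passes through, e.g. "en0" or "lo0"


def parse_rule(line: str) -> Rule:
    """Parse the ipfw subset used on this page:
    [sudo ipfw add] <num> <action> <proto> from any to any [dst-port N] [in|out] [via IFACE]"""
    tokens = line.split()
    if tokens[:3] == ["sudo", "ipfw", "add"]:
        tokens = tokens[3:]
    number, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if tokens[3:7] != ["from", "any", "to", "any"]:
        raise ValueError(f"unsupported address spec in: {line!r}")
    dst_port: Optional[int] = None
    direction: Optional[str] = None
    via: Optional[str] = None
    rest, i = tokens[7:], 0
    while i < len(rest):
        if rest[i] == "dst-port":
            dst_port, i = int(rest[i + 1]), i + 2
        elif rest[i] in ("in", "out"):
            direction, i = rest[i], i + 1
        elif rest[i] == "via":
            via, i = rest[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option {rest[i]!r} in: {line!r}")
    return Rule(number, action, proto, dst_port, direction, via)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw walks the table in ascending rule number; the first matching rule decides.
    If nothing matches, the implicit final rule applies (assumed allow here)."""
    for rule in sorted(rules, key=lambda r: r.number):  # stable sort: equal numbers keep insertion order
        if matches(rule, pkt):
            return rule.action, rule.number
    return "allow", DEFAULT_RULE


# The rule set from the question's edit (commands copied from the page).
QUESTIONER_RULES = [parse_rule(line) for line in [
    "sudo ipfw add 00100 allow ip from any to any via lo0",
    "sudo ipfw add 90100 deny tcp from any to any dst-port 80 in",
    "sudo ipfw add 90100 deny tcp from any to any dst-port 443 in",
    "sudo ipfw add 90100 deny tcp from any to any dst-port 3306 in",
]]
# The questioner's first attempt: the deny rule on its own.
DENY_ONLY = [parse_rule("90100 deny tcp from any to any dst-port 80 in")]
# Constructed counter-example: loopback allow numbered above the deny, so it never wins.
ALLOW_TOO_HIGH = [parse_rule("95000 allow ip from any to any via lo0"),
                  parse_rule("90100 deny tcp from any to any dst-port 80 in")]

# Constructed sample packets: a LAN host reaching Apache, the developer's own browser via
# loopback, and an unrelated inbound connection that no rule mentions.
EXTERNAL_HTTP = Packet("tcp", 80, "in", "en0")
LOCAL_HTTP = Packet("tcp", 80, "in", "lo0")
EXTERNAL_SSH = Packet("tcp", 22, "in", "en0")


def demo() -> dict:
    """Decision (action, winning rule number) for each rule set / packet pair."""
    return {
        "deny-only/local": evaluate(DENY_ONLY, LOCAL_HTTP),
        "answer/external": evaluate(QUESTIONER_RULES, EXTERNAL_HTTP),
        "answer/local": evaluate(QUESTIONER_RULES, LOCAL_HTTP),
        "answer/ssh": evaluate(QUESTIONER_RULES, EXTERNAL_SSH),
        "allow-too-high/local": evaluate(ALLOW_TOO_HIGH, LOCAL_HTTP),
    }


if __name__ == "__main__":
    for name, (action, number) in demo().items():
        print(f"{name:22s} -> {action} (rule {number})")
```

Running it shows the deny-only table also denies the loopback request, the answer's table denies the LAN request at 90100 while the loopback one passes at 100 and port 22 falls through to the final rule, and the mis-ordered table denies loopback traffic because ipfw never reaches rule 95000 once 90100 has matched. A quick sanity check on a real box is `sudo ipfw list`, which prints the table in exactly this ascending order.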