MacOS – Configure ipfw to filter by ip range

firewallipfwmacosserver.app

I am a Linux user and very new to OSX. I have an OSX 10.7.5 "Lion" server that I am configuring as a webserver. I only have shell access.

I am tryin to configure the firewall, but ipfw is quite different from iptables. Currently, all ports are open to the world. I would like to add the following rules:

port 80/443: allow incoming connections from any IP address.
anything else: only allow incoming connections from within current subnet.

How would I accomplish this with ipfw?

Best Answer

Although you seem fine handling the command line, on OS X it is best to use the Server Admin Tools (like @lupincho suggested). But how can you use the Server Admin Tools GUI when you only have terminal acces?

You can run the Server Admin Tools app from another mac, this will allow you to login on a remote server and change it's settings. If you do not have a spare mac with the Server Admin Tools installed, you can do the following:

SSH into your remote OS X machine with an administrator’s log in and password.
Enable Remote Desktop (a.k.a. Screen Sharing, a.k.a. VNC) with this command:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypasswd -restart -agent -privs -all

3) Login using a VNC client (such as TightVNC). Your password is "mypasswd" (see the -vncpw flag in the above command; you can — and should — change this).

Now you can open the Server Admin Tools and do your thing.

4) When you are done, turn of screen sharing using your SSH session:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

Related Solutions

How does one lock down OS X Server using the PF firewall

You should:

understand pf basics - here is many guides on the Internet, you can safely read any Open/Free BSD guide. You must understand a few basic things:
- with PF, last rule wins (opposite of IPFW's "first rule wins")
- logging is in the pflog device if the 'tcpdump' format
- check the pfctl command using man pfctl
- also check man pf.conf
- you can create many simple text files that contains IP addresses (called tables) and using them in the filtering rules - see the example below.
AFTER this you can use two GUI frontends
- IceFloor (instead of the WaterRoof)
- Firewall builder (cross platform)

PF is not too hard if you have some knowledge about how firewalling works in general.

Fragment of pf.conf for table based filtering:

interface = "en0"
allowed_ports = "{ 80, 443 }"
table <badips> persist
table <noroute> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
block in on $interface from { <noroute>, <badips> } to any
pass in on $interface inet proto tcp from <badips> to $interface port $allowed_ports

The above example contains:

some basic definitions, like your interface name and some ports
definition for two tables, noroute for nonroutable addresses (RFC 1918) and the second badips that can contain your Geo IP based IP addresses
filtering rule - blocking anything from these tables
allowing ports 80 and 443 from badips (last rule wins)

MacOS – How to exclude certain ports from the firewall notifications

The dialog is not coming from ipfw but from socketfilterfw, the OS X Application based firewall. That one is not port based, like ipfw but based on processes. If an application/script wants to bind a port the application firewall checks it's ruleset and subsequently asks the user if that should be allowed which is what you already see. If you allow this, the binary in question gets signed and is allowed access in the future without user interaction. If the binary changes, you get asked again.

The only way to prevent getting asked is to turn off the app firewall which I do not recommend. Alternatively you could start signing each change of your python files which is likely to become annoying.

Sidenote: If you need a port based firewall as well you should be using pf (pf.conf(5), pfctl(8)) on Mountain-Lion as ipfw is deprecated.

Best Answer

Related Solutions

How does one lock down OS X Server using the PF firewall

MacOS – How to exclude certain ports from the firewall notifications

Related Question