MacOS – What’s the “built-in” firewall in OS X 10.9

firewallmacos

By "built-in" I mean the backend of the System firewall (System Preference->Security&Privacy->Firewall). Is it ipfw or pf? (I know that ipfw was the backend for previous versions of OS X).

And, what are the commands/logs that I can use to determine which firewall is running?

Best Answer

The firewall in OS X 10.9 is now "pf".

It is controlled by the tool pfctl which can also give you a lot of status about the firewall itself. Try sudo pfctl -s all and you will get a huge dump of info. If you want a lot of information you can add one or two -v to the front of the options for even more info - sudo pfctl -v -v -s all

Related Solutions

MacOS – How does Application Level Firewall work

ALF uses a process called Firewall. The rules list you are looking for exists under: /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Additionally, any changes made on a per user basis, is made to ~/Library/Preferences/com.apple.alf.plist.

If you navigate to /usr/libexec/ApplicationFirewall/, you will also see the Firewall and socketfilterfw processes, which supply the backend and configuration manager (respectively) for ALF.

You can read more about Apple's in-house firewall here: http://krypted.com/tag/socketfilterfw/

How does one lock down OS X Server using the PF firewall

You should:

understand pf basics - here is many guides on the Internet, you can safely read any Open/Free BSD guide. You must understand a few basic things:
- with PF, last rule wins (opposite of IPFW's "first rule wins")
- logging is in the pflog device if the 'tcpdump' format
- check the pfctl command using man pfctl
- also check man pf.conf
- you can create many simple text files that contains IP addresses (called tables) and using them in the filtering rules - see the example below.
AFTER this you can use two GUI frontends
- IceFloor (instead of the WaterRoof)
- Firewall builder (cross platform)

PF is not too hard if you have some knowledge about how firewalling works in general.

Fragment of pf.conf for table based filtering:

interface = "en0"
allowed_ports = "{ 80, 443 }"
table <badips> persist
table <noroute> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
block in on $interface from { <noroute>, <badips> } to any
pass in on $interface inet proto tcp from <badips> to $interface port $allowed_ports

The above example contains:

some basic definitions, like your interface name and some ports
definition for two tables, noroute for nonroutable addresses (RFC 1918) and the second badips that can contain your Geo IP based IP addresses
filtering rule - blocking anything from these tables
allowing ports 80 and 443 from badips (last rule wins)

Best Answer

Related Solutions

MacOS – How does Application Level Firewall work

How does one lock down OS X Server using the PF firewall

Related Question