macOS – Equivalent Command to ‘iptables’ in Mac OS X 10.8

macososx-server

I want to reject some traffic in Mac OS X 10.8(Server) like using:

iptables -t filter -I INPUT 4 -s xxx.xxx.xxx.0/20 -p tcp –dport 1723
-j REJECT

Is there the equivalent command for Mac OS X?

Best Answer

With OS X 10.7, Apple deprecated use of FreeBSD's ipfw and switched to OpenBSD's pf.

The control command for pf is pfctl(8).

You will find a brief discussion as of 10.7 here. This is useful for highlighting a couple ways OS X's PF differs from the stock BSD version.

Documentation on PF is widely available, including Hansteen's The Book of PF. The author also wrote a freely available tutorial, and the OpenBSD documentation is also freely available.

Note: If your machine is also running OS X Server under 10.8, you might need to fix a config error that Apple made before PF starts working.

Installing a package manager approach

Follow the instructions on these websites to install Homebrew, MacPorts, or Fink. Do not install more than one package manager at the same time!

Follow the prompt for whichever you installed.

For Homebrew: brew install tree

For MacPorts: sudo port install tree

For Fink: fink install tree

Installing from source approach

Install the Xcode command line tools by running xcode-select --install.
Download the tree source
Change the Makefile to get it to work, which is also explained in @apuche's answer below. Commenting out the Linux options and uncommenting the macOS options should be enough.
Then, run ./configure, then make.
Now you have to move the tree binary file to a location that's in your executable path. For example:
```
 sudo mkdir -p /usr/local/bin
 sudo cp tree /usr/local/bin/tree
```
Now edit ~/.bash_profile to include:
```
 export PATH="/usr/local/bin:$PATH"
```
Reload the shell, and now which tree should point to /usr/local/bin/tree.

Windows – Mac equivalent of `netstat -b -n`

OS X has a netstat command, but it doesn't display information about the programs associated with the network connections. If you want to see that, you need to use lsof instead. Note that it must be run as root (i.e. with sudo) in order to see other users' programs:

sudo lsof -i

lsof also has many options for controlling what's displayed:

sudo lsof -i tcp -nP   # show TCP unly (no UDP), and don't translate IP addrs and ports numbers to names
sudo lsof -i 6tcp -stcp:listen   # show only IPv6 TCP ports in the listen state
sudo lsof -i @10.11.12.13   # show only connections to/from 10.11.12.13

...see the man page for more.

Best Answer

Related Solutions

macos – Mac OS X Equivalent of the Ubuntu ‘Tree’ Command

Installing a package manager approach

Installing from source approach

Windows – Mac equivalent of `netstat -b -n`

Related Question