
I'd like to fine-tune the firewall rules on my Mac OS X, without a GUI I mean.

I come from the Linux world and I'm used to manually fine-tuning my firewalls, having full control over every rule, adding filtering rules on a per-IP or per-MAC basis and so on...

Is it possible (of course, I hope) and how is it possible to fulfil this need in Mac OS X?

I'd like to find something similar to the very, very powerful and reliable "Shorewall" scripts I had in Linux.

Thanks in advance to everyone who would give me a tip.

drAlberT

3 Answers

I recommend checking out this related question for discussion of ipfw and, even though you say you don't want a GUI tool, it may be worth investigating WaterRoof as a free config utility for it.

avstrallen

Ok, thanks for the answer adamvs... read the other thread and looked at WaterRoof. It seems a good tool, I'll try it... but I'm also interested in the right way to supersede the Apple GUI. Say, let's suppose I want to hand-write my ipfw rules and I know what I'm doing... what is the right place to put them in order to not pollute my Mac with tons of custom scripts that make things work, but that are out of the philosophy of my machine? Thanks – drAlberT Aug 03 '09 at 11:19

Mac OS X v10.5 actually has two firewalls: ipfw (a packet-filtering firewall like you're probably used to), and AppFirewall (aka alf, which filters programs attempting to listen for incoming traffic). AppFirewall is new in v10.5, and is the only one the GUI deals with at all (except on OS X Server running in advanced mode -- that has a GUI for ipfw). AppFirewall isn't terribly configurable; it basically has lists of programs and whether they're allowed to listen for connections. If you want to look at its config, use

defaults read /Library/Preferences/com.apple.alf

Editing can be done with `sudo defaults write` or any other plist editor you happen to prefer (or a text editor, as long as the file is in text/xml format; if not, use `plutil -convert xml1` to convert it).

However, it sounds like what you really want is a packet-filtering firewall. No problem, both can run in parallel (well, series actually -- traffic only gets in after going through both firewalls). So you can go ahead and configure ipfw however you want (use WaterRoof, or build your own script to configure it and use launchd to fire it off, or whatever) and not worry about interfering with the regular firewall.

BTW, it occurred to me that there's an exception to what I said about the GUI not touching ipfw: if you turn on Internet Sharing (in the Sharing pane in System Preferences), it activates ipfw to divert packets through the address translator. If you want to use this feature, I'm not sure how to make it and a manual ipfw config coexist peaceably; its setup is not at all configurable.

Gordon Davisson
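To make the "build your own script to configure ipfw and fire it off from launchd" suggestion concrete, here is an added example that is not from any of the answers above: a POSIX shell function that emits an ipfw ruleset from a list of blocked hosts and a trusted LAN, so the rules can be reviewed (and tested) before they are ever loaded. The addresses are constructed placeholders, and /etc/ipfw.conf is an assumed file location, not one Apple defines.

```shell
#!/bin/sh
# Added example (not the answer author's code): generate an ipfw ruleset.
# Assumptions: the hosts/networks passed in are constructed placeholders and
# /etc/ipfw.conf is simply where this script chooses to keep the rules.

# ipfw evaluates rules lowest number first, so loopback handling and the
# per-host denies come before the "established" rule: that way an already
# open connection from a blocked host is dropped as well, not grandfathered in.
build_ipfw_rules() {
    blocked_hosts="$1"   # space-separated source IPs or CIDRs to drop
    lan_net="$2"         # e.g. 192.168.1.0/24, the only network allowed to reach SSH
    printf '%s\n' \
      "add 00100 allow ip from any to any via lo0" \
      "add 00200 deny ip from any to 127.0.0.0/8" \
      "add 00300 deny ip from 127.0.0.0/8 to any" \
      "add 00400 check-state"
    rule=1000
    for h in $blocked_hosts; do
        printf 'add %05d deny log ip from %s to any in\n' "$rule" "$h"
        rule=$((rule + 10))
    done
    printf '%s\n' \
      "add 02000 allow tcp from any to any established" \
      "add 02100 allow tcp from ${lan_net} to me dst-port 22 in setup keep-state" \
      "add 02200 allow tcp from me to any out setup keep-state" \
      "add 02300 allow udp from me to any 53 out keep-state" \
      "add 02400 allow icmp from any to any icmptypes 0,3,8,11" \
      "add 65000 deny log ip from any to any"
}

# Number of rules that would be loaded; useful for a dry run before "ipfw".
count_rules() { build_ipfw_rules "$1" "$2" | grep -c '^add '; }

# Usage (as root, typically from a launchd job that runs at boot):
#   build_ipfw_rules "203.0.113.7 198.51.100.0/24" 192.168.1.0/24 > /etc/ipfw.conf
#   ipfw -q flush && ipfw -q /etc/ipfw.conf
```

Loading it at boot means a launchd plist in /Library/LaunchDaemons with RunAtLoad set that runs the two commands in the usage comment; that plist is left out here.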

Maybe have a look at this example ipfw ruleset to get started with fine-tuning ipfw:

http://codesnippets.joyent.com/posts/show/1267