Firewall and Blocking [More] Traffic

I have a MacBook Pro with the firewall on. I'm trying to run a Wireshark trace and the noise bleeding through Apple's firewall is very distracting. According to the image below, most of this noise is supposed to be blocked.

In practice, I'm finding a lot of Bonjour/mDNS/UPnP traffic getting through. I'd like to shut it down too.

Apple's docs don't really list anything useful for controlling the firewall. For example, there is no firewall(8) and ipfirewall(4) is a programming interface:

$ man -k firewall
ip6fw(8)                 - controlling utility for IPv6 firewall (DEPRECATED)
ipfirewall(4)            - IP packet filter and traffic accounting
ipfw(8)                  - IP firewall and traffic shaper control program (DEPRECATED)

How does one block all uninitiated inbound traffic, including promiscuous protocols like Bonjour? (I probably need to block outbound traffic too, but I can probably figure it out once I learn how to work with the firewall).

jww

Posted 2013-10-23T10:58:03.297

Reputation: 1

Answers

As of 10.7, Apple have switched to the OpenBSD project's Packet Filter (PF).

Packet filtering with PF is documented by the OpenBSD project.

PF's ability to keep state is intended to do precisely what you want: allow traffic initiated by the host to pass, while blocking the rest. "By storing information about each connection in a state table, PF is able to quickly determine if a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ruleset evaluation."

So you can likely start with a ruleset like

block all
pass out from any to any

so that everything but outbound traffic is banned. State entries get created for outbound traffic, which allows return traffic along that connection in, since it gets to skip the ruleset entirely.

Jeremy W. Sherman

Posted 2013-10-23T10:58:03.297

Reputation: 606

This just made my radar (I'm not sure how I missed it). Where does the ruleset go on Apple systems? Also, I'd like to allow SSH only since I need to SSH into it on occasion. I'd like it to be in effect upon system start. – jww – 2016-08-08T03:39:22.060

Looks like there's a lot of great detail here: https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X You might also look into a GUI for PF config like IceFloor http://www.hanynet.com/icefloor/index.html or Murus (linked therefrom). – Jeremy W. Sherman – 2016-08-08T13:20:24.950
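
A fuller ruleset built on the two rules in the answer above, as an added example that is not part of the original answer or its comments: it keeps the default-deny and stateful outbound rules, allows inbound SSH as asked in the follow-up comment, and stops the host's own Bonjour/mDNS and UPnP discovery traffic. The loopback interface name `lo0`, SSH listening on TCP port 22, and the choice to silence UDP ports 5353 and 1900 are assumptions.

```conf
# Constructed example PF ruleset (not from the original answer).
# Assumptions: loopback is lo0, sshd listens on TCP 22.

# Options come first. Leave loopback unfiltered so local services
# that talk to each other over lo0 keep working under "block all".
set skip on lo0

# Default deny in both directions: the answer's starting point.
block all

# Traffic initiated by this host. The state entries created here let
# the replies back in without any inbound pass rule, as the answer describes.
pass out from any to any

# The single unsolicited inbound service that is wanted: SSH.
pass in proto tcp from any to any port 22

# Stop this host from announcing or querying over Bonjour/mDNS (UDP 5353)
# and UPnP/SSDP discovery (UDP 1900). "quick" ends evaluation on a match,
# so the earlier "pass out" rule cannot override this one.
block out quick proto udp from any to any port { 5353, 1900 }
```

`pfctl -nf` on the file parses the rules without loading them, which catches syntax errors before the ruleset can lock out SSH. Packet captures tap the interface before PF filters inbound traffic, so blocked inbound packets can still appear in Wireshark; a capture filter is what hides them from the trace.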