Sunday, January 06, 2008

Firewalling Tiger (II)

Here is the script I'm running right now. It assumes that your DNS server is at 192.168.2.2 and that you are not running any service on your OS X box except an sshd server (Remote Login) and Samba. The '# Allow SMB/CIFS' rule is only there for sharing files with a Windows box; if you don't do that, delete it.
The services are opened only to the network (private, hopefully) that you define in the 'LAN' variable. The only other inbound openings are DHCP, so the box can get an address from the server, and ping, so you can run basic connectivity tests against the OS X box.

On the outgoing side, you might want to add POP3 (port 110), IMAP (143) or POP3S (995) if that is what you use for email; IMAPS (993) is already allowed.
I used the firewall script at Locking down the Os X firewall as the template for this one. It is an excellent resource, but it doesn't allow anything inbound to the OS X box.

To use the script, copy it and save it, say as 'rc.firewall', on your Desktop, then:


sudo cp ~/Desktop/rc.firewall /etc/rc.firewall
sudo chmod +x /etc/rc.firewall


To begin using it (the rules live in the kernel and are gone after a reboot, so run this again after each boot, or have a startup item do it):

sudo sh /etc/rc.firewall


If you want to stop and clear the rules, allowing everything once again:

sudo ipfw -f flush


If you want to see the rules in use, type the following ('sudo ipfw -a list' adds the packet counters, useful for checking that a rule is actually matching):

sudo ipfw list



#!/bin/sh

# Variables to simplify maintenance
ipf="/sbin/ipfw"

# LAN MyLAN
LAN="192.168.2.0/24"

# You can add more servers, these are comma delimited
DNS_SERVERS="192.168.2.2"

## ------------------------------------

# Enable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Flush existing rules
${ipf} -f flush

# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state

# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0

# Allow established connections
# Caveat: 'established' matches any TCP packet with ACK or RST set, whether
# or not a dynamic rule exists, so ACK probes to closed ports pass this rule
# instead of hitting the logged deny at the end. The keep-state rules below
# carry the real sessions; remove this rule if you prefer to log such probes.
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------

# Allow ICMP traffic (echo reply and echo request) from the LAN
${ipf} add allow icmp from ${LAN} to me icmptypes 0,8

# Allow SSH connections
${ipf} add allow tcp from ${LAN} to me 22 keep-state

# Allow DHCP (server port 67, client port 68). Replies can be addressed to
# the broadcast address, or to an address this box does not hold yet, so
# the destination is 'any' rather than 'me'; lease requests and renewals
# leave from port 68, from 0.0.0.0 before an address is configured.
${ipf} add allow udp from ${LAN} 67 to any 68 in
${ipf} add allow udp from any 68 to any 67 out

# Allow SMB/CIFS. Samba listens on 139 (NetBIOS session) and 445 (direct
# SMB) by default, and Windows tries 445 first, so open both; delete these
# lines if you are not sharing files. NetBIOS name service (udp 137/138)
# is only needed for browsing the network, not for connecting by address.
${ipf} add allow tcp from ${LAN} to me 139,445 keep-state

## ------------------------------------
## Outgoing connections
## ------------------------------------

# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state

# Allow SMTP connections
${ipf} add allow tcp from me to any 25 keep-state

# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state

# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state

# Allow IMAPS traffic
${ipf} add allow tcp from me to any 993 keep-state

# Allow Messenger traffic
${ipf} add allow tcp from me to any 1863 keep-state

# Allow queries to DNS servers (UDP, plus TCP for answers over 512 bytes)
${ipf} add allow udp from me to ${DNS_SERVERS} 53 keep-state
${ipf} add allow tcp from me to ${DNS_SERVERS} 53 keep-state

# Allow ICMP traffic out (Ping anything on the internet)
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down
## ------------------------------------

# Everything not explicitly allowed above is dropped and logged
${ipf} add deny log ip from any to any


# EoF #
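As an added example (my own code, not the script above or the template it was written from), here is the same LAN-only allow-list generated as numbered ipfw rules. The point is to print the set as text first, so it can be read, linted and diffed against 'sudo ipfw list' before it is piped to a root shell, and to number the rules so a single one can later be removed with 'sudo ipfw delete N' instead of flushing everything. The addresses are the example values from this post, not real hosts; the file name gen-rules.sh and the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: the LAN-only allow-list as
# numbered ipfw rules, printed as text for review before it is applied.
# Assumed usage:  sh gen-rules.sh            # review the rules
#                 sh gen-rules.sh | sudo sh  # apply them
# The addresses are the post's example values, not real hosts.

IPFW=/sbin/ipfw
LAN=192.168.2.0/24
DNS_SERVERS=192.168.2.2

# Rule numbers are spaced 100 apart. ipfw evaluates rules in numeric order,
# and 'sudo ipfw delete N' removes one rule, so gaps allow later changes
# without flushing the whole set.
rule_no=0
emit() {
    rule_no=$((rule_no + 100))
    printf '%s add %d %s\n' "$IPFW" "$rule_no" "$*"
}

# allow_in SRC PROTO PORTS : a service on this host, reachable from SRC only
allow_in() {
    emit allow "$2" from "$1" to me "$3" in keep-state
}

# allow_out PROTO DST PORTS : a connection from this host to DST
allow_out() {
    emit allow "$1" from me to "$2" "$3" out keep-state
}

# ruleset : print the whole set, in order, ready for a root shell
ruleset() {
    rule_no=0
    echo "/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1"
    echo "$IPFW -f flush"
    emit check-state
    emit allow all from any to any via lo0
    # Anti-spoofing: a loopback address must never arrive on a real interface
    emit deny log ip from 127.0.0.0/8 to any in
    emit deny log ip from any to 127.0.0.0/8 in

    # Inbound: only from the LAN, only the services this box really runs
    emit allow icmp from "$LAN" to me icmptypes 0,8 in
    allow_in "$LAN" tcp 22           # Remote Login
    allow_in "$LAN" tcp 139,445      # Samba; drop this line if not sharing
    # DHCP replies may go to broadcast or to an address this host does not
    # hold yet, so the destination is 'any' rather than 'me'
    emit allow udp from "$LAN" 67 to any 68 in
    emit allow udp from any 68 to any 67 out

    # Outbound: ssh, smtp, http, https, imaps, then DNS and ping
    for port in 22 25 80 443 993; do
        allow_out tcp any "$port"
    done
    allow_out udp "$DNS_SERVERS" 53
    allow_out tcp "$DNS_SERVERS" 53  # answers over 512 bytes fall back to TCP
    emit allow icmp from me to any out keep-state

    # Everything else is dropped and logged
    emit deny log ip from any to any
}

# lint_ruleset : non-zero if the last rule is not the catch-all deny, or if
# any allow rule exposes a service on this host to an 'any' source
lint_ruleset() {
    ruleset | awk '
        / add / { last = $0 }
        / allow / && / from any to me / { exposed++ }
        END {
            if (last !~ / deny log ip from any to any$/) exit 1
            if (exposed > 0) exit 2
        }'
}

# Print the rules only when the lint passes
lint_ruleset && ruleset
```

The lint is deliberately dumb: it only catches the two mistakes that matter most when hand-editing this kind of script, losing the final deny and opening a port to the whole internet by writing 'any' where the LAN should be.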

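The final 'deny log' rule, together with net.inet.ip.fw.verbose=1, writes one syslog line per dropped packet. As an added example (my own code, not part of the post), here is a small summarizer that groups those lines by protocol, source and destination port, so a port scan from a LAN host, or a service you forgot to open, stands out at a glance. The log lines are constructed in the format ipfw writes ('ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in|out via <if>'); on a live box you would feed it the system log instead.

```shell
#!/bin/sh
# Added example, not from the post: summarize what the final 'deny log'
# rule is dropping. Reads ipfw syslog lines on stdin.

# summarize_denies : prints "count proto src dport" for inbound denies,
# busiest first; outbound denies are skipped
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "Deny" token; protocol, source, destination and
            # direction follow it, whatever prefix syslog added
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            proto = $(i + 1); src = $(i + 2); dst = $(i + 3); dir = $(i + 4)
            if (dir != "in") next
            sub(/:[0-9]+$/, "", src)            # drop the ephemeral source port
            n = split(dst, d, ":"); dport = (n > 1) ? d[n] : "-"
            sub(/:.*/, "", proto)               # "ICMP:8.0" -> "ICMP"
            count[proto " " src " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_deny : the single busiest "count proto src dport" line
top_deny() {
    summarize_denies | head -n 1
}

# Constructed sample log, not captured from a real machine. The last line is
# an outbound POP3 attempt, the kind of thing you see when a mail port was
# not added to the outgoing rules.
SAMPLE_LOG='Jan  6 10:01:02 tiger kernel: ipfw: 1800 Deny TCP 192.168.2.77:51234 192.168.2.10:23 in via en0
Jan  6 10:01:02 tiger kernel: ipfw: 1800 Deny TCP 192.168.2.77:51235 192.168.2.10:23 in via en0
Jan  6 10:01:03 tiger kernel: ipfw: 1800 Deny TCP 192.168.2.77:51236 192.168.2.10:3389 in via en0
Jan  6 10:01:09 tiger kernel: ipfw: 1800 Deny UDP 192.168.2.1:137 192.168.2.255:137 in via en0
Jan  6 10:01:11 tiger kernel: ipfw: 1800 Deny ICMP:8.0 10.0.0.5 192.168.2.10 in via en0
Jan  6 10:01:12 tiger kernel: ipfw: 1800 Deny TCP 192.168.2.10:49152 198.51.100.7:110 out via en0'

printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Outbound drops are left out on purpose: they are your own box failing to reach something, which is a rules problem rather than something to hunt, and they show up quickly enough when an application hangs.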