trouble with simple ipfw deny command
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
I'm trying to figure out how to use ipfw in Mac OS X and I'm already stumped by what seems should be the easiest part. I'm trying to create a filter to deny certain hosts to my server, but the syntax is starting to frustrate me. Some services will be using TCP wrappers, but some will not; I'd rather have multiple lines of defense anyways. I try to create a filter to deny any traffic coming in from a certain host, but it fails to actually deny traffic:
Code:
ipfw add deny all from 1.2.3.4 to me in
Where 1.2.3.4 is a real IP. Of course I'm testing this from the host which I am banning from the server (and I am still able to successfully connect to the server).
What's the trick? I'm aware that ipfw isn't the most advanced of firewalls, though the man page says it can do some nifty stuff, but shouldn't this be about as easy as it gets?
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
Forum Regular
Join Date: Nov 2004
Location: América
You gotta give a number to that rule - You decide the number based on your policy: a default installation looks something like:
# ipfw list
[...]
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02200 allow tcp from any to any 80 in
12190 deny tcp from any to any
[...]
which means: let everything out, allow already established connections, allow http traffic, deny everything else in that order
assuming that, based on the above rules, you want to deny access to host 1.2.3.4, your rule has to have a number between 02200 and 12190, like:
# ipfw add 12000 deny all from 1.2.3.4 to me in
if you then need to clear that rule, you reference it by number again:
# ipfw zero 12000 [edit: this is wrong!!! use ipfw delete instead]
hth
(Last edited by Curios Meerkat; Jan 15, 2005 at 09:19 PM.)
…somehow we find it hard to sell our values, namely that the rich should plunder the poor. - J. F. Dulles
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Thanks, Curios Meerkat. I don't know what I was doing the last few weeks, but everything works finally. Even the example I posted in post #1 of this thread seems to work now.
You mentioned ipfw zero for use with clearing rules. The "zero" command is actually used to clear counters for the specified rule number. You can see the totals of the counters for each rule with the command ipfw -a list. Deleting a rule is actually done like this: ipfw delete <rule number>.
Things I noted while I was reading man pages and googling for help:
- The default rule on BSD systems with ipfw is to deny all. Apple includes a rule to allow all (even if the Firewall is "disabled" in the Sharing preference pane).
- Like Curios Meerkat said, packets are filtered through the rules in ascending order, that is, rule 00000 to 65535. Make sure you are aware of this when you create your rules.
- Rules are applied in real time. You can verify this by opening an ssh connection to a host and then banning all traffic to that host. You will no longer be able to communicate with the host unless you quickly delete the rule.
- On a Mac OS X Server box, you can add custom rules to /etc/ipfilter/ipfw.conf and they will be applied whenever the server or firewall restarts.
References:
(Last edited by [APi]TheMan; Jan 15, 2005 at 07:50 PM.)
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
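As an added example (not code from the thread), here is a small Python model of the evaluation order that both Curios Meerkat's rule-number advice and [APi]TheMan's note on ascending order describe: rules are walked from the lowest number up, and the first allow or deny that matches decides, so the number given to the host deny determines which existing allow rules it sits in front of. The rule set is the one quoted in the thread; the server address 192.0.2.10 is constructed to stand for "me", and only the match fields used by those rules are modelled.

```python
from dataclasses import dataclass
from typing import Optional
ME = "192.0.2.10"  # constructed: the server's own address, what "me" stands for

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "all"               # "tcp", "udp" or "all"
    src: str = "any"                 # "any" or a single host address
    dst: str = "any"                 # "any", "me" or an address
    dport: Optional[int] = None      # destination port, None = any port
    direction: Optional[str] = None  # "in", "out" or None = either
    established: bool = False        # only packets of an existing connection

def matches(rule, pkt):
    """pkt is a dict with keys proto, src, dst, dport, direction, established."""
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if rule.src != "any" and rule.src != pkt["src"]:
        return False
    if rule.dst != "any" and pkt["dst"] != (ME if rule.dst == "me" else rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    if rule.direction is not None and rule.direction != pkt["direction"]:
        return False
    return not rule.established or pkt["established"]

def evaluate(rules, pkt):
    """First match in ascending rule order wins; 65535 is the built-in default (deny on stock BSD)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535

# The default rule set quoted in the thread.
BASE_RULES = [
    Rule(2050, "allow", "tcp", direction="out"),
    Rule(2060, "allow", "tcp", established=True),
    Rule(2200, "allow", "tcp", dport=80, direction="in"),
    Rule(12190, "deny", "tcp"),
]

def verdict_with_host_deny(number, dport=80):
    """Add 'deny all from 1.2.3.4 to me in' at `number`, then evaluate a fresh inbound TCP packet from 1.2.3.4 to `dport`."""
    host_deny = Rule(number, "deny", "all", "1.2.3.4", "me", direction="in")
    pkt = {"proto": "tcp", "src": "1.2.3.4", "dst": ME, "dport": dport, "direction": "in", "established": False}
    return evaluate(BASE_RULES + [host_deny], pkt)
```

With the deny at 2100 an inbound HTTP packet from 1.2.3.4 is dropped by rule 2100, while at 12000 the same packet is still accepted by the earlier allow at 2200; only ports that 2200 does not already open reach the 12000 deny.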
Forum Regular
Join Date: Nov 2004
Location: América
Originally posted by [APi]TheMan:
You mentioned ipfw zero for use with clearing rules. The "zero" command is actually used to clear counters for the specified rule number. You can see the totals of the counters for each rule with the command ipfw -a list. Deleting a rule is actually done like this: ipfw delete <rule number>.
Yes you are right. Sorry if I confused you. ipfw delete is the right command.
…somehow we find it hard to sell our values, namely that the rich should plunder the poor. - J. F. Dulles
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by Curios Meerkat:
Yes you are right. Sorry if I confused you. ipfw delete is the right command.
No worries here, I'm just glad that someone has been actually responding to my last few posts. The Unix section has always been more quiet than the other areas in Software, but it's been really slow the last few weeks!
It's nice to have a resolution or at the least some level of discussion on these issues, because when someone comes here several months from now on a tip from some search engine, they'll have a starting point to troubleshoot their problems.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"