
IPFW Questions
Guru22
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
Status: Offline
Jun 21, 2004, 03:00 AM
 
Hello,

I was wondering where the default rules were stored for ipfw. Also I need to divert all traffic from port 80 to port 8080 on the same IP. I am trying to learn IPFW and I have sunShield.
I thought it might have been:

sudo ipfw divert any from 80 to any 8080 in

Cheers guys
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Jun 21, 2004, 03:53 AM
 
Why don't you use Brickwall to modify them?

I'm not sure how well BrickWall interacts with Apple's FireWall tool, though.
I don't suffer from insanity, I enjoy every minute of it.
     
entrox
Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Status: Offline
Jun 21, 2004, 05:36 AM
 
Originally posted by Guru22:
I was wondering where the default rules were stored for ipfw. Also I need to divert all traffic from port 80 to port 8080 on the same IP. I am trying to learn IPFW and I have sunShield.
I thought it might have been:

sudo ipfw divert any from 80 to any 8080 in
The rules are stored in /Library/Preferences/com.apple.sharing.firewall.plist, which is pretty useless, because it doesn't store ipfw rules but rather only the state from the firewall preference pane. So you can't really do funky things like diverting traffic from there.

You have 3 alternatives:

1) You can write a complete /etc/rc.firewall by yourself and set the rules from a startup script. This is how it's done on a real BSD.

2) You can use Brickwall to write more complex rules. Sadly, this will disable the Apple preference pane, since it essentially does the same as 1).

3) You can write a simple StartupItem to add extra rules after NetworkExtensions has run. This will break if you modify the firewall settings in the preference pane, since all rules get rewritten.

If you really want to learn ipfw, I'd go with 1). Otherwise 2) or 3) are preferable. The rule should be placed before the last deny and is something like
ipfw add 5000 divert 80 tcp from any to any 8080 in.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Jun 21, 2004, 06:54 AM
 
Originally posted by entrox:
The rules are stored in /Library/Preferences/com.apple.sharing.firewall.plist, which is pretty useless, because it doesn't store ipfw rules but rather only the state from the firewall preference pane. So you can't really do funky things like diverting traffic from there.

You have 3 alternatives:

1) You can write a complete /etc/rc.firewall by yourself and set the rules from a startup script. This is how it's done on a real BSD.

2) You can use Brickwall to write more complex rules. Sadly, this will disable the Apple preference pane, since it essentially does the same as 1).

3) You can write a simple StartupItem to add extra rules after NetworkExtensions has run. This will break if you modify the firewall settings in the preference pane, since all rules get rewritten.

If you really want to learn ipfw, I'd go with 1). Otherwise 2) or 3) are preferable. The rule should be placed before the last deny and is something like
ipfw add 5000 divert 80 tcp from any to any 8080 in.
You can directly edit the rules (as a text file) within Brickwall and save several configs. Probably the easier way for a newbie.
I don't suffer from insanity, I enjoy every minute of it.
     
Zim
Senior User
Join Date: Apr 2001
Location: Cary, NC
Status: Offline
Jun 21, 2004, 10:47 AM
 
Gary over at the Apple forums has done a good job of setting up a set of files for this that should be reasonably newbie-friendly.

http://discussions.info.apple.com/[email protected]

After any such attempt, always do a

sudo ipfw list

to be sure the rules "took" (i.e. I found I had to remove a check in my ipfw script with 10.3; my rules were no longer getting executed).

Mike
     
Guru22  (op)
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
Status: Offline
Jun 21, 2004, 11:30 PM
 
Cool. Thanks for the info. I couldn't find a Brick Wall. I found a Brick House which I am playing with. You cannot seem to divert with Brick House, so I'm reading through the documentation to try and find a way of forwarding traffic to port 8080 from port 80.

Cheers fellas.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Jun 22, 2004, 03:25 AM
 
Originally posted by Guru22:
Cool. Thanks for the info. I couldn't find a Brick Wall. I found a Brick House which I am playing with. You cannot seem to divert with Brick House, so I'm reading through the documentation to try and find a way of forwarding traffic to port 8080 from port 80.

Cheers fellas.
Well, you can edit the config files directly, so you can do everything as if directly editing the config files.
I don't suffer from insanity, I enjoy every minute of it.
     
Guru22  (op)
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
Status: Offline
Jun 22, 2004, 06:57 PM
 
add 2050 deny log tcp from any to any 8080 in via en0?
This is the rule I have added into the Brick House expert config. I hit Save then Apply.
Still No work!

I read all those MAN's and I think I'm asking the impossible. Basically it's a 4D Server. To run at port 80 it must be run as root. So I thought I would run the Server on port 8080 and divert all port 80 traffic into port 8080. I'm at a school. Our internet is managed from an office and getting extra ports forwarded to the school is very difficult.

Is this command just wrong or am I being silly or can this not be done?
     
entrox
Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Status: Offline
Jun 23, 2004, 05:07 AM
 
The command is wrong. This rule will silently drop all TCP packets which come from any IP/Port to any other IP on port 8080 via the ethernet interface and log a message. I already pasted a possible rule in an earlier reply:

ipfw add 5000 divert 80 tcp from any to any 8080 in

I haven't tested it, but it should say "add another rule at 5000, which diverts all inbound TCP traffic on port 80 from any IP to any other on port 8080".
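A check in the spirit of Zim's advice to run `sudo ipfw list` after installing rules and entrox's point that the rule must sit before the last deny, added here as an example and not posted by anyone in the thread: given `ipfw list` output and a rule number, it confirms the rule is present and numbered lower than the last deny rule (ipfw evaluates rules in ascending number order). The sample ruleset is constructed; the `divert` line follows the wording of entrox's suggested rule, and `check_rule_before_last_deny` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a rule number appears in
# `ipfw list` output and is ordered before the final deny rule.
# Real use (output piped in): sudo ipfw list | check_rule_before_last_deny 5000

# Constructed sample of `ipfw list` output for offline testing; not captured
# from a real machine. Rule numbers are shown zero-padded as ipfw prints them.
SAMPLE_RULES='02000 allow ip from any to any via lo0
02010 deny ip from any to 127.0.0.0/8
02020 deny ip from 224.0.0.0/3 to any in
05000 divert 80 tcp from any to any dst-port 8080 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# rule_present RULENUM RULES -> returns 0 if a rule with that number is listed
rule_present() {
    printf '%s\n' "$2" | awk -v n="$1" '$1+0 == n { found=1 } END { exit !found }'
}

# last_deny_num RULES -> prints the number of the last rule whose action is deny
last_deny_num() {
    printf '%s\n' "$1" | awk '$2 == "deny" { n=$1+0 } END { print n }'
}

# rule_before_last_deny RULENUM RULES -> returns 0 only if the rule exists and
# its number is lower than the last deny rule, i.e. it is reached before the
# deny can swallow the traffic
rule_before_last_deny() {
    rule_present "$1" "$2" || return 1
    last=$(last_deny_num "$2")
    [ "$1" -lt "$last" ]
}

# check_rule_before_last_deny RULENUM: reads `ipfw list` output from stdin
check_rule_before_last_deny() {
    rules=$(cat)
    if rule_before_last_deny "$1" "$rules"; then
        echo "rule $1 is installed before the last deny rule"
    else
        echo "rule $1 is missing or sits after the last deny rule" >&2
        return 1
    fi
}
```

Presence in the list only shows the rule was installed, not that it has the intended effect: ipfw's `divert` action hands matching packets to a divert socket, so a process must be listening on that divert port for the traffic to go anywhere.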
     