IPFW Questions
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
Hello,
I was wondering where the default rules were stored for ipfw. Also I need to divert all traffic from port 80 to port 8080 on the same IP. I am trying to learn IPFW and I have sunShield.
I thought it might have been:
sudo ipfw divert any from 80 to any 8080 in
Cheers guys
Moderator
Join Date: May 2001
Location: Hilbert space
Why don't you use Brickwall to modify them?
I'm not sure how well BrickWall interacts with Apple's FireWall tool, though.
I don't suffer from insanity, I enjoy every minute of it.
Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
Originally posted by Guru22:
I was wondering where the default rules were stored for ipfw. Also I need to divert all traffic from port 80 to port 8080 on the same IP. I am trying to learn IPFW and I have sunShield.
I thought it might have been:
sudo ipfw divert any from 80 to any 8080 in
The rules are stored in /Library/Preferences/com.apple.sharing.firewall.plist, which is pretty useless, because it doesn't store ipfw rules but rather only the state from the firewall preference pane. So you can't really do funky things like diverting traffic from there.
You have 3 alternatives:
1) You can write a complete /etc/rc.firewall by yourself and set the rules from a startup script. This is how it's done on a real BSD.
2) You can use Brickwall to write more complex rules. Sadly, this will disable the Apple preference pane, since it essentially does the same as 1).
3) You can write a simple StartupItem to add extra rules after NetworkExtensions has run. This will break if you modify the firewall settings in the preference pane, since all rules get rewritten.
If you really want to learn ipfw, I'd go with 1). Otherwise 2) or 3) are preferable. The rule should be placed before the last deny and is something like
ipfw add 5000 divert 80 tcp from any to any 8080 in.
Moderator
Join Date: May 2001
Location: Hilbert space
Originally posted by entrox:
The rules are stored in /Library/Preferences/com.apple.sharing.firewall.plist, which is pretty useless, because it doesn't store ipfw rules but rather only the state from the firewall preference pane. So you can't really do funky things like diverting traffic from there.
You have 3 alternatives:
1) You can write a complete /etc/rc.firewall by yourself and set the rules from a startup script. This is how it's done on a real BSD.
2) You can use Brickwall to write more complex rules. Sadly, this will disable the Apple preference pane, since it essentially does the same as 1).
3) You can write a simple StartupItem to add extra rules after NetworkExtensions has run. This will break if you modify the firewall settings in the preference pane, since all rules get rewritten.
If you really want to learn ipfw, I'd go with 1). Otherwise 2) or 3) are preferable. The rule should be placed before the last deny and is something like
ipfw add 5000 divert 80 tcp from any to any 8080 in.
You can directly edit the rules (as a text file) within Brickwall and save several configs. Probably the easier way for a newbie.
Senior User
Join Date: Apr 2001
Location: Cary, NC
Gary over at the Apple forums has done a good job of setting up a set of files for this that should be reasonably newbie-friendly.
http://discussions.info.apple.com/[email protected]
After any such attempt, always do a
sudo ipfw list
to be sure the rules "took" (i.e., I found I had to remove a check in my ipfw script with 10.3; my rules were no longer getting executed).
Mike
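Mike's advice to confirm with `sudo ipfw list`, together with entrox's point that the redirect rule has to sit before the last deny, can be scripted. The following is an added example, not code from the thread or from any of the tools named in it: it parses `ipfw list` output and checks that a divert/fwd rule for the target port exists and is numbered below the last explicit deny. The sample listing and its rule numbers are constructed for the example.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "number action body")

# Constructed sample of `sudo ipfw list` output (made up for this example,
# not captured from a real machine), with the thread's divert rule at 5000.
SAMPLE_IPFW_LIST = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02060 allow tcp from any to any 80 in
05000 divert 80 tcp from any to any 8080 in
12190 deny tcp from any to any
65535 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(.*)$")

def parse_ipfw_list(text):
    """Turn `ipfw list` output into (number, action, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return rules

def find_redirect_rule(rules, port):
    """First divert/fwd rule whose body names the target port."""
    port_re = re.compile(r"\b%d\b" % port)
    for r in rules:
        if r.action in ("divert", "fwd") and port_re.search(r.body):
            return r
    return None

def last_deny_number(rules):
    """Highest-numbered explicit deny, ignoring the default rule 65535."""
    denies = [r.number for r in rules if r.action == "deny" and r.number < 65535]
    return max(denies) if denies else None

def verify_redirect(listing, port):
    """Return (ok, redirect_rule_number, last_deny_number); ok means the
    redirect rule exists and is numbered below the last deny."""
    rules = parse_ipfw_list(listing)
    redirect = find_redirect_rule(rules, port)
    deny = last_deny_number(rules)
    if redirect is None:
        return (False, None, deny)
    return (deny is None or redirect.number < deny, redirect.number, deny)
```

Feed `verify_redirect` the real output of `sudo ipfw list` to check a live ruleset; a False result means the rule never made it in, or is shadowed by a deny that ipfw reaches first.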
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
Cool. Thanks for the info. I couldn't find Brickwall. I found BrickHouse, which I am playing with. You cannot seem to divert with BrickHouse, so I'm reading through the documentation to try and find a way of forwarding traffic to port 8080 from port 80.
Cheers fellas.
Moderator
Join Date: May 2001
Location: Hilbert space
Originally posted by Guru22:
Cool. Thanks for the info. I couldn't find Brickwall. I found BrickHouse, which I am playing with. You cannot seem to divert with BrickHouse, so I'm reading through the documentation to try and find a way of forwarding traffic to port 8080 from port 80.
Cheers fellas.
Well, you can edit the config files directly, so you can do everything as if directly editing the config files.
Fresh-Faced Recruit
Join Date: May 2004
Location: Australia
add 2050 deny log tcp from any to any 8080 in via en0?
This is the rule I have added into the Brick House expert config. I hit Save then Apply.
Still no work!
I read all those man pages and I think I'm asking the impossible. Basically it's a 4D Server. To run on port 80 it must be run as root. So I thought I would run the server on port 8080 and divert all port 80 traffic to port 8080. I'm at a school. Our internet is managed from an office, and getting extra ports forwarded to the school is very difficult.
Is this command just wrong or am I being silly or can this not be done?
Senior User
Join Date: Jan 2003
Location: Stuttgart, Germany
The command is wrong. This rule will silently drop all TCP packets which come from any IP/Port to any other IP on port 8080 via the ethernet interface and log a message. I already pasted a possible rule in an earlier reply:
ipfw add 5000 divert 80 tcp from any to any 8080 in
I haven't tested it, but it should say "add another rule at 5000, which diverts all inbound TCP traffic on port 80 from any IP to any other on port 8080".