Originally posted by udecker:
[quote]
Someone on here recently posted the following snippet for the terminal:
sudo ipfw add deny from any to any 2222
to add a rule to the internal firewall to block all UDP traffic across port 2222.
It was stated that this "adds" the rule to the firewall, and that it will last through subsequent reboots.
[/quote]
This does add the rule, but it doesn't make sure that the rule will get added at bootup, which is what you need to do to get it to make it through reboots. You'll need to create a startup item for that in /Library/StartupItems. If you've done that before, it should be no problem. If you haven't, here's what I have in my /Library/StartupItems/Firewall - a file called Firewall, which checks the kernel config and opens the rule file, a file called firewall.conf which contains all of the rules I want to load, and a file called StartupParameters.plist which is a basic plist file for the firewall. Then I added a line to /private/etc/hostconfig to toggle the firewall on and off as needed:
[code]
FIREWALL=-YES-
[/code]
Firewall looks like this:
[code]
#!/bin/sh
. /etc/rc.common

##
# start the server or not?
##
if [ "${FIREWALL:=-NO-}" = "-YES-" ]; then
    ConsoleMessage "Starting ipfw firewall"
    #
    # let's enable verbose logging in the kernel
    # (POSIX "=" instead of the bash-only "==" inside test)
    #
    if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.verbose)" = 0 ]; then
        /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
    fi
    #
    # start from nothing
    #
    /sbin/ipfw -q flush
    #
    # load the rules
    #
    /sbin/ipfw -q /Library/StartupItems/Firewall/firewall.conf
##
# well, firewall wasn't set in /etc/hostconfig
# so no firewall today...
##
fi
#
[/code]
firewall.conf will vary, depending on what you want to block, but here's a snippet of what I have, for context:
[code]
#
# allow loopback
#
add 00750 allow ip from any to any via lo0
add 00751 allow ip from 127.0.0.1 to any via lo0
#
# deny ipoptions (source routing and fingerprinting)
#
add 00800 deny log ip from any to any ipoptions ssrr
add 00801 deny log ip from any to any ipoptions lsrr
#
# deny tcpflags used for fingerprinting
#
add 00850 deny log tcp from any to any tcpflags syn,fin
add 00851 deny log tcp from any to any tcpflags fin,urg,psh
add 00852 deny log tcp from any to any tcpflags !syn,!fin,!rst,!ack
#
# allow outbound
#
add 00995 allow ip from any to any out
#
[/code]
Those are rules that I would suggest are pretty useful in any firewall ruleset...
Here's the StartupParameters.plist:
[code]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
    <key>Description</key>
    <string>firewall</string>
    <key>Messages</key>
    <dict>
        <key>start</key>
        <string>Starting firewall</string>
        <key>stop</key>
        <string>Stopping firewall</string>
    </dict>
    <key>OrderPreference</key>
    <string>Last</string>
    <key>Provides</key>
    <array>
        <string>Firewall</string>
    </array>
    <key>Requires</key>
    <array>
        <string>Resolver</string>
    </array>
</dict>
</plist>
[/code]
This combination works fine for me: it never fails to start, it's stable, etc. There may be some weirdness in the plist, which I got from someone else, but I haven't really fiddled much with plist files, and this one is working...
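As an added example (not part of the original post or the author's startup item), here is a small audit script that compares a firewall.conf with the live ruleset as printed by "ipfw list": it reports conf rules the startup item never loaded, and live rules that exist only in the kernel, i.e. rules added by hand with "sudo ipfw add" that will vanish at the next reboot. The conf text, the "ipfw list" output and the rule 01000 are constructed samples.

```shell
#!/bin/sh
# Added example: audit ipfw persistence. On a real box you would pass
# "$(cat /Library/StartupItems/Firewall/firewall.conf)" and "$(sudo ipfw list)"
# instead of the constructed samples below.

SAMPLE_CONF='#
# allow loopback
#
add 00750 allow ip from any to any via lo0
add 00751 allow ip from 127.0.0.1 to any via lo0
add 00800 deny log ip from any to any ipoptions ssrr
add 00995 allow ip from any to any out'

# constructed "ipfw list" output: 00800 was never loaded, 01000 was added by hand
SAMPLE_LIVE='00750 allow ip from any to any via lo0
00751 allow ip from 127.0.0.1 to any via lo0
00995 allow ip from any to any out
01000 deny udp from any to any dst-port 2222
65535 allow ip from any to any'

# rule numbers from a firewall.conf ("add NNNNN ..." lines only)
conf_rule_numbers() {
    printf '%s\n' "$1" | awk '$1 == "add" { print $2 }'
}

# rule numbers from "ipfw list" output, ignoring the implicit default rule 65535
live_rule_numbers() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $1 != "65535" { print $1 }'
}

# conf rules missing from the kernel: the startup item did not load them
not_loaded() {
    for n in $(conf_rule_numbers "$1"); do
        live_rule_numbers "$2" | grep -qx "$n" || echo "$n"
    done
}

# kernel rules missing from the conf: these will not survive a reboot
not_persistent() {
    for n in $(live_rule_numbers "$2"); do
        conf_rule_numbers "$1" | grep -qx "$n" || echo "$n"
    done
}

# the Firewall script only loads its rules when hostconfig has FIREWALL=-YES-
firewall_enabled() {
    printf '%s\n' "$1" | grep -qx 'FIREWALL=-YES-'
}
```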