ipfw keeps 'resetting'


Filmo
Sep 24, 2002, 11:00 PM
Whenever I make a change to ipfw to block certain activity on certain ports, it keeps resetting back to just the default when I reboot.

for example

sudo ipfw -a list

only shows

65535 12647 6249193 allow ip from any to any

after a restart.

for example I add a block:

sudo ipfw add 1 deny udp from any to any 2222

then list again it shows up correctly:

00001 0 0 deny udp from any to any 2222
65535 13002 6300081 allow ip from any to any

however, if I reboot the machine, it reverts back to just:

65535 13002 6300081 allow ip from any to any


Any thoughts?

4est
Sep 24, 2002, 11:12 PM
Sure, make a Startup Otem.

Filmo
Sep 25, 2002, 01:37 AM
what's a 'startup Otem'? do you mean start up 'item'?

Doesn't explain why the settings aren't being saved between runs. Hardly seems reasonable that you would have to install all of your ipfw settings every time you reboot. Maybe I'm missing something here?

Zim
Sep 25, 2002, 08:41 AM
And I'm not sure a StartupItem will work either. Since installing 10.2, I have been unable to get my StartupItem settings to "stick".

I have Order set to Last, and Requiring Extensions and Resolver (something like that, I cannot get to the file at this second to check).

And I see in the startup window "Starting up Firewall *****" (I put the **** so it would be easy to see).

And still, after Terminal launches I do an ipfw list and am greeted with only the default system rule.

The problem is that Apple's sharing panel is using ipfw now (since 10.2?). How one waits for it to do its thing, I cannot figure out. Nor have I seen a solution yet.

I've looked at Brickhouse's pkg StartupItem and see no magic there. LOL, I wonder if Brickhouse users went to the Terminal and typed "ipfw list", what they'd see?

Mike

legionare
Sep 25, 2002, 09:07 AM
Apple's half-hearted firewall uses a kernel extension to call ipfw. My own seems to load fine with Apple's firewall off. Check in /var/tmp/console.log to see if there's any error message regarding your rulesets. One thing is for sure, "Starting up Firewall *****" should display in the log regardless.

Zim
Sep 25, 2002, 03:50 PM
Originally posted by legionare:
Apple's half-hearted firewall uses a kernel extension to call ipfw. My own seems to load fine with Apple's firewall off. Check in /var/tmp/console.log to see if there's any error message regarding your rulesets. One thing is for sure, "Starting up Firewall *****" should display in the log regardless.

It does indeed show in my /var/log/system.log, but when I do a sudo ipfw list.. all I get is

65535 allow ip from any to any

I still have to start it by hand. So the StartupItem is seemingly useless.

It was working fine pre 10.2.

Mike

Wevah
Sep 25, 2002, 07:29 PM
My IPFW StartupItem is still working fine...

legionare
Sep 25, 2002, 09:04 PM
Aight, since I'm so damn proud of my ipfw defense, I can't let another opportunity of showing off slip by. Here are the requisite files:

StartupParameters.plist (super-duper bleeding edge edition)
***************************
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="1.0">
<dict>
    <key>Description</key>
    <string>IPFW</string>
    <key>Messages</key>
    <dict>
        <key>start</key>
        <string>Starting IPFW</string>
        <key>stop</key>
        <string>Stopping IPFW</string>
    </dict>
    <key>OrderPreference</key>
    <string>Last</string>
    <key>Provides</key>
    <array>
        <string>Firewall</string>
    </array>
    <key>Requires</key>
    <array>
        <string>Network</string>
    </array>
</dict>
</plist>

StartupParameters.plist (back-up old-style edition)
***************************
{
    Description = "firewall";
    Provides = ("Firewall");
    Requires = ("Network");
    OrderPreference = "None";
    Messages =
    {
        start = "Starting firewall";
        stop = "Stopping firewall";
    };
}


Firewall (this file's name should match the name of the ipfw startupitems folder)
***************************
#!/bin/sh

. /etc/rc.common

ConsoleMessage "Configuring IPFW"

IPFW=/sbin/ipfw

# Change this to ppp0 if you want to apply these rules to
# a PPP dialup connection instead of the built-in ethernet.
ETHERNET=en0
AIRPORT=en1
PPP=ppp0

StartService ()
{
    if [ "${FIREWALL:=-YES-}" = "-YES-" ]; then

        CheckForNetwork

        # check for network
        if [ "${NETWORKUP}" = "-NO-" ]; then exit; fi

        # clear all rules
        ConsoleMessage "Flushing existing ipfw ruleset"
        ${IPFW} -f flush

        ConsoleMessage "Starting ipfw"

        # Allow outgoing traffic
        #${IPFW} add 8000 allow all from any to any out via any

        # Allow loopback traffic; was allow ip from any to any via lo0
        ${IPFW} add 8010 allow all from any to any via lo0
        ${IPFW} add 8020 allow all from any to 127.0.0.1

        # block webtrendslive.com 63.88.212.0 - 63.88.213.255
        ${IPFW} add 7911 deny log tcp from 63.88.212.0/23 to any in via any

        # block pennyweb.com 63.208.235.8
        ${IPFW} add 7912 deny log tcp from 63.208.235.0/25 to any in via any

        # block doubleclick.net
        # 199.95.206.0 - 199.95.209.255
        # 204.253.104.0 - 204.253.105.255
        # 208.184.29.210.doubleclick.net 208.184.0.0 - 208.185.255.255
        ${IPFW} add 7913 deny log tcp from 199.95.206.0/23 to any in via any
        ${IPFW} add 7914 deny log tcp from 199.95.208.0/23 to any in via any
        ${IPFW} add 7915 deny log tcp from 204.253.104.0/23 to any in via any
        ${IPFW} add 7916 deny log tcp from 208.184.29.0/23 to any in via any

        # block websponsors.com 209.207.236.48-49
        ${IPFW} add 7917 deny log tcp from 209.207.236.0/25 to any in via any

        # block questionmarket.com 64.14.62.196
        ${IPFW} add 7918 deny log tcp from 64.14.62.0/24 to any in via any

        # block ad-flow.com 216.151.100.246
        ${IPFW} add 7919 deny log tcp from 216.151.100.0/24 to any in via any

        # block hitbox.com
        # 209.75.20.41
        # 209.75.22.238
        # 209.75.23.185
        ${IPFW} add 7920 deny log tcp from 209.75.20.0/22 to any in via any

        # block i-pipe intelliads.com/inet1.com
        # 206.138.137.0 - 206.138.137.255
        ${IPFW} add 7921 deny log ip from 206.138.137.0/24 to any in via any

        # block spylog.com 194.67.35.205
        # 194.67.35.0 - 194.67.35.255
        ${IPFW} add 7922 deny log ip from 194.67.35.0/24 to any in via any

        # block valueclick mediaplex.com
        # 209.85.157.0 - 209.85.157.255
        # 209.85.3.0 - 209.85.3.255
        ${IPFW} add 7923 deny log ip from 209.85.157.0/24 to any in via any
        ${IPFW} add 7924 deny log ip from 209.85.3.0/24 to any in via any

        # block a.tribalfusion.com tribalfusion.speedera.net
        # 208.185.101.167
        # 64.15.250.0 - 64.15.255.255
        ${IPFW} add 7925 deny log ip from 208.185.101.0/24 to any in via any

        # block admonitor.com 216.136.177.95
        # (the address needs all four octets; a three-part "216.136.0/25"
        # would be read by ipfw as 216.136.0.0/25 and never match)
        ${IPFW} add 7927 deny log ip from 216.136.177.0/25 to any in via any

        # block x10.com 63.211.210.22
        ${IPFW} add 7928 deny log ip from 63.211.210.0/24 to any in via any

        # block valuesponsor.com 203.186.128.71
        # 203.186.128.64 - 203.186.128.79
        ${IPFW} add 7929 deny log ip from 203.186.128.64/29 to any in via any

        # block servedby.advertising.com
        # 209.225.0.6
        # 209.225.4.72
        ${IPFW} add 7930 deny log ip from 209.225.0.0/21 to any in via any

        # block avenuea.com 216.34.88.111
        ${IPFW} add 7931 deny log tcp from 216.34.88.0/24 to any in via any

        # block www.qksrv.net 216.34.209.13
        ${IPFW} add 7932 deny log tcp from 216.34.209.0/24 to any in via any

        # block nextlevel.com 209.17.153.119
        # 209.17.153.112 - 209.17.153.127
        ${IPFW} add 7933 deny log tcp from 209.17.153.112/28 to any in via any

        # block 2o7.net mycomputer.com
        # 64.14.0.0 - 64.14.255.255
        # 64.15.160.0 - 64.15.191.255
        ${IPFW} add 7934 deny log tcp from 64.14.0.0/16 to any in via any
        ${IPFW} add 7935 deny log tcp from 64.15.160.0/19 to any in via any

        # block ad2.linxcz.cz 212.65.220.156
        # 212.65.220.0 - 212.65.220.255
        ${IPFW} add 7936 deny log tcp from 212.65.220.153/29 to any in via any

    fi
} #end of StartService ()

StopService ()
{
    #if pid=$(GetPID ntpd); then
    ConsoleMessage "Stopping ipfw"
    #kill -TERM "${pid}"
    #else
    #echo "ntpd is not running."
    #fi
}

RestartService () { StopService; StartService; }

RunService "$1"

kvm_mkdb
Sep 26, 2002, 05:20 AM
Originally posted by Zim:
I have Order set to Last, and Requiring Extensions and Resolver (something like that, I cannot get to the file at this second to check).


It needs to require NetworkExtensions.

Gary Kerbaugh
Sep 26, 2002, 06:12 AM
All kernel firewalls that I have read about (for LINUX and BSD) require that the rules be added after the kernel boots. MacOS X makes this easy with StartupItems like the one legionare describes. The only issue with these is that they are run during the boot process and thus it is possible that some required services aren't available at runtime. ipfw requires DNS lookup when it runs, even if rules specify only raw IP addresses. (don't ask me why) It is thus necessary for an ipfw StartupItem to run fairly late in the boot process. This is why OrderPreference is often set to "Late" or "Last".

Of course this is a general instruction, so it is also a good idea (probably necessary and possibly sufficient) to specify the services required. As I mentioned, lookup is required so the "Requires" should include "Resolver". Also, the firewall extension is loaded in "NetworkExtensions" so I require this. I suspect this extension is simply a part of Apple's new configuration tool, so it may not be necessary when you use ipfw to configure the firewall. However, waiting for it may help ensure that your script runs sufficiently late in the boot process.

legionare,
I have a couple of suggestions. I've read (and in fact was recently reminded on this list) that your rule 8020 opens your machine to IP spoofing. A packet that says its source is 127.0.0.1 need not really be from your machine. My first two rules are in fact:

# Local loopback interface is open
${IPFW} add 1000 allow ip from any to any via lo0
${IPFW} add 1100 deny all from any to 127.0.0.0/8

Your firewall is based on denying things that you consider "bad". I'm impressed with your list and plan to adopt a number of them. However, I've read recommendations that firewalls focus on allowing all necessary and beneficial traffic in the early rules and then deny all the rest. This requires work in the beginning and probably some packet sniffing to help determine what is necessary. However, it has the long term benefit of protecting you against attacks you may not anticipate.
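To make the spoofing point above concrete, here is a small first-match simulator (added here, not code from the thread) that evaluates legionare's two loopback rules and Gary's replacement pair against a packet that arrives on en0 but claims a 127.0.0.1 destination. It assumes ipfw's ordering semantics only (lowest rule number first, first match wins) and reduces a packet to protocol, addresses, interface and direction; the rulesets and packets are constructed.

```python
import ipaddress

# Constructed rulesets. The first is legionare's loopback pair from the script
# above, the second is Gary's replacement; rule 65535 is the kernel's built-in
# default that 'ipfw list' shows on a fresh boot.
LEGIONARE = """
add 8010 allow all from any to any via lo0
add 8020 allow all from any to 127.0.0.1
add 65535 allow ip from any to any
"""
GARY = """
add 1000 allow ip from any to any via lo0
add 1100 deny all from any to 127.0.0.0/8
add 65535 allow ip from any to any
"""

def parse_rule(line):
    """Parse the ipfw subset used in the thread:
    add N action [log] proto from SRC to DST [in|out] [via IFACE]."""
    tok = line.split()
    i = 4 if tok[3] == "log" else 3          # optional 'log' after the action
    if tok[0] != "add" or tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(f"cannot parse: {line!r}")
    rule = {"num": int(tok[1]), "action": tok[2], "proto": tok[i],
            "src": tok[i + 2], "dst": tok[i + 4], "dir": None, "via": None}
    rest = tok[i + 5:]
    while rest:
        word = rest.pop(0)
        if word in ("in", "out"):
            rule["dir"] = word
        elif word == "via":
            rule["via"] = rest.pop(0)
        else:
            raise ValueError(f"unsupported token {word!r} in {line!r}")
    return rule

def addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is a host or a CIDR block."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", "all", pkt["proto"])
            and rule["dir"] in (None, pkt["dir"])
            and rule["via"] in (None, "any", pkt["iface"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"]))

def evaluate(ruleset, pkt):
    """ipfw semantics: rules are tried in ascending number order and the first
    match decides. Returns (rule number, action)."""
    rules = sorted((parse_rule(l) for l in ruleset.strip().splitlines()),
                   key=lambda r: r["num"])
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; the default rule 65535 is missing")

# Constructed packets: one arriving on the ethernet interface while claiming a
# loopback destination (the spoofing case), and one genuinely on lo0.
SPOOFED = {"proto": "tcp", "src": "10.0.0.5", "dst": "127.0.0.1", "iface": "en0", "dir": "in"}
GENUINE = {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0", "dir": "in"}

if __name__ == "__main__":
    for name, rules in (("legionare", LEGIONARE), ("gary", GARY)):
        print(name, "spoofed ->", evaluate(rules, SPOOFED), "genuine ->", evaluate(rules, GENUINE))
```

With legionare's pair the spoofed packet is accepted by rule 8020, while Gary's pair lets it fall through to the 1100 deny; genuine lo0 traffic is allowed by both.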

Filmo
Sep 26, 2002, 04:29 PM
Originally posted by legionare:
Aight, since I'm so damn proud of my ipfw defense, I can't let another opportunity of showing off slip by. Here are the requisite files:

StartupParameters.plist (super-duper bleeding edge edition)


Thanks for the great info. However, being fairly new to all this, where am I supposed to place this stuff?

I see that in /system/library/StartupItems that there is a list of folders which correspond with various items that will be initiated on startup (Apache, cron, NFS, etc), but I don't seem to have an IPFW folder on my system.

Am I supposed to create one and place the materials you've created into it?

Could you please provide a specific layout for the materials you've provided.

Thanks.

Wevah
Sep 26, 2002, 06:36 PM
You can put them in just /Library/StartupItems (create the folder if it's not already there); that's where my Firewall and MySQL startup scripts are.

Gary Kerbaugh
Sep 26, 2002, 06:43 PM
Originally posted by Filmo:
Thanks for the great info. However, being fairly new to all this, where am I supposed to place this stuff?

There are two places it can go, /System/Library/StartupItems/ and /Library/StartupItems/. The latter is preferable because, I think, it is executed last. Thus it is least susceptible to issues of service availability. The easiest way to get started is to simply duplicate one of the directories, change the name of the copy to ipfw or firewall, change the name of the executable inside to the same, and edit them as we suggest. To get a better understanding, read Apple's how-tos:

http://developer.apple.com/techpubs/macosx/Essentials/SystemOverview/BootingLogin/Customization_Techniques.html
http://www.opensource.apple.com/projects/documentation/howto/html/SystemStarter_HOWTO.html
http://developer.apple.com/techpubs/macosx/Darwin/PortingUNIX/additionalfeatures/Boot_Sequence.html

These are rather complete and excellently written. However, as of Jaguar, they are slightly out of date. Still, it shouldn't be difficult to tell what to do.

legionare
Sep 26, 2002, 09:20 PM
I wonder in which place Apple actually recommends implementing the checks for required services, in the startupitems.plist or in the Firewall script file? Right now I'm checking for "Network" in both places but it's just for FYI purposes and is probably redundant. I'm not sure how to arrange the multiple checks in startupitems.plist. Would "network" go before "resolver"?

<key>Requires</key>
<array>
    <string>Network</string>
    <string>Resolver</string>
</array>

I'm skeptical "NetworkExtensions" is required since we are skipping Apple's NetworkExtensions and calling ipfw directly. I'd love to convert my humongous rulesets though, to Apple firewall's XML plist format and see how "NetworkExtensions" handles it, but converting to XML manually is just too much.

I think I started with the principle of opening up only the ports that one needs. But after many internet apps failed to work (take FTP client connection for example, how'd I implement the rules to open up the wide range of ports for the FTP server to talk back?), even a blacklist-happy person like me got tired and lowered the protection. Heck, if someone can figure out how to spoof loopback, his/her skills are probably way above my league, so I might as well not bother.

I also want to mention I'm very interested in the bandwidth allocation piece (known as "dummynet" and another name) of ipfw that is not implemented in OS X. I copied some sample "dummynet" syntax from the BSD side. Let's just say OS X bootup got pretty ugly and required the three-finger salute to the rescue.

Finally, anyone wants to take a guess what'd happen if I replace

<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">

in my startupitems.plist with the following that I scraped off Apple's mailing list?

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">

Zim
Sep 27, 2002, 09:10 AM
Well I finally discovered that my problem was with the line

if ifconfig -a -u | grep "en0.*RUNNING"; then

I commented this out of my script (called by the startup item) and noticed a 5-second pause in the startup, so it would seem that in 10.2.x the RUNNING status is taking longer than previously to be reported. Removing the check seemed like it could be bad, and the config would blow right on by a system not yet ready, but instead the ipfw commands seemed to wait on their own until the system was ready.

Anyway, my IPFW commands now run at startup. I'm not sure I need all of these dependencies but my plist file is

{
    Description = "Firewall";
    Provides = ("Firewall");
    Requires = ("Network","NetworkExtensions","Resolver");
    Uses = ();
    OrderPreference = "Last";
    Messages =
    {
        start = "Starting Zimmy Firewall";
        stop = "Stopping Zimmy Firewall";
    };
}

and my StartupFile is

#!/bin/sh

##
# Firewall
##

. /etc/rc.common

ConsoleMessage "Starting zimmy Firewall"

logger -i -t "firewallmonitor.sh" "Starting IP monitoring and firewall"

sh /usr/local/sbin/rc.firewall.current > /dev/null

exit 0

where rc.firewall.current is a shell script that contains only ipfw commands.

Mike

kvm_mkdb
Sep 27, 2002, 05:30 PM
Originally posted by Zim:
I'm not sure I need all of these dependencies

You don't. "NetworkExtensions" already depends on "Resolver" and "Network" - but it's harmless having them there.

Filmo
Sep 28, 2002, 06:49 PM
I've been playing around with the setting given above. But now that I'm blocking 'double.click', some pages take an extremely long time to load because they are clearly waiting for a response from the ad server before loading the rest of the page. Essentially, the page waits for the blocked ad.server to timeout before rendering. I know this depends on how the HTML is set up on particular pages, but is there a way to not only block the ad.server, but either spoof or cause IE to recognize that it's been blocked 'quicker' so it can move on with rendering the page instead of waiting for the ad.server time out?

Gary Kerbaugh
Sep 28, 2002, 10:49 PM
Originally posted by Filmo:
Essentially, the page waits for the blocked ad.server to timeout before rendering.

That doesn't surprise me. In fact, I've heard that some won't load at all. Unfortunately, I'm not at my machine right now. However, I recall that there is a Java program that does the spoofing. I saw it referenced in a wonderful MacOSXHints, I believe. The article described how to block ad servers with a NetInfo equivalent of hosts.deny. If you haven't found it by then, I'll post the link when I get home tomorrow night.

Filmo
Sep 29, 2002, 03:47 PM
When using Legionare's settings, I get the following errors in my system log.

####

Sep 29 12:36:50 FCP-G4 mach_kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to accept, logging disabled
Sep 29 12:36:50 FCP-G4 mach_kernel: IP firewall loaded
Sep 29 12:36:50 FCP-G4 ConsoleMessage: Configuring Glau IPFW
Sep 29 12:36:50 FCP-G4 SystemStarter: Unable to load localization strings for /Library/StartupItems/FireWall
Sep 29 12:36:50 FCP-G4 ConsoleMessage: Flushing existing ipfw ruleset
Sep 29 12:36:50 FCP-G4 SystemStarter: Unable to load localization strings for /Library/StartupItems/FireWall
Sep 29 12:36:50 FCP-G4 ConsoleMessage: Starting Glau IPFW
Sep 29 12:36:50 FCP-G4 SystemStarter: Unable to load localization strings for /Library/StartupItems/FireWall
Sep 29 12:36:54 FCP-G4 SystemStarter: Unable to load localization strings for /Library/StartupItems/FireWall
Sep 29 12:36:57 FCP-G4 SystemStarter: Waiting for Firewall
Sep 29 12:37:06 FCP-G4 last message repeated 2 times
Sep 29 12:37:07 FCP-G4 WindowServer[177]: CGXDisableUpdate: Updates disabled by connection 0x5c03 for over 1.000000 seconds
Sep 29 12:37:09 FCP-G4 SystemStarter: Waiting for Firewall
Sep 29 12:37:12 FCP-G4 SystemStarter: Startup complete.

#####

I confess that I'm really quite new at shell scripting, so I have no idea what the 'localization string' is or why it isn't loading. (I removed the 'log' part of the ipfw commands from his list as it seems my system has logging turned off.)

Despite the errors in the system.log, it does seem to install the settings. When I 'sudo ipfw -a list', I get a list of all the correct settings as laid out by Legionare.

Zim
Sep 29, 2002, 06:02 PM
Originally posted by Filmo:
When using Legionare's settings, I get the following errors in my system log.


I believe you are simply missing a "Resources" subdirectory within your Startup item. Simply copy one over from any of the other startup items I think will do the trick.

Mike

legionare
Sep 29, 2002, 06:23 PM
I get that localization error too. The rules still work, so I never bother to do anything about it.

BTW, I use squidGuard on top of squid to deal with partial site blocks, such as a situation where I want to block rmedia.boston.com/ads, but not the rest of boston.com. It may be an overkill.

There's an ads-filtering proxy listed on VT: Privoxy 3.0.0 - Local proxy to filter out banner ads, manage cookies, & more.

http://www.versiontracker.com/moreinfo.fcgi?id=15049&db=mac

There's also java-based Muffin, which I used at one point to daisy-chain to squid, but squidGuard replaces it now.

Filmo
Sep 29, 2002, 10:48 PM
Originally posted by Zim:
I believe you are simply missing a "Resources" subdirectory within your Startup item.

Mike

Don't know what you mean specifically as I'm not familiar with shell scripting, but if you mean

'. /etc/rc.common'

It's there at the top of the script. I looked at a couple of others (MySQL, WebMin) and it didn't look much different at the top of the script.

Gary Kerbaugh
Sep 30, 2002, 03:43 AM
Originally posted by Filmo:
Don't know what you mean specifically as I'm not familiar with shell scripting, but if you mean

The link I promised that presents an alternative method for blocking ad servers and a link to the java app, eDexter, that spoofs ad servers is:

http://www.macwrite.com/criticalmass/mac-os-x-hosts-revisited.php

Oh, "directory" is the UNIX word for what classic Mac called a "Folder". If you look in any StartupItem "Folder" you will see that they all contain a "Subfolder" named "Resources". Borrow one.

Zim
Sep 30, 2002, 08:40 AM
Originally posted by Filmo:
Don't know what you mean specifically as I'm not familiar with shell scripting, but if you mean

'. /etc/rc.common'

It's there at the top of the script. I looked at a couple of others (MySQL, WebMin) and it didn't look much different at the top of the script.

No, I mean that in your /System/Library/StartupItems/Firewall directory, you need to have a Resources subdirectory:

zimmy:Library/StartupItems/Firewall >dir
total 8
drwxrwxrwx 5 zimmy wheel 170 Aug 7 23:00 ./
drwxr-xr-x 36 root wheel 1224 Aug 7 23:00 ../
-rwxr-xr-- 1 zimmy wheel 366 Sep 26 16:03 Firewall*
drwxrwxrwx 3 zimmy wheel 102 Sep 4 23:15 Resources/
-rw-r--r-- 1 zimmy wheel 281 Sep 26 15:51 StartupParameters.plist

You can copy that over from any of the other directories in StartupItems if you want the errors to go away. As someone else pointed out, this may not be keeping your rules from being used; it's just complaining that it can't find the Localization strings.

Mike
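The layout the thread converges on (a folder whose executable shares its name, a StartupParameters.plist with Provides/Requires, and the Resources subdirectory whose absence produces the "Unable to load localization strings" messages) can be checked mechanically. The following audit script is added here and is not from the thread or from Apple; the sample plist and script body it builds are constructed stand-ins, and the "Network" requirement it insists on is the thread's recommendation, not a SystemStarter rule.

```python
import os
import plistlib
import stat
import tempfile
from xml.parsers.expat import ExpatError

# Constructed StartupParameters.plist modelled on the XML one posted above;
# only the Provides/Requires/OrderPreference values come from the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Description</key><string>IPFW</string>
    <key>Provides</key><array><string>Firewall</string></array>
    <key>Requires</key><array><string>Network</string></array>
    <key>OrderPreference</key><string>Last</string>
</dict>
</plist>
"""

def check_startup_item(item_dir):
    """Return the problems found in one StartupItem folder; [] means it has
    the layout the thread describes (executable named after the folder, a
    parseable StartupParameters.plist, and a Resources/ subdirectory)."""
    problems = []
    name = os.path.basename(os.path.normpath(item_dir))
    script = os.path.join(item_dir, name)
    if not os.path.isfile(script):
        problems.append(f"no executable named {name!r} inside the folder")
    elif not os.stat(script).st_mode & stat.S_IXUSR:
        problems.append(f"{name} is present but not executable")
    try:
        with open(os.path.join(item_dir, "StartupParameters.plist"), "rb") as fh:
            params = plistlib.load(fh)          # XML plist only; old-style braces fail here
    except (OSError, ExpatError, plistlib.InvalidFileException) as exc:
        problems.append(f"StartupParameters.plist unreadable: {exc}")
    else:
        for key in ("Provides", "Requires"):
            if not params.get(key):
                problems.append(f"StartupParameters.plist has no non-empty {key!r} array")
        if "Network" not in params.get("Requires", []):
            problems.append("Requires does not list 'Network'; rules may load before networking is up")
    if not os.path.isdir(os.path.join(item_dir, "Resources")):
        problems.append("no Resources/ subdirectory; SystemStarter logs "
                        "'Unable to load localization strings' without it")
    return problems

def build_sample_item(root, with_resources=True):
    """Create a constructed Firewall StartupItem under root; returns its path."""
    item = os.path.join(root, "Firewall")
    os.makedirs(os.path.join(item, "Resources") if with_resources else item)
    script = os.path.join(item, "Firewall")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n. /etc/rc.common\n")   # stand-in body, not a real ruleset
    os.chmod(script, 0o755)
    with open(os.path.join(item, "StartupParameters.plist"), "wb") as fh:
        fh.write(SAMPLE_PLIST)
    return item

def audit_sample(with_resources=True):
    """Build a throwaway sample item in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        return check_startup_item(build_sample_item(root, with_resources))

if __name__ == "__main__":
    print("complete item:", audit_sample(True) or "OK")
    print("without Resources/:", audit_sample(False))
```

Point check_startup_item at a real folder such as /Library/StartupItems/Firewall to audit an existing item.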