Apple: "If it ain't broke, don't fix it".
Solution: I went back to ipfw. I sure wish Tiger's ipfw front-end GUI was available through some preference pane!
a) Disable the system firewall (Allow all incoming connections)
b) Create /Library/LaunchDaemons/ipfw_firewall.plist so launchd runs the script once at boot, as root. launchd will not load a daemon plist that is not owned by root:wheel or that is group/world-writable, so chown root:wheel and chmod 644 the file, then load it without rebooting with sudo launchctl load /Library/LaunchDaemons/ipfw_firewall.plist and confirm the rules took with sudo ipfw list.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ipfw_firewall</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/etc/ipfw_firewall.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>root</string>
    <key>GroupName</key>
    <string>wheel</string>
</dict>
</plist>
c) Create /usr/local/etc/ipfw_firewall.sh and /etc/ipfw.conf (both are listed under Reference at the bottom of this message) and make the script executable (chmod 755), or launchd will fail to run it.
d) Modify /etc/syslog.conf so that ipfw messages (syslog facility local0, the last entry below) go to a separate /var/log/ipfw.log instead of being mixed into system.log, then send syslogd a HUP (sudo killall -HUP syslogd) so it rereads the file:
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit	/dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit	/var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit	/dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publicly-readable
# files.
auth,authpriv.*;remoteauth.crit	/var/log/secure.log

lpr.info	/var/log/lpr.log
mail.*	/var/log/mail.log
ftp.*	/var/log/ftp.log
netinfo.err	/var/log/netinfo.log
install.*	/var/log/install.log
install.*	@127.0.0.1:32376
local0.*	/var/log/ipfw.log

*.emerg	*
Reference: the two files from step (c).

/usr/local/etc/ipfw_firewall.sh
#!/bin/sh
#
# Boot Script for firewall
#

#
# CONSTANTS
#
IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl

#
# Required startup script statements
#
. /etc/rc.common
ConsoleMessage "Configuring Firewall"

#
# Enable logging to /var/log/ipfw.log
# ipfwloggerd relays the kernel's ipfw log messages to syslog; a non-zero
# verbose turns logging on, and verbose_limit caps the number of packets
# logged per rule (a per-rule logamount in ipfw.conf overrides it).
#
/usr/libexec/ipfwloggerd
$SYSCTL -w net.inet.ip.fw.verbose=2
$SYSCTL -w net.inet.ip.fw.verbose_limit=100

#
# Enable Blackholes: drop any TCP segment to a closed port without a RST
# (1 would drop only SYNs) and drop UDP to closed ports without an ICMP
# port unreachable, so a port scan gets no reply at all.
#
$SYSCTL -w net.inet.tcp.blackhole=2
$SYSCTL -w net.inet.udp.blackhole=1

#
# Purge existing rules, this blanks any existing rules
# (only the built-in default rule 65535 survives a flush)
#
$IPFW -f flush

#
# Load rule set from /etc/ipfw.conf
#
$IPFW -q /etc/ipfw.conf
/etc/ipfw.conf
####################
# Localhost Settings
####################

# Allow everything on the localhost (127.0.0.1)
add 00100 set 0 allow ip from any to any via lo*

# Prevent spoofing attacks via localhost
add 00200 set 0 deny log all from 127.0.0.0/8 to any in
add 00201 set 0 deny log all from any to 127.0.0.0/8 in
add 00202 set 0 deny log ip from 224.0.0.0/3 to any in
add 00203 set 0 deny log tcp from any to 224.0.0.0/3 in

##############################################################
# ip-options
# (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
##############################################################
add 00250 set 0 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr

############################################
# Allow outbound TCP, UDP & ICMP keep-state
############################################
# check-state must come first: packets that belong to a connection one of
# the keep-state rules below has recorded are accepted here, so the
# 'established' deny only ever sees TCP segments with no tracked connection.
add 00300 set 1 check-state
add 00301 set 1 deny log all from any to any frag in
add 00302 set 1 deny log tcp from any to any established
add 00303 set 1 allow tcp from me to any out setup keep-state
add 00304 set 1 allow udp from me to any out keep-state
add 00305 set 1 allow icmp from any to any out keep-state

# Allow traceroute out for diagnostics
add 00307 set 1 allow udp from me to any 33434-33525 out keep-state
add 00308 set 1 allow log udp from any to any 33434-33525 in keep-state

# Prevent spoofing attacks
add 00309 set 1 deny log ip from me to me in keep-state

# Deny inbound NetBIOS traffic which just clogs up the logs
add 00311 set 1 deny tcp from any to any 137,138,139 in setup keep-state
add 00312 set 1 deny udp from any to any 137,138,139 in keep-state

# Prevent ident requests
add 00313 set 1 deny log tcp from any to me 113 in setup keep-state

# Attempt to prevent OS fingerprinting; port 0 is commonly used for fingerprinting purposes
add 00314 set 1 deny log tcp from any to any 0 in setup keep-state
add 00315 set 1 deny log udp from any to any 0 in keep-state

######################################
# DNS, Rendezvous, DHCP & NTP Services
######################################

# Allow DNS
add 00400 set 2 allow tcp from any to any 53 out setup keep-state
add 00401 set 2 allow udp from any to any 53 out keep-state

# Allow Rendezvous packets (mDNS Responder)
add 00402 set 2 allow udp from any 5353 to any in keep-state
# Multicast packet required by Rendezvous
add 00403 set 2 allow ip from any to 224.0.0.251 out keep-state

# Allow DHCP
add 00500 set 2 allow udp from any 68 to any 67 out keep-state
add 00501 set 2 allow log udp from any 67 to any dst-port 68 in keep-state

# Allow NTP
add 00600 set 2 allow udp from any to any 123 out keep-state
add 00601 set 2 allow tcp from any to any 123 out setup keep-state

##################
# Services Inbound
##################

# Allow SSH inbound (the count rule just logs every connection attempt)
add 00700 set 3 count log tcp from any to any dst-port 22 in setup
add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state

# Allow TCP 2456 inbound
add 00710 set 3 allow log tcp from any to any dst-port 2456 in setup keep-state

# Allow TCP 6881 inbound
add 00720 set 3 allow log tcp from any to any dst-port 6881 in setup keep-state

# Deny any TCP setup requests from the outside world
add 00800 set 3 deny log tcp from any to any setup in keep-state

######
# ICMP
######

# Deny ICMP
# Note: types 3 (unreachable, which includes 'fragmentation needed') and
# 11 (time exceeded) are what path-MTU discovery and the traceroute rules
# above depend on. ICMP errors do not match the TCP/UDP dynamic rules, so
# check-state will not pass them either; expect traceroute to show only
# stars and PMTU discovery to fail while this rule is in place.
add 00900 set 4 deny log icmp from any to me in icmptypes 0,3,4,8,11,12

# Deny external ICMP redirect requests
add 00901 set 4 deny log icmp from any to any icmptypes 5 in keep-state

# Silent block on router advertisements
add 00902 set 4 deny log icmp from any to any icmptypes 9

# Drop all other ICMP
add 00903 set 4 deny log icmp from any to any

#########
# Cleanup
#########

# Default deny rule. Mac OS X's built-in rule 65535 is 'allow ip from any
# to any', so this explicit catch-all is what makes the set default-deny;
# logamount 500 caps its log output independently of verbose_limit.
add 10000 set 5 deny log logamount 500 all from any to any
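Once the log is in its own file, the useful question is which rules are actually firing and whether any of them has stopped logging. The script below is an added example, not code from the original post: it summarises an ipfw log by rule and action, lists the inbound denies by destination port and by source, and flags rules that have used up their logamount. It assumes the FreeBSD-derived kernel log format that ipfw writes and syslog relays (rule number, action, protocol, source, destination, direction, interface; ICMP entries carry no ports and spell the protocol as ICMP:type.code), with the "ipfw[pid]:" prefix optional. The wording of the "limit N reached on entry R" notice is an assumption, and SAMPLE_LOG is constructed for the demonstration using RFC 5737 documentation addresses.

```python
#!/usr/bin/env python3
"""Summarise an ipfw log such as /var/log/ipfw.log.

Added example, not code from the original post. Assumed record format
(one per line, as the FreeBSD-derived ipfw kernel code writes it):

  <date> <host> ipfw[<pid>]: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>

ICMP records have no ports and write the protocol as ICMP:<type>.<code>.
When a rule reaches its logamount (or net.inet.ip.fw.verbose_limit) the
kernel logs "limit <n> reached on entry <rule>" and stops logging for that
rule until 'ipfw resetlog'; the exact wording of that line is assumed here.
"""
import re
import sys
from collections import Counter

RECORD_RE = re.compile(
    r"ipfw(?:\[\d+\])?: (?P<rule>\d+) (?P<action>[A-Za-z]+) "
    r"(?P<proto>[A-Z]+(?::[\d.]+)?) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
LIMIT_RE = re.compile(
    r"ipfw(?:\[\d+\])?: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)"
)

# Constructed sample: an SSH attempt counted by rule 700, SMB/RDP probes
# denied by rule 800, a ping denied by rule 900, SIP denied by the
# catch-all, and the catch-all exhausting its logamount of 500.
SAMPLE_LOG = """\
Mar  3 08:15:01 mac ipfw[85]: 700 Count TCP 203.0.113.9:51234 192.0.2.10:22 in via en0
Mar  3 08:15:01 mac ipfw[85]: 800 Deny TCP 203.0.113.9:51235 192.0.2.10:445 in via en0
Mar  3 08:15:02 mac ipfw[85]: 800 Deny TCP 203.0.113.9:51236 192.0.2.10:445 in via en0
Mar  3 08:15:02 mac ipfw[85]: 800 Deny TCP 198.51.100.7:40000 192.0.2.10:3389 in via en0
Mar  3 08:15:03 mac ipfw[85]: 900 Deny ICMP:8.0 198.51.100.7 192.0.2.10 in via en0
Mar  3 08:15:04 mac ipfw[85]: 10000 Deny UDP 198.51.100.7:5060 192.0.2.10:5060 in via en0
Mar  3 08:15:05 mac ipfw[85]: limit 500 reached on entry 10000
"""


def parse_line(line):
    """Return a dict for a packet record, a dict with 'limit_rule' and
    'limit' for a limit-reached notice, or None for unrelated syslog lines."""
    m = RECORD_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        for port in ("sport", "dport"):
            rec[port] = int(rec[port]) if rec[port] is not None else None
        return rec
    m = LIMIT_RE.search(line)
    if m:
        return {"limit_rule": int(m["rule"]), "limit": int(m["limit"])}
    return None


def summarise(log_text):
    """Count hits per (rule, action), inbound denies by (proto, dport) and
    by source address, and collect rules whose logging has been exhausted."""
    hits, denied_ports, denied_sources, exhausted = Counter(), Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "limit_rule" in rec:
            exhausted[rec["limit_rule"]] = rec["limit"]
            continue
        hits[(rec["rule"], rec["action"])] += 1
        if rec["action"] == "Deny" and rec["dir"] == "in":
            denied_sources[rec["src"]] += 1
            if rec["dport"] is not None:
                denied_ports[(rec["proto"], rec["dport"])] += 1
    return {"hits": hits, "denied_ports": denied_ports,
            "denied_sources": denied_sources, "exhausted": exhausted}


def report(summary):
    """Render the summary as plain text, one line per finding."""
    lines = ["rule  action  hits"]
    for (rule, action), n in sorted(summary["hits"].items()):
        lines.append(f"{rule:5d} {action:7s} {n:4d}")
    lines.append("inbound denies by destination port:")
    for (proto, port), n in summary["denied_ports"].most_common():
        lines.append(f"  {proto}/{port}: {n}")
    lines.append("inbound denies by source:")
    for src, n in summary["denied_sources"].most_common():
        lines.append(f"  {src}: {n}")
    for rule, limit in sorted(summary["exhausted"].items()):
        lines.append(f"rule {rule} hit its logamount of {limit}; "
                     "run 'ipfw resetlog' to resume logging")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ipfw_summary.py /var/log/ipfw.log  (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarise(text)))
```

Two things to read off the output: a rule that shows up only under "hit its logamount" has gone quiet, not idle, so a drop in denies after that line means nothing until you run ipfw resetlog; and the count rule 700 is the only record of SSH attempts, because the allow rule 701 does not log.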