01.30.06

Mac OS X firewall

Posted in Mac at 21:10 by djn

Using the built-in preference pane for managing the Mac OS X 10.4 firewall is adequate for simple things, like opening service-specific ports. But when a bit more control is wanted, like allowing some traffic only from specific subnets, the preference pane just doesn't cut it.

Luckily, the firewall is controlled with the ipfw command, so it can be configured directly. Disabling the firewall in the preference pane and then using a script like this one:


djn:~ djn$ cat /sw/etc/firewall
#!/bin/sh
# Rebuild the ipfw rule set from scratch; started at boot by daemonic.

IPFW='/sbin/ipfw -q'

# Site-specific networks (the address parts were left out of the posted copy).
AUBNET=/24
HOME=
PRIV=192.168.0.0/16

$IPFW -f flush

# Loopback is unrestricted; loopback or multicast addresses arriving on other interfaces are bogus.
$IPFW add 2000 allow ip from any to any via lo*
$IPFW add 2010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 2020 deny log ip from any to 127.0.0.0/8 in
$IPFW add 2030 deny log ip from 224.0.0.0/3 to any in
$IPFW add 2040 deny log tcp from any to 224.0.0.0/3 in
# Outgoing TCP and replies belonging to existing connections.
$IPFW add 2050 allow log tcp from any to any out
$IPFW add 2060 allow log tcp from any to any established
# Inbound services open to everyone.
$IPFW add 2070 allow log tcp from any to any dst-port 22 in
$IPFW add 2080 allow log tcp from any to any dst-port 8080 in
$IPFW add 2090 allow log tcp from any to any dst-port 6881-6999 in
$IPFW add 2100 allow log tcp from any to any dst-port 80 in
$IPFW add 2110 allow log tcp from any to any dst-port 427 in
$IPFW add 2120 allow log tcp from any to any dst-port 443 in
# SMB (139) only from the trusted subnets; this is what the preference pane cannot express.
$IPFW add 2130 allow log tcp from $AUBNET to any dst-port 139 in
$IPFW add 2131 allow log tcp from $HOME to any dst-port 139 in
$IPFW add 2132 allow log tcp from $PRIV to any dst-port 139 in
$IPFW add 2140 allow log tcp from any to any dst-port 5900-5910 in
# Everything else over TCP is dropped, and so are ping (echo) requests. Other
# protocols, UDP among them, match nothing here and fall through to ipfw's default rule.
$IPFW add 12190 deny log tcp from any to any
$IPFW add 20000 deny log icmp from any to me in icmptypes 8
djn:~ djn$

along with daemonic from Fink, with a configuration file like this one:


djn:~ djn$ cat /sw/etc/daemons/firewall.xml

Firewall
djns modified firewall

/sw/etc/firewall

djn:~ djn$

then running sudo daemonic enable firewall and checking that the startup item was created in /Library/StartupItems/, like this:


djn:~ djn$ ll /Library/StartupItems/daemonic-firewall/
total 8
-rw-r--r--    1 root     wheel         289 Jan 30 15:45 StartupParameters.plist
-rwxr-xr-x    1 root     wheel         279 Jan 30 15:45 daemonic-firewall
djn:~ djn$

and everything should work fine. Reboot to check it :). Running sudo ipfw list shows the rule set currently loaded into the firewall.
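As an added check (my own example, not part of the original post), here is a small Python evaluator for the subset of ipfw syntax the script above uses: it walks a packet through the rules in number order, the way ipfw does, so you can see which rule a given packet hits before rebooting. The subnets and the host address ME are constructed placeholders, and the trailing rule 65535 stands in for ipfw's default rule. It also makes visible what the script leaves open: an inbound UDP packet matches nothing before 65535.

```python
import ipaddress
# Constructed rule set in the page's ipfw syntax; the AUBNET/HOME subnets and ME
# (this host) are placeholders. 65535 is the default rule when nothing matches.
RULES = """
2050 allow log tcp from any to any out
2060 allow log tcp from any to any established
2070 allow log tcp from any to any dst-port 22 in
2130 allow log tcp from 10.1.1.0/24 to any dst-port 139 in
2132 allow log tcp from 192.168.0.0/16 to any dst-port 139 in
12190 deny log tcp from any to any
20000 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any
"""
ME = "10.1.1.42"

def parse(line):
    """Parse 'NUM ACTION [log] PROTO from SRC to DST [options...]' into a dict."""
    t = [w for w in line.split() if w != "log"]  # logging does not affect matching
    opts, i = {}, 7
    while i < len(t):
        if t[i] in ("in", "out", "established"):  # flag options
            opts[t[i]], i = True, i + 1
        else:  # dst-port and icmptypes each take one argument
            opts[t[i]], i = t[i + 1], i + 2
    return {"num": int(t[0]), "action": t[1], "proto": t[2],
            "src": t[4], "dst": t[6], "opts": opts}

def addr_ok(spec, addr):
    """Match an address against 'any', 'me' or a CIDR prefix."""
    net = {"any": "0.0.0.0/0", "me": ME + "/32"}.get(spec, spec)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, p):
    """True when packet dict p satisfies every field and option of rule r."""
    o = r["opts"]
    lo, _, hi = o.get("dst-port", "0").partition("-")
    return (r["proto"] in ("ip", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and ("in" not in o or p["dir"] == "in")
            and ("out" not in o or p["dir"] == "out")
            and ("established" not in o or p.get("established", False))
            and ("dst-port" not in o or int(lo) <= p.get("dport", 0) <= int(hi or lo))
            and ("icmptypes" not in o or p.get("icmptype") == int(o["icmptypes"])))

def first_match(p):
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for r in (parse(l) for l in RULES.strip().splitlines()):
        if matches(r, p):
            return r["num"], r["action"]
```

Feed it the packets you care about (inbound SSH, SMB from inside and outside the trusted subnets, a UDP datagram, a ping) and compare the rule number it returns with what you expected from the script.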

1 Comment

  1. [...] As explained here, I am using a custom setup for my firewall on my Mac at work. It had the odd habit of freezing the machine when I had an update to the script. And I finally figured out why! [...]
