Firewall configuration for OS X.3

Introduction

Mac OS X's firewall is included in both the Client and Server versions of the operating system, though with different configuration interfaces. OS X is based on BSD, so it is not surprising that the firewall is a BSD application, in this case ipfw. By default ipfw is stateless, but with the "keep-state" option it can be made stateful.

OS X.3 Client offers a basic graphical configuration interface that lets you turn the firewall on and off and selectively allow simple services, including file sharing, web serving and SSH. More sophisticated configuration must be done from the command line.

The graphical interface for ipfw on OS X.3 Server is far more powerful, allowing configuration of nearly all the options available using the command line. The screenshots and descriptions below refer to this interface.

Apple's network services documentation (PDF) contains more detailed information on the OS X.3 Server firewall while MacEnterprise.org has an article on GUI firewall tools for OS X clients.

Graphical interface

Firewall configuration under OS X.3 Server is done using the "Firewall" section in the /Applications/Server/Server Admin tool.

The "Overview" tab allows you to view the current firewall ruleset.

Screenshot of OS X.3 firewall GUI

Selecting the "Log" tab shows the firewall logs. Changing the log settings is done from the "Settings" and "Logging" tab combination.

Screenshot of OS X.3 firewall GUI

Under "Settings", the "General" tab allows configuration of common services to be allowed or denied. This can be done for an individual IP address, a network address group, or "any" network address.  Address groups can be created using lists of IP addresses, network ranges, or both.

Screenshot of OS X.3 firewall GUI

The "Advanced" tab allows you to configure the firewall for services not listed under "General". You can manually enter the action (allow, deny), the protocol (TCP, UDP, Other), the service, and the source and destination ports and addresses.

Command line interface

ipfw has a command line interface that is used to enter firewall rules in the format of:

[prob match_probability] action [log [logamount number]] proto from src to dst [interface-spec] [options]

Each packet can be filtered based on:

  • Transmit and receive interface, referenced by name or address
  • Direction of packet, whether inbound or outbound
  • Source and destination, specified by address or netmask
  • Source and destination port
  • Protocol, generally one of TCP, UDP or ICMP

"prob" can allow matches to be made based on a probability and is not used much in practice. It could be useful if you wanted to drop packets randomly for some reason.

"action" can be one of:

  • allow - Allow packets matching this rule, and terminate parsing of rules. You can also use pass, permit and accept as aliases for allow.
  • deny - Discard packets matching this rule and terminate. Drop can be used as an alias for deny.
  • reject - Discard packet and send a host unreachable ICMP packet in return. This is used commonly with the Linux firewall but is deprecated in ipfw.
  • unreach - Discard packets and send an ICMP unreachable notice with a code number, where code is a number from 0-255 or an alias for one of the code numbers. unreach is now used in place of reject.
  • check-state - Checks the packet against a dynamic rule. If a match is found, the search terminates.

There are other actions, but these are the most common ones. Typing "man ipfw" at an OS X command prompt will bring up the manual page listing all the options.

"proto" should be an IP protocol specified either by number or name (as listed in /etc/protocols). Using "ip" or "all" here will match all protocols.

"from" and "to" refer to IP addresses and may be specified as:

  • A single IP number which will only match the exact number.
  • An IP number with a mask in the form of 1.2.3.4/24, which will match 1.2.3.0 through to 1.2.3.255.
  • An IP number with a mask in the form of 1.2.3:255.255.240.0, which will match 1.2.0.0 through to 1.2.15.255.

"not" can be used to match the inverse, and a port number or range may be included when matching the TCP and UDP protocols.

"interface-spec" can include:

  • in - To only match incoming packets
  • out - To only match outgoing packets
  • via - In conjunction with an interface, to match packets going through that interface

OS X uses ipfw without modification, though it does offer a GUI interface to configure the firewall. The Client operating system includes a basic interface for configuration of common services, while the Server version offers a wide variety of configuration options including:

  • One-click allow or deny of common network services
  • The ability to apply rules to groups of related machines
  • Easy modification of logging rules and locations

To create an ipfw firewall, you should save your firewall rules in /etc/ipfw.conf and load them with the command ipfw -q /etc/ipfw.conf.

OS X Server lets you start and stop the firewall with serveradmin start ipfilter and serveradmin stop ipfilter.

ipfw list displays the current rules, including any dynamic rules created to retain state.

Example server configurations

Server one

A firewall configuration for a server with a single ethernet connection offering:

  • SSH - Unrestricted inbound and outbound via any interface
  • HTTP, HTTPS - unrestricted
  • SMB, AFP - access for the 128.250.0.0/16 range only
  • Unrestricted outbound traffic
  • Logging for any rejected traffic

# Flush all rules
flush 

# Add stateful behaviour and allow established connections
add check-state 

# Allow all loopback (lo0) traffic
# Drop all traffic to 127/8 that doesn't use lo0
add allow ip from any to any via lo0
add drop ip from any to 127.0.0.0/8 

# Allow DNS
add allow udp from any to any 53 out keep-state
add allow tcp from any to any 53 out keep-state 

# Allow NTP
add allow udp from any to any ntp out keep-state 

# Allow inbound and outbound SSH
add allow tcp from any to any ssh keep-state 

# Allow HTTP, HTTPS
add allow tcp from any to any http
add allow tcp from any to any https 

# Allow SMB file sharing to 128.250. range
add allow udp from 128.250.0.0/16 to any 137-138
add allow tcp from 128.250.0.0/16 to any 139
add allow tcp from 128.250.0.0/16 to any 445 

# Allow Apple file sharing to 128.250. range
add allow udp from 128.250.0.0/16 to any 548
add allow tcp from 128.250.0.0/16 to any 548 

# Allow all outbound traffic
add allow all from any to any out keep-state 

# Reject and log all remaining traffic
add reject log all from any to any

Server two

A firewall configuration for a server with dual ethernet connections offering:

  • SSH - Unrestricted inbound and outbound via any interface
  • SMTP - interface en0 only
  • POP3, IMAP, POP3S, IMAPS - interface en1 only
  • Unrestricted outbound traffic
  • Logging for any rejected traffic

# Flush all rules
flush

# Add stateful behaviour and allow established connections
add check-state 

# Allow all loopback (lo0) traffic
# Reject all traffic to 127/8 that doesn't use lo0
add allow ip from any to any via lo0
add reject ip from any to 127.0.0.0/8 

# Allow DNS
add allow udp from any to any 53 out keep-state
add allow tcp from any to any 53 out keep-state 

# Allow NTP
add allow udp from any to any ntp out keep-state 

# Allow inbound and outbound SSH
add allow tcp from any to any ssh keep-state 

# Allow inbound access to smtp via first ethernet device 
add allow tcp from any to any smtp in via en0 

# Allow access to other mail services via second ethernet device
add allow tcp from any to any pop3 in via en1
add allow tcp from any to any imap in via en1
add allow tcp from any to any pop3s in via en1
add allow tcp from any to any imaps in via en1 

# Allow all outbound traffic
add allow all from any to any out keep-state 

# Reject and log all remaining traffic
add reject log all from any to any
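As an added example (not part of the original page, and not Apple's or ipfw's own code), the following Python script parses rules written in the "action proto from src to dst [interface-spec] [options]" form described in the command line section, converts the address/mask notations shown there ("1.2.3.4/24" and "1.2.3:255.255.240.0") into address ranges, and lints a ruleset for the properties both example configurations above rely on: a check-state rule before the first keep-state rule, a logged catch-all deny at the end, and use of the deprecated reject action. It handles only the IPv4 subset of the grammar used on this page (no prob, no port lists); the embedded SAMPLE_RULESET is a copy of the Server two configuration, and the function names and message strings are this example's own.

```python
import ipaddress

# Keywords that may follow the destination address; any other token there is a port.
OPTION_KEYWORDS = {"in", "out", "via", "xmit", "recv", "keep-state", "setup", "established"}
DENY_ACTIONS = {"deny", "drop", "reject", "unreach"}
ANY = ipaddress.ip_network("0.0.0.0/0")

MSG_NO_CHECK_STATE = "no check-state rule precedes the first keep-state rule"
MSG_NO_CATCH_ALL = "ruleset does not end with a catch-all deny for all protocols"
MSG_UNLOGGED_CATCH_ALL = "the final catch-all deny rule is not logged"
MSG_REJECT = "rule {} uses 'reject', which ipfw deprecates; use 'unreach' or 'deny'"

# Constructed sample: the "Server two" ruleset from above, embedded so this runs offline.
SAMPLE_RULESET = """\
flush
add check-state
add allow ip from any to any via lo0
add reject ip from any to 127.0.0.0/8
add allow udp from any to any 53 out keep-state
add allow tcp from any to any 53 out keep-state
add allow udp from any to any ntp out keep-state
add allow tcp from any to any ssh keep-state
add allow tcp from any to any smtp in via en0
add allow tcp from any to any pop3 in via en1
add allow tcp from any to any imap in via en1
add allow tcp from any to any pop3s in via en1
add allow tcp from any to any imaps in via en1
add allow all from any to any out keep-state
add reject log all from any to any
"""


def addr_spec_to_network(spec):
    """Turn "any", "1.2.3.4", "1.2.3.4/24" or "1.2.3:255.255.240.0" into an IPv4Network."""
    if spec == "any":
        return ANY
    if ":" in spec:
        addr, mask = spec.split(":", 1)
    elif "/" in spec:
        addr, mask = spec.split("/", 1)
    else:
        addr, mask = spec, "32"
    # ipfw pads a short dotted address such as 1.2.3 with zero octets
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    # strict=False clears the host bits, so 1.2.3.4/24 becomes 1.2.3.0/24
    return ipaddress.ip_network(f"{'.'.join(octets)}/{mask}", strict=False)


def parse_rule(line):
    """Parse one 'add ...' line into a dict; comments, blank lines and 'flush' give None."""
    tokens = line.split()
    if not tokens or tokens[0] != "add":
        return None
    rule = {"number": None, "action": None, "log": False, "proto": None,
            "src": None, "sport": None, "dst": None, "dport": None,
            "negated": False, "options": []}
    i = 1
    if tokens[i].isdigit():                # optional explicit rule number
        rule["number"] = int(tokens[i])
        i += 1
    rule["action"] = tokens[i]
    i += 1
    if rule["action"] == "check-state":    # check-state takes no packet pattern
        return rule
    if tokens[i] == "log":
        rule["log"] = True
        i += 1
    rule["proto"] = tokens[i]
    i += 1
    for side, keyword in (("src", "from"), ("dst", "to")):
        if tokens[i] != keyword:
            raise ValueError(f"expected '{keyword}' in: {line}")
        i += 1
        if tokens[i] == "not":             # 'not' inverts the address match
            rule["negated"] = True
            i += 1
        rule[side] = addr_spec_to_network(tokens[i])
        i += 1
        # an optional port (or range such as 137-138) may follow the address
        if i < len(tokens) and tokens[i] != "to" and tokens[i] not in OPTION_KEYWORDS:
            rule["sport" if side == "src" else "dport"] = tokens[i]
            i += 1
    rule["options"] = tokens[i:]
    return rule


def lint_ruleset(text):
    """Check a ruleset for the ordering and coverage mistakes the examples above avoid."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    findings = []

    def positions(pred):
        return [n for n, r in enumerate(rules, 1) if pred(r)]

    keep = positions(lambda r: "keep-state" in r["options"])
    check = positions(lambda r: r["action"] == "check-state")
    # Dynamic rules are consulted at the first check-state, so it must precede keep-state.
    if keep and (not check or check[0] > keep[0]):
        findings.append(MSG_NO_CHECK_STATE)
    last = rules[-1] if rules else None
    catch_all = bool(last) and last["action"] in DENY_ACTIONS and last["proto"] in ("ip", "all") \
        and last["src"] == ANY and last["dst"] == ANY and not last["negated"] \
        and last["dport"] is None and not last["options"]
    if not catch_all:
        findings.append(MSG_NO_CATCH_ALL)
    elif not last["log"]:
        findings.append(MSG_UNLOGGED_CATCH_ALL)
    for n in positions(lambda r: r["action"] == "reject"):
        findings.append(MSG_REJECT.format(n))
    return findings


if __name__ == "__main__":
    for finding in lint_ruleset(SAMPLE_RULESET) or ["no findings"]:
        print(finding)
```

Run against the Server two ruleset, the linter reports only the two reject rules, since the configuration already places check-state first and ends with a logged catch-all; pointing it at a draft /etc/ipfw.conf before loading it with ipfw -q is a cheap way to catch a missing check-state or an unlogged final rule before the ruleset is live.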
Contact LAN Server Group