#!/bin/sh
#
#######################################################################
# Firewall startup script for Mac OS X 10 #
# Requirements: Mac OS X 10.2 or newer #
# By Fredrik Jonsson <mailto(colon)fredrik(at)combonet(dot)se> #
# Home page: <http://xdeb.org/wiki/Firewall> #
# Date: 2004-07-05 #
# The resources I have found most helpful are: #
# <http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO> #
# <http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO> #
# <http://www.afp548.com/Articles/system/natserver.html> #
# <http://www3.sympatico.ca/dccote/firewall.html> #
# <http://www.sial.org/howto/osx/firewall/> #
# <http://www.macosxhints.com/article.php?story=20030830130455582> #
# Dru Lavigne <http://www.onlamp.com/pub/ct/15> #
# BrickHouse <http://brianhill.dyndns.org/> #
# Port numbers from: #
# <http://www.iana.org/assignments/port-numbers> #
# <http://www.akerman.ca/port-table.html> #
# <http://docs.info.apple.com/article.html?artnum=106439> #
#######################################################################
# Pull in the Mac OS X startup-item helpers (ConsoleMessage,
# CheckForNetwork, RunService, ...) shared by every /Library/StartupItems script.
. /etc/rc.common
############################################################
## Site-specific settings - edit these three values ##
############################################################
# ipfw binary plus "-q" (quiet); used unquoted so the flag stays a separate word.
fwcmd='/sbin/ipfw -q'
# External interface. ipfw accepts a pattern here: "en*" covers en0, en1, ...
exif='en*'
# External IP address; leave as "any" when the address is dynamic (DHCP/PPP).
exip='any'
############################################################
ConsoleMessage 'Configuring Firewall'
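#######################################
# Build and load the ipfw ruleset (called by RunService on "start").
# Globals:   FIREWALL, NETWORKUP (read; defaulted to -YES- when unset)
#            fwcmd, exif, exip (read) - see the variables section above
# Arguments: none
# Outputs:   progress lines via ConsoleMessage
# Returns:   exits the whole script early when FIREWALL or NETWORKUP
#            is -NO-; otherwise the status of the last ipfw command
#######################################
StartService ()
{
  # Startup-item convention: leave the whole script, not just this
  # function, when the firewall is disabled or no network is up.
  if [ "${FIREWALL:=-YES-}" = "-NO-" ]; then exit; fi
  CheckForNetwork
  if [ "${NETWORKUP:=-YES-}" = "-NO-" ]; then exit; fi
  # ${fwcmd} is deliberately unquoted everywhere below: it holds the ipfw
  # path plus the -q flag and relies on word splitting. ${exif} and ${exip}
  # are quoted so that the "en*" pattern reaches ipfw literally instead of
  # being glob-expanded by the shell against files in the current directory.
  #################################################
  ## Enable IP Firewall Logging and set logging limit
  #
  ConsoleMessage "Enabling IP Firewall Logging"
  # sysctl output is quoted and compared with POSIX "=": the backtick/"=="
  # form is a bashism under #!/bin/sh and leaves "[" with a missing operand
  # when sysctl prints nothing.
  if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.verbose)" = 0 ]; then
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1 > /dev/null
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=10000 > /dev/null
  fi
  #################################################
  ## Set longer ACK lifetime so ssh etc. don't timeout so quickly
  ## (only touched when still at the 300 s default)
  #
  if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.dyn_ack_lifetime)" = 300 ]; then
    /usr/sbin/sysctl -w net.inet.ip.fw.dyn_ack_lifetime=1800 > /dev/null
  fi
  #################################################
  ## Set the maximum number of dynamic rules
  ## Default is 256/1000, this will double it.
  ## Check how many you are using with the command
  ## % sysctl -n net.inet.ip.fw.dyn_count
  #
  # if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.dyn_buckets)" = 256 ]; then
  #   /usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512 > /dev/null
  #   /usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000 > /dev/null
  # fi
  #################################################
  ## Clear all rules
  #
  ConsoleMessage "Flushing existing ipfw ruleset"
  ${fwcmd} -f flush
  ############################################################
  ## Essential rules that more or less everyone needs ##
  ############################################################
  ConsoleMessage "Setting up ipfw"
  #################################################
  ## Allow your loop back to work
  #
  ${fwcmd} add 1000 allow ip from any to any via lo0
  #################################################
  ## Stop and log spoofing of your loopback
  #
  ${fwcmd} add 1010 deny log ip from any to 127.0.0.0/8
  ${fwcmd} add 1011 deny log ip from 127.0.0.0/8 to any
  #################################################
  ## *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY ***
  ## Will open up the Firewall completely!
  #
  # ${fwcmd} add 2000 allow log logamount 500 ip from any to any
  # ${fwcmd} add 2001 allow ip from any to any
  #################################################
  ## Apple have these rules in 10.3.x for some reason...
  #
  ${fwcmd} add 2100 deny log ip from 224.0.0.0/3 to any in
  ${fwcmd} add 2101 deny log tcp from any to 224.0.0.0/3 in
  #################################################
  ## Allow Rendezvous Multicast (mDNSResponder)
  ## NOTE: rule 2200 matches on SOURCE port only, so any UDP datagram
  ## arriving with source port 5353 is accepted whatever its destination
  ## port. If you do not need legacy unicast mDNS replies, consider also
  ## restricting the destination port to 5353; rule 2201 already covers
  ## the multicast group itself.
  #
  ${fwcmd} add 2200 allow udp from any 5353 to any via "${exif}"
  ${fwcmd} add 2201 allow ip from any to 224.0.0.251 via "${exif}"
  #################################################
  ## Allow SSH (times out with state)
  #
  # ${fwcmd} add 2401 allow tcp from any 22 to "${exip}" established in
  # ${fwcmd} add 2402 allow tcp from "${exip}" to any 22 out setup
  #################################################
  ## Allow all packets that have previously been added to the
  ## "dynamic" rules table by an allow keep-state statement.
  #
  ${fwcmd} add 2500 check-state
  #################################################
  ## Deny all fragments as bogus packets
  #
  ${fwcmd} add 2520 deny ip from any to any frag in
  #################################################
  ## Deny ACK packets that did not match the dynamic rule table
  #
  ${fwcmd} add 2530 deny tcp from any to any established in
  #################################################
  ## Deny Source Routed Packets
  #
  ${fwcmd} add 2540 unreach host log ip from any to any ipopt ssrr,lsrr
  #################################################
  ## Send a RESET to all ident packets
  ## Disable if you are actually running Auth/Identd
  #
  ${fwcmd} add 2550 reset tcp from any to any 113 in
  #################################################
  ## Allow DHCP/BOOTP
  #
  ${fwcmd} add 2600 allow udp from any 67-68 to any 67-68
  #################################################
  ## Allow DHCP Broadcast
  #
  ${fwcmd} add 2610 allow udp from any to 255.255.255.255 67-68
  #################################################
  ## Allow all ICMP Packets for diagnostic purposes
  ## you probably wish to leave this commented out
  #
  # ${fwcmd} add 2620 allow icmp from any to any via "${exif}"
  #################################################
  ## Allow Required ICMP Traffic
  ## path-mtu, source quench plus outgoing traceroute and ping
  #
  ${fwcmd} add 2630 allow icmp from any to any icmptypes 3,4
  ${fwcmd} add 2631 allow icmp from any to any icmptypes 0,11 in
  ${fwcmd} add 2632 allow icmp from any to any icmptypes 8 out
  ############################################################
  ## Outbound rules ##
  ############################################################
  #################################################
  ## Allow DNS
  #
  ${fwcmd} add 3000 allow udp from any 1024-65535 to any 53 out keep-state
  #################################################
  ## Allow Network Time (NTP)
  ## NOTE(review): the destination list also includes 1024-65535, which is
  ## far broader than NTP (123) alone; outbound traffic is in any case fully
  ## allowed by rule 3501 below, so this rule mostly documents intent.
  #
  ${fwcmd} add 3010 allow udp from any to any 1024-65535,123 out keep-state
  #################################################
  ## Allow passive FTP control channel
  #
  ${fwcmd} add 3020 allow tcp from "${exip}" to any 21 out setup keep-state
  ${fwcmd} add 3021 allow tcp from "${exip}" to any 10000-65000 out setup keep-state
  #################################################
  ## Allow all outgoing ip traffic
  #
  ${fwcmd} add 3500 allow tcp from "${exip}" to any out setup keep-state
  ${fwcmd} add 3501 allow ip from "${exip}" to any out keep-state
  ############################################################
  ## Inbound rules for Standard Services on port 0-1023 ##
  ## (uncomment only the services this host really offers) ##
  ############################################################
  #################################################
  ## File Transfer, FTP
  #
  # ${fwcmd} add 4010 allow tcp from any to "${exip}" 20-21 in via "${exif}" setup keep-state
  #################################################
  ## Remote Login, SSH
  #
  # ${fwcmd} add 4020 allow tcp from any to "${exip}" 22 in via "${exif}" setup keep-state
  #################################################
  ## SMTP Mail (Normal/SSL)
  #
  # ${fwcmd} add 4030 allow tcp from any to "${exip}" 25 in via "${exif}" setup keep-state
  # ${fwcmd} add 4031 allow tcp from any to "${exip}" 465 in via "${exif}" setup keep-state
  #################################################
  ## DNS
  #
  # ${fwcmd} add 4040 allow udp from any to "${exip}" 53 in via "${exif}" keep-state
  #################################################
  ## World Wide Web (Normal/SSL)
  #
  # ${fwcmd} add 4050 allow tcp from any to "${exip}" 80 in via "${exif}" setup keep-state
  # ${fwcmd} add 4051 allow tcp from any to "${exip}" 443 in via "${exif}" setup keep-state
  #################################################
  ## POP3 Mail (Normal/SSL)
  #
  # ${fwcmd} add 4060 allow tcp from any to "${exip}" 110 in via "${exif}" setup keep-state
  # ${fwcmd} add 4061 allow tcp from any to "${exip}" 995 in via "${exif}" setup keep-state
  #################################################
  ## Auth/Identd (TCP/UDP)
  #
  # ${fwcmd} add 4070 allow tcp from any to "${exip}" 113 in via "${exif}" setup keep-state
  # ${fwcmd} add 4071 allow udp from any to "${exip}" 113 in via "${exif}" keep-state
  #################################################
  ## Samba/CIFS (TCP/UDP)
  #
  # ${fwcmd} add 4080 allow tcp from any to "${exip}" 137-139 in via "${exif}" setup keep-state
  # ${fwcmd} add 4081 allow udp from any to "${exip}" 137-139 in via "${exif}" keep-state
  ## Deny with no log, I get too many entries from people trying to crack Windows servers
  # ${fwcmd} add 4082 deny tcp from any to "${exip}" 137-139 in via "${exif}"
  # ${fwcmd} add 4083 deny udp from any to "${exip}" 137-139 in via "${exif}"
  #################################################
  ## IMAP Mail (Normal/SSL)
  #
  # ${fwcmd} add 4090 allow tcp from any to "${exip}" 143 in via "${exif}" setup keep-state
  # ${fwcmd} add 4091 allow tcp from any to "${exip}" 993 in via "${exif}" setup keep-state
  #################################################
  ## SNMP
  ## (udp rule fixed from "161,192" to "161,162": 162 is the SNMP trap
  ## port, matching the tcp rule)
  #
  # ${fwcmd} add 4100 allow tcp from any to "${exip}" 161,162 in via "${exif}" setup keep-state
  # ${fwcmd} add 4101 allow udp from any to "${exip}" 161,162 in via "${exif}" keep-state
  #################################################
  ## IRC Chat (TCP/UDP)
  #
  # ${fwcmd} add 4110 allow tcp from any to "${exip}" 194 in via "${exif}" setup keep-state
  # ${fwcmd} add 4111 allow udp from any to "${exip}" 194 in via "${exif}" keep-state
  #################################################
  ## Apple web/remote Admin Apps
  #
  # ${fwcmd} add 4120 allow tcp from any to "${exip}" 311 in via "${exif}" setup keep-state
  # ${fwcmd} add 4121 allow tcp from any to "${exip}" 625 in via "${exif}" setup keep-state
  # ${fwcmd} add 4122 allow tcp from any to "${exip}" 660 in via "${exif}" setup keep-state
  #################################################
  ## Timbuktu Pro (TCP/UDP)
  #
  # ${fwcmd} add 4130 allow tcp from any to "${exip}" 407 in via "${exif}" setup keep-state
  # ${fwcmd} add 4131 allow udp from any to "${exip}" 407 in via "${exif}" keep-state
  #################################################
  ## Network Browser (SLP)
  #
  # ${fwcmd} add 4140 allow udp from any to "${exip}" 427 in via "${exif}" keep-state
  #################################################
  ## Retrospect
  #
  # ${fwcmd} add 4150 allow tcp from any to "${exip}" 497 in via "${exif}" setup keep-state
  #################################################
  ## LPR (printing)
  ## NOTE: this is the only inbound service rule enabled by default;
  ## comment it out if this host does not serve print jobs.
  #
  ${fwcmd} add 4160 allow tcp from any to "${exip}" 515 in via "${exif}" setup keep-state
  #################################################
  ## QuickTime Streaming Server, RTSP (TCP/UDP)
  #
  # ${fwcmd} add 4170 allow tcp from any to "${exip}" 554 in via "${exif}" setup keep-state
  # ${fwcmd} add 4171 allow udp from any to "${exip}" 554 in via "${exif}" keep-state
  # ${fwcmd} add 4172 allow udp from any to "${exip}" 6970-6999 in via "${exif}" keep-state
  # ${fwcmd} add 4173 allow udp from any to "${exip}" 7070 in via "${exif}" keep-state
  #################################################
  ## Apple File Protocol (AFP)
  #
  # ${fwcmd} add 4180 allow tcp from any to "${exip}" 548 in via "${exif}" setup keep-state
  #################################################
  ## IPP (Internet Printing Protocol)
  #
  # ${fwcmd} add 4190 allow tcp from any to "${exip}" 631 in via "${exif}" setup keep-state
  ############################################################
  ## Inbound rules for User Services on port 1024-65535 ##
  ############################################################
  #################################################
  ## iConquer game server (TCP/UDP)
  #
  # ${fwcmd} add 5010 allow tcp from any to "${exip}" 2998 in via "${exif}" setup keep-state
  #################################################
  ## iTunes Music Sharing (TCP/UDP)
  #
  # ${fwcmd} add 5020 allow tcp from any to "${exip}" 3689 in via "${exif}" setup keep-state
  #################################################
  ## ICQ Chat (TCP/UDP)
  #
  # ${fwcmd} add 5030 allow tcp from any to "${exip}" 4000 in via "${exif}" setup keep-state
  # ${fwcmd} add 5031 allow udp from any to "${exip}" 4000 in via "${exif}" keep-state
  #################################################
  ## FileMaker Pro (TCP/UDP)
  #
  # ${fwcmd} add 5040 allow tcp from any to "${exip}" 5003 in via "${exif}" setup keep-state
  # ${fwcmd} add 5041 allow udp from any to "${exip}" 5003 in via "${exif}" keep-state
  #################################################
  ## iChat/AOL Instant Messenger
  #
  ## iChat/AOL
  # ${fwcmd} add 5050 allow tcp from any to "${exip}" 5190 in via "${exif}" setup keep-state
  # ${fwcmd} add 5051 allow udp from any to "${exip}" 5190 in via "${exif}" keep-state
  #
  ## iChat/Rendezvous
  # ${fwcmd} add 5052 allow tcp from any to any 5297-5298 in via "${exif}" setup keep-state
  # ${fwcmd} add 5053 allow udp from any to any 5297-5298 in via "${exif}" keep-state
  # ${fwcmd} add 5054 allow tcp from any to any 17421 in via "${exif}" setup keep-state
  #
  ## iChat AV
  # ${fwcmd} add 5055 allow udp from any to "${exip}" 5060 in via "${exif}" keep-state
  # ${fwcmd} add 5056 allow udp from any to "${exip}" 5678 in via "${exif}" keep-state
  # ${fwcmd} add 5057 allow udp from any to "${exip}" 16384-16403 in via "${exif}" keep-state
  #################################################
  ## WarCraft III
  #
  # ${fwcmd} add 5060 allow tcp from any to "${exip}" 6112 in via "${exif}" setup keep-state
  #################################################
  ## Gnutella/Limewire
  ## NOTE: rule number 5060 is shared with the WarCraft III rule above;
  ## renumber one of them if both are ever enabled.
  #
  # ${fwcmd} add 5060 allow tcp from any to "${exip}" 6346 in via "${exif}" setup keep-state
  #################################################
  ## BitTorrent
  #
  # ${fwcmd} add 5070 allow tcp from any to "${exip}" 6881-6999 in via "${exif}" setup keep-state
  #################################################
  ## SubEthaEdit
  #
  # ${fwcmd} add 5080 allow tcp from any to "${exip}" 6942-6951 in via "${exif}" setup keep-state
  #################################################
  ## iPhoto Sharing (TCP/UDP)
  #
  # ${fwcmd} add 5090 allow tcp from any to "${exip}" 8770 in via "${exif}" setup keep-state
  #################################################
  ## NetFone
  #
  # ${fwcmd} add 5100 allow tcp from any to "${exip}" 10200-10210 in via "${exif}" setup keep-state
  ############################################################
  ## Generic inbound rules to wrap things up ##
  ############################################################
  #################################################
  ## Deny all other Privileged Ports (TCP/UDP)
  #
  ${fwcmd} add 6000 deny log tcp from any to "${exip}" 1-1023 in via "${exif}"
  ${fwcmd} add 6010 deny log udp from any to "${exip}" 1-1023 in via "${exif}"
  #################################################
  ## Deny all other Non-Privileged Ports (TCP/UDP)
  #
  ${fwcmd} add 6100 deny log tcp from any to "${exip}" 1024-65535 in via "${exif}"
  ${fwcmd} add 6110 deny log udp from any to "${exip}" 1024-65535 in via "${exif}"
  ## Allow all Non-Privileged Ports (TCP/UDP) - alternative to the two
  ## deny rules above; enable one set or the other, not both.
  # ${fwcmd} add 6120 allow tcp from any to "${exip}" 1024-65535 in via "${exif}" setup keep-state
  # ${fwcmd} add 6121 allow tcp from any to "${exip}" 10000-65535 in via "${exif}" setup keep-state
  # ${fwcmd} add 6130 allow udp from any to "${exip}" 1024-65535 in via "${exif}" keep-state
  # ${fwcmd} add 6131 allow udp from any to "${exip}" 10000-65535 in via "${exif}" keep-state
  #################################################
  ## Deny everything else (default-deny catch-all)
  #
  ${fwcmd} add 7000 deny log ip from any to any
}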
# End of StartService
#######################################
# Tear the firewall down (called by RunService on "stop"): flush every
# ipfw rule, leaving the kernel's default policy in effect.
# Globals:   fwcmd (read) - ipfw command line
# Outputs:   one status line via ConsoleMessage
#######################################
StopService ()
{
  ConsoleMessage "Flushing existing ipfw ruleset"
  # $fwcmd intentionally unquoted: it carries the ipfw path and "-q" as two words
  $fwcmd -f flush
}
#######################################
# Reload the ruleset (called by RunService on "restart"):
# flush everything, then rebuild from scratch.
#######################################
RestartService ()
{
  StopService
  StartService
}
# Entry point: RunService comes from /etc/rc.common (sourced above) and
# dispatches $1 (start | stop | restart) to StartService, StopService or
# RestartService.
RunService "$1"