In Panther, I edited /System/Library/StartupItems/NetworkExtensions/NetworkExtensions to start ipfw with my config file using /sbin/ipfw -q /etc/ipfw.conf. That was simple.
Among the many changes in Tiger, ipfw is now launched a new way: by launchd. I like Apple's implementation of launchd, and I'm eager to see what they've changed for Leopard. Here's what I did to get ipfw launched with my settings.
Step #1) Create a plist file that launchd will always use.
I created an XML text file named /Library/LaunchDaemons/ipfw_startup.plist. I created it in TextEdit, but you can use anything; it's just XML. You can see that it gives the path to the script that I want launchd to execute on system startup.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
Step #2) Create a shell script to start ipfw.
I created the shell script /usr/local/bin/ipfw_startup. The contents are shown below. You can see that I start ipfw using my ipfw.conf settings file, and then it turns on logging. Lastly, I like to have some confirmation that it was started using my rules; I got tired of running sudo ipfw list to check.
#!/bin/sh
# Start Tiger's ipfw2 using my custom rule set
/sbin/ipfw -q /etc/ipfw.conf
# Turn on logging for rules that carry the "log" keyword, capped at 50 log entries per rule
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=50
# Leave a record that the script ran, so I don't have to run "sudo ipfw list" every time
date >> /TESTING/ipfwtest.log
echo "Started ipfw2 with my custom ruleset" >> /TESTING/ipfwtest.log
Be sure to create those files as root, or change their ownership and mode settings appropriately: the plist and the script should be owned by root:wheel, the plist should be mode 644, and the script must be executable (mode 755). launchd runs this job as root at every boot, so anyone who can write to either file can run arbitrary commands as root the next time the machine starts; never leave them group- or world-writable. Using full paths in the script (as above) also avoids depending on whatever PATH launchd happens to give the job.
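The two steps above as one script, added here as an example and not part of the original post or Apple's documentation. It writes a complete launchd property list pointing at the startup script, checks the ownership and modes discussed above, and loads the job. The job label local.ipfw_startup, the DEST override (for previewing the plist in a scratch directory), and the use of launchctl load to start the job without rebooting are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): writes the launchd property list
# for the ipfw startup job, checks the file ownership and modes launchd expects,
# and installs/loads the job. Assumptions not in the post: the job label
# "local.ipfw_startup", the DEST override used for previewing, and the use of
# "launchctl load" to start the job without rebooting.

LABEL="local.ipfw_startup"
SCRIPT="/usr/local/bin/ipfw_startup"
PLIST_DIR="${DEST:-/Library/LaunchDaemons}"
PLIST="$PLIST_DIR/ipfw_startup.plist"

# write_plist FILE: emit the plist. RunAtLoad makes launchd run the program once
# when the job is loaded, i.e. at boot for anything in /Library/LaunchDaemons.
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$SCRIPT</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# plist_program FILE: print the first absolute path inside a <string> element,
# which for this plist is the program launchd will execute.
plist_program() {
    sed -n 's|.*<string>\(/[^<]*\)</string>.*|\1|p' "$1" | head -n 1
}

# not_group_or_world_writable FILE: succeed only if neither the group nor the
# "other" write bit is set. Parses the POSIX "ls -l" mode string, so it works
# on both the BSD and GNU userlands (stat's flags differ between them).
not_group_or_world_writable() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# install_daemon: must be run as root. Anyone who can modify either file gets
# root at the next boot, so both are owned by root:wheel and not group/world
# writable; the script must also be executable or launchd has nothing to run.
install_daemon() {
    [ -f "$SCRIPT" ] || { echo "missing $SCRIPT" >&2; return 1; }
    write_plist "$PLIST"
    chown root:wheel "$PLIST" "$SCRIPT"
    chmod 644 "$PLIST"
    chmod 755 "$SCRIPT"
    not_group_or_world_writable "$PLIST" || return 1
    not_group_or_world_writable "$SCRIPT" || return 1
    # Load now instead of waiting for a reboot; "launchctl list" then shows the label.
    launchctl load "$PLIST" && launchctl list | grep "$LABEL"
}

# Run the installer only when invoked as: sudo sh launchd_ipfw.sh install
if [ "${1:-}" = "install" ]; then
    install_daemon
fi
```

To preview the generated plist without touching /Library/LaunchDaemons, run it with DEST set to a scratch directory (for example DEST=/tmp/preview sh launchd_ipfw.sh install, after creating the directory); the real install needs sudo because of the chown to root:wheel.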
For more information about Tiger's startup sequence and the role of launchd, Apple has decent documentation at this page. I recommend downloading the PDF using the link in the upper left corner of the page. Finally, for those readers who also want to post HTML/XML code on Blogger, I used this handy-dandy escape-code generation page.