Friday, July 20, 2007

Custom Firewall Setup for Tiger

I recently had to upgrade to Tiger (in order to sync with my new iPhone) and I've been totally buried in all the changes from Panther. In this post, I'll describe a simple method for starting ipfw with custom firewall settings (in Tiger it's actually ipfw2, but the binary is still called "ipfw"). Like most unix wonks, I prefer to keep my rules in /etc/ipfw.conf, a file of ipfw commands written without the leading "ipfw" word. This lets me impose stricter security on my home network than the defaults give me; for example, my Mac does not trust anything coming from my Windows system.

In Panther, I edited /System/Library/StartupItems/NetworkExtensions/NetworkExtensions to start ipfw with my config file, using: /sbin/ipfw -q /etc/ipfw.conf. That was simple.

The many changes to Tiger include ipfw getting launched a new way: by launchd. I like Apple's implementation of launchd, and I'm eager to see what they've changed for Leopard. Here's what I did to enable ipfw to be launched with my settings.

Step #1) Create a plist file that launchd will always use.

I created a text file of XML and named it /Library/LaunchDaemons/ipfw_startup.plist. I created it in TextEdit (saved as plain text, not RTF), but you can use anything; it's just XML. The ProgramArguments key gives the path to the script I want launchd to execute, and RunAtLoad tells launchd to run it as soon as the job is loaded at system startup.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ipfw_startup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/ipfw_startup</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>


Step #2) Create a shell script to start ipfw.

I created the shell script /usr/local/bin/ipfw_startup; its contents are shown below. It loads ipfw with my ipfw.conf rule set, starts the logging daemon and turns on verbose logging. Lastly, I like to have some confirmation that it was started with my rules, because I got tired of running sudo ipfw list to check.

#!/bin/sh

##
# Start Tiger's ipfw2 using my custom rule set
##

# Load the rules from /etc/ipfw.conf; -q keeps ipfw quiet and lets a
# "flush" at the top of the file run without a confirmation prompt
/sbin/ipfw -q /etc/ipfw.conf

# Start the logging daemon, then turn on verbose logging of "log" rules,
# capped at 50 messages per rule so a flood can't fill the log
/usr/libexec/ipfwloggerd
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet.ip.fw.verbose_limit=50

# Leave a timestamped note so I can confirm the rules were loaded at boot
date >> /TESTING/ipfwtest.log
echo "Started ipfw2 with my custom ruleset" >> /TESTING/ipfwtest.log

Be sure to create those files as root, or fix their ownership and permissions afterwards: launchd will not load a plist in /Library/LaunchDaemons unless it is owned by root and not writable by group or others (chown root:wheel, chmod 644), and the script has to be executable (chmod 755). Hold the script and /etc/ipfw.conf to the same root-only-writable standard, since whoever can edit them decides the firewall policy at the next boot.
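The post shows the launchd plist and the startup script but not the rule file itself, nor a way to confirm that the files meet launchd's ownership rules. The helper below is an added example, not code from the original post: it generates a rule set in the form /sbin/ipfw -q /etc/ipfw.conf expects and checks each file's owner and mode. The script name ipfw_helper.sh and the addresses (LAN 192.168.1.0/24, resolver 192.168.1.1, untrusted Windows box 192.168.1.50) are hypothetical; launchctl load and ipfw show are the real Tiger commands.

```shell
#!/bin/sh
# Added example, not code from the original post: a helper that generates a
# rule set for /etc/ipfw.conf and checks the ownership and permissions the
# launchd setup depends on.  Hypothetical addresses: LAN 192.168.1.0/24,
# resolver 192.168.1.1, untrusted Windows box 192.168.1.50.

# Emit rules in the form "/sbin/ipfw -q FILE" expects: ipfw commands without
# the leading "ipfw" word ('#' comments are stripped by ipfw).  "flush" comes
# first so a reload replaces the rules instead of stacking duplicates; -q on
# the command line suppresses the flush confirmation prompt.
ipfw_ruleset() {
    cat <<'EOF'
flush
# loopback traffic, and nothing pretending to be loopback on a real interface
add 00100 allow ip from any to any via lo0
add 00110 deny log ip from 127.0.0.0/8 to any in
add 00120 deny log ip from any to 127.0.0.0/8 in
# nothing arriving from the Windows host is trusted (hypothetical address)
add 01000 deny log ip from 192.168.1.50 to any in
# TCP: this host may initiate connections, and replies to them may come back
add 02000 allow tcp from any to any out
add 02010 allow tcp from any to any established
# inbound SSH only from the rest of the LAN
add 03000 allow tcp from 192.168.1.0/24 to me 22 in setup
# DNS to and from the LAN resolver (hypothetical address)
add 03100 allow udp from me to 192.168.1.1 53 out
add 03110 allow udp from 192.168.1.1 53 to me in
# echo reply, unreachable, echo request, time exceeded
add 03200 allow icmp from any to any icmptypes 0,3,8,11
# Tiger's built-in rule 65535 is "allow ip from any to any", so end with an
# explicit, logged deny
add 65000 deny log ip from any to any
EOF
}

# launchd will not load a LaunchDaemon plist that is not owned by root or that
# is writable by group or others; the script and the rule file are held to the
# same standard, since anyone who can edit them rewrites the firewall at boot.
# Returns 0 if ok, 1 if not owned by root, 2 if group/other writable,
# 3 if the file does not exist.
check_daemon_file() {
    f=$1
    [ -e "$f" ] || return 3
    listing=$(ls -ld "$f")
    # the mode string is the first 10 characters, e.g. -rw-r--r--
    case "$(printf '%s\n' "$listing" | cut -c1-10)" in
        ?????w????|????????w?) return 2 ;;
    esac
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = root ] || return 1
    return 0
}

# Usage, as root on the Tiger box (ipfw_helper.sh is this file's assumed name):
#   sh ipfw_helper.sh ruleset > /etc/ipfw.conf
#   chown root:wheel /etc/ipfw.conf /usr/local/bin/ipfw_startup \
#       /Library/LaunchDaemons/ipfw_startup.plist
#   chmod 644 /etc/ipfw.conf /Library/LaunchDaemons/ipfw_startup.plist
#   chmod 755 /usr/local/bin/ipfw_startup
#   sh ipfw_helper.sh check /etc/ipfw.conf /usr/local/bin/ipfw_startup \
#       /Library/LaunchDaemons/ipfw_startup.plist
#   launchctl load /Library/LaunchDaemons/ipfw_startup.plist
#   ipfw show          # rules with their packet and byte counters
case "${1:-}" in
    ruleset) ipfw_ruleset ;;
    check)
        shift
        status=0
        for f in "$@"; do
            rc=0; check_daemon_file "$f" || rc=$?
            if [ "$rc" -eq 0 ]; then
                echo "ok:  $f"
            else
                echo "FIX: $f (rc=$rc)"; status=1
            fi
        done
        exit "$status"
        ;;
esac
```

The rule set is deliberately stateless (established and explicit reply rules rather than keep-state), which is what Apple's own Tiger rules did; the price is that UDP replies must be listed per service, as the DNS pair shows. Rule 01000 is the post's "don't trust the Windows box" policy made concrete, and it is logged so ipfwloggerd records any attempt.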

For more information about Tiger's startup sequence and the role of launchd, Apple has decent documentation at this page. I recommend downloading the PDF using the link in the upper left corner of the page. Finally, for those readers that also want to post HTML/XML code on Blogger - I used this handy-dandy escape-code generation page.
