Help Build The Best IPFW Firewall Rules Sets Ever



Updated: See http://securosis.com/2007/11/15/ipfw-rules/.

Full thanks and acknowledgment go to windexh8er, who suggested this post in the comments on the Leopard firewall post and provided the starting content. In his (or her) own words:

So, with everyone constantly complaining about the crap-tastic new implementation of the Leopard firewall, how about we baseline a good IPFW config? Here's for starters:

00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00500 check-state
00501 deny log ip from any to any frag
00502 deny log tcp from any to any established in
01500 allow udp from 10.100.0.0/24 5353 to any dst-port 1024-65535 in
01700 allow icmp from any to any icmptypes 3
01701 allow icmp from any to any icmptypes 4
01702 allow icmp from any to any icmptypes 8 out
01703 allow icmp from any to any icmptypes 0 in
01704 allow icmp from any to any icmptypes 11 in
65500 allow tcp from me to any keep-state
65501 allow udp from me to any keep-state
65534 deny log ip from any to any
65535 allow ip from any to any

…this firewall configuration will do a number of things. First of all, line 500 is key to checking the state table before we block any poser incoming connections. Line 502 blocks connections coming in that pretend they were established, but really weren't. Line 501 is pretty self-explanatory, blocking fragmented packets in. I know nothing I'm using is fragmenting, so YMMV.

Line 1500 is an example. Since Bonjour services cannot be tracked correctly in the state table, we need to allow things back to 5353/UDP on the box (that is, if you want to use it). But my example shows that I'm only allowing those services on my local network. Anytime I head to Panera or Starbucks I don't have to worry about 5353 being "open", unless of course those networks are using 10.100.0.0/24. Most of the time they're not. But if I noticed that, I would disable that rule for the time being.

Next we get to ICMP. What do these let us do? ICMP type 3 lets path MTU in and out (i.e. PMTU, Path MTU Discovery). Many people don't realize the advantages of PMTU, because they think ICMP is inherently evil. Try doing some performance engineering and PMTU becomes a great resource. Anyway, type 3 is not evil. Next, type 8 is source quench. It will tell my upstream gateway to "slow down" if need be. Again, not evil for the most part. The pros outweigh the cons anyway. Types 8 and 0 rely on each other. 8 lets me ping out and 0 lets that back in. BUT — people will not be able to ping me. Sneaky sneaky… The last one, type 11, will let me run traceroute.

So now 65500 and 65501 basically let my computer open any port out. In the interest of keeping this ruleset "set it and forget it" style, this can be done better, like specifying everything you need to let out and blocking everything else. But I can't delve into that for "every" user, so this makes it a little more convenient.

65534 is our deny. Notice all the denies I setup have logging statements. I always have a terminal running tailing my firewall log. Then again, for those who don’t know how to respond maybe just keep that on the down low — you might get sick if you saw all of the traffic hitting your box depending on the network you’re connected to.

Rich — you should start a thread for whittling down the best default ruleset for IPFW on Tiger/Leopard and let’s do a writeup on how to implement it…

Ask and ye shall receive. I'll be putting together some of my own suggestions, but this is a heck of a great start, and I'm having trouble thinking of any good additions right now.

Let's all pile on; once we get consensus, I'll do another post with the results.
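
As an added example (not code from the original post), here is the quoted ruleset as a loader script for ipfw(8) on Mac OS X 10.4/10.5 or FreeBSD, including the DHCP rule windexh8er adds in the comments below. It assumes two things that are not in the post: the trusted LAN for the Bonjour rule comes from a LAN environment variable (defaulting to the post's 10.100.0.0/24), and setting IPFW_DRYRUN=1 prints the ipfw commands instead of running them, so you can review the order before loading. The script and variable names and the rule_count helper are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: loads the quoted ruleset
# with ipfw(8). Assumptions: $LAN is the only subnet allowed to answer mDNS
# (5353/udp), and IPFW_DRYRUN=1 prints commands instead of running them.

LAN="${LAN:-10.100.0.0/24}"     # assumption: the trusted LAN for Bonjour
IPFW="${IPFW:-/sbin/ipfw}"

# Run one ipfw command, or print it when IPFW_DRYRUN is set.
ipfw_cmd() {
    if [ -n "${IPFW_DRYRUN:-}" ]; then
        printf '%s %s\n' "$IPFW" "$*"
    else
        "$IPFW" -q "$@"
    fi
}

load_ruleset() {
    ipfw_cmd -f flush                     # drop the old table without prompting

    # Loopback: allow it, and refuse 127/8 arriving on a real interface.
    ipfw_cmd add 100 allow ip from any to any via 'lo*'   # quoted so sh does not glob
    ipfw_cmd add 110 deny ip from 127.0.0.0/8 to any in
    ipfw_cmd add 120 deny ip from any to 127.0.0.0/8 in

    # State first: replies to our own flows match here and never reach the
    # denies below. 502 must follow check-state, or legitimate return
    # traffic (ACK set, no SYN) would be logged and dropped.
    ipfw_cmd add 500 check-state
    ipfw_cmd add 501 deny log ip from any to any frag
    ipfw_cmd add 502 deny log tcp from any to any established in

    # Unsolicited inbound that state tracking cannot cover.
    ipfw_cmd add 1500 allow udp from any 67 to any dst-port 68 in               # DHCP
    ipfw_cmd add 1501 allow udp from "$LAN" 5353 to any dst-port 1024-65535 in   # mDNS, LAN only

    # ICMP: PMTU (3), source quench (4), our pings out (8) and their replies
    # in (0), and TTL-exceeded (11) so traceroute works.
    ipfw_cmd add 1700 allow icmp from any to any icmptypes 3
    ipfw_cmd add 1701 allow icmp from any to any icmptypes 4
    ipfw_cmd add 1702 allow icmp from any to any icmptypes 8 out
    ipfw_cmd add 1703 allow icmp from any to any icmptypes 0 in
    ipfw_cmd add 1704 allow icmp from any to any icmptypes 11 in

    # Anything this host starts gets a state entry.
    ipfw_cmd add 65500 allow tcp from me to any keep-state
    ipfw_cmd add 65501 allow udp from me to any keep-state

    # Catch-all. 65535 (allow ip from any to any) is the kernel's fixed
    # default rule and cannot be added; 65534 is what makes this deny-by-default.
    ipfw_cmd add 65534 deny log ip from any to any
}

# Number of 'add' commands the loader issues; handy as a sanity check.
rule_count() {
    IPFW_DRYRUN=1 load_ruleset | grep -c ' add '
}

# Usage: sudo sh ipfw-rules.sh load      (apply the ruleset)
#        sh ipfw-rules.sh print          (review the commands first)
case "${1:-}" in
    load)  load_ruleset ;;
    print) IPFW_DRYRUN=1 load_ruleset ;;
esac
```

Ordering is the point of the exercise: check-state (500) has to sit before the deny on established (502) and the catch-all (65534), otherwise replies to your own connections are logged and dropped. Also note that the "deny log" rules write nothing unless the sysctl net.inet.ip.fw.verbose is 1, so check that before trusting an empty log.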

13 comments

  1. Lee Nov 7

    Here’s another 2 you might want to add that are used a lot in spoofing:

    ipfw add deny log ip from 224.0.0.0/3 to any in
    ipfw add deny log ip from 224.0.0.0/8 to any in

  2. rob Nov 7

    Lee, your rules are redundant; a /3 incorporates a /8.

    So, how does one determine whether you're running anything that's fragmenting or not? Set up the rule, watch the log, and then run Ethereal if anything breaks, maybe?
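
On the "set up the rule and watch the log" approach, here is an added example (mine, not from the post or any commenter) that summarizes ipfw deny hits by rule, protocol, source host and destination, so a burst of rule 501 drops from your own NFS or VPN peer stands out instead of scrolling past. It assumes the log lines are in the FreeBSD/Mac OS X ipfw syslog format ("ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> <in|out> via <if>") and live in the file named by IPFW_LOG; the sample lines in sample_log are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original page: summarize ipfw 'deny log'
# hits. Assumption: lines follow the FreeBSD/Mac OS X ipfw syslog format.

IPFW_LOG="${IPFW_LOG:-/var/log/ipfw.log}"   # assumption: where syslog puts ipfw lines

# Print "<count> <rule> <proto> <src> -> <dst> <dir>", most frequent first.
# Reads the files given as arguments, or stdin when none are given.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny/ {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3)
            src = $(i+4); dst = $(i+5); dir = $(i+6)
            sub(/:[0-9]+$/, "", src)          # drop the ephemeral source port
            key = rule " " proto " " src " -> " dst " " dir
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# Constructed sample (not real log data): two SSH probes, one fragment
# caught by rule 501, an inbound ping, and an unrelated kernel line.
sample_log() {
    cat <<'EOF'
Nov  7 09:12:01 mini kernel: ipfw: 65534 Deny TCP 192.0.2.10:4444 10.100.0.5:22 in via en0
Nov  7 09:12:03 mini kernel: ipfw: 65534 Deny TCP 192.0.2.10:4445 10.100.0.5:22 in via en0
Nov  7 09:12:05 mini kernel: ipfw: 501 Deny UDP 10.100.0.1:2049 10.100.0.5:1023 in via en0
Nov  7 09:12:09 mini kernel: ipfw: 65534 Deny ICMP:8.0 198.51.100.7 10.100.0.5 in via en0
Nov  7 09:12:11 mini kernel: en0: link state changed to UP
EOF
}

# Usage: sh ipfw-denies.sh run      (summarize $IPFW_LOG)
#        sh ipfw-denies.sh sample   (run against the constructed sample)
case "${1:-}" in
    run)    summarize_denies "$IPFW_LOG" ;;
    sample) sample_log | summarize_denies ;;
esac
```

This is a snapshot tool: awk only prints in END, so pipe a saved log or a `tail -n 5000` into it rather than `tail -f`. In the sample, the rule 501 line with a source port of 2049 is exactly the kind of hit rob is asking about, an NFS-sized datagram from the local gateway being fragmented, and the summary shows it once, labelled by rule, instead of buried among the SSH probes.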

  3. Wilbur Nov 9

    I'm waiting for a new Mini to arrive with Leopard. I will be using it as my primary home machine. How would I implement the above, and would I need all the rules for a non-mobile unit?

    Cheers.

  4. windexh8er Nov 15

    Hey thanks Rich! :) Here’s my updated list, although I think there’s only one line difference and that’s for DHCP in. Wasn’t really using it when I originally posted, but here it is:

    00100 allow ip from any to any via lo*
    00110 deny ip from 127.0.0.0/8 to any in
    00120 deny ip from any to 127.0.0.0/8 in
    00500 check-state
    00501 deny log ip from any to any frag
    00502 deny log tcp from any to any established in
    01500 allow udp from any 67 to any dst-port 68 in
    01501 allow udp from 10.100.0.0/24 5353 to any dst-port 1024-65535 in
    01700 allow icmp from any to any icmptypes 3
    01701 allow icmp from any to any icmptypes 4
    01702 allow icmp from any to any icmptypes 8 out
    01703 allow icmp from any to any icmptypes 0 in
    01704 allow icmp from any to any icmptypes 11 in
    65500 allow tcp from me to any keep-state
    65501 allow udp from me to any keep-state
    65534 deny log ip from any to any
    65535 allow ip from any to any

    …I’ll be interested to see what you and Chris come up with, I saw the note on one of the posts today (11/15/2007).

    –windexh8er

  5. Foo Nov 15

    Please choose a different name for your Web pages.

    “bla | securosis.com”

    is not a good name for either bookmarks or the files that are saved from the Web pages.

    Thanks

    Keep up the good work

  6. loop Nov 24

    I have found this rule to be effective

    00500 deny ip from any to any not verrevpath

    Filters out packets from machines pretending to be someone other than who they are.

  7. Cool BRO Jan 14

    I am trying to configure the firewall on my Mac OS X Tiger Server in GUI mode, but it seems a bit confusing. Can anyone point me the right way? I just want to do the following:

    First, I want to block all traffic to my server, then
    I would like to allow a certain subnet to reach the server,
    and allow all outgoing traffic from my server.

    Is there any step by step guide ?

  8. rmogull Jan 14

    I don't have one, but Chris Pepper has configured servers a bunch. I'll ask him to poke into these forums and he might have an answer…

  9. Curby Feb 21

    I’ve been working on an IPFW implementation for a while now. My progress can be found by clicking on the heading of this comment. In short, the main ruleset is the following:

    add 00010 allow all from any to any via lo*
    add 02010 check-state
    add 02020 deny tcp from any to any in established
    add 04010 allow udp from any 67 to any 68 in
    add 04020 deny log all from any to any not verrevpath in
    add 06010 allow icmp from any to any icmptype 8 keep-state
    add 06020 allow icmp from any to any icmptype 3,11,12
    add 08010 allow all from any to any out keep-state
    add 10010 allow udp from any to 224.0.0.0/4 in
    add 10030 allow udp from any 137,138 to me 49152-65535 in keep-state
    add 65534 deny log all from any to any

    Key differences include a shortening of the martian/spoofing checking and ICMP rules, being more permissive on outbound ICMP, and the addition of the 10k section which includes rules necessary for unassociated inbound traffic. Allowing source quench is not recommended, and stateful pings will allow replies.

    The goal of this ruleset is to be secure but do no harm. The base ruleset should never have to be edited by a user because customizations can be placed in local rulesets that are not overwritten when the base ruleset is upgraded.

    Much more detail is available in the inline comments in the rules files, all available at the same link above.
