
Help Build The Best IPFW Firewall Rules Sets Ever

By Rich

Updated: See https://securosis.com/wp-content/uploads/2007/11/ipfw-securosis.txt.

I need to completely thank and acknowledge windexh8er for suggesting this post in the comments on the Leopard firewall post, and providing the starting content. In his (or her) own words:

So how about everyone constantly complaining about the crap-tastic new implementation of the Leopard firewall we baseline a good IPFW config? Here’s for starters:

00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00500 check-state
00501 deny log ip from any to any frag
00502 deny log tcp from any to any established in
01500 allow udp from 10.100.0.0/24 5353 to any dst-port 1024-65535 in
01700 allow icmp from any to any icmptypes 3
01701 allow icmp from any to any icmptypes 4
01702 allow icmp from any to any icmptypes 8 out
01703 allow icmp from any to any icmptypes 0 in
01704 allow icmp from any to any icmptypes 11 in
65500 allow tcp from me to any keep-state
65501 allow udp from me to any keep-state
65534 deny log ip from any to any
65535 allow ip from any to any

This firewall configuration will do a number of things. First of all line 500 is key to checking the state table before we block any poser incoming connections. Line 502 blocks connections coming in that pretend they were established, but really weren’t. Line 501 is pretty self-explanatory, blocking fragmented packets in. I know nothing I’m using is fragmenting, so YMMV.

Line 1500 is an example. Since Bonjour services cannot be tracked correctly in the state table we need to allow things back to 5353/UDP on the box (that is if you want to use it). But my example shows that I’m only allowing those services on my local network. Anytime I head to Panera or Starbucks I don’t have to worry about 5353 being ‘open’, unless of course those networks are using 10.100.0.0/24. Most of the time they’re not. But if I noticed that I would disable that rule for the time being.

Next we get to ICMP. What do these let us do? ICMP type 3 lets path MTU in and out (i.e. PMTU – Path MTU Discovery). Many people don’t realize the advantages of PMTU, because they think ICMP is inherently evil. Try doing some performance engineering and PMTU becomes a great resource. Anyway, type 3 is not evil. Next, type 8 is source quench. It will tell my upstream gateway to “slow down” if need be. Again, not evil for the most part. The pros outweigh the cons anyway. Types 8 and 0 rely on each other. 8 lets me ping out and 0 lets that back in. BUT – people will not be able to ping me. Sneaky sneaky. The last one, type 11, will let me run traceroute.

So now 65500 and 65501 basically let my computer open any port out. In the essence of keeping this ruleset “set it and forget it” style this can be done better. Like specifying everything you need to let out and blocking everything else. But I can’t delve into that for ‘every’ user, so this makes it a little more convenient.

65534 is our deny. Notice all the denies I set up have logging statements. I always have a terminal running tailing my firewall log. Then again, for those who don’t know how to respond maybe just keep that on the down low – you might get sick if you saw all of the traffic hitting your box depending on the network you’re connected to.

Rich – you should start a thread for whittling down the best default ruleset for IPFW on Tiger/Leopard and let’s do a writeup on how to implement it

Ask and ye shall receive. I’ll be putting together some of my own suggestions, but this is a heck of a great start and I’m having trouble thinking of any good additions right now.

Let’s all pile on. Once we get consensus I’ll do another post with the results.
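As an added illustration (not part of the original post or of windexh8er’s comment), here is a small Python model of how the posted ruleset is walked top-down for a few constructed packets: the reply to an outbound connection that rule 500 admits before 502 can drop it, a spoofed “established” segment, the one-way ping behaviour, and Bonjour from the home LAN versus a foreign network. The host address ME, the home LAN and all peer addresses are constructed, and the evaluator models only protocol, addresses, ports, direction, icmptypes, the TCP ACK flag and keep-state/check-state, not the lo*, 127/8, frag or logging details.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ME, LAN = "10.100.0.20", "10.100.0.0/24"  # constructed host address and home LAN
Pkt = namedtuple("Pkt", "proto src dst direction sport dport icmptype ack",
                 defaults=(0, 0, -1, False))  # direction "in"/"out"; ack = TCP ACK set
def R(num, action, proto="ip", src="0.0.0.0/0", dst="0.0.0.0/0", sport=None,
      dport=None, d=None, icmp=None, est=False, ks=False):
    return dict(num=num, action=action, proto=proto, src=ip_network(src), dst=ip_network(dst),
                sport=sport, dport=dport, d=d, icmp=icmp, est=est, ks=ks)

RULES = [  # rules 00500..65534 as posted (lo*, 127/8 and frag rules left out); 65535 implicit
    R(500, "check-state"),
    R(502, "deny", "tcp", d="in", est=True),
    R(1500, "allow", "udp", src=LAN, sport=5353, dport=(1024, 65535), d="in"),
    R(1700, "allow", "icmp", icmp={3}), R(1701, "allow", "icmp", icmp={4}),
    R(1702, "allow", "icmp", icmp={8}, d="out"), R(1703, "allow", "icmp", icmp={0}, d="in"),
    R(1704, "allow", "icmp", icmp={11}, d="in"),
    R(65500, "allow", "tcp", src=ME, ks=True), R(65501, "allow", "udp", src=ME, ks=True),
    R(65534, "deny"),
]

def evaluate(p, state):  # first match wins; returns (rule number, action)
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    for r in RULES:
        if r["action"] == "check-state":  # dynamic entries created by keep-state
            if fwd in state or rev in state:
                return r["num"], "allow"
        elif (r["proto"] in ("ip", p.proto) and ip_address(p.src) in r["src"]
                and ip_address(p.dst) in r["dst"] and r["sport"] in (None, p.sport)
                and (not r["dport"] or r["dport"][0] <= p.dport <= r["dport"][1])
                and r["d"] in (None, p.direction) and (p.ack or not r["est"])
                and (r["icmp"] is None or p.icmptype in r["icmp"])):
            if r["ks"]:
                state.add(fwd)  # keep-state: remember the flow so replies pass check-state
            return r["num"], r["action"]
    return 65535, "allow"

def scenarios():
    st = set()  # the dynamic rule table, shared by the packets below
    return {
        "web_out":   evaluate(Pkt("tcp", ME, "203.0.113.8", "out", 51000, 80), st),
        "web_reply": evaluate(Pkt("tcp", "203.0.113.8", ME, "in", 80, 51000, ack=True), st),
        "fake_est":  evaluate(Pkt("tcp", "198.51.100.7", ME, "in", 4444, 22, ack=True), st),
        "ping_out":  evaluate(Pkt("icmp", ME, "203.0.113.1", "out", icmptype=8), st),
        "ping_me":   evaluate(Pkt("icmp", "198.51.100.7", ME, "in", icmptype=8), st),
        "mdns_lan":  evaluate(Pkt("udp", "10.100.0.5", ME, "in", 5353, 5353), st),
        "mdns_cafe": evaluate(Pkt("udp", "172.16.3.9", ME, "in", 5353, 5353), st),
    }
```

Calling scenarios() shows the web reply hitting 500 while the forged ACK hits 502, the outbound ping passing at 1702 while an inbound echo request falls through to 65534, and Bonjour accepted only from 10.100.0.0/24.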

Comments

folks,
I have a simple question: mac (10.6.7) connected to cable modem. NO routers of any kind!
My goal is to write (create) rules for IPFW which will block everything in/out except dns (UDP 53) resolution (maybe mDNSResponder but only to resolve DNS), http (tcp 80), https (tcp 443), imap (tcp 143), pop3 (tcp 110), smtp (tcp 25) and icmp (ping, traceroute), and UDP NTP (port 123).

Please correct me if I make a mistake.
Here is my exercise:
ipfw add 00100 allow ip from any to any via lo*
ipfw add 00110 deny ip from 127.0.0.0/8 to any in
ipfw add 00120 deny ip from any to 127.0.0.0/8 in
ipfw add 00130 deny ip from 224.0.0.0/3 to any in
ipfw add 00140 deny ip from 224.0.0.0/8 to any in
ipfw add 00150 deny tcp from any to 224.0.0.0/3 in
ipfw add 00160 deny tcp from any to 224.0.0.0/8 in
ipfw add 00500 check-state
ipfw add 02010 allow udp from any 5353 to any dst-port 1024-65535 in
ipfw add 02020 allow tcp from any to any dst-port 80
ipfw add 02030 allow tcp from any to any dst-port 443
ipfw add 02040 allow tcp from any to any dst-port 25
ipfw add 02050 allow tcp from any to any dst-port 143
ipfw add 02060 allow tcp from any to any dst-port 110
ipfw add 02070 allow udp from any to time.apple.com dst-port 123
ipfw add 02480 allow all from any to any established
ipfw add 02490 reject ICMP from any to any in
ipfw add 03100 deny log tcp from any to any in
ipfw add 03180 reset tcp from any to any setup
ipfw add 04000 deny ip from any to any not verrevpath in
ipfw add 05000 deny ICMP from any to any out
ipfw add 60000 deny all from any to any
ipfw add 65535 allow ip from any to any

Thank you for your advice!

By bgjoshua


You should use paragraphs. Would look much better

By Karl


I’ve been working on an IPFW implementation for a while now. My progress can be found by clicking on the heading of this comment. In short, the main ruleset is the following:

add 00010 allow   all from any to any via lo*
add 02010 check-state
add 02020 deny     tcp from any to any in established
add 04010 allow   udp from any 67 to any 68 in
add 04020 deny log all from any to any not verrevpath in
add 06010 allow   icmp from any to any icmptype 8 keep-state
add 06020 allow   icmp from any to any icmptype 3,11,12
add 08010 allow   all from any to any out keep-state
add 10010 allow   udp from any to 224.0.0.0/4 in
add 10030 allow   udp from any 137,138 to me 49152-65535 in keep-state
add 65534 deny log all from any to any

Key differences include a shortening of the martian/spoofing checking and ICMP rules, being more permissive on outbound ICMP, and the addition of the 10k section which includes rules necessary for unassociated inbound traffic. Allowing source quench is not recommended, and stateful pings will allow replies.

The goal of this ruleset is to be secure but do no harm.  The base ruleset should never have to be edited by a user because customizations can be placed in local rulesets that are not overwritten when the base ruleset is upgraded.

Much more detail is available in the inline comments in the rules files, all available at the same link above.

By Curby


I don’t have one, but Chris Pepper has configured a bunch of servers. I’ll ask him to poke in these forums and he might have an answer…

By rmogull


I am trying to configure the firewall on my Mac OS X Tiger server in GUI mode but it seems a bit confusing. Can anyone point me in the right direction? I just want to do the following.

First I want to block all traffic to my server, then
I would like to allow a certain subnet to the server,
and allow all outgoing traffic from my server.

Is there any step-by-step guide?

By Cool BRO


[...] Even though new boxes will be shipping with Leopard, the Tiger Security Configuration Guide - approved by our friends at the NSA & Apple - provides a good starting point for boosting the security profile of your desktop. If you’re really the adventurous type, you can even make your Leopard firewall experience a bit more secure. [...]

By 2007 Apple Year in Review: Security - The Apple Bl


I have found this rule to be effective

00500 deny ip from any to any not verrevpath

Filters out packets from machines pretending to be someone other than who they are.

By loop


[...] Help Build The Best IPFW Firewall Rules Sets Ever [...]

By 101 FreeBSD Ipfw resources | Learning On Demand


Please choose a different name for your Web pages.

"bla | securosis.com"

is not a good name for either bookmarks or the files that are saved from the Web pages.

Thanks

Keep up the good work

By Foo


Hey thanks Rich! :) Here’s my updated list, although I think there’s only one line difference and that’s for DHCP in. Wasn’t really using it when I originally posted, but here it is:

00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00500 check-state
00501 deny log ip from any to any frag
00502 deny log tcp from any to any established in
01500 allow udp from any 67 to any dst-port 68 in
01501 allow udp from 10.100.0.0/24 5353 to any dst-port 1024-65535 in
01700 allow icmp from any to any icmptypes 3
01701 allow icmp from any to any icmptypes 4
01702 allow icmp from any to any icmptypes 8 out
01703 allow icmp from any to any icmptypes 0 in
01704 allow icmp from any to any icmptypes 11 in
65500 allow tcp from me to any keep-state
65501 allow udp from me to any keep-state
65534 deny log ip from any to any
65535 allow ip from any to any

...I’ll be interested to see what you and Chris come up with, I saw the note on one of the posts today (11/15/2007).

—windexh8er

By windexh8er

