Updated: See http://securosis.com/2007/11/15/ipfw-rules/.

Thanks to an email from John Baxter via MacInTouch, it looks like Apple posted some documentation on the new firewall that contains some really good news:

The Application Firewall does not overrule rules set with ipfw, because ipfw operates on packets at a lower level in the networking stack.

If true, this is some seriously good news. It means we can run ipfw rule sets in conjunction with the new firewall. Why would you want to do that? I plan on writing an ipfw rule set that allows file sharing, web, and ssh through and will use the GUI in the application firewall to allow or deny those services I sometimes want to open up without manually changing firewall rule sets.
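To make that plan concrete, here is an added example of the kind of ipfw rule set described above: file sharing (AFP on 548, SMB on 139/445), web (80/443) and ssh (22) are admitted inbound and everything else is denied, leaving the Application Firewall free to make per-application decisions on top. This is illustrative code written for this post, not the author's rule set; the rule numbers, port choices and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal Leopard-style ipfw rule
# set that admits only file sharing, web and ssh inbound. Rule numbers and the
# helper names are assumptions chosen for this illustration.

# Print the rule set, one "ipfw add" argument string per line.
# ipfw evaluates rules in ascending number order and stops at the first match,
# so ordering is the security-relevant part: loopback first, then replies to
# connections we opened (check-state), then the explicitly allowed services,
# then a logged deny ahead of the implicit default rule 65535.
leopard_ipfw_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny log ip from any to 127.0.0.0/8
add 00300 deny log ip from 127.0.0.0/8 to any
add 00400 check-state
add 00500 allow tcp from me to any out setup keep-state
add 00510 allow udp from me to any out keep-state
add 00520 allow icmp from any to any icmptypes 0,3,8,11
add 01000 allow tcp from any to me 22 in setup keep-state
add 01010 allow tcp from any to me 80,443 in setup keep-state
add 01020 allow tcp from any to me 548 in setup keep-state
add 01030 allow tcp from any to me 139,445 in setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of rules that open an inbound listening port, so a reviewer can see
# the exposed surface at a glance before loading the set.
inbound_rule_count() {
    leopard_ipfw_rules | grep -c ' in setup '
}

# Load the rules into the live firewall. Only works on a host with ipfw and
# needs root; flushes the existing set first so stale rules do not linger.
apply_leopard_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available here" >&2; return 1; }
    ipfw -f flush
    leopard_ipfw_rules | while read -r rule; do
        # Word-splitting of $rule is intentional: each line is one argument list.
        # shellcheck disable=SC2086
        ipfw $rule
    done
    ipfw list
}

if [ "${1:-}" = "--apply" ]; then
    apply_leopard_rules
fi
```

Logged denies only reach the system log when net.inet.ip.fw.verbose is enabled via sysctl; check that before relying on the log lines for detection.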

Sigh, if only I’d known this earlier! I won’t have a chance to test today, so please let me know in the comments if the application firewall overrides your ipfw rule sets.

This should help us create the best Leopard ipfw rule set.