Go Back   MacRumors Forums > Apple Systems and Services > OS X

Old Jan 22, 2013, 01:17 PM   #1
ghostpaladin
macrumors newbie
 
Join Date: Jan 2013
Configuring ipfw on OS X

Good day everyone. My problem is the following:

I have a MacBook Pro with OS X 10.5.8 with squid and ipfw running as a proxy.

In my company I don't want people to connect to Facebook or Twitter.

My squid configuration is running correctly; my only problem is configuring ipfw to force users to use port 8080. My ipfw conf is:

Code:
00010 divert 8668 ip from any to any via en0
00100 allow ip from any to any via lo*
01010 allow ip from 10.0.2.0/24 to me dst-port 8080
01011 allow ip from me to any
65535 allow ip from any to any
en0 being my internet connection and en1 my AirPort shared connection.

The problem is that users can still connect to the internet without configuring their proxies. What am I doing wrong?
Old Jan 22, 2013, 01:44 PM   #2
freejazz-man
macrumors regular
 
Join Date: May 2010
The rule seems to allow anything to you on 8080.

Given there isn't an implicit deny-all after it, you aren't actually blocking anything.

Firewall rules are supposed to end with a deny-all so that the only allowances are those that you specified, but you end your ruleset with an allow any any, which will allow port 80 traffic through your firewall. You also might want to consider HTTPS traffic, which runs on 443.

So your solution is to either specifically deny port 80 (and 443) traffic, or to put in a 'deny-all'.

If you go the 'deny-all' route, you are going to have to make a lot of other outbound rules as well.
Old Jan 22, 2013, 03:38 PM   #3
ghostpaladin
Thread Starter
macrumors newbie
 
Join Date: Jan 2013
I tried

I tried this:

Code:
sudo ipfw add 65534 deny ip from any to any
but it doesn't let me browse, even after configuring the browser to use port 8080.
Any ideas?
Old Jan 22, 2013, 04:41 PM   #4
freejazz-man
macrumors regular
 
Join Date: May 2010
OK, so I did some googling and it seems ipfw already has the implicit deny-all:

"When a packet enters the firewall it is compared against the first rule in the ruleset and progresses one rule at a time moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rule's action field value is executed and the search of the ruleset terminates for that packet. This is referred to as “the first match wins” search method. If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule, number 65535 which denies all packets and discards them without any reply back to the originating destination."

It looks like you might've originally written over that rule because you used rule #65535 to make an allow-all. But upon further review I think I might have found the culprit:

"00010 divert 8668 ip from any to any via en0"

I think this might be the problem - every bit of traffic is going to hit it as long as it is IP and from any to any.

You might want to try from en1 to en0 or something more specific.
Old Jan 23, 2013, 07:56 AM   #5
Bear
macrumors G3
 
Join Date: Jul 2002
Location: Sol III - Terra
Quote:
Originally Posted by ghostpaladin View Post
...
The problem is that user still can connect to internet without configuring their proxies. what am I doing wrong?
What you're probably doing wrong is that your network setup is probably not forcing people to go through the proxy system. You would need your networking gear configured to block all web access except for what is going through the proxy server.

And you need to figure out what else you want blocked and what people need to be allowed access to.

Of course without a rough network diagram and such, it's hard to troubleshoot the issue.

You might be better off hiring a networking consultant for a few hours to have things set up the way you want.
Old Jan 23, 2013, 08:14 AM   #6
blueroom
macrumors 603
 
blueroom's Avatar
 
Join Date: Feb 2009
Location: Toronto, Canada
Get a router that supports IP blocking. Why on earth are you doing this on your Mac?
Old Jan 23, 2013, 12:19 PM   #7
freejazz-man
macrumors regular
 
Join Date: May 2010
Quote:
Originally Posted by Bear View Post
What you're probably doing wrong is that your network setup is probably not forcing people to go through the proxy system. You would need your networking gear configured to block all web access except for what is going through the proxy server.
That's what he is trying to do with ipfw - that's what we've been trying to troubleshoot.
Old Jan 23, 2013, 01:17 PM   #8
Bear
macrumors G3
 
Join Date: Jul 2002
Location: Sol III - Terra
Quote:
Originally Posted by freejazz-man View Post
that's what he is trying to do with ipfw - that's what we've been trying to troubleshoot
That doesn't work unless all internet traffic goes through the Mac.

It sounds like he's only expecting web traffic to route through the Mac. Or at least that the setup allows the local machines to connect to the internet.
Old Jan 23, 2013, 03:03 PM   #9
ElectricSheep
macrumors 6502
 
Join Date: Feb 2004
Location: Wilmington, DE
Assuming that your machine is acting as the gateway for your office with en0 being the WAN interface and en1 being the LAN interface, you need to add a forwarding rule to ipfw:

fwd 127.0.0.1,8080 from 10.0.2.0/24 to any dst-port 80
Old Jan 23, 2013, 08:10 PM   #10
ghostpaladin
Thread Starter
macrumors newbie
 
Join Date: Jan 2013
Quote:
Originally Posted by blueroom View Post
Get a router that supports IP blocking. Why on earth are you doing this on your Mac?
Because something is wrong with the video card in this MacBook.
I prefer to give it a better use than throwing it away =)
Old Jan 23, 2013, 08:26 PM   #11
ghostpaladin
Thread Starter
macrumors newbie
 
Join Date: Jan 2013
Quote:
Originally Posted by Bear View Post
That doesn't work unless all internet traffic goes through the Mac.

It sounds like he's only expecting web traffic to route through the Mac. Or at least that the setup allows the local machines to connect to the internet.
That is exactly the situation, my friend...
http://www.flickr.com/photos/92528398@N07/8410290120/

Quote:
Originally Posted by ElectricSheep View Post
Assuming that your machine is acting as the gateway for your office with en0 being the WAN interface and en1 being the LAN interface, you need to add a forwarding rule to ipfw:

fwd 127.0.0.1,8080 from 10.0.2.0/24 to any dst-port 80
But that is for a transparent proxy, isn't it?

I can't use a transparent proxy right now.
Old Jan 24, 2013, 09:46 AM   #12
freejazz-man
macrumors regular
 
Join Date: May 2010
OK - I'm positive you aren't using the divert rule appropriately.

http://unix.stackexchange.com/questi...ve-to-ipfw-fwd

From the link:

"No, you can't. divert can be used only with software that listens on sockets created with IPPROTO_IPDIVERT, but proxy servers usually listen on TCP ports."

Does your version of ipfw allow for a forwarding rule? That might be more appropriate.
Old Jan 24, 2013, 11:44 AM   #13
ElectricSheep
macrumors 6502
 
Join Date: Feb 2004
Location: Wilmington, DE
Quote:
Originally Posted by ghostpaladin View Post
That is exactly the situation, my friend...
http://www.flickr.com/photos/92528398@N07/8410290120/

But that is for a transparent proxy, isn't it?

I can't use a transparent proxy right now.
Well, if your aim is simply to block all traffic, then I suggest doing what freejazz-man suggested and blocking all traffic destined for the outside world on ports 80 and 443:

Code:
deny tcp from 10.0.2.0/24 to any dst-port 80 via en1
deny tcp from 10.0.2.0/24 to any dst-port 443 via en1

Coupled with your allow on port 8080, users will be forced to configure their proxies.

Quote:
Originally Posted by freejazz-man View Post
Ok - I'm positive you aren't using the divert rule appropriately.
The divert rule is for NAT. Port 8668 is commonly chosen for natd to listen on.
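The first-match behaviour argued about in this thread can be checked without a Mac. What follows is an added example, not code from any poster: a small simulator of ipfw's first-match rule search for the subset of syntax used here (allow/deny/divert, ip/tcp/udp, from/to with any, me, an address or a CIDR, dst-port, via, in/out). It runs the first post's ruleset and the same ruleset with the two deny rules above placed after the proxy allow against constructed packets from a LAN client as ipfw would see them arriving on en1. The gateway addresses (10.0.2.1 on en1, 203.0.113.10 on en0), the client 10.0.2.50 and the external host 198.51.100.20 are assumptions. divert is modelled on the assumption that natd is listening and reinjects the packet, so the search resumes at the next rule. The detail that decides the outcome is the last line of each ruleset: OS X's ipfw lists its default rule 65535 as allow, not the deny described in the FreeBSD text quoted in post #4, so a ruleset with no deny in it allows everything.

```python
"""Simulate ipfw's first-match rule search for the rule syntax in this thread.
Added example, not code from any poster: handles allow/deny/divert, ip/tcp/udp,
from/to (any, me, address, CIDR), dst-port, via, in/out; log/keep-state ignored."""
from collections import namedtuple
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Assumed gateway addresses: 10.0.2.1 on en1 (LAN), 203.0.113.10 on en0 (WAN).
ME = {ip_address("10.0.2.1"), ip_address("203.0.113.10")}
DEFAULT_RULE = (65535, "deny")   # used only if the ruleset has no explicit 65535
# Single-token criteria: protocol names and direction keywords.
SINGLE = {"ip": "proto", "tcp": "proto", "udp": "proto", "icmp": "proto",
          "in": "direction", "out": "direction"}
# One pass of a packet through the firewall on one interface.
Packet = namedtuple("Packet", "proto src dst dport iface direction")

def parse_rule(line):
    """Turn '00100 allow ip from any to any via lo*' into a match dict."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "proto": "ip", "from": "any",
            "to": "any", "dst-port": None, "via": None, "direction": None}
    i = 3 if rule["action"] in ("divert", "fwd", "skipto") else 2  # skip port/target
    while i < len(tok):
        t = tok[i]
        if t in ("from", "to", "dst-port", "via"):   # keyword with one argument
            rule[t] = tok[i + 1]
            i += 2
        elif t in SINGLE:
            rule[SINGLE[t]] = t
            i += 1
        elif t == "logamount":        # logging options do not affect matching;
            i += 2                    # keep-state's dynamic rules are not modelled
        elif t in ("log", "keep-state"):
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule {rule['num']}")
    return rule

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return addr in ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (addr_matches(rule["from"], ip_address(pkt.src))
            and addr_matches(rule["to"], ip_address(pkt.dst))):
        return False
    if rule["dst-port"] is not None and (
            pkt.proto not in ("tcp", "udp") or pkt.dport != int(rule["dst-port"])):
        return False
    if rule["via"] is not None and not fnmatch(pkt.iface, rule["via"]):
        return False
    return rule["direction"] in (None, pkt.direction)

def evaluate(ruleset, pkt):
    """Return (rule number, action) of the rule that ends the search."""
    for rule in sorted(map(parse_rule, ruleset), key=lambda r: r["num"]):
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            # Assumes natd is listening and reinjects the packet, so the search
            # resumes at the next rule; with no listener ipfw would drop it.
            continue
        return rule["num"], rule["action"]
    return DEFAULT_RULE

# Ruleset from the first post (OS X lists its default rule 65535 as allow).
ORIGINAL = [
    "00010 divert 8668 ip from any to any via en0",
    "00100 allow ip from any to any via lo*",
    "01010 allow ip from 10.0.2.0/24 to me dst-port 8080",
    "01011 allow ip from me to any",
    "65535 allow ip from any to any",
]
# Same, with the two deny rules above after the proxy allow and a real deny-all.
FIXED = ORIGINAL[:4] + [
    "01020 deny tcp from 10.0.2.0/24 to any dst-port 80 via en1",
    "01021 deny tcp from 10.0.2.0/24 to any dst-port 443 via en1",
    "65535 deny ip from any to any",
]
# Constructed packets from a LAN client, as ipfw sees them arriving on en1.
SAMPLES = {
    "direct http":  Packet("tcp", "10.0.2.50", "198.51.100.20", 80, "en1", "in"),
    "direct https": Packet("tcp", "10.0.2.50", "198.51.100.20", 443, "en1", "in"),
    "to proxy":     Packet("tcp", "10.0.2.50", "10.0.2.1", 8080, "en1", "in"),
    "port 8443":    Packet("tcp", "10.0.2.50", "198.51.100.20", 8443, "en1", "in"),
}

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in SAMPLES.items():
            num, action = evaluate(rs, pkt)
            print(f"{name:8} {label:12} -> rule {num:5d} {action}")
```

Run with python3 and it prints, per ruleset and packet, the rule that terminated the search: the direct port 80 request falls through to 65535 allow in the original ruleset and is stopped by 01020 in the fixed one, while the request to the proxy on 8080 is accepted by 01010 in both. The "port 8443" packet shows the cost freejazz-man pointed out: once 65535 is a deny, anything not explicitly allowed is dropped, which is why DNS, mail and the NAT'd second pass of the same packet leaving on en0 (the keep-state rules in the later ruleset cover the replies) all need rules of their own. Only the inbound pass on en1 is modelled here.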
Old Jan 24, 2013, 12:18 PM   #14
freejazz-man
macrumors regular
 
Join Date: May 2010
Right - and seeing as he hasn't configured natd to forward the packets via the path outlined in his firewall rules - it's not going to work.
Old Jan 24, 2013, 02:05 PM   #15
ghostpaladin
Thread Starter
macrumors newbie
 
Join Date: Jan 2013
OK. I deleted the divert rule and modified my ruleset as follows:

Code:
00100 allow ip from any to any via lo*
00110 allow ip from 10.0.2.0/24 to me dst-port 8080
00130 allow tcp from any to any out keep-state
00140 allow udp from any to any out keep-state
00150 allow tcp from any to any dst-port 22
00160 allow udp from any to any dst-port 67
00170 allow udp from any to any dst-port 68
01010 allow tcp from any to me dst-port 80 in
01011 allow tcp from any 80 to any out
01012 allow tcp from me to any dst-port 80 out
65534 deny log logamount 1000 ip from any to any in
65535 allow ip from any to any
I'm aware that some rules are not necessary, but so far the proxy works exactly as I want.
My only remaining problem is this: which port do I need to open so that my LAN can send and receive mail in Microsoft Outlook? Does anybody know?

Quote:
Originally Posted by ElectricSheep View Post
Well, if your aim is simply to block all traffic, then I suggest doing what freejazz-man suggested and blocking all traffic destined for the outside world on ports 80 and 443:

deny tcp from 10.0.2.0/24 to any dst-port 80 via en1
deny tcp from 10.0.2.0/24 to any dst-port 443 via en1

Coupled with your allow on port 8080, users will be forced to configure their proxies.

The divert rule is for NAT. Port 8668 is commonly chosen for natd to listen on.
OK, ElectricSheep, thank you. I will try these rules after my allow on port 8080 to see how it works.
Old Jan 24, 2013, 03:58 PM   #16
freejazz-man
macrumors regular
 
Join Date: May 2010
It depends on the protocols being used, POP or IMAP.

Is your setup actually blocking attempts out to the web that don't go through the proxy?
Old Jan 24, 2013, 05:28 PM   #17
ghostpaladin
Thread Starter
macrumors newbie
 
Join Date: Jan 2013
Quote:
Originally Posted by freejazz-man View Post
it depends on the protocols being used, pop or imap.

is your setup actually blocking attempts out to the web that don't go through the proxy?
Yes, actually I'm denying all web connections except connections through port 8080, but since Microsoft Outlook cannot be configured to work with proxies I've decided to open just the ports necessary for it to work. But I'm not sure which ports I should open and which syntax to use to achieve that.
Old Jan 25, 2013, 12:53 AM   #18
freejazz-man
macrumors regular
 
Join Date: May 2010
You are denying all connections except for port 8080.

If you want me to take the time and write out a ruleset that I'm positive will work (and take the time to help you if it doesn't), you can PM me.

Otherwise, good luck at this point.
