Recently I purchased a 15" PowerBook G4 to use in cafe's and other public locations. Today I worked on securing the network interfaces. My approach is to use three different firewalls, Little Snitch, Apples Firewall and ipfw.
Little Snitch is used to control outbound traffic. Apples Firewall controls inbound traffic. ipfw controls both inbound and outbound traffic. By default ipfw contains a single rule allowing all inbound and outbound traffic. That means ipfw blocks (or allows) traffic -BEFORE- either Little Snitch or Apples Firewall see it (that's important to understand as you make and test ipfw rules).
For Little Snitch I disabled "Approve rules automatically", enabled "Mark new rules as unapproved" and disabled or edited several of the default rules. In Apples Firewall (accessed via the preference pane) I selected "Set access for specific services and applications". Finally for ipfw I created a custom list of rules and made the needed changes to ensure those rules are auto loaded when Leopard boots.
A good guide for configuring ipfw can be found in this blog post (http://blog.scottlowe.org/2012/04/05/setting-up-ipfw-on-mac-os-x/). For those shy using terminal there is a GUI for working with ipfw access rules called WaterRoof (http://www.hanynet.com/waterroof/).
Hopefully this brief overview of Firewalling for Leopard will help you stay safe while in public.
If you need to allow SSH, VNC or file sharing (APF) add the following lines as needed.
NOTE: Enabling access to these services on a machine that is used outside of the home / office (IE: in public) is NOT recommended. It exposes services that can be used to attack your machine.
If you want to log activity on any of these rules add log after the allow or deny command. For example: to log all blocked traffic change
to
By default logging is disabled - to enable logging enter the following at the command line (terminal):
$ sudo sysctl -w net.inet.ip.fw.verbose=1
the change will take effect immediately. Note that this change will not survive a reboot.
Little Snitch is used to control outbound traffic. Apples Firewall controls inbound traffic. ipfw controls both inbound and outbound traffic. By default ipfw contains a single rule allowing all inbound and outbound traffic. That means ipfw blocks (or allows) traffic -BEFORE- either Little Snitch or Apples Firewall see it (that's important to understand as you make and test ipfw rules).
For Little Snitch I disabled "Approve rules automatically", enabled "Mark new rules as unapproved" and disabled or edited several of the default rules. In Apples Firewall (accessed via the preference pane) I selected "Set access for specific services and applications". Finally for ipfw I created a custom list of rules and made the needed changes to ensure those rules are auto loaded when Leopard boots.
A good guide for configuring ipfw can be found in this blog post (http://blog.scottlowe.org/2012/04/05/setting-up-ipfw-on-mac-os-x/). For those shy using terminal there is a GUI for working with ipfw access rules called WaterRoof (http://www.hanynet.com/waterroof/).
Hopefully this brief overview of Firewalling for Leopard will help you stay safe while in public.
Code:
# Allow DHCP
add allow udp from any 67 to any dst-port 68 in
# Set up stateful traffic rules
add check-state
add allow tcp from me to any keep-state
add allow udp from me to any keep-state
# Allow outbound ip - TinyFirewall controls traffic
add allow ip from any to any out
# Allow ping replies
add allow icmp from any to me icmptypes 0,3,11 in
# Block all inbound ip traffic not matched by a previous rule
add 65000 reject udp from any to any in
add deny icmp from any to any in
add deny ip from any to any inIf you need to allow SSH, VNC or file sharing (APF) add the following lines as needed.
NOTE: Enabling access to these services on a machine that is used outside of the home / office (IE: in public) is NOT recommended. It exposes services that can be used to attack your machine.
Code:
# Allow inbound SSH
add allow tcp from any to any 22 keep-state setup
# Allow inbound VNC Connections
add allow tcp from any to any 3283 keep-state setup
add allow tcp from any to any 5900 keep-state setup
# Allow inbound APF Connections
add allow tcp from any to any 548 keep-state setupIf you want to log activity on any of these rules add log after the allow or deny command. For example: to log all blocked traffic change
Code:
# Block all inbound ip traffic not matched by a previous rule
add 65000 reject udp from any to any in
add deny icmp from any to any in
add deny ip from any to any into
Code:
# Block all inbound ip traffic not matched by a previous rule
add 65000 reject log udp from any to any in
add deny log icmp from any to any in
add deny log ip from any to any inBy default logging is disabled - to enable logging enter the following at the command line (terminal):
$ sudo sysctl -w net.inet.ip.fw.verbose=1
the change will take effect immediately. Note that this change will not survive a reboot.
Last edited:
