OS X built-in firewall

Discussion in 'macOS' started by caligula357, Jan 23, 2007.

  1. caligula357 macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #1
    OK,
    I have enabled it, and put it in stealth mode.

    How do I set it up to allow Firefox access? I couldn't see Firefox in the list of applications :(


    thanks

    :apple: n00b
     
  2. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #2
    The built-in firewall only protects your computer from incoming connections. It does not limit, report or otherwise affect outgoing connections, so no setup should be required for individual applications.

    This could be seen as a weakness in the current implementation...
     
  3. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #3
    ipfw2 from the GUIfied control that Apple throws in doesn't affect outbound connections, but it CAN, if one configures it via the command line.
     
  4. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #4
    When the firewall is set to 'on', web pages don't load.

    When the firewall is set to 'off', everything is fine.

    :confused:
     
  5. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #5
    Set the firewall to 'on'. Open Terminal.app. Type in:

    sudo ipfw list

    And then copy & paste the results here in a response.
     
  6. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #6
    02000 allow ip from any to any via lo*
    02010 deny ip from 127.0.0.0/8 to any in
    02020 deny ip from any to 127.0.0.0/8 in
    02030 deny ip from 224.0.0.0/3 to any in
    02040 deny tcp from any to 224.0.0.0/3 in
    02050 allow tcp from any to any out
    02060 allow tcp from any to any established
    12190 deny tcp from any to any
    65535 allow ip from any to any


    Safari connects to pages regardless of whether the firewall is switched on or off, though...

    cheers
     
  7. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #7
    That makes no sense. Firefox and Safari use the same outbound facility.

    And your ipfw implementation isn't blocking anything outbound.

    Actually... this is an odd rule:

    12190 deny tcp from any to any

    Who added that one? What does it appear as in the GUIfied list?

    My box in "stealth mode" looks very different.

    Code:
    02000 allow ip from any to any via lo*
    02010 deny ip from 127.0.0.0/8 to any in
    02020 deny ip from any to 127.0.0.0/8 in
    02030 deny ip from 224.0.0.0/3 to any in
    02040 deny tcp from any to 224.0.0.0/3 in
    02050 allow tcp from any to any out
    02060 allow tcp from any to any established
    02070 allow tcp from any to any dst-port 3283 in
    02080 allow tcp from any to any dst-port 5900 in
    02090 allow tcp from any to any dst-port 22 in
    02100 allow tcp from any to any dst-port 548 in
    02110 allow tcp from any to any dst-port 427 in
    02120 allow tcp from any to any dst-port 80 in
    02130 allow tcp from any to any dst-port 427 in
    02140 allow tcp from any to any dst-port 443 in
    12190 deny tcp from any to any
    20000 deny icmp from any to me in icmptypes 8
    65535 allow ip from any to any
    
    I'd say, find that rule and remove it.

    "Stealth Mode" should be the deny icmp types line, as it's all about ignoring pings. I don't know what rule that is in yours. But get rid of it and restart the firewall and you'll be fine.
     
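The two rule lists above, run through an added first-match evaluator. This is example code written for this page, not code from the thread, from ipfw or from Apple; it parses the quoted `sudo ipfw list` text literally and walks it in rule-number order, stopping at the first rule that matches, which is how ipfw decides what happens to a packet. It assumes the Mac's own address is 192.168.1.10 (so that "me" resolves), that traffic arrives on interface en1, and it uses a made-up remote host 198.51.100.7; the web address 209.85.165.147 is the test URL yellow posts later in the thread.

```python
# Added example, not from the thread: a toy first-match evaluator for the `sudo ipfw list`
# output quoted above, walked in rule-number order the way ipfw itself decides a packet's fate.
import fnmatch
import ipaddress
import re

# caligula357's rule list, verbatim from the thread.
OP_RULES = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any
"""
# The rules yellow's stealth-mode box has in addition to the ones above.
STEALTH_EXTRA = """\
02070 allow tcp from any to any dst-port 3283 in
02080 allow tcp from any to any dst-port 5900 in
02090 allow tcp from any to any dst-port 22 in
02100 allow tcp from any to any dst-port 548 in
02110 allow tcp from any to any dst-port 427 in
02120 allow tcp from any to any dst-port 80 in
02130 allow tcp from any to any dst-port 427 in
02140 allow tcp from any to any dst-port 443 in
20000 deny icmp from any to me in icmptypes 8
"""
LOCAL_ADDRS = {"192.168.1.10"}  # assumed address of the Mac, i.e. ipfw's "me"
RULE_RE = re.compile(r"^(\d+) (allow|deny) (ip|tcp|udp|icmp) from (\S+) to (\S+)(.*)$")
def parse_rules(text):
    """Parse `ipfw list` lines into dicts sorted by rule number; unknown options raise."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        num, action, proto, src, dst, opts = m.groups()
        rule = dict(num=int(num), action=action, proto=proto, src=src, dst=dst, dir=None,
                    dst_port=None, established=False, icmptypes=None, via=None)
        toks = opts.split()
        while toks:
            tok = toks.pop(0)
            if tok in ("in", "out"):
                rule["dir"] = tok
            elif tok == "established":
                rule["established"] = True
            elif tok == "dst-port":
                rule["dst_port"] = int(toks.pop(0))
            elif tok == "icmptypes":
                rule["icmptypes"] = {int(t) for t in toks.pop(0).split(",")}
            elif tok == "via":
                rule["via"] = toks.pop(0)
            else:
                raise ValueError(f"unknown option {tok!r} in {line!r}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return all((
        rule["proto"] in ("ip", pkt["proto"]),
        addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"]),
        rule["dir"] in (None, pkt["dir"]),
        rule["via"] is None or fnmatch.fnmatch(pkt["iface"], rule["via"]),
        rule["dst_port"] in (None, pkt.get("dst_port")),
        # "established" matches TCP segments carrying ACK or RST, i.e. anything but a bare SYN
        not rule["established"] or bool(pkt["flags"] & {"ACK", "RST"}),
        rule["icmptypes"] is None or pkt.get("icmptype") in rule["icmptypes"],
    ))

def evaluate(rules, pkt):
    for rule in rules:  # first match wins, exactly like ipfw
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("nothing matched; rule 65535 should always be present")

def packet(proto, src, dst, direction, **extra):
    base = dict(proto=proto, src=src, dst=dst, dir=direction, iface="en1", flags=set())
    return {**base, **extra}

# Constructed traffic: a browser fetching 209.85.165.147, plus a connection and a ping from a made-up host.
WEB, ME, STRANGER = "209.85.165.147", "192.168.1.10", "198.51.100.7"
SYN_OUT = packet("tcp", ME, WEB, "out", dst_port=80, flags={"SYN"})
SYNACK_IN = packet("tcp", WEB, ME, "in", dst_port=49152, flags={"SYN", "ACK"})
UNSOLICITED_IN = packet("tcp", STRANGER, ME, "in", dst_port=80, flags={"SYN"})
PING_IN = packet("icmp", STRANGER, ME, "in", icmptype=8)
if __name__ == "__main__":
    for owner, text in (("caligula357", OP_RULES), ("yellow", OP_RULES + STEALTH_EXTRA)):
        for label, pkt in zip(("SYN out", "SYN-ACK in", "unsolicited SYN in", "ping in"),
                              (SYN_OUT, SYNACK_IN, UNSOLICITED_IN, PING_IN)):
            print(owner, label, "->", evaluate(parse_rules(text), pkt))
```

Running it shows what the two lists actually do: the browser's outbound SYN is accepted by 02050 in both, and the server's SYN-ACK reply by 02060 (it carries ACK, so it is "established"), long before 12190 is consulted. The lists only diverge for unsolicited inbound TCP (an inbound SYN to port 80 hits 02120 allow on yellow's box and 12190 deny on caligula357's) and for inbound echo requests (20000 deny under stealth, the 65535 catch-all otherwise).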
  8. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #8
    OK, I'm a noob to Mac OS X, how would I go about removing that rule?

    Could it be possible to wipe/reset all the rules through Terminal, then rebuild them from scratch?
     
  9. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #9
    turn off the firewall.
    trash the file /Library/Preferences/com.apple.sharing.firewall.plist
    turn on the firewall.

    You're back to default.
     
  10. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #10
    Done that, but still does the same thing.

    Perhaps I have to manually create a rule for Firefox with the ports it needs?
     
  11. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #11
    Are you using Privoxy or any similar local proxy-type things with your browser?
     
  12. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #12
    Nope, I have not set anything like that.

    I only get the problem with Firefox when the firewall is started. It doesn't seem to affect Safari though.

    EDIT: my mistake, Safari doesn't work either with the firewall on (it navigates Apple's website though...)
     
  13. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #13
    No. Outbound connections should NOT be affected.

    So, you turned off the firewall, removed that file (the one in the root library, not one in your home directory's library, correct?), and then restarted the firewall?

    And what is the new output of sudo ipfw list?
     
  14. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #14
    The Terminal gives exactly the same values as before.
    I only have 'network time' ticked in the firewall box, if that makes any difference.

    The fact that Firefox/Safari connect when the firewall is off, and don't connect when the firewall is active, narrows it down to something the firewall is (or isn't) doing.

    Is it possible for me to import someone else's com.apple.sharing.firewall.plist, to see if that makes a difference?

    Cheers.
     
  15. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #15
    That makes no sense. If the rules have changed, then the changes should be evident in the firewall output.

    What version of OS X are you running?

    Have you ever downloaded and used BrickHouse or something else to fiddle with the firewall?
     
  16. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #16
    Only had the MacBook a couple of days. Running Tiger.

    I did run Software Update, maybe they put out a duff security update or something.

    Never installed any other firewall apps.

    I think I might just have to run with no firewall, or maybe I might download a 3rd party firewall sometime.

    Although it would be nice to use the built-in one!

    Cheers.
     
  17. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #17
    That's super weird...

    Well, I'll test it on an Intel Mac, maybe things are different. Though I doubt it.

    EDIT:
     
  18. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #18
    I don't understand how you're getting what you're getting, just to go over it..
    Follow these steps:

    1) turn off the firewall

    2) enter sudo ipfw list in the Terminal. If the output is ANYTHING other than "65535 allow ip from any to any", then post back. There's something else wrong. If that is the output, move onto step 3.

    3) remove the file called "com.apple.sharing.firewall.plist" from the /Library/Preferences/ folder

    4) turn on the firewall

    5) enter sudo ipfw list in the Terminal. Post the output here.
     
  19. killmoms macrumors 68040

    killmoms

    Joined:
    Jun 23, 2003
    Location:
    Washington, DC
    #19
    Just as a side note, if you have a NAT router between you and the Internet, having the OS X firewall on really isn't that big a deal.

    That said, the built-in firewall shouldn't limit outgoing connections at all, as previously noted, so I think there's something else we don't know. Can you describe your network setup, caligula357?
     
  20. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #20
    Terminal shows "65535 allow ip from any to any" only with the firewall off.

    With the firewall turned on, it shows all the entries I posted before.

    Software updates still connect and work with the firewall on, so it seems it only affects Safari and Firefox. Maybe they are in conflict or something?
     
  21. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #21
    No.. no, no conflict. This is the rule entry that is screwing you up: 12190 deny tcp from any to any.

    Did you remove the file or not?
     
  22. bousozoku Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #22
    Mine looks like that with file sharing, AIM, and MSN Messenger ports open but I run Firefox as my primary browser.

    It sounds more like it's something with the browser itself.
     
  23. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #23
    With the "12190 deny tcp from any to any" line?
    I can't seem to duplicate that on any of the tiger boxes in reach, of which there are 6.

    For what it's worth, Software Update connects to a website.. so it makes little sense that other web browsers don't work.

    Try this then:

    Turn on the firewall and go to: http://209.85.165.147

    Does it work?
     
  24. caligula357 thread starter macrumors member

    caligula357

    Joined:
    Dec 31, 2006
    Location:
    U.K.
    #24
    Nope, Safari and Firefox both refuse to load that link.

    I did trash the file like you said, but it seems to create a new one exactly the same as before. I might try and delete/reinstall Firefox to see if that remedies it.

    How would I remove '12190 deny tcp from any to any' from the rule list?


    PS, I do have a NAT firewall on my wireless router, that is set up to allow certain ports for Windows machines I have, i.e. torrents etc., but the fact that I can connect to it without the firewall on says to me that it's all down to either the Mac OS X firewall, and/or Firefox and Safari.

    Thanks again.
     
  25. blaster_boy macrumors 6502

    blaster_boy

    Joined:
    Jan 31, 2004
    Location:
    Belgium
    #25
    There are lots of things that can go wrong to stop your browser working; certainly the firewall is one part, perhaps the browsers or other applications also.

    - You don't have, or haven't had, "Little Snitch" installed by any chance?
    - Your browsers aren't configured to work with a proxy?
    - If you go into Terminal and ping the above address, i.e.
    Code:
    ping 209.85.165.147
    
    What is the result then, both with the firewall on and off?
    - You mentioned that you activated stealth mode (why?): is this still on?


    What would also be very interesting is to paste the last portion of the firewall log. Go into Sharing, choose the Firewall tab, click on Advanced and then 'Enable log' and, with the firewall on, try to connect via Safari or Firefox to the internet.

    After that come back to the Firewall tab, and click on the Log button; copy and paste the last few pages of entries in the firewall log here so we can see what happens...
     
