
caligula357 (macrumors member, original poster; joined Dec 31, 2006; U.K.)
OK,
I have enabled it, and put it in stealth mode.

How do I set it up to allow Firefox access? I couldn't see Firefox in the list of applications :(

Thanks

:apple: n00b
 
The built-in firewall only protects your computer from incoming connections. It does not limit, report or otherwise affect outgoing connections, so no setup should be required for individual applications.

This could be seen as a weakness in the current implementation...
 
ipfw2 from the GUIfied control that Apple throws in doesn't affect outbound connections, but it CAN, if one configures it via the command line.
 
When the firewall is set to 'on', web pages don't load.

When the firewall is set to 'off', everything is fine.

:confused:
 
Set the firewall to 'on'. Open Terminal.app. Type in:

sudo ipfw list

And then copy & paste the results here in a response.
 
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any


Safari connects to pages regardless of whether the firewall is switched on/off though...

Cheers
 
That makes no sense. Firefox and Safari use the same outbound facility.

And your ipfw implementation isn't blocking anything outbound.

Actually... this is an odd rule:

12190 deny tcp from any to any

Who added that one? What does it appear as in the GUIfied list?

My box in "stealth mode" looks very different.

Code:
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 3283 in
02080 allow tcp from any to any dst-port 5900 in
02090 allow tcp from any to any dst-port 22 in
02100 allow tcp from any to any dst-port 548 in
02110 allow tcp from any to any dst-port 427 in
02120 allow tcp from any to any dst-port 80 in
02130 allow tcp from any to any dst-port 427 in
02140 allow tcp from any to any dst-port 443 in
12190 deny tcp from any to any
20000 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any

I'd say, find that rule and remove it.

"Stealth Mode" should be the deny icmp types line, as it's all about ignoring pings. I don't know what rule that is in yours. But get rid of it and restart the firewall and you'll be fine.
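As an added example (not something anyone posted in the thread), the following POSIX shell/awk script replays ipfw's first-match evaluation over the rules listed above, using the rule lines from the two `sudo ipfw list` outputs in the thread (the stealth-mode ICMP rule from the second listing is included). The packet model and the treatment of the `me` operand are simplifying assumptions of this example, not ipfw's real matching code.

```shell
#!/bin/sh
# Added example: a first-match simulator for the ipfw listing posted in the
# thread. Rules are copied from the thread's `sudo ipfw list` output; the
# packet model below is a simplification for illustration.
RULES='02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
20000 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any'

# ipfw_trace DIR PROTO SRC DST DPORT ESTABLISHED IFACE [ICMPTYPE]
#   DIR         in | out
#   PROTO       tcp | udp | icmp
#   ESTABLISHED 1 if the TCP segment carries ACK or RST (ipfw "established"), else 0
# Prints "RULENUM ACTION" for the first rule the packet matches. ipfw walks
# its list in rule-number order and stops at the first match, so a rule
# only matters for packets that no earlier rule has already decided.
ipfw_trace() {
    printf '%s\n' "$RULES" | awk -v dir="$1" -v proto="$2" -v src="$3" -v dst="$4" \
        -v dport="$5" -v est="$6" -v iface="$7" -v icmptype="${8:-0}" '
    # Does address ADDR fall inside rule operand NET? Only the operands that
    # occur in the listing are understood. "me" (any address of the local
    # host) is approximated as "the local host is the destination of any
    # inbound packet" - an assumption of this example.
    function in_net(addr, net,    a, first) {
        if (net == "any") return 1
        if (net == "me")  return (dir == "in")
        split(addr, a, ".")
        first = a[1] + 0
        if (net == "127.0.0.0/8") return first == 127
        if (net == "224.0.0.0/3") return first >= 224
        return 0
    }
    {
        # Layout of every line: NUM ACTION PROTO from SRC to DST [options...]
        num = $1; action = $2; rproto = $3; rsrc = $5; rdst = $7
        ok = 1
        if (rproto != "ip" && rproto != proto) ok = 0
        if (ok && !in_net(src, rsrc)) ok = 0
        if (ok && !in_net(dst, rdst)) ok = 0
        for (i = 8; i <= NF && ok; i++) {
            if (($i == "in" || $i == "out") && $i != dir) ok = 0
            if ($i == "established" && est != 1) ok = 0
            # "via lo*": interface name must start with the part before "*"
            if ($i == "via") { i++; pat = $i; sub(/\*$/, "", pat); if (index(iface, pat) != 1) ok = 0 }
            if ($i == "dst-port") { i++; if ($i + 0 != dport + 0) ok = 0 }
            if ($i == "icmptypes") { i++; if ($i + 0 != icmptype + 0) ok = 0 }
        }
        if (ok) { print num, action; exit }
    }'
}

# Walk a browser connection through the list, then two unsolicited inbound cases.
# Addresses are constructed sample values.
printf 'browser SYN out to 209.85.165.147:80 -> %s\n' \
    "$(ipfw_trace out tcp 192.168.1.10 209.85.165.147 80 0 en0)"
printf 'SYN-ACK reply coming back in     -> %s\n' \
    "$(ipfw_trace in tcp 209.85.165.147 192.168.1.10 49152 1 en0)"
printf 'unsolicited SYN in to port 22    -> %s\n' \
    "$(ipfw_trace in tcp 203.0.113.5 192.168.1.10 22 0 en0)"
printf 'inbound ping (ICMP echo request) -> %s\n' \
    "$(ipfw_trace in icmp 203.0.113.5 192.168.1.10 0 0 en0 8)"
```

Running it shows why the responders expected a browser to keep working: the outbound SYN is decided by 02050 and the server's SYN-ACK by 02060 (it carries ACK, so it counts as "established"), and 12190 is only reached by unsolicited inbound TCP. It also makes visible that this listing filters only TCP and echo requests; an inbound UDP datagram falls all the way through to 65535.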
 
OK, I'm a noob to Mac OS X; how would I go about removing that rule?

Could it be possible to wipe/reset all the rules through Terminal, then rebuild them from scratch?
 
Turn off the firewall.
Trash the file /Library/Preferences/com.apple.sharing.firewall.plist
Turn on the firewall.

You're back to default.
 
Done that, but it still does the same thing.

Perhaps I have to manually create a rule for Firefox with the ports it needs?
 
Nope, I have not set anything like that.

I only get the problem with Firefox when the firewall is started. It doesn't seem to affect Safari though.

EDIT: my mistake, Safari doesn't work either with the firewall on (it navigates Apple's website though...)
 
Perhaps I have to manually create a rule for Firefox with the ports it needs?

No. Outbound connections should NOT be affected.

So, you turned off the firewall, removed that file (the one in the root library, not one in your home directory's library, correct?), and then restarted the firewall?

And what is the new output of sudo ipfw list?
 
The Terminal gives exactly the same values as before.
I only have 'network time' ticked in the firewall box, if that makes any difference.

The fact that Firefox/Safari connect when the firewall is off, and don't connect when the firewall is active, narrows it down to something the firewall is (or isn't) doing.

Is it possible for me to import someone else's com.apple.sharing.firewall.plist, to see if that makes a difference?

Cheers.
 
That makes no sense. If the rules have changed, then the changes should be evident in the firewall output.

What version of OS X are you running?

Have you ever downloaded and used BrickHouse or something else to fiddle with the firewall?
 
Only had the MacBook a couple of days. Running Tiger.

I did run Software Update; maybe they put out a duff security update or something.

Never installed any other firewall apps.

I think I might just have to run with no firewall, or maybe I might download a 3rd-party firewall sometime.

Although it would be nice to use the built-in one!

Cheers.
 
I don't understand how you're getting what you're getting, just to go over it..
Follow these steps:

1) turn off the firewall

2) enter sudo ipfw list in the Terminal. If the output is ANYTHING other than "65535 allow ip from any to any", then post back. There's something else wrong. If that is the output, move onto step 3.

3) remove the file called "com.apple.sharing.firewall.plist" from the /Library/Preferences/ folder

4) turn on the firewall

5) enter sudo ipfw list in the Terminal. Post the output here.
 
Just as a side note, if you have a NAT router between you and the Internet, having the OS X firewall on really isn't that big a deal.

That said, the built-in firewall shouldn't limit outgoing connections at all, as previously noted, so I think there's something else we don't know. Can you describe your network setup, caligula357?
 
Terminal shows "65535 allow ip from any to any" only with the firewall off.

With the firewall turned on, it shows all the entries I posted before.

Software updates still connect and work with the firewall on, so it seems it only affects Safari and Firefox. Maybe they are in conflict or something?
 
No.. no, no conflict. This is the rule entry that is screwing you up: 12190 deny tcp from any to any.

Did you remove the file or not?
 
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any


Safari connects to pages regardless of whether the firewall is switched on/off though...

Cheers

Mine looks like that with file sharing, AIM, and MSN Messenger ports open but I run Firefox as my primary browser.

It sounds more like it's something with the browser itself.
 
With the "12190 deny tcp from any to any" line?
I can't seem to duplicate that on any of the tiger boxes in reach, of which there are 6.

For what it's worth, Software Update connects to a website.. so it makes little sense that other web browsers don't work.

Try this then:

Turn on the firewall and go to: http://209.85.165.147

Does it work?
 
Nope, Safari and Firefox both refuse to load that link.

I did trash the file like you said, but it seems to create a new one exactly the same as before. I might try to delete/reinstall Firefox to see if that remedies it.

How would I remove '12190 deny tcp from any to any' from the rule list?


PS, I do have a NAT firewall on my wireless router, that is set up to allow certain ports for Windows machines I have, i.e. torrents etc., but the fact that I can connect to it without the firewall on says to me that it's all down to either the Mac OS X firewall, and/or Firefox and Safari.

Thanks again.
 
There are lots of things that can go wrong for your browser not to work; certainly the firewall is one part, perhaps the browsers or other applications also.

- You don't have or haven't had "Little Snitch" installed by any chance?
- Your browsers aren't configured to work with a proxy?
- If you go into Terminal and ping the above address, i.e.
Code:
ping 209.85.165.147
What is the result then, both with the firewall on and off?
- You mentioned that you activated stealth mode (why?): is this still on?


What would also be very interesting is to paste the last portion of the firewall log. Go into SHARING, choose the Firewall tab, click on Advanced and then 'Enable log', and, with the firewall on, try to connect via Safari or Firefox to the internet.

After that come back to the Firewall tab, and click on the Log button - copy and paste the last few pages of entries in the firewall log here so we can see what happens...
 