Block outside connections from local web server?

[svenr]

I activated PHP and run the built-in (Mac OS X 10.5.8, PPC) Apache server for web development. I only access this content locally with http://localhost/ and do not want to serve it up to the net.

However, my server is accessible through the IP address and I see in my Apache access log that I'm constantly being scanned by some scammers with IPs in China and Russia looking for certain exploitable files. My Apache doesn't have them, so it serves a 404 error.

I would much prefer those connections blocked before they even reach Apache. I looked under System Prefs > Security > Firewall but the settings are way too rough. If I set it to "Access for specific services and applications", I can only choose GUI applications in the Applications folder, but not UNIX processes like Apache or Tor.

How can I make it so that my web server is only available for local access while services like Tor, Bittorrent etc. still work?

 

[munkery]

You could try using CLI to block the port used by the service using the packet filter built into OS X (IPFW).

NoobProof is a GUI to modify IPFW rules if you don't want to mess with CLI if you don't have too. NoobProof also makes it easy to set up IPFW to perform stateful packet inspection.

 

[svenr]

Thanks!

Didn't know the built-in firewall is actually that flexible. I tried to do it the manual way through CLI at first, but meh, why torture myself. Then I just downloaded that GUI and it works like a charm.

 

[munkery]

The firewall system in Mac OS X has three components: application firewall (system preferences), packet filter (IPFW via CLI), and sandboxing (TrustedBSD MAC framework for some services - including those using webkit2 in Mac OS X Lion).

Quite flexible once you get to know how to use all the parts.

 

[svenr]

I have another question about this.

I activated both the System Prefs firewall and IPFW via NoobProof. I set NoobProof to allow connections to port 80 (web server) only from localhost, blocked a few other ports completely (SSH, VPN etc) and allowed all others (because denying all others broke things like Tor).

I noticed the System Prefs firewall is now asking every now and then whether to allow or deny connections to specific applications. So that is how I can select UNIX processes like Apache or Tor, which I thought earlier wasn't possible. Obviously, system preferences is application-focused while NoobProof is port-focused.

You said those are two of three components; are they completely separate or is the System Prefs firewall also just a front-end for IPFW? Do the two interfere with each other in any way?

 

[munkery]

You said those are two of three components; are they completely separate or is the System Prefs firewall also just a front-end for IPFW? Do the two interfere with each other in any way?

The firewall in System Preferences is an Application Firewall. IPFW is a packet filter capable of stateful packet inspection. They are completely separate.

The rules you set for IPFW supersede those of the application firewall. This means that data coming into your system is first checked against IPFW then the application firewall. Two separate layers.

The TrustedBSD MAC framework sandboxes services that use it so the hacker cannot access anything outside of the sandbox, such as your user files or the system level of the OS, if the service is exploited.

Once you allow connections to a specific app with the application firewall, it shouldn't ask again unless:

a) the application firewall preferences are corrupted. If the services asking for re-authentication are default services, such as mdnsresponder, this is usually the case.

b) http://support.apple.com/kb/ht1810 See below:

Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.