Configuring ipfw on OS X

Discussion in 'macOS' started by ghostpaladin, Jan 22, 2013.

  1. ghostpaladin macrumors newbie

    Joined:
    Jan 22, 2013
    #1
    Good day everyone. My problem is the following.

    I have a MacBook Pro with OS X 10.5.8 with squid and ipfw running as a proxy.

    In my company I don't want people to connect to facebook or twitter.

    My squid configuration is running correctly; my only problem is configuring ipfw to force users to use port 8080. My ipfw conf is:

    Code:
    00010 divert 8668 ip from any to any via en0
    00100 allow ip from any to any via lo*
    01010 allow ip from 10.0.2.0/24 to me dst-port 8080
    01011 allow ip from me to any
    65535 allow ip from any to any
    with en0 being my internet connection and en1 my airport shared connection.

    The problem is that users can still connect to the internet without configuring their proxies. What am I doing wrong?
     
  2. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #2
    The rule seems to allow anything to you on 8080

    given there isn't an implicit deny-all after it, you aren't actually blocking anything

    firewall rules are supposed to end with a deny-all so that the only allowances are those that you specified, but you end your ruleset with an allow any any, which will allow port 80 traffic through your firewall. You also might want to consider https traffic, which runs on 443.

    So your solution is to either specifically deny port 80 (and 443) traffic, or to put in a 'deny-all'

    if you go the 'deny-all' route, you are going to have to make a lot of other outbound rules as well.
     
  3. ghostpaladin thread starter macrumors newbie

    Joined:
    Jan 22, 2013
    #3
    I tried

    I tried this:

    Code:
    sudo ipfw add 65534 deny ip from any to any
    but it doesn't let me navigate, even after configuring the browser to use port 8080.
    Any ideas?
     
  4. freejazz-man, Jan 22, 2013
    Last edited: Jan 22, 2013

    freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #4
    OK, so I did some googling and it seems ipfw already has the implicit deny-all:

    "When a packet enters the firewall it is compared against the first rule in the ruleset and progresses one rule at a time moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rules' action field value is executed and the search of the ruleset terminates for that packet. This is referred to as “the first match wins” search method. If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule, number 65535 which denies all packets and discards them without any reply back to the originating destination."

    It looks like you might've originally written over that rule because you used rule #65535 to make an allow all. But upon further review I think I might have found the culprit:

    "00010 divert 8668 ip from any to any via en0"

    I think this might be the problem - every bit of traffic is going to hit it as long as it is IP and from any to any

    you might want to try from en1 to en0 or something more specific
     
  5. Bear macrumors G3

    Joined:
    Jul 23, 2002
    Location:
    Sol III - Terra
    #5
    What you're probably doing wrong is that your network setup is probably not forcing people to go through the proxy system. You would need your networking gear configured to block all web access except for what is going through the proxy server.

    And you need to figure out what else you want blocked and what people need to be allowed access to.

    Of course without a rough network diagram and such, it's hard to troubleshoot the issue.

    You might be better off hiring a networking consultant for a few hours to have things set up the way you want.
     
  6. blueroom macrumors 603

    blueroom

    Joined:
    Feb 15, 2009
    Location:
    Toronto, Canada
    #6
    Get a router that supports IP blocking. Why on earth are you doing this on your Mac?
     
  7. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #7
    that's what he is trying to do with ipfw - that's what we've been trying to troubleshoot
     
  8. Bear macrumors G3

    Joined:
    Jul 23, 2002
    Location:
    Sol III - Terra
    #8
    That doesn't work unless all internet traffic goes through the Mac.

    It sounds like he's only expecting web traffic to route through the Mac. Or at least that the setup allows the local machines to connect to the internet.
     
  9. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #9
    Assuming that your machine is acting as the gateway for your office with en0 being the WAN interface and en1 being the LAN interface, you need to add a forwarding rule to ipfw:

    fwd 127.0.0.1,8080 from 10.0.2.0/24 to any dst-port 80
     
  10. ghostpaladin thread starter macrumors newbie

    Joined:
    Jan 22, 2013
    #10
    Because something is wrong with the video card in this macbook.
    I prefer to give it a better use than to throw it away =)
     
  11. ghostpaladin thread starter macrumors newbie

    Joined:
    Jan 22, 2013
    #11
    That is exactly the situation, my friend...
    http://www.flickr.com/photos/92528398@N07/8410290120/

    ----------

    But that is for a transparent proxy, isn't it?

    I can't use a transparent proxy right now
     
  12. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #12
  13. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #13
    Well, if your aim is to simply block all traffic, then I suggest doing what freejazz-man suggested and block all traffic destined for the outside world on ports 80 and 443:

    deny tcp from 10.0.2.0/24 to any dst-port 80 via en1
    deny tcp from 10.0.2.0/24 to any dst-port 443 via en1

    Coupled with your allow on port 8080, users will be forced to configure their proxies.

    The divert rule is for NAT. Port 8668 is commonly chosen for natd to listen on.
     
  14. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #14
    right - and seeing as he hasn't configured natd to forward the packets via the path outlined in his firewall rules - it's not going to work
     
  15. ghostpaladin thread starter macrumors newbie

    Joined:
    Jan 22, 2013
    #15
    OK. I deleted the divert rule and modified my ruleset as follows:

    Code:
    00100 allow ip from any to any via lo*
    00110 allow ip from 10.0.2.0/24 to me dst-port 8080
    00130 allow tcp from any to any out keep-state
    00140 allow udp from any to any out keep-state
    00150 allow tcp from any to any dst-port 22
    00160 allow udp from any to any dst-port 67
    00170 allow udp from any to any dst-port 68
    01010 allow tcp from any to me dst-port 80 in
    01011 allow tcp from any 80 to any out
    01012 allow tcp from me to any dst-port 80 out
    65534 deny log logamount 1000 ip from any to any in
    65535 allow ip from any to any
    
    I'm aware that some rules are not necessary, but so far the proxy works exactly as I want.
    My only remaining problem is this: which port do I need to open so that my LAN can send and receive mail in Microsoft Outlook? Does anybody know?

    ----------

    OK, ElectricSheep, thank you. I will try these rules after my allow on port 8080 to see how it works.
     
  16. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #16
    it depends on the protocols being used, POP or IMAP.

    is your setup actually blocking attempts out to the web that don't go through the proxy?
     
  17. ghostpaladin thread starter macrumors newbie

    Joined:
    Jan 22, 2013
    #17
    Yes, actually I'm denying all web connections except connections through port 8080, but since Microsoft Outlook cannot be configured to work with proxies I've decided to open just the ports necessary for it to work. I'm not sure, though, which ports I should open or which syntax to use to achieve that.
     
  18. freejazz-man macrumors regular

    Joined:
    May 12, 2010
    #18
    you are denying all connections except for port 8080

    if you want me to take the time and write out a ruleset that I'm positive will work (and take the time to help you if it doesn't) you can PM me

    otherwise good luck at this point
     
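To check what the rulesets in this thread actually do to a packet, here is an added example (not code from the thread, from ipfw or from squid): a first-match evaluator for the ipfw rule subset used above. It shows why the original ruleset's catch-all `65535 allow` passes direct web traffic, and how the deny rules from post #13 change that while the proxy path on 8080 stays open. The gateway's own addresses, the client and web-server addresses and the interface roles (en0 WAN, en1 LAN) are constructed assumptions.

```python
import fnmatch
import ipaddress
import re

ME = {"10.0.2.1", "192.0.2.10"}  # constructed: the gateway's own en1 (LAN) and en0 (WAN) addresses
RULE_RE = re.compile(
    r"(?P<num>\d+)\s+(?P<action>allow|deny|divert)(?:\s+\d+|\s+log\s+logamount\s+\d+)?"
    r"\s+(?P<proto>ip|tcp|udp)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+dst-port\s+(?P<dport>\d+))?"
    r"(?:\s+via\s+(?P<via>\S+))?(?:\s+(?P<dir>in|out))?(?:\s+keep-state)?$")
def parse_ruleset(text):
    """One rule per line as printed by 'ipfw list', evaluated in rule-number order."""
    rules = [RULE_RE.match(line.strip()).groupdict() for line in text.strip().splitlines()]
    return sorted(rules, key=lambda r: int(r["num"]))

def _addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(rule, pkt):
    """Every qualifier present on the rule must hold; 'via lo*' is an interface glob."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for key in ("sport", "dport"):
        if rule[key] and int(rule[key]) != pkt[key]:
            return False
    if rule["via"] and not fnmatch.fnmatch(pkt["iface"], rule["via"]):
        return False
    return not rule["dir"] or rule["dir"] == pkt["dir"]

def verdict(rules, pkt):
    """First match wins; a packet matching nothing hits the default rule (deny)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["num"], rule["action"]
    return "65535", "deny"
ORIGINAL = """00010 divert 8668 ip from any to any via en0
00100 allow ip from any to any via lo*
01010 allow ip from 10.0.2.0/24 to me dst-port 8080
01011 allow ip from me to any
65535 allow ip from any to any"""
# Post #13's deny rules inserted ahead of the catch-all allow, as the thread proposes.
WITH_DENY = ORIGINAL.replace("65535", "01020 deny tcp from 10.0.2.0/24 to any dst-port 80 via en1\n"
                             "01021 deny tcp from 10.0.2.0/24 to any dst-port 443 via en1\n65535")
# Constructed packets: a LAN client browsing directly, and the same client using squid on 8080.
DIRECT = dict(proto="tcp", src="10.0.2.5", sport=51000, dst="203.0.113.7", dport=80, iface="en1", dir="in")
VIA_PROXY = dict(DIRECT, dst="10.0.2.1", dport=8080)
```

Calling `verdict(parse_ruleset(ORIGINAL), DIRECT)` returns the catch-all `65535 allow`, while the same packet against `WITH_DENY` stops at rule 01020; `VIA_PROXY` is accepted by rule 01010 in both.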
