Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Protecting your OSX with IPFW and LittleSnitch

So, after posting on twitter about my OSX firewall configuration, a few people asked me to post up a copy of my rules. Now, I’m by no means an OSX expert, an IPFW expert, or a networking expert for that matter… but this configuration could be useful as a starting point for people.

I use Waterroof on my mac to work with firewall configurations, and the following sets of rules should import into Waterroof or IPFW fine.

IPFW IPv4 Rules

add 00010 deny icmp from any to any in
add 00100 allow ip from any to any via lo*
add 00110 deny ip from 127.0.0.0/8 to any in
add 00120 deny ip from any to 127.0.0.0/8 in
add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353
add 00300 deny ip from 224.0.0.0/3 to any in
add 00400 deny tcp from any to 224.0.0.0/3 in
add 00500 deny tcp from any to any dst-port 0 in
add 00600 check-state
add 01000 allow tcp from me to any keep-state
add 01001 allow udp from me to any keep-state
add 25000 allow ip from me to <INSERT VPN HOST HERE>
add 25100 allow ip from <INSERT VPN HOST HERE> to me in
add 33300 deny tcp from any to any established
add 65000 allow udp from any 67 to any dst-port 68 in
add 65100 deny log icmp from any to me in icmptypes 8
add 65200 deny udp from any to any in
add 65300 deny icmp from any to any in
add 65400 deny ip from any to any in
add 65535 allow ip from any to any

IPFW IPv6 Rules

(I disable IPv6 currently)

add 02070 deny ipv6 from any to any
add 33300 deny log ipv6-icmp from any to any in icmptype 128

I also use LittleSnitch to control application level communications. If you’ve not already seen LittleSnitch I’d highly recommend taking a look. It’s not going to replace IPFW anytime soon, but that’s not its goal.

“A firewall protects your computer against unwanted guests from the Internet. But who protects your private data from being sent out? LittleSnitch does!”

Unfortunately LittleSnitch doesn’t have anything like profiles or locations. To get around this I have a standard set of rules I use at home and trusted sites (few and far between), and by backing this ruleset up and wiping the rules, I can stop applications from being able to communicate out unless I accept the request.

LittleSnitch allows various types of acceptance when an application wants to communicate. This gives you the freedom to control the application as you see fit!

I find these two solutions work well for me… hopefully they will for you as well. If you see anything you think might work better, please let me know. I’m always looking to streamline the process!

Updates:

An alternative to LittleSnitch called HandsOff has been suggested by @chadskidmore. It looks interesting as it seems to cover what LittleSnitch does as well as a few more advanced features. I’ll certainly be taking a look at this when I’ve got a chance.

The IPv4 rules I listed above include a couple of rules that you might wish to disable depending on your configuration. It’s up to you, but the first stage is understanding what the rules do. So, with that in mind, here are a few rules I listed that you might want to look closer at.

add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353

The above rules will allow mDNS Bonjour communications (UDP 5353). I usually allow this as I do not share anything using this protocol, and I like to see when others on the local LAN are sharing their music collections for me to browse 😉 This might or might not be your thing…

add 65000 allow udp from any 67 to any dst-port 68 in

This rule will allow the inbound UDP packets needed for DHCP to work correctly… again, if you’re using a static IP address then there’s no reason for this rule to be active.
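IPFW is first-match, so the easiest way to understand a ruleset is to trace a packet through it in rule-number order. The script below is an added example (not from the post or from IPFW itself): it parses a verbatim subset of the IPv4 rules above into a tiny matcher and reports which rule each constructed inbound packet hits first. The host address ME and the sample packets are assumptions; the stateful rules are omitted, so only unsolicited inbound traffic is modelled.

```python
import ipaddress
ME = "192.168.1.10"  # assumed address of this host (constructed)
# Subset of the post's IPv4 rules, copied verbatim; the stateful rules (check-state,
# keep-state, established) are omitted, so only unsolicited inbound packets are traced.
RULES = """add 00010 deny icmp from any to any in
add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 65000 allow udp from any 67 to any dst-port 68 in
add 65100 deny log icmp from any to me in icmptypes 8
add 65300 deny icmp from any to any in
add 65400 deny ip from any to any in
add 65535 allow ip from any to any"""

def parse_rule(line):  # parse the ipfw syntax subset used above into a match dict
    t = line.split()
    r = {"num": t[1], "action": t[2], "log": t[3] == "log",
         "sport": None, "dport": None, "dir": None, "icmptypes": None}
    i = 4 if r["log"] else 3
    r["proto"], i = t[i], i + 1
    while i < len(t):
        tok = t[i]
        if tok in ("from", "to"):
            r["src" if tok == "from" else "dst"], i = t[i + 1], i + 2
            if tok == "from" and i < len(t) and t[i].isdigit():  # "from any 67": source port
                r["sport"], i = int(t[i]), i + 1
        elif tok == "dst-port":
            r["dport"], i = int(t[i + 1]), i + 2
        elif tok == "icmptypes":
            r["icmptypes"], i = {int(x) for x in t[i + 1].split(",")}, i + 2
        else:  # "in" / "out"
            r["dir"], i = tok, i + 1
    return r

def addr_match(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip == ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(p):  # ipfw is first-match: the lowest-numbered matching rule decides
    for r in RULESET:
        if (r["proto"] in ("ip", p["proto"]) and r["dir"] in (None, p["dir"])
                and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
                and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
                and (r["icmptypes"] is None or p.get("icmptype") in r["icmptypes"])):
            return r["num"], r["action"], r["log"]

RULESET = [parse_rule(l) for l in RULES.splitlines()]
PING = {"proto": "icmp", "src": "192.168.1.20", "dst": ME, "icmptype": 8, "dir": "in"}  # constructed packets
FRAG_NEEDED = {"proto": "icmp", "src": "10.0.0.1", "dst": ME, "icmptype": 3, "dir": "in"}
DHCP_OFFER = {"proto": "udp", "src": "192.168.1.1", "sport": 67, "dst": "255.255.255.255", "dport": 68, "dir": "in"}
```

Tracing PING shows that rule 00010 drops every inbound ICMP packet before the logging rule 65100 is ever consulted, so pings are dropped silently; FRAG_NEEDED (ICMP type 3) is dropped by the same rule, which is the Path MTU Discovery breakage raised in the comments.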


4 responses to “Protecting your OSX with IPFW and LittleSnitch”

  1. Tallenz July 31, 2011 at 17:11

    Thanks Chris. This helps. I have been looking for something like this for a while. Only got my mac about 5 months ago and I have just not had time to do all the research to find out these things yet.

  2. Roland Dobbins August 1, 2011 at 08:07

    By denying all ICMP, you’ve broken PMTU-D.

    Filtering all ICMP is non-optimal. Unfortunately, many organizations mistakenly do this, resulting in performance and accessibility problems which are never resolved, resulting in lost productivity for users.

  3. ChrisJohnRiley August 1, 2011 at 09:34

    I weighed up the pros and cons when blocking ICMP and decided that for my use, blocking seemed to be the best. However, you’re perfectly correct, blocking ICMP is and will be more of an issue (with IPv6 in particular!)

  4. Jon August 2, 2011 at 06:31

    I’ve been using LittleSnitch for a while, but I hadn’t tried the IPFW rules approach, yet. Thanks.
