TamaraB (The Current Paradigm; Premium Member; join:2000-11-08; Da Bronx; Verizon FiOS, Ubiquiti NSM5, Synology RT2600ac, Apple AirPort Extreme (2013))
2012-Nov-30 12:23 pm

[OS X] PF Firewall Front End

Hi: I am looking for more control over my Mountain Lion's PF firewall. I want to be able to block entire networks like 208.91.196.0/22. At the same time I don't want to interfere with the application portion of OS X's firewall interface, so things like Back to My Mac still function. I searched for and found IceFloor. Anyone here use this?

Irish Shark (Play Like A Champion Today; MVM; join:2000-07-29; Las Vegas, NV)
Do you have a router?

TamaraB
2012-Nov-30 5:49 pm
Yes. I have two 3TB Time Capsules, one is my Internet router and backup drive. The other one is extending my local network and also a secondary Time Machine backup drive.

TamaraB
2012-Dec-1 2:08 am
Looks like an interesting program to manage specific services. What it seems to lack is the ability to do things like drop SYN packets from entire CIDR blocks. I am looking to open some services on my iMac, and want to restrict all access from certain geographic areas like all of APNIC, LACNIC, and much of Eastern Europe. Dropping all packets from 200.0.0.0/8, for instance, is something which PF can do easily, but the interface to PF which Apple supplies is woefully deficient.
What I am looking for is a GUI front end to PF (pfctl). IceFloor seems to be the closest I have found. What I am concerned about is its effect on all the auto-magic OS X does.

Da Geek Kid
Those addresses go into your hosts file... I'd use both...

TamaraB
2012-Dec-1 10:52 am
said by Da Geek Kid: Those addresses go into your hosts file...
How do you put IP ranges into a hosts file? What entry in a hosts file would block 200.0.0.0 to 200.254.254.254?

Irish Shark
to TamaraB
The reason that I asked if you have a router is because most routers will block incoming, outgoing, or both IPs, sites, domains, even a whole country.
I am not 100% up to speed on the TC firewall, but I believe it can be done.

to TamaraB
For things like IP addresses I would use IceFloor. But I would highly recommend not using any Apple device as a firewall. They are very simple in design and do not assist in anything for network troubleshooting. I would recommend anything that runs DD-WRT or any other open WRT firmware. They provide a wide range of abilities and tweaks. Although, doing this on your laptop is a good idea as always when going out to the open world. You want to make sure you are covered not just behind the firewall at home.

daveinpoway
to Irish Shark
It has been my experience that most consumer-grade routers will not handle advanced stuff such as country blocking; you need after-market (Linux-based) software for this.
I am using the Home (free) edition of Astaro Security Gateway (now renamed Sophos UTM) on a PC that I assembled for this purpose; it has all of these advanced blocking features.

PFiOS (Anon) to TamaraB
2012-Dec-2 12:11 pm
Below is the pf.conf I am using with iOS 5 on my iPhone 4. Since you're pretty adept I think you could use this as a starting point without having to deal with a firewall front end. My experience has been that the CLI, both with pf and iptables, is far superior to a GUI system. Forgive me if I'm showing you things you already know.

## Last modified Feb 03, 2012
############## Default Policy ##############
set skip on lo0
set limit states 20000

block in all
pass out all keep state

############## Ingress Firewall ##############
##Localhost
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 keep state
pass in quick from ::1 to ::1 keep state

##Permit certain IPv4 ICMP types
pass in quick inet proto icmp icmp-type echoreq keep state
pass in quick inet proto icmp icmp-type unreach keep state

##Permit DHCP
pass in quick on en0 proto udp from any to any port 67:68 keep state

##Permit SSH access on en0 (Wifi)
##If you use SSH on your iOS device enable these networks here.
#pass in quick on en0 proto tcp from 192.168.1.0/24 to any port 22 keep state

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state

##IPv6 Required icmpv6 per RFC 4890
pass in quick inet6 proto ipv6-icmp icmp6-type toobig keep state
pass in quick inet6 proto ipv6-icmp icmp6-type timex keep state
pass in quick inet6 proto ipv6-icmp icmp6-type paramprob keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echoreq keep state

##IPv6 Trust link-local for all icmpv6 traffic
pass in quick proto ipv6-icmp from fe80::/10 to any keep state
pass in quick proto ipv6-icmp from ff02::/16 to any keep state
pass in quick proto ipv6-icmp from any to ff02::/16 keep state

##IPv6 Trust our allocated /64 for all icmpv6 traffic on en0 (Wifi)
##If you are using IPv6 add your IPv6 allocation here
#pass in quick on en0 proto ipv6-icmp from 2001:db8::/64 to any keep state

############## Egress Firewall ##############
##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S

##Block mDNS egress, for many networks this is a nuisance, if you depend on mDNS then comment or remove this line.
block out quick from any to 224.0.0.251

In your example, simply add:
block out quick from any to 208.91.196.0/22

If you'd want to issue TCP RST you could:
block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22

For iOS, I effect the firewall rules by running:
pfctl -ef /path/to/pf.conf
To view the status of the firewall I simply run:
pfctl -sa
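The thread's two concerns, dropping whole CIDR blocks with pfctl while leaving Apple's own PF rules (the com.apple anchor loaded from /etc/pf.conf) alone, can be met by keeping the blocklist in its own anchor; the script below is an added example, not code from this thread or from IceFloor. The anchor name geo_block, the list path /etc/pf.geo_block.list and the sample entries in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from this thread or from IceFloor: keep a CIDR blocklist
# for OS X's PF in its own anchor, so Apple's com.apple anchor (loaded from
# /etc/pf.conf) and the Firewall pane's application rules are left untouched.
# The anchor name "geo_block" and the list path are assumptions for this example.
ANCHOR="geo_block"
BLOCKLIST="${BLOCKLIST:-/etc/pf.geo_block.list}"   # one CIDR per line, '#' comments

# Accept only a.b.c.d/n with octets 0-255 and prefix 0-32, so a typo cannot
# silently turn into a much wider (or unparseable) block.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    IFS=./ read -r a b c d _ <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the anchor's rule set: one persistent table holding the validated ranges,
# then quick drop rules in both directions (no SYNs from them, no phoning home to
# them). Bad lines are reported on stderr and skipped instead of aborting the load.
gen_anchor_rules() {
    printf 'table <%s> persist {' "$ANCHOR"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip comments and blanks
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf ' %s' "$line"
        else
            printf 'geo_block: skipping invalid entry "%s"\n' "$line" >&2
        fi
    done < "$1"
    printf ' }\n'
    printf 'block drop in quick from <%s> to any\n' "$ANCHOR"
    printf 'block drop out quick from any to <%s>\n' "$ANCHOR"
}

# Replace the running anchor's rules from stdin (pfctl -f - reads standard input)
# and show what was loaded. Needs root, PF enabled (pfctl -e), and the line
# anchor "geo_block" in /etc/pf.conf, placed before the com.apple anchor so these
# quick rules are evaluated first.
load_anchor() {
    gen_anchor_rules "$BLOCKLIST" | pfctl -a "$ANCHOR" -f -
    pfctl -a "$ANCHOR" -sr
}
if [ "${1:-}" = "load" ]; then load_anchor; fi
```

Run it as `sh geo_block.sh load` after editing the list; re-running only replaces the geo_block anchor, so the rest of the ruleset is never reloaded.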

colbond (join:2012-12-02; Broomfield, CO)
to TamaraB
Check out IceFloor. It's basically a GUI of pf. I haven't had much opportunity to play with it, but it sounds like exactly what you're looking for. www.hanynet.com/icefloor/

Did you NOT at least read the Original Post? He actually included the link himself.

colbond
No problem. I won't try to help next time.

rofl. Please do. I just asked a simple "Yes/No" question. A no would have been helpful.

Irish Shark
to daveinpoway
Maybe not all routers with stock FW can do this (SOHO routers that most folks buy).
You may have to slap Tomato or DD-WRT on it, but it can be done.