TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

[OS X] PF Firewall FrontEnd

Hi:

I am looking for more control over my Mountain Lion's PF firewall. I want to be able to block entire networks like 208.91.196.0/22. At the same time I don't want to interfere with the application portion of OSX's firewall interface, so things like back-to-my-mac still functions. I searched for and found IceFloor.

Anyone here use this?

Irish Shark
Play Like A Champion Today
MVM
join:2000-07-29
Las Vegas, NV

Do you have a router?

TamaraB

said by Irish Shark:

Do you have a router?

Yes. I have two 3TB Time Capsules, one is my Internet router and backup drive. The other one is extending my local network and also a secondary Time Machine backup drive.


Da Geek Kid
join:2003-10-11
::1

Member

to TamaraB
Check out Little Snitch: »www.obdev.at/products/li ··· dex.html

TamaraB

Looks like an interesting program to manage specific services. What it seems to lack is the ability to do such things like drop SYN packets from entire CIDR blocks. I am looking to open some services on my iMac, and want to restrict all access from certain geographic areas like all of APNIC, LACNIC, and much of Eastern Europe. Dropping all packets from 200.0.0.0/8 for instance is something which PF can do easily, but the interface to PF which Apple supplies is woefully deficient.

What I am looking for is a GUI front end to PF (pfctl). IceFloor seems to be the closest I have found. What I am concerned about is its effect on all the auto-magic OSX does.
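The goal stated in this post (drop whole CIDR blocks with pf without touching what Apple manages) is easiest to reason about with a pf table in a separate anchor. The following Python script is an added example, not something from this thread or from IceFloor: it validates a constructed list of networks, merges overlapping and adjacent prefixes, and renders the text of a pf anchor file. The table name `blocked_nets`, the anchor name and the file path mentioned afterwards are assumptions.

```python
# Added example (not from the thread): build a pf anchor file that blocks a
# list of CIDR networks via a pf table, keeping the rules separate from
# Apple's own anchors. Table name and file layout are assumptions.
import ipaddress

# Constructed input: the two networks mentioned in the thread plus two
# deliberately overlapping/adjacent ones and one malformed entry.
BLOCKED = [
    "208.91.196.0/22",
    "200.0.0.0/8",
    "200.1.0.0/16",      # already inside 200.0.0.0/8
    "208.91.192.0/22",   # adjacent to 208.91.196.0/22 -> merges to a /21
    "203.0.113.7/24",    # host bits set: ambiguous, rejected below
]


def partition(cidrs):
    """Split entries into valid networks and rejected strings.
    strict=True refuses prefixes with host bits set instead of silently
    widening them, so a typo cannot block more than intended."""
    good, bad = [], []
    for c in cidrs:
        try:
            good.append(ipaddress.ip_network(c, strict=True))
        except ValueError:
            bad.append(c)
    return good, bad


def collapse(nets):
    """Merge overlapping and adjacent networks, per address family,
    so the resulting pf table stays as small as possible."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


def render_anchor(cidrs, table="blocked_nets"):
    """Return the text of a pf anchor file: one constant table holding the
    networks, and 'quick' block rules in both directions so no later pass
    rule can override them. return-rst on TCP gives local applications an
    immediate connection refusal instead of a timeout."""
    good, _ = partition(cidrs)
    entries = ", ".join(collapse(good))
    return "\n".join([
        "table <%s> const { %s }" % (table, entries),
        "block in quick from <%s> to any" % table,
        "block return-rst out quick proto tcp from any to <%s>" % table,
        "block out quick from any to <%s>" % table,
        "",
    ])


if __name__ == "__main__":
    good, bad = partition(BLOCKED)
    print("rejected entries:", bad)
    print(render_anchor(BLOCKED))
```

Write the output to a file of its own (for instance /etc/pf.anchors/blocklist, an assumed path), check it with `pfctl -n -f` (parse only) before loading it with `pfctl -a blocklist -f /etc/pf.anchors/blocklist`, and reference the anchor from /etc/pf.conf next to the existing `com.apple/*` anchor lines rather than editing those lines. Keeping the block list in its own anchor means `pfctl -a blocklist -s rules` shows exactly what you added and nothing Apple manages.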

Da Geek Kid

Those addresses go into your hosts file...

I'd use both...

TamaraB

said by Da Geek Kid:

Those addresses go into your hosts file...

How do you put IP ranges into a hosts file? What entry in a hosts file would block 200.0.0.0 to 200.254.254.254?

Irish Shark

to TamaraB
The reason that I asked if you have a router is because most routers will block incoming, outgoing, or both IPs, sites, domains, even a whole country.

I am not 100% up to speed on the TC firewall, but I believe it can be done.

Da Geek Kid

to TamaraB
For things like IP addresses I would use IceFloor. But I would highly recommend not using any Apple device as a firewall. They are very simple in design and do not assist in anything for network troubleshooting. I would recommend anything that runs DD-WRT or any other open WRT firmware. They provide a wide range of abilities and tweaks. Although, doing this on your laptop is a good idea as always when going out to the open world. You want to make sure you are covered not just behind the firewall at home.

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

to Irish Shark
It has been my experience that most consumer-grade routers will not handle advanced stuff such as country blocking; you need after-market (Linux-based) software for this.

I am using the Home (free) edition of Astaro Security Gateway (now renamed as Sophos UTM) on a PC that I assembled for this purpose; it has all of these advanced blocking features.

PFiOS
@pnap.net

Anon

to TamaraB
Below is the pf.conf I am using with iOS 5 on my iPhone 4. Since you're pretty adept I think you could use this as a starting point without having to deal with a firewall front end. My experience has been that the CLI, both with pf and iptables, is far superior to a GUI system.

Forgive me if I'm showing you things you already know.


## Last modified Feb 03, 2012

############## Default Policy ##############

set skip on lo0
set limit states 20000

block in all
pass out all keep state

############## Ingress Firewall ##############

##Localhost
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 keep state
pass in quick from ::1 to ::1 keep state

##Permit certain IPv4 ICMP types
pass in quick inet proto icmp icmp-type echoreq keep state
pass in quick inet proto icmp icmp-type unreach keep state

##Permit DHCP
pass in quick on en0 proto udp from any to any port 67:68 keep state

##Permit SSH access on en0 (Wifi)
##If you use SSH on your iOS device enable these networks here.
#pass in quick on en0 proto tcp from 192.168.1.0/24 to any port 22 keep state

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state

##IPv6 Required icmpv6 per RFC 4890
pass in quick inet6 proto ipv6-icmp icmp6-type toobig keep state
pass in quick inet6 proto ipv6-icmp icmp6-type timex keep state
pass in quick inet6 proto ipv6-icmp icmp6-type paramprob keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echoreq keep state

##IPv6 Trust link-local for all icmpv6 traffic
pass in quick proto ipv6-icmp from fe80::/10 to any keep state
pass in quick proto ipv6-icmp from ff02::/16 to any keep state
pass in quick proto ipv6-icmp from any to ff02::/16 keep state

##IPv6 Trust our allocated /64 for all icmpv6 traffic on en0 (Wifi)
##If you are using IPv6 add your IPv6 allocation here
#pass in quick on en0 proto ipv6-icmp from 2001:db8::/64 to any keep state

############## Egress Firewall ##############

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S

##Block mDNS egress, for many networks this is a nuisance, if you depend on mDNS then comment or remove this line.
block out quick from any to 224.0.0.251


In your example, simply add:


block out quick from any to 208.91.196.0/22


If you'd want to issue TCP RST you could:


block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22


For iOS, I effect the firewall rules by running
pfctl -ef /path/to/pf.conf


To view the status of the firewall I simply
pfctl -sa

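The ruleset above only works because of two pf evaluation rules: the last matching rule decides the verdict, except that a matching rule marked `quick` ends evaluation immediately, and a packet that matches nothing is passed, which is why the file opens with `block in all`. As an added example (not from the post above and not pf code), here is a small Python model of that matching logic applied to a subset of the posted rules plus the suggested `208.91.196.0/22` block. It deliberately omits `keep state`, interfaces, ICMP types, source ports and TCP flags; the sample packets are constructed.

```python
# Added example (not from the thread): a miniature model of pf rule
# evaluation ("last match wins unless quick") run over a subset of the
# posted rules. State, interfaces, ICMP types, source ports and TCP flags
# are intentionally not modelled.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # stop evaluating on match
    proto: Optional[str] = None  # "tcp", "udp", "icmp" or None for any
    src: Optional[str] = None    # CIDR, optionally "!"-negated; None = any
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def _addr_ok(self, spec, addr):
        if spec is None:
            return True
        negate = spec.startswith("!")
        net = ipaddress.ip_network(spec.lstrip("!"))
        hit = ipaddress.ip_address(addr) in net  # False across address families
        return not hit if negate else hit

    def matches(self, pkt):
        if pkt["dir"] != self.direction:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if not self._addr_ok(self.src, pkt["src"]) or not self._addr_ok(self.dst, pkt["dst"]):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not (lo <= pkt.get("dport", 0) <= hi):
                return False
        return True


def evaluate(rules, pkt):
    """pf semantics: the LAST matching rule decides, unless a matching rule
    is marked quick, in which case evaluation stops there. A packet that
    matches no rule is passed, hence 'block in all' at the top."""
    verdict = "pass"
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Subset of the posted pf.conf plus the CIDR block suggested for 208.91.196.0/22.
RULES = [
    Rule("block", "in"),                                            # block in all
    Rule("pass", "out"),                                            # pass out all
    Rule("pass", "in", quick=True, src="127.0.0.0/8", dst="127.0.0.0/8"),
    Rule("pass", "in", quick=True, proto="udp", dport=(67, 68)),    # DHCP
    Rule("block", "out", quick=True, proto="tcp", dst="!17.0.0.0/8", dport=(5223, 5223)),
    Rule("block", "out", quick=True, dst="224.0.0.251"),            # mDNS
    Rule("block", "out", quick=True, dst="208.91.196.0/22"),
]


def pkt(direction, proto, src, dst, dport=0):
    return {"dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


def verdicts():
    """Constructed sample packets run through RULES; returns name -> verdict."""
    samples = {
        "ssh_in_from_internet": pkt("in", "tcp", "198.51.100.7", "192.168.1.20", 22),
        "dhcp_offer_in": pkt("in", "udp", "192.168.1.1", "255.255.255.255", 68),
        "loopback_in": pkt("in", "tcp", "127.0.0.1", "127.0.0.1", 631),
        "push_to_apple": pkt("out", "tcp", "192.168.1.20", "17.172.1.1", 5223),
        "push_to_other": pkt("out", "tcp", "192.168.1.20", "203.0.113.9", 5223),
        "https_to_blocked_cidr": pkt("out", "tcp", "192.168.1.20", "208.91.197.5", 443),
        "https_elsewhere": pkt("out", "tcp", "192.168.1.20", "93.184.216.34", 443),
        "v6_in": pkt("in", "tcp", "2001:db8::1", "2001:db8::2", 22),
    }
    return {name: evaluate(RULES, p) for name, p in samples.items()}


def quick_matters():
    """The same block rule placed BEFORE 'pass out all': with quick it still
    wins; without quick the later pass rule is the last match and the
    packet leaks. Returns (verdict_with_quick, verdict_without_quick)."""
    p = pkt("out", "tcp", "192.168.1.20", "208.91.197.5", 443)
    with_quick = [Rule("block", "out", quick=True, dst="208.91.196.0/22"), Rule("pass", "out")]
    without_quick = [Rule("block", "out", dst="208.91.196.0/22"), Rule("pass", "out")]
    return evaluate(with_quick, p), evaluate(without_quick, p)


if __name__ == "__main__":
    for name, v in verdicts().items():
        print("%-24s %s" % (name, v))
    print("quick vs. no quick:", quick_matters())
```

The `quick_matters()` case is the one worth remembering when adding block rules to an existing file: placed after `pass out all` the block wins either way, but placed before it, only the `quick` keyword keeps it from being overridden by the later pass rule.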
colbond
join:2012-12-02
Broomfield, CO

Member

to TamaraB
Check out IceFloor. It's basically a gui of pf. I haven't had much opportunity to play with it, but it sounds like exactly what you're looking for.

»www.hanynet.com/icefloor/

Da Geek Kid

Did you NOT at least read the Original Post? He actually included the link himself.

colbond

No problem. I won't try to help next time.

Da Geek Kid

rofl. Please do. I just asked a simple "Yes/No" question. A no would have been helpful.

Irish Shark

to daveinpoway
Maybe not all routers with stock FW can do this (the SOHO routers that most folks buy).

You may have to slap Tomato or DD-WRT on it, but it can be done.