
TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

[OS X] PF Firewall FrontEnd

Hi:

I am looking for more control over my Mountain Lion's PF firewall. I want to be able to block entire networks like 208.91.196.0/22. At the same time I don't want to interfere with the application portion of OS X's firewall interface, so things like Back to My Mac still function. I searched for and found IceFloor.

Anyone here use this?



Irish Shark
Play Like A Champion Today
Premium,MVM
join:2000-07-29
Las Vegas, NV
kudos:4

Do you have a router?



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

said by Irish Shark:

Do you have a router?

Yes. I have two 3TB Time Capsules, one is my Internet router and backup drive. The other one is extending my local network and also a secondary Time Machine backup drive.



Da Geek Kid

join:2003-10-11
::1
kudos:1
reply to TamaraB

check out Little Snitch: »www.obdev.at/products/littlesnit···dex.html



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

Looks like an interesting program to manage specific services. What it seems to lack is the ability to do things like dropping SYN packets from entire CIDR blocks. I am looking to open some services on my iMac, and want to restrict all access from certain geographic areas like all of APNIC, LACNIC, and much of Eastern Europe. Dropping all packets from 200.0.0.0/8, for instance, is something which PF can do easily, but the interface to PF which Apple supplies is woefully deficient.

What I am looking for is a GUI front end to PF (pfctl). IceFloor seems to be the closest I have found. What I am concerned about is its effect on all the auto-magic OSX does.
--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



Da Geek Kid

join:2003-10-11
::1
kudos:1

Those addresses go into your hosts file...

I'd use both...



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

said by Da Geek Kid:

Those addresses go into your hosts file...

How do you put IP ranges into a hosts file? What entry in a hosts file would block 200.0.0.0 to 200.254.254.254?


Irish Shark
Play Like A Champion Today
Premium,MVM
join:2000-07-29
Las Vegas, NV
kudos:4
reply to TamaraB

The reason that I asked if you have a router is because most routers will block incoming, outgoing, or both: IPs, sites, domains, even a whole country.

I am not 100% up to speed on the TC firewall, but I believe it can be done.
--
"You can observe a lot by watching". Yogi Berra



Da Geek Kid

join:2003-10-11
::1
kudos:1
Reviews:
·Callcentric
reply to TamaraB

for things like IP addresses I would use IceFloor. But I would highly recommend not using any apple device as a firewall. They are very simple in design and do not assist in anything for network troubleshooting. I would recommend anything that runs DD-WRT or any other open WRT firmware. They provide a wide range of abilities and tweaks. Although, doing this on your laptop is a good idea as always when going out to the open world. You want to make sure you are covered not just behind the firewall at home.


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2
reply to Irish Shark

It has been my experience that most consumer-grade routers will not handle advanced stuff such as country blocking; you need after-market (Linux-based) software for this.

I am using the Home (free) edition of Astaro Security Gateway (now renamed as Sophos UTM) on a PC that I assembled for this purpose- it has all of these advanced blocking features.



PFiOS

@pnap.net
reply to TamaraB

Below is the pf.conf I am using with iOS 5 on my iPhone 4. Since you're pretty adept I think you could use this as a starting point without having to deal with a firewall front end. My experience has been that the CLI, both with pf and iptables, is far superior to a GUI system.

Forgive me if I'm showing you things you already know.


## Last modified Feb 03, 2012

############## Default Policy ##############

set skip on lo0
set limit states 20000

block in all
pass out all keep state

############## Ingress Firewall ##############

##Localhost
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 keep state
pass in quick from ::1 to ::1 keep state

##Permit certain IPv4 ICMP types
pass in quick inet proto icmp icmp-type echoreq keep state
pass in quick inet proto icmp icmp-type unreach keep state

##Permit DHCP
pass in quick on en0 proto udp from any to any port 67:68 keep state

##Permit SSH access on en0 (Wifi)
##If you use SSH on your iOS device enable these networks here.
#pass in quick on en0 proto tcp from 192.168.1.0/24 to any port 22 keep state

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state

##IPv6 Required icmpv6 per RFC 4890
pass in quick inet6 proto ipv6-icmp icmp6-type toobig keep state
pass in quick inet6 proto ipv6-icmp icmp6-type timex keep state
pass in quick inet6 proto ipv6-icmp icmp6-type paramprob keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echoreq keep state

##IPv6 Trust link-local for all icmpv6 traffic
pass in quick proto ipv6-icmp from fe80::/10 to any keep state
pass in quick proto ipv6-icmp from ff02::/16 to any keep state
pass in quick proto ipv6-icmp from any to ff02::/16 keep state

##IPv6 Trust our allocated /64 for all icmpv6 traffic on en0 (Wifi)
##If you are using IPv6 add your IPv6 allocation here
#pass in quick on en0 proto ipv6-icmp from 2001:db8::/64 to any keep state

############## Egress Firewall ##############

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S

##Block mDNS egress; on many networks this is a nuisance. If you depend on mDNS then comment out or remove this line.
block out quick from any to 224.0.0.251


In your example, simply add:


block out quick from any to 208.91.196.0/22


If you'd want to issue TCP RST you could:


block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22


For iOS, I effect the firewall rules by running
pfctl -ef /path/to/pf.conf


To view the status of the firewall I simply
pfctl -sa
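
The two questions raised in this thread, how to express an address range such as 200.0.0.0 to 200.254.254.254 as something pf can match, and how to turn a list of networks into block rules like the ones above, can both be handled by generating a pf table. The following is an added example, not code from the thread, from IceFloor, or from Apple. The table name "blocklist", the rule wording and the sample networks are this example's own choices; it only prints pf.conf text and does not call pfctl.

```python
"""Build a pf blocklist from address ranges and CIDR blocks.

Added example; not code from the thread or from IceFloor. The table name
"blocklist" and the exact rule lines are this example's own choices.
"""
import ipaddress
from typing import Iterable, List, Optional


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Return the smallest list of CIDR blocks covering start..end inclusive.

    A range such as 200.0.0.0 - 200.254.254.254 is not one aligned block, so
    pf needs it expressed as several prefixes; summarize_address_range
    produces exactly that set.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def covered_addresses(cidrs: Iterable[str]) -> int:
    """Total number of addresses in a list of CIDR blocks (sanity check)."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def collapse(cidrs: Iterable[str]) -> List[str]:
    """Merge overlapping or adjacent blocks so the table stays small.

    strict=False accepts entries with host bits set (200.1.2.3/8 -> 200.0.0.0/8).
    All entries must be the same IP version; mixing v4 and v6 raises TypeError.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip: str, cidrs: Iterable[str]) -> bool:
    """Check whether an address falls inside any block (what pf will match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def render_pf_blocklist(cidrs: Iterable[str], table: str = "blocklist",
                        iface: Optional[str] = None, rst: bool = False) -> str:
    """Emit pf.conf lines: a table plus 'quick' block rules in both directions.

    'quick' stops evaluation at the first match, so these rules win even if a
    later pass rule would otherwise admit the traffic. rst=True adds a
    return-rst rule for TCP so outbound connection attempts fail immediately
    instead of timing out, mirroring the return-rst variant shown above.
    """
    nets = collapse(cidrs)
    on = f" on {iface}" if iface else ""
    lines = [
        f"table <{table}> persist {{ " + ", ".join(nets) + " }",
        f"block drop in quick{on} from <{table}> to any",
    ]
    if rst:
        lines.append(f"block return-rst out quick{on} proto tcp from any to <{table}>")
    lines.append(f"block drop out quick{on} from any to <{table}>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: the /22 from the original post plus the range asked
    # about later in the thread.
    blocks = ["208.91.196.0/22"] + range_to_cidrs("200.0.0.0", "200.254.254.254")
    print(render_pf_blocklist(blocks, iface="en0", rst=True))
```

The generated lines belong near the top of pf.conf, before any pass rules, and are loaded the same way as the rest of the file (pfctl -f). Keeping the networks in a table rather than in individual rules means the list can be changed later with pfctl -t blocklist -T add/delete without reloading the whole ruleset.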

colbond

join:2012-12-02
Broomfield, CO
reply to TamaraB

Check out IceFloor. It's basically a gui of pf. I haven't had much opportunity to play with it, but it sounds like exactly what you're looking for.

»www.hanynet.com/icefloor/



Da Geek Kid

join:2003-10-11
::1
kudos:1

did you NOT at least read the Original Post? He actually included the link himself.


colbond

join:2012-12-02
Broomfield, CO

No problem. I won't try to help next time.



Da Geek Kid

join:2003-10-11
::1
kudos:1

rofl. Please do. I just asked a simple "Yes/No" question. A no would have been helpful.



Irish Shark
Play Like A Champion Today
Premium,MVM
join:2000-07-29
Las Vegas, NV
kudos:4
reply to daveinpoway

Maybe not all routers with stock FW can do this (the SOHO routers that most folks buy).

You may have to slap Tomato or DD-WRT on it, but it can be done.
--
"You can observe a lot by watching". Yogi Berra