Topic '[OS X] PF Firewall FrontEnd' in forum 'All Things Macintosh' - dslreports.com

Re: [OS X] PF Firewall FrontEnd

Mon, 03 Dec 2012 18:12:49 EDT

Irish Shark posted : Maybe not all routers with stock FW can do this (SOHO) routers that most folks buy.

You may have to slap Tomato or DD-WRT on it, but it can be done.
--
"You can observe a lot by watching". Yogi Berra

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 19:31:46 EDT

Da Geek Kid posted : rofl. Please do. I just asked a simple "Yes/No" question. A no would have been helpful.

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 17:49:25 EDT

colbond posted : No problem. I won't try to help next time.

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 17:02:47 EDT

Da Geek Kid posted : did you NOT at least read the Original Post? He actually included the link himself.

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 15:59:25 EDT

colbond posted : Check out IceFloor. It's basically a gui of pf. I haven't had much opportunity to play with it, but it sounds like exactly what you're looking for.

»www.hanynet.com/icefloor/

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 12:11:16 EDT

anon posted : Below is the pf.conf I am using with iOS 5 on my iPhone 4. Since you're pretty adept I think you could use this as a starting point without having to deal with a firewall front end. My experience has been the CLI, both with pf and iptables, are far superior than a GUI system.

Forgive me if I'm showing you things you already know.


## Last modified Feb 03, 2012
 
############## Default Policy ##############
 
set skip on lo0
set limit states 20000
 
block in all
pass out all keep state
 
############## Ingress Firewall ##############
 
##Localhost
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 keep state
pass in quick from ::1 to ::1 keep state
 
##Permit certain IPv4 ICMP types
pass in quick inet proto icmp icmp-type echoreq keep state
pass in quick inet proto icmp icmp-type unreach keep state
 
##Permit DHCP
pass in quick on en0 proto udp from any to any port 67:68 keep state
 
##Permit SSH access on en0 (Wifi)
##If you use SSH on your iOS device enable these networks here.
#pass in quick on en0 proto tcp from 192.168.1.0/24 to any port 22 keep state
 
##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Pu sh Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks  in addition to Apple's CIDR /8.
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state
 
##IPv6 Required icmpv6 per RFC 4890
pass in quick inet6 proto ipv6-icmp icmp6-type toobig keep state
pass in quick inet6 proto ipv6-icmp icmp6-type timex keep state
pass in quick inet6 proto ipv6-icmp icmp6-type paramprob keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echoreq keep state
 
##IPv6 Trust link-local for all icmpv6 traffic
pass in quick proto ipv6-icmp from fe80::/10 to any keep state
pass in quick proto ipv6-icmp from ff02::/16 to any keep state
pass in quick proto ipv6-icmp from any to ff02::/16 keep state
 
##IPv6 Trust our allocated /64 for all icmpv6 traffic on en0 (Wifi)
##If you are using IPv6 add your IPv6 allocation here
#pass in quick on en0 proto ipv6-icmp from 2001:db8::/64 to any keep state
 
############## Egress Firewall ##############
 
##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Pu sh Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks  in addition to Apple's CIDR /8.
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S
 
##Block mDNS egress, for many networks this is an nuisance, if you depend on mDNS then com ment or remove this line.
block out quick from any to 224.0.0.251

In your example, simply add:


block out quick from any to 208.91.196.0/22

If you'd want to issue TCP RST you could:


block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22

For iOS, I effect the firewall rules by running

pfctl -ef /path/to/pf.conf

To view the status of the firewall I simply

pfctl -sa

Re: [OS X] PF Firewall FrontEnd

Sun, 02 Dec 2012 01:50:41 EDT

daveinpoway posted : It has been my experience that most consumer-grade routers will not handle advanced stuff such as country blocking- you
need after-market (Linux-based) software for this.

I am using the Home (free) edition of Astaro Security Gateway (now renamed as Sophos UTM) on a PC that I assembled for this purpose- it has all of these advanced blocking features.

Re: [OS X] PF Firewall FrontEnd

Sat, 01 Dec 2012 18:02:45 EDT

Da Geek Kid posted : for things like IP addresses I would use IceFloor. But I would highly recommend not using any apple device as a firewall. They are very simple in design and do not assist in anything for network troubleshooting. I would recommend anything that runs DD-WRT or any other open WRT firmware. They provide a wide range of abilities and tweaks. Although, doing this on your laptop is a good idea as always when going out to the open world. You want to make sure you are covered not just behind the firewall at home.

Re: [OS X] PF Firewall FrontEnd

Sat, 01 Dec 2012 16:02:53 EDT

Irish Shark posted : The reason that I asked if you have a router is because most routers will block incoming, outgoing, or both IPs, sites, Domains, even a whole country.

I am not 100% up to speed on the TC firewall, but I believe it can be done.
--
"You can observe a lot by watching". Yogi Berra

Re: [OS X] PF Firewall FrontEnd

Sat, 01 Dec 2012 10:52:33 EDT

TamaraB posted :

said by Da Geek Kid:

Those addresses go into your hosts file... ;)

How do you put IP ranges into a hosts file? What entry in a hosts file would block 200.0.0.0 to 200.254.254.254?

Re: [OS X] PF Firewall FrontEnd

Sat, 01 Dec 2012 03:12:07 EDT

Da Geek Kid posted : Those addresses go into your hosts file... ;)

I'd use both...

Re: [OS X] PF Firewall FrontEnd

Sat, 01 Dec 2012 02:08:37 EDT

TamaraB posted : Looks like an interesting program to manage specific services. What it seems to lack is the ability to do such things like drop syn packets from entire CIDR blocks. I am looking to open some services on my iMac, and want to restrict all access from certain geographic areas like all of apnic, lacnic, and much of eastern europe. Dropping all packets from 200.0.0.0/8 for instance is something which PF can do easily, but the interface to PF which Apple supplies is woefully deficient.

What I am looking for is a GUI front end to PF (pfctl). IceFloor seems to be the closest I have found. What I am concerned about is its effect on all the auto-magic OSX does.
--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"

Re: [OS X] PF Firewall FrontEnd

Fri, 30 Nov 2012 20:51:25 EDT

Da Geek Kid posted : check out Little Snitch: »www.obdev.at/products/littlesnit···dex.html

Re: [OS X] PF Firewall FrontEnd

Fri, 30 Nov 2012 17:49:50 EDT

TamaraB posted :

said by Irish Shark:

Do you have a router?

Yes. I have two 3TB Time Capsules, one is my Internet router and backup drive. The other one is extending my local network and also a secondary Time Machine backup drive.

Re: [OS X] PF Firewall FrontEnd

Fri, 30 Nov 2012 12:31:06 EDT

Irish Shark posted : Do you have a router?

[OS X] PF Firewall FrontEnd

Fri, 30 Nov 2012 12:23:09 EDT

TamaraB posted : Hi:

I am looking for more control over my Mountain Lion's PF firewall. I want to be able to block entire networks like 208.91.196.0/22. At the same time I don't want to interfere with the application portion of OSX's firewall interface, so things like back-to-my-mac still functions. I searched for and found