
PFiOS

@pnap.net
reply to TamaraB

Re: [OS X] PF Firewall FrontEnd

Below is the pf.conf I am using with iOS 5 on my iPhone 4. Since you're pretty adept, I think you could use this as a starting point without having to deal with a firewall front end. My experience has been that the CLI, both with pf and iptables, is far superior to a GUI system.

Forgive me if I'm showing you things you already know.


## Last modified Feb 03, 2012

############## Default Policy ##############

set skip on lo0
set limit states 20000

block in all
pass out all keep state

############## Ingress Firewall ##############

##Localhost
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 keep state
pass in quick from ::1 to ::1 keep state

##Permit certain IPv4 ICMP types
pass in quick inet proto icmp icmp-type echoreq keep state
pass in quick inet proto icmp icmp-type unreach keep state

##Permit DHCP
pass in quick on en0 proto udp from any to any port 67:68 keep state

##Permit SSH access on en0 (Wifi)
##If you use SSH on your iOS device enable these networks here.
#pass in quick on en0 proto tcp from 192.168.1.0/24 to any port 22 keep state

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state

##IPv6 Required icmpv6 per RFC 4890
pass in quick inet6 proto ipv6-icmp icmp6-type toobig keep state
pass in quick inet6 proto ipv6-icmp icmp6-type timex keep state
pass in quick inet6 proto ipv6-icmp icmp6-type paramprob keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp icmp6-type echoreq keep state

##IPv6 Trust link-local for all icmpv6 traffic
pass in quick proto ipv6-icmp from fe80::/10 to any keep state
pass in quick proto ipv6-icmp from ff02::/16 to any keep state
pass in quick proto ipv6-icmp from any to ff02::/16 keep state

##IPv6 Trust our allocated /64 for all icmpv6 traffic on en0 (Wifi)
##If you are using IPv6 add your IPv6 allocation here
#pass in quick on en0 proto ipv6-icmp from 2001:db8::/64 to any keep state

############## Egress Firewall ##############

##Allow Push for FaceTime to Apple's CIDR /8 but don't allow rogue XMPP over SSL (Apple Push Notification Service)
##If you are using a 3rd party Push server such as with Colloquy, then add these networks in addition to Apple's CIDR /8.
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S

##Block mDNS egress, for many networks this is a nuisance, if you depend on mDNS then comment or remove this line.
block out quick from any to 224.0.0.251


In your example, simply add:

block out quick from any to 208.91.196.0/22

If you'd want to issue TCP RST you could:

block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22

For iOS, I effect the firewall rules by running
pfctl -ef /path/to/pf.conf

To view the status of the firewall I simply
pfctl -sa
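The ordering in the ruleset above matters: pf stops at the first matching rule marked quick, otherwise the last matching rule wins, which is why the ad-network block lines carry quick and why the APNs block still takes effect after "pass out all". The following Python is an added example, not the poster's code; it evaluates a constructed subset of the post's rules (plus the two suggested block lines) against constructed packets and supports only the rule shapes used in this post, not full pf syntax.

```python
"""pf rule order, the way pf does it: a 'quick' match ends the search, otherwise the LAST match wins."""
import ipaddress
# Constructed subset of the post's ruleset plus the two suggested block lines, order preserved.
RULESET = """
block in all
pass out all keep state
pass in quick on en0 proto udp from any to any port 67:68 keep state
pass in quick proto tcp from 17.0.0.0/8 port 5223 to any no state
block return-rst out quick proto tcp from any to !17.0.0.0/8 port 5223 flags S/S
block out quick from any to 224.0.0.251
block return-rst out quick proto tcp from any to 208.91.196.0/22
block out quick from any to 208.91.196.0/22
"""
def parse_rule(line):
    t = line.split()
    def after(key, skip=1):                  # token `skip` places after `key`, or None
        return t[t.index(key) + skip] if key in t and t.index(key) + skip < len(t) else None
    def port(key):                           # "from X port P" / "to X port P"
        return after(key, 3) if after(key, 2) == "port" else None
    return dict(action=t[0], rst="return-rst" in t, dir=t[2] if t[1] == "return-rst" else t[1],
                quick="quick" in t, iface=after("on"), proto=after("proto"),
                af=next((k for k in t if k in ("inet", "inet6")), None),
                src=after("from"), sport=port("from"), dst=after("to"), dport=port("to"))

def _addr_ok(spec, addr):                    # spec: None, "any", CIDR/host, or "!"-negated
    if spec in (None, "any"):
        return True
    net, ip = ipaddress.ip_network(spec.lstrip("!"), strict=False), ipaddress.ip_address(addr)
    return (ip.version == net.version and ip in net) != spec.startswith("!")

def _port_ok(spec, port):                    # spec: None, "22" or "67:68"
    lo, _, hi = (spec or "0:65535").partition(":")
    return spec is None or (port is not None and int(lo) <= port <= int(hi or lo))

def matches(r, pkt):
    af = "inet" if ipaddress.ip_address(pkt["dst"]).version == 4 else "inet6"
    return (r["dir"] == pkt["dir"] and r["af"] in (None, af)
            and r["iface"] in (None, pkt["iface"]) and r["proto"] in (None, pkt["proto"])
            and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
            and _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"]))

def evaluate(pkt, ruleset=RULESET):
    """pkt keys: dir, iface, proto, src, dst, sport, dport. Returns (action, sends_rst)."""
    verdict = ("pass", False)                # pf passes when no rule matches at all
    for r in filter(lambda r: matches(r, pkt), map(parse_rule, ruleset.strip().splitlines())):
        verdict = (r["action"], r["rst"])    # last matching rule wins ...
        if r["quick"]:                       # ... unless it says quick
            break
    return verdict
```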