OSX IPFW Firewall Scripts
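#!/bin/sh
# rc.firewall - host firewall for Mac OS X built on ipfw.
# Script originally from: https://www.haught.org/article/osx-firewall/
#
# Policy implemented below:
#   - loopback traffic is allowed, spoofed 127/8 traffic on real interfaces
#     is denied and logged
#   - all outbound tcp/udp/icmp is allowed; tcp/udp replies come back through
#     the state table (check-state / keep-state)
#   - inbound icmp is allowed (ping, traceroute)
#   - inbound SSH is allowed from ANY source; AFP, SLP, SMB, mDNS and bacula-fd
#     are allowed only from the trusted subnet in $trust
#   - everything else inbound is rejected (tcp/udp) or denied (ip) and logged
#
######################
#### Installation ####
######################
# - Copy this file to:
#     /usr/local/sbin/rc.firewall   # the plist below runs it from this path
# - chmod 0750 /usr/local/sbin/rc.firewall
# - Create/Copy the xml for the launchd job into /Library/LaunchDaemons; the
#   file name must be the one passed to launchctl in the next step:
# - sudo launchctl load /Library/LaunchDaemons/firewall.plist
# - Verify it is in the list by doing:
#     sudo launchctl list
#
######################
####### Basic ########
######################
# Script is from:
# https://www.haught.org/article/osx-firewall/
#
# No 'set -e' here on purpose: if a single 'ipfw add' fails we still want to
# reach the default block rules at the bottom instead of exiting with the
# firewall half-configured (ipfw's built-in last rule 65535 is typically an
# allow on OS X, so an incomplete ruleset can leave the host open).

# Edit subnet here: the only hosts allowed to reach the LAN services below.
trust="192.168.0.0/24"

# Purge existing rules
/sbin/ipfw -f flush

# Allow localhost
/sbin/ipfw -f add 00100 allow ip from any to any via lo0

# Deny spoofed localhost: 127/8 must never arrive on a non-loopback interface
/sbin/ipfw -f add 00110 deny log ip from 127.0.0.0/8 to any in
/sbin/ipfw -f add 00120 deny log ip from any to 127.0.0.0/8 in

# Keep state table: packets matching a dynamic rule are accepted here, so the
# per-service 'keep-state' rules below only need to admit the first packet.
/sbin/ipfw -f add 25000 check-state

# Allow outbound tcp/udp/icmp and keep state on udp/tcp
/sbin/ipfw -f add allow tcp from any to any out setup keep-state
/sbin/ipfw -f add allow udp from any to any out keep-state
/sbin/ipfw -f add allow icmp from any to any out

# Allow incoming icmp traffic for ping and traceroute
/sbin/ipfw -f add allow icmp from any to any in

######################
###### Services ######
######################
# Allow SSH
# NOTE: unlike every other service below this is open to ANY source address,
# not just $trust. Narrow it to "$trust" if the host does not need to be
# reachable over SSH from outside the LAN.
/sbin/ipfw -f add allow tcp from any to any 22 keep-state setup

# Allow Apple File Sharing (AFP 548, SLP 427) from our trusted subnet
/sbin/ipfw -f add allow tcp from "$trust" to any 548 keep-state setup
/sbin/ipfw -f add allow tcp from "$trust" to any 427 keep-state setup

# Allow SMB file sharing from our trusted subnet
# Only NetBIOS session (139) is opened here; SMB over 445 is not covered by
# this rule - TODO confirm whether that is intended for your setup.
/sbin/ipfw -f add allow tcp from "$trust" to any 139 keep-state setup

# Allow Rendezvous (mDNS/Bonjour) from our trusted subnet
/sbin/ipfw -f add allow udp from "$trust" to any 5353 keep-state

# Allow bacula-fd from our trusted subnet
/sbin/ipfw -f add allow tcp from "$trust" to any 9102 keep-state setup

#####################
### Default Block ###
#####################
# 'reject' answers with a RST / ICMP unreachable, 'deny' drops silently;
# all three are logged so unexpected inbound traffic shows up in the ipfw log.
# Default reject for udp
/sbin/ipfw -f add 65532 reject log udp from any to any in
# Default reject for tcp
/sbin/ipfw -f add 65533 reject log tcp from any to any in
# Default deny for ip
/sbin/ipfw -f add 65534 deny log ip from any to any in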
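<?xml version="1.0" encoding="UTF-8"?>
<!--
  launchd job that runs /usr/local/sbin/rc.firewall as root at boot so the
  ipfw ruleset is loaded before any service is reachable.
  Install into /Library/LaunchDaemons and load it with:
    sudo launchctl load /Library/LaunchDaemons/<this file name>
  The quotes below must be plain ASCII double quotes; curly quotes make the
  file unparseable by launchd/plutil.
  NOTE(review): the com.apple.* Label prefix is conventionally used by Apple's
  own daemons - consider a reverse-DNS label under a domain you control to
  avoid a clash with a system job of the same name.
-->
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Unique job identifier as shown by 'launchctl list' -->
  <key>Label</key>
  <string>com.apple.firewall</string>
  <!-- The firewall script; path must match the Installation step in rc.firewall -->
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/sbin/rc.firewall</string>
  </array>
  <!-- Run once when the job is loaded (at boot for LaunchDaemons) -->
  <key>RunAtLoad</key>
  <true/>
  <!-- ipfw requires root to modify the ruleset -->
  <key>UserName</key>
  <string>root</string>
</dict>
</plist>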