Configure Firewall

From AwkwardTV


The AppleTV seems to ship with no firewall rules configured. There is no need to hack up a way to disable the firewall.

In MacOS X, at boot time,
runs, which reads the file

Neither the binary nor the plist is distributed with the AppleTV OS, so it is not surprising that in a default OS install the ipfw kext has only its single 'allow any' default rule:

-bash-2.05b$ sudo ipfw list
65535 allow ip from any to any

Enabling the Firewall

It is likely that copying over FirewallTool from an Intel Mac will enable MacOS firewall configuration at boot time. In addition, it is necessary to create /Library/Preferences/ If the prefs plist file does not exist, FirewallTool will not configure ipfw. There are several ways to create this file:

Enabling the Firewall without an Intel Mac

It's possible to set up the firewall without using any GUI, and this appears to work (tested on a v2.1 AppleTV) without copying the plist or any other files from an Intel Mac. Be warned: with this method it's quite likely that your machine will be unfirewalled for a short time during boot-up, before the firewall rules script takes effect.

Create the following file as in /Users/frontrow. It can serve as a base set of firewall rules to get you started; if you want more, search for "ipfw". Don't forget that you must change the IP address under the comment 'Allow anything from LAN' to match your own LAN's IP address range.

#!/bin/sh
# ipfw matches packets against the first rule that fits, so rule numbers
# (and therefore ordering) matter. Start from an empty ruleset.
sudo ipfw -f flush
#sudo ipfw -f list

#exclude loopback traffic (local services keep working once the denies below apply)
sudo ipfw add 00003 allow all from any to any via lo0

#Deny any spoofed loopback/multicast traffic arriving on a real interface
sudo ipfw add 02010 deny log ip from to any in
sudo ipfw add 02020 deny log ip from any to in
sudo ipfw add 2030 deny log ip from to any in
sudo ipfw add 2040 deny log tcp from any to in

#Allow outgoing/established
sudo ipfw add 02050 allow tcp from any to any out
sudo ipfw add 02060 allow tcp from any to any established

#Allow anything from LAN (change the address range to match your own LAN)
sudo ipfw add 02070 allow ip from to any

#Block everything else
# Note: this catch-all denies TCP only; UDP and ICMP that matched nothing
# above fall through to the 65535 default rule, which allows them.
sudo ipfw add 12190 deny log tcp from any to any
sudo ipfw add 65535 allow ip from any to any

Make sure this script is executable:

chmod 755

Add the following as the top line of /etc/rc.local (it needs to be at the top so the firewall rules kick in as soon as possible; your AppleTV is effectively unfirewalled until this script has executed!):
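Once the script has run at boot, it is worth checking that the ruleset actually installed is the one you intended. The following audit script is an added example, not part of the AwkwardTV page: it reads `ipfw list` output and flags the three failure modes the steps above can produce (no loopback allow, only the stock default rule, or a catch-all deny that is TCP-only). The sample listings and the 192.0.2.0/24 LAN range in them are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AwkwardTV page: audit the ruleset that
# `ipfw list` prints. Run it against the live system with:
#   sudo ipfw list | audit_ipfw_rules

# Reads an `ipfw list` listing on stdin. Returns 0 when the listing has a
# loopback allow rule, at least one deny rule below the 65535 default, and
# a catch-all deny covering all IP (not just TCP). Otherwise it prints each
# problem to stderr and returns 1.
audit_ipfw_rules() {
    listing=$(cat)
    rc=0
    # Loopback must be allowed, or local services break once denies apply.
    if ! printf '%s\n' "$listing" | grep -q 'allow .*via lo0'; then
        echo "WARN: no rule allowing traffic via lo0" >&2; rc=1
    fi
    # A stock AppleTV shows only "65535 allow ip from any to any".
    if ! printf '%s\n' "$listing" | awk '$1+0 < 65535 && $2 == "deny" {f=1} END {exit !f}'; then
        echo "WARN: no deny rules; only the default allow is installed" >&2; rc=1
    fi
    # ipfw stops at the first match: a TCP-only catch-all deny lets UDP and
    # ICMP fall through to the default 65535 allow rule.
    if ! printf '%s\n' "$listing" | grep -q 'deny .*ip from any to any$'; then
        echo "WARN: catch-all deny is missing or TCP-only; UDP/ICMP still pass" >&2; rc=1
    fi
    return $rc
}

# Constructed sample listings (192.0.2.0/24 is a documentation range, not a real LAN).
SAMPLE_STOCK='65535 allow ip from any to any'
SAMPLE_TCP_ONLY='00003 allow ip from any to any via lo0
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow ip from 192.0.2.0/24 to any
12190 deny log tcp from any to any
65535 allow ip from any to any'
SAMPLE_FULL='00003 allow ip from any to any via lo0
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow ip from 192.0.2.0/24 to any
12190 deny log ip from any to any
65535 allow ip from any to any'

# Demonstration on the TCP-only ruleset: expect a warning about UDP/ICMP.
printf '%s\n' "$SAMPLE_TCP_ONLY" | audit_ipfw_rules || echo "sample ruleset needs attention"
```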