Difference between revisions of "Configure Firewall"

From AwkwardTV

Latest revision as of 02:22, 11 January 2009

Note

The AppleTV seems to ship with no firewall rules configured. There is no need to hack up a way to disable the firewall.


In MacOS X, at boot time, /usr/libexec/FirewallTool runs, which reads the file /Library/Preferences/com.apple.sharing.firewall.plist

Neither the binary nor the plist are distributed with the AppleTV OS, and it is therefore not surprising that in a default OS install, the ipfw kext has a single 'allow any' default rule:

-bash-2.05b$ sudo ipfw list
65535 allow ip from any to any

Enabling the Firewall

It is likely that copying over FirewallTool from an Intel Mac will enable MacOS firewall configuration at boot time. In addition, it is necessary to create /Library/Preferences/com.apple.sharing.firewall.plist. If the prefs plist file does not exist, FirewallTool will not configure ipfw. There are several ways to create this file:

* Copy one you like from an Intel Mac
* Copy one, then edit as you like with the Property List Editor that comes with Xcode. (see: MacOS Hints article, http://www.macosxhints.com/article.php?story=20060427124349687)
* Install System Preferences (http://wiki.awkwardtv.org/wiki/Install_System_Preferences) from an Intel Mac and configure as usual.

Enabling the Firewall without an Intel Mac

It's possible to set up the firewall without using any GUI, and this appears to work (tested on a v2.1 AppleTV) without copying the plist or any other files from an Intel Mac. Be warned - using this method it's quite likely that your machine will be un-firewalled for a short time during boot-up, before the firewall rules script takes effect.

Create the following file as firewall_config.sh in /Users/frontrow. It can serve as a base set of firewall rules to get you started; if you want more, search for "ipfw". Don't forget that you must change the address range under the comment 'Allow anything from LAN' to match your own LAN's IP address range.

#!/bin/sh
# Start from an empty ruleset (-f: do not ask for confirmation)
sudo ipfw -f flush
#sudo ipfw -f list

# Exclude loopback traffic from all later checks
sudo ipfw add 00003 allow all from any to any via lo0

# Deny any spoofed loopback/multicast traffic arriving on a real interface
sudo ipfw add 02010 deny log ip from 127.0.0.0/8 to any in
sudo ipfw add 02020 deny log ip from any to 127.0.0.0/8 in
sudo ipfw add 02030 deny log ip from 224.0.0.0/3 to any in
sudo ipfw add 02040 deny log tcp from any to 224.0.0.0/3 in

# Allow outgoing TCP and the replies to connections this machine opened
sudo ipfw add 02050 allow tcp from any to any out
sudo ipfw add 02060 allow tcp from any to any established

# Allow anything from LAN (change 192.168.0.0/24 to your own range)
sudo ipfw add 02070 allow ip from 192.168.0.0/24 to any

# Block everything else (TCP only: UDP and ICMP not matched above still
# fall through to the default rule 65535 below and are allowed)
sudo ipfw add 12190 deny log tcp from any to any
sudo ipfw add 65535 allow ip from any to any

Make sure this script is executable:

chmod 755 firewall_config.sh

Add the following to the top line of /etc/rc.local (it should be at the top so the firewall rules kick in as soon as possible - your AppleTV is effectively unfirewalled until this script has executed!):

/Users/frontrow/firewall_config.sh
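The three things this how-to depends on can be checked with a little POSIX sh, shown here as an added example that is not the page's own code: it validates a LAN range before it goes into rule 02070, tells from an ipfw list dump whether anything beyond the default rule 65535 is loaded, and confirms that the rc.local hook comes first. The ipfw listings and rc.local contents are constructed samples, and treating the first non-blank, non-comment line of rc.local as its "top line" is an assumption.

```shell
#!/bin/sh
# Added example, not part of the AwkwardTV page: small POSIX sh checks for the
# three things the how-to above relies on. The ipfw listings and rc.local texts
# are constructed samples; the hook path and rule numbers are the page's own.

# Stock AppleTV: only the default catch-all rule (the page's own `ipfw list`).
DEFAULT_ONLY='65535 allow ip from any to any'
# After firewall_config.sh has run (abridged, constructed).
CONFIGURED='00003 allow ip from any to any via lo0
02010 deny log ip from 127.0.0.0/8 to any in
02070 allow ip from 192.168.0.0/24 to any
12190 deny log tcp from any to any
65535 allow ip from any to any'
# Constructed rc.local contents: hook first (good) and hook last (bad).
RC_LOCAL_GOOD='/Users/frontrow/firewall_config.sh
/some/other/startup/item'
RC_LOCAL_BAD='/some/other/startup/item
/Users/frontrow/firewall_config.sh'

# Accepts a LAN range in a.b.c.d/n form (each octet 0-255, prefix 0-32); use it
# before substituting a value into the 'Allow anything from LAN' rule.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in ${1%/*}; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Prints the page's rule 02070 with the given LAN range, refusing a bad range.
lan_rule() {
    valid_cidr "$1" || return 1
    echo "sudo ipfw add 02070 allow ip from $1 to any"
}

# Reads an `ipfw list` dump on stdin; succeeds only if some rule other than the
# default 65535 is loaded, i.e. the box is no longer running wide open.
ipfw_is_configured() {
    loaded=$(grep -v '^65535 ' | grep -c '^[0-9]' || true)
    [ "$loaded" -gt 0 ]
}

# Reads /etc/rc.local text on stdin; succeeds only if the first non-blank,
# non-comment line is the firewall script (assumed reading of "top line").
rc_local_hooks_first() {
    first=$(grep -Ev '^[[:space:]]*(#|$)' | head -n 1 || true)
    [ "$first" = "/Users/frontrow/firewall_config.sh" ]
}
```

On the AppleTV itself, pipe the real output in with `sudo ipfw list | ipfw_is_configured` and `rc_local_hooks_first < /etc/rc.local` after sourcing the file.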