Difference between revisions of "Configure Firewall"
(→Note) |
(→Enabling the Firewall) |
||
Line 20: | Line 20: | ||
* Copy one, then edit as you like with the Property List Editor that comes with Xcode. (see: [http://www.macosxhints.com/article.php?story=20060427124349687 MacOS Hints article]) | * Copy one, then edit as you like with the Property List Editor that comes with Xcode. (see: [http://www.macosxhints.com/article.php?story=20060427124349687 MacOS Hints article]) | ||
* [[Install System Preferences]] from an Intel Mac and configure as usual. | * [[Install System Preferences]] from an Intel Mac and configure as usual. | ||
+ | |||
+ | == Enabling the Firewall without an Intel Mac == | ||
+ | |||
+ | It's possible to set up the firewall without using any Mac GUI, and this appears to work (tested on a v2.1 AppleTV) without copying the plist or any other files. '''Be warned''' - using this method it's quite likely that your machine will be un-firewalled for a short time during boot-up, before the firewall rules script takes effect. | ||
+ | |||
+ | Create the following file as firewall_config.sh in /Users/frontrow. It can serve as a base set of firewall rules to get you started - if you want more google for "ipfw". | ||
+ | #!/bin/sh | ||
+ | sudo ipfw -f flush | ||
+ | #sudo ipfw -f list | ||
+ | |||
+ | # exclude loopback traffic | ||
+ | sudo ipfw add 00003 allow all from any to any via lo0 | ||
+ | |||
+ | #Deny any spoofed loopback/multicast traffic | ||
+ | sudo ipfw add 02010 deny log ip from 127.0.0.0/8 to any in | ||
+ | sudo ipfw add 02020 deny log ip from any to 127.0.0.0/8 in | ||
+ | sudo ipfw add 2030 deny log ip from 224.0.0.0/3 to any in | ||
+ | sudo ipfw add 2040 deny log tcp from any to 224.0.0.0/3 in | ||
+ | |||
+ | #Allow anything from LAN | ||
+ | sudo ipfw add 02050 allow ip from 10.0.0.0/24 to any | ||
+ | |||
+ | #Block everything else | ||
+ | sudo ipfw add 12190 deny log tcp from any to any | ||
+ | sudo ipfw add 65535 allow ip from any to any | ||
+ | |||
+ | Make sure this script is executable | ||
+ | chmod 755 firewall_config.sh | ||
+ | |||
+ | Add the following to the top line of /etc/rc.local: | ||
+ | /Users/frontrow/firewall_config.sh | ||
[[Category:How-to]] | [[Category:How-to]] |
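Review bot: the comment on rule 12190 ("Block everything else") does not match the rule, which only denies `tcp`: any UDP packet from outside 10.0.0.0/24 falls through to `65535 allow ip from any to any`, so either use `deny log ip from any to any` here or add a matching udp deny. Because ipfw is stateless without `keep-state`, the same rule (no `in` qualifier) also drops replies to TCP connections the AppleTV itself opens to hosts outside 10.0.0.0/24; if outbound access is wanted, an `allow tcp from any to any established` rule (or keep-state) ahead of 12190 is needed, and the hard-coded 10.0.0.0/24 in rule 02050 should be called out as something the reader must change to their own LAN. Finally, /etc/rc.local runs this script as root, so the text should say the file must be root-owned and not writable by frontrow (chmod 755 alone leaves a user-owned file that the owner can still edit).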
Revision as of 00:39, 11 January 2009
Note
The AppleTV seems to ship with no firewall rules configured. There is no need to hack up a way to disable the firewall.
/usr/libexec/FirewallTool runs, which reads the file
/Library/Preferences/com.apple.sharing.firewall.plist
Neither the binary nor the plist is distributed with the AppleTV OS, and it is therefore not surprising that in a default OS install, the ipfw kext has a single 'allow any' default rule:
-bash-2.05b$ sudo ipfw list
65535 allow ip from any to any
Enabling the Firewall
It is likely that copying over FirewallTool from an Intel Mac will enable MacOS firewall configuration at boot time. In addition, it is necessary to create /Library/Preferences/com.apple.sharing.firewall.plist. If the prefs plist file does not exist, FirewallTool will not configure ipfw. There are several ways to create this file:
- Copy one you like from an Intel Mac
- Copy one, then edit as you like with the Property List Editor that comes with Xcode. (see: MacOS Hints article, http://www.macosxhints.com/article.php?story=20060427124349687)
- Install System Preferences from an Intel Mac and configure as usual.
Enabling the Firewall without an Intel Mac
It's possible to set up the firewall without using any Mac GUI, and this appears to work (tested on a v2.1 AppleTV) without copying the plist or any other files. Be warned - using this method it's quite likely that your machine will be un-firewalled for a short time during boot-up, before the firewall rules script takes effect.
Create the following file as firewall_config.sh in /Users/frontrow. It can serve as a base set of firewall rules to get you started; if you want more, google for "ipfw".
#!/bin/sh
sudo ipfw -f flush
#sudo ipfw -f list

# exclude loopback traffic
sudo ipfw add 00003 allow all from any to any via lo0

#Deny any spoofed loopback/multicast traffic
sudo ipfw add 02010 deny log ip from 127.0.0.0/8 to any in
sudo ipfw add 02020 deny log ip from any to 127.0.0.0/8 in
sudo ipfw add 2030 deny log ip from 224.0.0.0/3 to any in
sudo ipfw add 2040 deny log tcp from any to 224.0.0.0/3 in

#Allow anything from LAN
sudo ipfw add 02050 allow ip from 10.0.0.0/24 to any

#Block everything else
sudo ipfw add 12190 deny log tcp from any to any
sudo ipfw add 65535 allow ip from any to any
Make sure this script is executable:
chmod 755 firewall_config.sh
Add the following to the top line of /etc/rc.local:
/Users/frontrow/firewall_config.sh
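As an added check (example code written for this page, not part of the wiki or the AppleTV software), the POSIX sh script below verifies the hook set up above: the rule script exists, is executable and not group/world writable (rc.local runs it as root), is invoked on the first line of rc.local, and its catch-all deny covers more than tcp. The script and rc.local paths are passed as arguments; the file name check_firewall_hook.sh and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity checks for the boot-time
# ipfw hook described above. The script and rc.local paths are passed in
# (the page uses /Users/frontrow/firewall_config.sh and /etc/rc.local).

# rc.local runs the rule script as root, so besides being executable it
# must not be writable by anyone but its owner.
check_script() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable, run chmod 755: $f"; return 1; }
    perms=$(ls -l "$f" | cut -c1-10)          # e.g. -rwxr-xr-x
    case "$perms" in
        ?????w????|????????w?) echo "group/world writable: $f"; return 1 ;;
    esac
    head -n 1 "$f" | grep -q '^#!/bin/sh' \
        || { echo "first line of $f is not #!/bin/sh"; return 1; }
    return 0
}

# The script must be the first line of rc.local, as the page instructs, so
# the rules are loaded before anything else rc.local starts.
check_rc_local() {
    rc="$1"; script="$2"
    [ -f "$rc" ] || { echo "missing: $rc"; return 1; }
    [ "$(head -n 1 "$rc")" = "$script" ] \
        || { echo "first line of $rc does not run $script"; return 1; }
    return 0
}

# The page's base ruleset comments rule 12190 as "Block everything else",
# but it only matches tcp: udp from outside the LAN falls through to the
# final 'allow ip from any to any'. Flag a tcp-only catch-all.
check_catchall() {
    f="$1"
    grep -q 'deny log tcp from any to any' "$f" || return 0
    grep -Eq 'deny( log)? (ip|udp|all) from any to any' "$f" && return 0
    echo "catch-all in $f only matches tcp; udp still reaches rule 65535"
    return 1
}

# Usage: sh check_firewall_hook.sh SCRIPT RC_LOCAL; stops at the first failure.
run_checks() {
    check_script "$1" && check_rc_local "$2" "$1" && check_catchall "$1"
}
if [ "$#" -eq 2 ]; then run_checks "$1" "$2"; fi
```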