### DO NOT USE WITHOUT REVIEWING PORT ASSIGNMENTS
# As an absolute minimum you will need to replace X.X.X.X with the address of your LAN
# Note also a few non-standard ports (SSH and VNC) - yes, good old security by obscurity

### Pan-interface rules first, followed by those unique to wireless (en1) then those unique to ethernet (en0).

# A nasty on Mac OS X Server only, documented here as a reminder.
# serialnumberd forcibly re-opens this port if closed manually :o(
# 100 allow udp from any 626 to any dst-port 626

# Allow Loopback
# Many services and apps use this interface for their correct operation
add 1000 allow ip from any to any via lo*

# Loopback addresses on non-loopback interfaces are bogus.
# Don't however let anything in to the loopback interface from outside the machine
add 1001 deny log logamount 1000 ip from any to 127.0.0.0/8

# Block multicast if you don't use it.
# Almost all IP you do is point-to-point unicast communication
add 1002 deny log ip from 224.0.0.0/4 to any in

# Deny Source Routed Packets
# Source routing is a feature to allow packets to specify the route they take, but is abused to deceive a
# destination as to the source of packets, hence drop such packets regardless.
add 1003 unreach host log ip from any to any ipoptions ssrr,lsrr

# Check Dynamic Rules Table
# All rules below that include the keep-state keyword will cause the creation of a temporary dynamic rule.
# This rule checks that table so as to allow through communication that has already been given the green light.
add 1010 check-state

## If the conversation began on my machine, let it continue.
# Like it says - this rule pair allows out _all_ packets that originate internally
add 1031 allow tcp from any to any out keep-state
add 1032 allow udp from any to any out keep-state

# Block bogus inbounds that claim they were established (an ACK from someone no SYN was sent to).
# CAUTION - this might block Internet Connection Sharing
add 1033 deny log tcp from any to any established in

# Allow fragmented packets
# Your choice - these _may_ be used in hack attempts, but mis-matched MTUs can cause these - blocking them would then slow your connection.
add 1050 allow all from any to any frag

# Allow DHCP responses
# This is a special case. DHCP return comms are broadcasts and hence will not match the dynamic rule
# created by the DHCP request, hence we must explicitly let them back in.
add 1060 allow udp from any 67 to any 68 in

## ICMP Traffic
# Destination unreachable
# Subsidiary code helps source to retransmit packets in a more appropriate fashion
# e.g. shrink packet size
add 1070 allow icmp from any to any icmptypes 3
# Source quench (reduce the rate of packets sent)
add 1071 allow icmp from any to any icmptypes 4
# Ping out; accept ping answers.
add 1072 allow icmp from any to any icmptypes 8 out
add 1073 allow icmp from any to any icmptypes 0 in
# Time exceeded
# The packet sent has died since it exceeded its TTL.
# Important for meaningful traceroute.
add 1074 allow icmp from any to any icmptypes 11 in
# Parameter problem - packet has a problem not described by any other ICMP message
add 1075 allow icmp from any to any icmptypes 12 in
# Timestamp and timestamp reply - used for quality of service measurement
add 1076 allow icmp from any to any icmptypes 13 in
add 1077 allow icmp from any to any icmptypes 14 in

## DNS - better to specify sets of these four per DNS server
## to protect against DNS changer attacks
add 1080 allow tcp from any to any 53
add 1081 allow udp from any to any 53
add 1082 allow tcp from any to any 53 out keep-state
add 1083 allow udp from any to any 53 out keep-state

# mDNS (Bonjour) only from the local network (fill in your own,
# preferably non-standard, network after 'from').
# For Back to My Mac, you might need this from 'any'.
add 1090 allow udp from X.X.X.X/24 to any 5353
add 1091 allow udp from X.X.X.X/24 5353 to any 1024-65535 in

## Catch-all rule to deny anything not matching an explicit rule
add 65534 deny log logamount 1000 all from any to any in

##### Additional rules for the en1 interface

# File Transfer (FTP)
add 2007 allow tcp from any to any 20-21 setup keep-state in via en1
add 2008 allow tcp from any 20-21 to any 1024-65535 in via en1
# Samba/CIFS (TCP)
# 137-139 SMB over NetBIOS, 445 SMB over TCP/IP
add 2009 allow tcp from any to any 137-139,445 setup keep-state in via en1
add 2010 allow udp from any to any 137-139,445,65534,65535 keep-state in via en1
# IRC Chat (TCP)
add 2011 allow tcp from any to any 194 setup keep-state in via en1
# IRC Chat (UDP)
add 2012 allow udp from any to any 194 keep-state in via en1
# ICQ Chat (TCP)
add 2013 allow tcp from any to any 4000 setup keep-state in via en1
# ICQ Chat (UDP)
add 2014 allow udp from any to any 4000 keep-state in via en1
# Soulseek
add 2015 allow tcp from any to any 2234-2240 setup keep-state in via en1

##### Additional rules for the en0 interface

# Wake on WAN
add 4006 allow udp from any to any 4 in via en0
# File Transfer (FTP)
add 4007 allow tcp from any to any 20-21 setup keep-state in via en0
add 4008 allow tcp from any 20-21 to any 1024-65535 in via en0
# Samba/CIFS (TCP)
# 137-139 SMB over NetBIOS, 445 SMB over TCP/IP
add 4009 allow tcp from any to any 137-139,445 setup keep-state in via en0
add 4010 allow udp from any to any 137-139,445,65534,65535 keep-state in via en0
# IRC Chat (TCP)
add 4011 allow tcp from any to any 194 setup keep-state in via en0
# IRC Chat (UDP)
add 4012 allow udp from any to any 194 keep-state in via en0
# ICQ Chat (TCP)
add 4013 allow tcp from any to any 4000 setup keep-state in via en0
# ICQ Chat (UDP)
add 4014 allow udp from any to any 4000 keep-state in via en0
# Soulseek
add 4015 allow tcp from any to any 2234-2240 setup keep-state in via en0
# SSH
add 4016 allow tcp from any to any 2233 setup keep-state in via en0
# VNC
add 4017 allow tcp from any to any 5905 setup keep-state in via en0

##### END OF RULES #####

### Other potentially useful filters
### NOTES:
### - replace the 10.42.24.0 with your local network range
### - the syntax is ipfw2-specific, in that ipfw does not support the
###   src/dst-port keywords.

# ssh
#add 5200 allow tcp from any to any dst-port 22
# iTunes music sharing
# add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689
# AFP
# add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548
# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443
# L2TP VPN
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500
# iChat: local
# add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
# add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
# add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678
# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
# add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
# add 5820 allow udp from 10.42.24.0/24 to any dst-port 427
# syslog
# add 5900 allow udp from 10.42.24.0/24 to any dst-port 514
# ipp (CUPS printing)
# add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631
# ntp (Network Time)
#add 6100 allow udp from any 123 to any 1024-65535,123
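The comments above describe three behaviours that are easy to get wrong when editing this file: a reply to an outbound connection is admitted at rule 1010 (check-state) because the keep-state rules 1031/1032 created a dynamic entry; an unsolicited inbound packet with ACK set is dropped by rule 1033 (established); and a DHCP offer arrives as a broadcast whose 5-tuple does not reverse the request's, so it misses the dynamic table and needs rule 1060. The following is an added example, not part of the original ruleset and not ipfw's own code: a small Python model of ipfw's first-match evaluation with a dynamic-rule table, which parses a subset of the rules above verbatim and walks constructed packets through them. Assumptions: the addresses are RFC 5737 documentation addresses chosen for the example; the 5-tuple state key and the setup/established flag checks are a simplification of ipfw; the log, ipoptions, icmptypes and frag keywords are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Added, simplified model of ipfw first-match evaluation with dynamic rules.
# It is not ipfw; it models only the keywords the rules below use.

@dataclass
class Rule:
    num: int
    action: str                          # allow, deny or check-state
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    sports: Optional[set] = None         # None means any port
    dports: Optional[set] = None
    direction: Optional[str] = None      # in, out or None (either)
    via: Optional[str] = None            # interface name, None means any
    opts: set = field(default_factory=set)  # setup, keep-state, established

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                       # in or out
    iface: str = "en0"
    flags: frozenset = frozenset()       # TCP flag names, e.g. {"SYN", "ACK"}

RULE_RE = re.compile(r"add (\d+) (\S+)(?: log(?: logamount \d+)?)?"
                     r"(?: (\S+) from (\S+)(?: ([\d,-]+))? to (\S+)(?: ([\d,-]+))?(.*))?$")

def parse_ports(tok):
    """'137-139,445' -> {137, 138, 139, 445}."""
    ports = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Parse 'add NUM ACTION [log [logamount N]] PROTO from SRC [PORTS] to DST [PORTS] options'."""
    num, action, proto, src, sp, dst, dp, rest = RULE_RE.match(line.strip()).groups()
    r = Rule(int(num), action)
    if action == "check-state":
        return r
    r.proto, r.src, r.dst = proto, src, dst
    r.sports = parse_ports(sp) if sp else None
    r.dports = parse_ports(dp) if dp else None
    toks = rest.split()
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            r.direction = tok
        elif tok == "via":
            r.via = toks.pop(0)
        else:
            r.opts.add(tok)
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """Static (non-dynamic) match of packet p against rule r."""
    if r.proto not in ("ip", "all", p.proto):
        return False
    if not (in_net(r.src, p.src) and in_net(r.dst, p.dst)):
        return False
    if r.sports is not None and p.sport not in r.sports:
        return False
    if r.dports is not None and p.dport not in r.dports:
        return False
    if (r.direction and r.direction != p.direction) or (r.via and r.via != p.iface):
        return False
    # setup: TCP SYN without ACK; established: TCP with ACK or RST set
    if "setup" in r.opts and not (p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags):
        return False
    if "established" in r.opts and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    return True

class Firewall:
    def __init__(self, rule_text):
        lines = [l for l in rule_text.splitlines() if l.strip().startswith("add")]
        self.rules = sorted(map(parse_rule, lines), key=lambda r: r.num)
        self.state = set()               # dynamic rules keyed by 5-tuple

    def evaluate(self, p):
        """Return (action, rule number) of the first rule that decides the packet."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r.action == "check-state":
                if key in self.state or reverse in self.state:   # flow known in either direction
                    return ("allow", r.num)  # every keep-state rule in this set is an allow rule
                continue
            if matches(r, p):
                if "keep-state" in r.opts:
                    self.state.add(key)
                return (r.action, r.num)
        return ("deny", 65535)           # ipfw's implicit default rule

# Constructed subset of the ruleset above, numbers and syntax as written there.
RULES = """
add 1010 check-state
add 1031 allow tcp from any to any out keep-state
add 1032 allow udp from any to any out keep-state
add 1033 deny log tcp from any to any established in
add 1060 allow udp from any 67 to any 68 in
add 4016 allow tcp from any to any 2233 setup keep-state in via en0
add 65534 deny log logamount 1000 all from any to any in
"""

def demo():
    """Walk constructed packets (RFC 5737 documentation addresses) through the rules, in order."""
    fw = Firewall(RULES)
    me, web, remote, dhcp = "192.0.2.10", "198.51.100.5", "203.0.113.9", "192.0.2.1"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return {
        "https_out": fw.evaluate(Packet("tcp", me, 50000, web, 443, "out", flags=syn)),
        "https_reply": fw.evaluate(Packet("tcp", web, 443, me, 50000, "in", flags=synack)),
        "bogus_ack": fw.evaluate(Packet("tcp", remote, 4444, me, 3389, "in", flags=ack)),
        "dhcp_discover": fw.evaluate(Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "out")),
        "dhcp_offer": fw.evaluate(Packet("udp", dhcp, 67, "255.255.255.255", 68, "in")),
        "ssh_en0": fw.evaluate(Packet("tcp", remote, 40000, me, 2233, "in", flags=syn)),
        "ssh_en1": fw.evaluate(Packet("tcp", remote, 40001, me, 2233, "in", iface="en1", flags=syn)),
        "port_22": fw.evaluate(Packet("tcp", remote, 40002, me, 22, "in", flags=syn)),
    }

if __name__ == "__main__":
    for name, (action, num) in demo().items():
        print(f"{name:14s} -> {action} (rule {num})")
```

Run it and compare the rule number printed for each packet with the comment next to that rule above: the HTTPS reply is decided by 1010, the unsolicited ACK by 1033, the DHCP offer by 1060 rather than by the dynamic table, and the SSH SYN on en1 falls through to 65534 because 4016 is bound to en0. On a real machine the equivalent check is to list the dynamic rules with `ipfw -d list` while a connection is open; any change to the keep-state rules should be verified that way rather than assumed.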