How to configure IPFW on Snow Leopard

Snow Leopard’s default, GUI-based firewall is convenient, but not very configurable. You can block or allow certain applications, but you can’t filter at the port or host level, can’t NAT, and so on.

Fortunately, OS X 10.6 and earlier come with IPFW (IPFIREWALL), a nice little packet filter that was included in FreeBSD for many years. By default, it’s managed through text files and the command line. If you want a GUI interface for ipfw management, try Waterroof (get it?). But here’s how you configure ipfw to run at boot on your Snow Leopard or earlier machine with just the tools Steve gave you.

Create the file /etc/ipfw.conf. This is where your filtering rules go. By default, ipfw runs one rule, which allows all traffic (65535 allow from any to any). Rules are evaluated in ascending rule-number order and the first match wins, so anything you add is checked before that catch-all rule 65535. If you’re configuring ipfw, you obviously want something more. You can get information on how to write ipfw rules from the FreeBSD site.

Once you have created and saved your configuration, you need to tell the OS to run ipfw at boot. On a Mac, this is done through the use of a launch daemon, which is configured using an XML file.

Create the file /Library/LaunchDaemons/com.ipfw.plist, and include the following text –

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ipfw</string>
    <key>Program</key>
    <string>/sbin/ipfw</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/ipfw</string>
        <string>/etc/ipfw.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
This tells OS X to run ipfw using the configuration file /etc/ipfw.conf.

Change ownership of the launch daemon file to root:admin

sudo chown root:admin /Library/LaunchDaemons/com.ipfw.plist

This is necessary for the OS to be able to run the daemon: launchd refuses to load a job whose plist is not owned by root, and it likewise rejects a plist that is writable by group or other, so leave the file’s permissions at 644.

And finally, load your rules right now, instead of waiting for the next reboot

sudo /sbin/ipfw /etc/ipfw.conf

You can check what rules are loaded at any time using sudo ipfw list. And you can clear all rules using sudo ipfw flush, which removes everything except the default allow-all rule 65535, so flush before re-running the file to avoid duplicate rules.
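Here is a complete /etc/ipfw.conf that replaces the allow-everything default with a default-deny policy, added as a worked example rather than a ruleset from this post. It assumes a laptop or desktop that should accept only SSH from the network, gets its address via DHCP, and should still be able to open outbound connections; the rule numbers are just an ordering choice.

```ipfw
# /etc/ipfw.conf -- constructed example, loaded with: sudo /sbin/ipfw /etc/ipfw.conf
# ipfw reads one command per line and installs rules in ascending number order.

# Loopback traffic is fine, but nothing on the wire may claim a 127/8 address.
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any

# Consult the dynamic (stateful) rules created by keep-state below.
add 1000 check-state

# Connections this host initiates are allowed and tracked, so replies get in.
add 1100 allow tcp from me to any out setup keep-state
add 1200 allow udp from me to any out keep-state

# DHCP replies arrive from port 67 to port 68 before this host has an address,
# so "me" does not match them; allow them explicitly.
add 1300 allow udp from any 67 to any 68 in

# The only inbound service offered: SSH. New connections are tracked as well.
add 2000 allow tcp from any to me dst-port 22 in setup keep-state

# Keep the ICMP types needed for working networking: echo reply (0),
# unreachable (3), echo request (8) and time exceeded (11).
add 3000 allow icmp from any to any icmptypes 0,3,8,11

# Everything else is logged and dropped. This rule, not the built-in 65535,
# becomes the effective default. Log lines appear only when the sysctl
# net.inet.ip.fw.verbose is set to 1.
add 65000 deny log ip from any to any
```

After loading, sudo ipfw list should show these rules in number order followed by the untouched 65535 allow rule, and an SSH session to the machine should still connect while any other inbound port shows up as a logged deny.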