ctasfen.blogg.se

Mac noobproof firewall







It would also definitely be better to have the ipfw_firewall.sh somewhere within the /usr/local/ tree (maybe /usr/local/scripts/, or /usr/local/bin).

If you had also bothered to read the ipfw manpage, you would realise that /sbin/ipfw -q /etc/nf tells ipfw to load firewall rules in the configuration file that is in the path /etc/nf, which is where you put all the text under the line: - and last but not least the /etc/nf file looks like this: It even states: # Load rule set from /etc/nf

For info, the group ownership for the ipfw_ist file should really be with wheel, the same as the plists in /System/Library/LaunchDaemons/ and the /etc/nf file should be owned by root, and only readable by root, no one else.

To that end, it is obvious that the script ends on the line $IPFW -q /etc/nf.

If you had bothered to read the attached file, you would notice that the file (after the XML) starts with #!/bin/sh and, if you are aware of how shell scripts work then you would know that there are no shell commands for add 00100 set 0 allow ip from any to any via lo* (as an example) unless coupled with the command ipfw add which is not the case here.

Hi. What good are these permissions when the ipfw_ist you published in your hint outsources your firewall rules to: Can you explain to me the benefits of having your system's firewall rules trivially in your user space?

The result of the above firewall config is this when you run nmap against it:


I just used their stuff and modified it to fit my requirements. The actual scripts and firewall rules here are the result of research I did on ipfw on OS X and BSD, and are the result of other people's work, for instance, Dru Lavigne.


*.err kern.* auth.notice authpriv,remoteauth,install.none mail.crit /dev/console
*.notice authpriv,remoteauth,ftp,install.none bug mail.crit /var/log/system.log
# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err kern.* auth.notice authpriv,remoteauth.none mail.crit /dev/tty.serial
# The authpriv log file should be restricted access these
# messages shouldn't go to terminals or publically-readable
# th,authpriv.* remoteauth.crit /var/log/ /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ /var/log/netinfo.log
install.* /var/log/install.log
install.* /var/log/ipfw.log
*.emerg *

With those changes, you get your firewall logs in /var/log/ipfw.log.






