Re: Keyboard Maestro Calling Home... how to stop?



In article <warren.oates-457CB7.19441920022006@xxxxxxxxxxxxxxxxxxxxxxx>,
Warren Oates <warren.oates@xxxxxxxxx> wrote:
In article <43fa5a69$0$58111$742ec2ed@xxxxxxxxxxxxxx>,
claudel@xxxxxxxxx (Claude V. Lucas) wrote:

I have ipfw rules that only allow outbound on certain
ports like 22 to my ISP, 80, and 443 so it sends the UDP broadcast
on 2222 to the bit bucket. Once I figured out what it was I
quit bothering to include it in my daily log report.

How do you write those rules?

A tutorial on writing firewall rules is really beyond the
scope of this newsgroup, but I'll try and get you started.
Please don't do any of this to your system unless you are
absolutely certain what it will do and, more importantly,
how to back out of it if you have unintended results.

A bit of background on my setup.

I do a bit of web dev work on my powerbook, so I run
Apache, MySql, PHP, etc. When I initially set up my
webserver I decided to build the components from source
rather than use the Apple supplied ones for a variety
of reasons. I wanted the webserver to be accessible via
localhost but not from external addresses. When I first
enabled the webserver via the "Sharing" panel I was annoyed
to find that doing that also opened an inbound hole in the
stock firewall configuration on port 80 so I decided to
write my own rules and control the firewall using a configuration
file rather than the System Preferences GUI.

OK so far?

I had to construct a startup item to start the firewall at startup.

I made a directory "/Library/StartupItems/ipfw"
Then I made two items in that directory
an executable script called "ipfw" containing

#!/bin/sh
# Turn on ipfw logging and raise the per-rule log limit so the
# "log" rules in /etc/ipfw.conf keep writing to syslog.
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=100000
# Load the rule set quietly (no per-rule echo) from the config file.
/sbin/ipfw -q /etc/ipfw.conf

This script enables ipfw logging and starts the firewall
using the configuration file "/etc/ipfw.conf" which
contains the rules.

and

StartupParameters.plist

Which I evidently stole from someone from Italy :^)
containing:
{
Description = "ipfw firewall";
OrderPreference = "None";
Provides = ("Firewall");
Requires = ("Super Server");
Messages =
{
start = "Starting the firewall";
stop = "Stopping the firewall";
};
}

Now that we have the firewall starting using its own
config file I'll get you started writing your own rules.

in /etc/ipfw.conf put the lines
# Flush all rules
flush

# - Anything in the state table.
add check-state

# - Allow loopback traffic
add allow ip from any to any via lo0

# - Drop all traffic to 127/8 that doesn't use lo0
add deny log ip from any to 127.0.0.0/8

# - Reject source-routed packets
add unreach host log ip from any to any ipoptions ssrr,lsrr

# dhcp / bootps
add allow udp from any 67-68 to any 67-68

# Allow multicast DNS in
# This rule needs to precede the Drop RFC 1918 rule
# (224.0.0.251 is the mDNS group; a /8 mask here would match all of 224.0.0.0/8)
add allow udp from any 5353 to 224.0.0.251 5353 in

# Drop RFC1918 addresses on the outside interface
# This rule may cause problems if host is on one of these nets
#Comment the lines that correspond to your network.
#add deny log ip from 192.168.0.0/16 to any in
add deny log ip from 172.16.0.0/12 to any in
add deny log ip from 10.0.0.0/8 to any in
#add deny log ip from any to 192.168.0.0/16 in
add deny log ip from any to 172.16.0.0/12 in
add deny log ip from any to 10.0.0.0/8 in
#

add allow log all from any to any

and start the firewall (sudo ipfw /etc/ipfw.conf).

This will allow all traffic and log it into a file.
This configuration is probably not safe and you should
probably not run with it for too long.

It is known as a "default allow" configuration

You need to figure out where the firewall logging info goes
on your system. Probably into a logfile in /var/log.

Watch that log file (sudo tail -f /var/log/logfile ) see what
traffic is being generated to and from your machine and decide
what you want to allow and what you want to not allow.

Once you get an idea of the traffic flow change the

"add allow log all from any to any" line in /etc/ipfw.conf to

"add deny log all from any to any" and leave it as the final
rule in the file. Restart the firewall.

This is known as a "default deny" configuration.
Anything not explicitly permitted is then disallowed.

Note that this by itself will completely shut off both inbound
and outbound network traffic so you need to write some "allow"
rules depending on your specific requirements.

add allow tcp from any to any 80 out keep-state
add allow tcp from any to any 443 out keep-state

will enable unlogged outbound web traffic and is probably necessary

as is

add allow udp from any to any 53 out keep-state
add allow udp from any to any 5353 out keep-state
add allow tcp from any to any 53 out setup keep-state

which allows name service access and is definitely necessary.

and so on.

"keep-state" is a good thing. It tells the firewall to remember
what is going out and to allow inbound traffic that is a response.

If an application stops working, look in the log and see what port
it wants to use and write another rule to allow it...

Watch for accidental "allow too much" rules. Rule order matters.

It's OK to use service names instead of port numbers in rules.
Unless it doesn't work. :^)

It's not OK to use destination names instead of IP addresses for
destination specific rules. If the firewall starts and is unable
to resolve the names it will fail in a totally open state.
(Don't ask how I found *this* out :^) )

The order of the rules matters.

If your logfile fills up with records of MS Windows network chatter
use rules like these

add deny tcp from any to any 135 in
add deny tcp from any to any 137-139 in
add deny udp from any to any 137-139 in
add deny tcp from any to any 445 in

as early rules. This will bit-bucket the traffic without
logging the uninteresting rejects.

I told you this would be long. :^)

The UDP broadcast on port 2222 by MS Office gets blocked
by the "default deny" rule as do many other things...

This isn't a total explanation, but should provide you with
enough information to be dangerous.

anyway, "man ipfw" tells all, and a Google of ipfw possibly
will offer additional useful explanation.

Good Luck

Claude
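The post tells you to watch the ipfw log and write allow rules for whatever legitimate traffic turns up. The script below is an added example (mine, not Claude's) that does that triage step mechanically: it reads ipfw Deny lines, counts them by protocol, destination port and direction, and prints candidate keep-state allow rules for the outbound flows while flagging inbound and portless ones for review. The sample log lines are constructed, and the field layout it parses (rule number, action, protocol, src:port, dst:port, direction and interface following the "ipfw:" token) is my assumption about how the kernel's log lines land in syslog; adjust the awk field offsets if your system logs differently.

```shell
#!/bin/sh
# ipfw-triage.sh (added example, not from the original post).
# Summarise ipfw "Deny" log lines by protocol, destination port and
# direction, then print candidate allow rules for the outbound flows so
# they can be reviewed before going into /etc/ipfw.conf.
#
# Assumed log line layout (my reading of the kernel ipfw log format as
# it lands in syslog; the prefix before "ipfw:" may differ on your box):
#   <date> <host> kernel[0]: ipfw: <rule> <Action> <Proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# ICMP lines carry "ICMP:<type>.<code>" and no port numbers.

# Constructed sample log: the UDP 2222 broadcast from this thread, an
# outbound IMAPS attempt, some inbound Windows noise, an inbound ping
# and one accepted flow that must be ignored.
SAMPLE_LOG='Feb 20 19:44:19 powerbook kernel[0]: ipfw: 65000 Deny UDP 192.168.1.5:2222 192.168.1.255:2222 out via en0
Feb 20 19:44:20 powerbook kernel[0]: ipfw: 65000 Deny UDP 192.168.1.5:2222 192.168.1.255:2222 out via en0
Feb 20 19:44:21 powerbook kernel[0]: ipfw: 65000 Deny TCP 192.168.1.5:49152 192.0.2.10:993 out via en0
Feb 20 19:44:22 powerbook kernel[0]: ipfw: 65000 Deny TCP 198.51.100.7:3120 192.168.1.5:445 in via en0
Feb 20 19:44:23 powerbook kernel[0]: ipfw: 65000 Deny ICMP:8.0 198.51.100.7 192.168.1.5 in via en0
Feb 20 19:44:24 powerbook kernel[0]: ipfw: 100 Accept TCP 192.168.1.5:49153 192.0.2.10:443 out via en0'

# deny_summary: read log text on stdin, print one "PROTO DPORT DIR COUNT"
# line per denied flow, most frequent first. Non-Deny lines are skipped.
deny_summary() {
    awk '
    {
        # find the "ipfw:" token so the syslog prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next
        action = $(i + 2); proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
        if (action != "Deny") next
        sub(/:.*/, "", proto)                 # "ICMP:8.0" -> "ICMP"
        dport = "-"
        if (split(dst, parts, ":") == 2) dport = parts[2]
        count[proto " " dport " " dir]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1 -k2,2n -k3,3
}

# suggest_rules: turn the summary into rule candidates. Outbound TCP/UDP
# denials become stateful allow rules ("setup" limits TCP to the SYN);
# inbound and portless flows are only listed for manual review, since an
# inbound hole is what the poster set out to avoid.
suggest_rules() {
    deny_summary | awk '
    $2 == "-"   { printf "# review: %s %s (%s hits)\n", $1, $3, $4; next }
    $3 == "out" { extra = ($1 == "TCP") ? "setup keep-state" : "keep-state"
                  printf "add allow %s from any to any %s out %s   # %s hits\n", tolower($1), $2, extra, $4; next }
                { printf "# review inbound: %s port %s (%s hits)\n", $1, $2, $4 }
    '
}

# run_sample: the triage over the embedded sample log.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | suggest_rules
}

# Usage: ipfw-triage.sh /var/log/ipfw.log   (or /dev/stdin to pipe a log in)
# With no argument the embedded sample is used.
if [ -n "$1" ]; then
    suggest_rules < "$1"
else
    run_sample
fi
```

Run it with the log file as the argument (or /dev/stdin to pipe a log in); with no argument it works over the embedded sample. The output is a review list, not something to append blindly: the first candidate it produces for the sample is an allow for the UDP 2222 broadcast this thread is about, which is exactly the line you would delete before copying the rest into /etc/ipfw.conf.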


