Browsing articles tagged with "ipfw - Admins Goodies"
May 16, 2012
tom

Will dropping only SYN packets improve or decrease firewall performance?

I’m setting up ipfw, and the following was suggested to me: if I make the rule drop only SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets. It seems counterintuitive to me. I think the firewall will perform better if I block all communication on the specified port (less packet inspection involved), and since no connection can be established either way, the number […]

Continue Reading »
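As an added illustration (not part of the question above or of any answer to it), the following toy first-match evaluator models the two rule styles the question compares. It is not ipfw; it implements only the subset of ipfw matching needed here, namely protocol, destination port, and the `setup` (SYN without ACK) and `established` (ACK or RST) keywords, and runs both rulesets over a constructed packet trace. The rule numbers, ports and trace are assumptions chosen for the example.

```python
# Added example: toy ipfw-style first-match evaluator (not ipfw itself).
# Assumes only the rule fields needed to compare
#   "deny tcp from any to me 22 setup"   (drop connection attempts only)
# against
#   "deny tcp from any to me 22"         (drop every packet to the port)
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    dport: Optional[int]         # None = any destination port
    flags: Optional[str] = None  # None, "setup" or "established"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags == "setup":        # ipfw setup: SYN set, ACK clear
        return pkt.proto == "tcp" and pkt.syn and not pkt.ack
    if rule.flags == "established":  # ipfw established: ACK or RST set
        return pkt.proto == "tcp" and (pkt.ack or pkt.rst)
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, examined
    return "deny", len(rules)  # unreachable when the set ends in a catch-all


# Two stateless rulesets that both admit reply traffic via "established".
SETUP_ONLY = [
    Rule(100, "deny", "tcp", 22, "setup"),          # drop SYNs to ssh only
    Rule(200, "allow", "tcp", None, "established"), # non-SYN TCP passes
    Rule(300, "allow", "udp", 53),
    Rule(65535, "deny", "ip", None),
]
BLOCK_PORT = [
    Rule(100, "deny", "tcp", 22),                   # drop everything to ssh
    Rule(200, "allow", "tcp", None, "established"),
    Rule(300, "allow", "udp", 53),
    Rule(65535, "deny", "ip", None),
]

# Constructed trace: a real connect attempt, an ACK-scan probe (nmap -sA
# style), a stray RST, a UDP probe and an unrelated SYN to port 80.
TRACE = [
    ("syn to 22", Packet("tcp", 22, syn=True)),
    ("ack to 22", Packet("tcp", 22, ack=True)),
    ("rst to 22", Packet("tcp", 22, rst=True)),
    ("udp to 22", Packet("udp", 22)),
    ("syn to 80", Packet("tcp", 80, syn=True)),
]


def compare(trace=TRACE) -> Dict[str, Tuple[Tuple[str, int], Tuple[str, int]]]:
    """label -> ((action, examined) under SETUP_ONLY, same under BLOCK_PORT)."""
    return {label: (evaluate(SETUP_ONLY, p), evaluate(BLOCK_PORT, p))
            for label, p in trace}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:10} setup-only: {a[0]:5} after {a[1]} rule(s)   "
              f"block-port: {b[0]:5} after {b[1]} rule(s)")
```

The trace makes both halves of the question concrete. On cost, the difference is one rule lookup on a handful of packets, which no real firewall will notice. On security, the `ack to 22` and `rst to 22` rows are the point: with a `setup`-only deny, non-SYN probes fall through to the stateless `established` rule and reach the host, which answers with a RST and so tells an ACK scan that the port is unfiltered; the plain port deny stops them at rule 100. If you want `setup`-style rules without that hole, use ipfw's stateful `keep-state`/`check-state` so that "established" means a connection the firewall actually saw being set up.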
Feb 23, 2012
tom

IPFW settings to allow trusted client to connect to Mac (e.g., over ssh)

I have the following ipfw settings on my Mac OS X 10.4 Tiger:

00100 allow ip from any to 123.123.123.123
00110 allow tcp from any to 123.123.123.123
00120 allow udp from any to 123.123.123.123
00130 allow ip from 123.123.123.123 to any
00140 allow tcp from 123.123.123.123 to any
00150 allow udp from 123.123.123.123 to any
65534 deny ip from any to any
65535 allow ip from any to any

I am trying to ssh to […]

Continue Reading »
Nov 23, 2011
tom

Setup a local bridged connection using VirtualBox

I’m trying to forward/masquerade some traffic from my guest CentOS 6 (VirtualBox with bridged connection). Host is OS X Lion. Here is my network layout:

en1 – host iface, address: 78.251.xx.yy, alias: 10.0.2.1
eth0 – guest iface, address: 10.0.2.2

Now the connection between the guest and the host is working. If only I could make the guest talk to the internet, my job would be done. So I tried this ipfw rule (actually made the things […]

Continue Reading »
Nov 6, 2011
tom

Converting iptables command to ipfw

I am trying to make code I wrote on Ubuntu work with OS X. I do not know how to convert the iptables commands to ipfw commands. Any help would be appreciated. Ubuntu code: echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ssh server -l root -w0:0 ifconfig tun0 10.0.0.1 netmask 255.0.0.0 route add -net 1.2.3.4 dev tun0 iptables -t nat -A OUTPUT -p all -d 15.0.0.5 -o tun0 -j DNAT […]

Continue Reading »
Aug 29, 2011
tom

What is the difference between using ipfw and hosts.deny in terms of security?

I’m in the middle of securing an OSX server that is the target of hundreds of automated requests per second from Chinese, Russian and US servers (see: Recovering a server from being an open relay). I’ve used ipfw to set up rules that exclude all but local IP requests (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). What is the difference between setting up ipfw rules, and implementing similar rules in hosts.allow/hosts.deny? As I understand it, the hosts files […]

Continue Reading »
Aug 23, 2011
tom

Mac OS X Firewall Configuration: what’s the easiest way to do it?

On occasion I need to configure the firewall on OS X machines (10.5), and I’ve been trying to figure out the best (read: easy without sacrificing too much control) way to do it. So far it seems like my options are: Apple’s built-in utility (System Preferences, Security, Firewall). It’s got the “easy” down, but (unless there’s something I’m missing) I’d like a bit more control. Learning ipfw. It’d give me all the control I want, […]

Continue Reading »
Aug 20, 2011
tom

Does PF support divert like IPFW?

I’m currently using IPFW on 3 dedicated firewall servers, and I would like to convert them to PF for some of its functionality, but I need divert to work. Specifically, I am teeing packets to a custom application for network analysis purposes. Is it (or something similar) supported in PF? No, in OpenBSD 4.6 PF has no divert-like feature. But good news: divert for PF will be included in OpenBSD 4.7. See http://www.mail-archive.com/source-changes@openbsd.org/msg11694.html […]

Continue Reading »
Aug 20, 2011
tom

How do I enable IP-forwarding in MacOS X?

What is the correct way to enable IP forwarding in Mac OS X? More specifically, what is the Mac OS X command-line equivalent of the following two Linux commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT

You’re doing two things there. Enabling IP forwarding. The OS X equivalent might be:

sysctl -w net.inet.ip.forwarding=1

…but since I don’t know exactly what you’re trying to do, this might be technically correct but unhelpful. Adding a largely unnecessary […]

Continue Reading »
Aug 19, 2011
tom

iptables equivalent for mac os x

I want to forward requests from 192.168.99.100:80 to 127.0.0.1:8000. This is how I’d do it in Linux using iptables:

iptables -t nat -A OUTPUT -p tcp --dport 80 -d 192.168.99.100 -j DNAT --to-destination 127.0.0.1:8000

How do I do the same thing in Mac OS X? I tried a combination of ipfw commands without much success:

ipfw add fwd 127.0.0.1,8000 tcp from any to 192.168.99.100 80

(Success for me is pointing a browser at http://192.168.99.100 and […]

Continue Reading »
Aug 17, 2011
tom

Transparent proxying leaves sockets with SYN_RCVD in MacOS X 10.6 Snow Leopard (and maybe FreeBSD)

I’m trying to create a transparent proxy on my MacOS machine in order to port the sshuttle ssh-based transproxy VPN from Linux. I think I almost have it working, but sadly, almost is not 100%. Short version is this. In one window, start something that listens on port 12300:

$ while :; do nc -l 12300; done

Now enable proxying:

# sysctl -w net.inet.ip.forwarding=1
# sysctl -w net.inet.ip.fw.enable=1
# ipfw add 1000 fwd 127.0.0.1,12300 log […]

Continue Reading »