I’m setting up ipfw, and the following was suggested to me: if I make the rule only drop SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets. It seems counterintuitive to me. I think that the firewall will perform better if I block all communication on the specified port (less packet inspection involved), and since no connection can be established either way, the number [...]
I have the following ipfw settings on my Mac OS X 10.4 Tiger:
00100 allow ip from any to 188.8.131.52
00110 allow tcp from any to 184.108.40.206
00120 allow udp from any to 220.127.116.11
00130 allow ip from 18.104.22.168 to any
00140 allow tcp from 22.214.171.124 to any
00150 allow udp from 126.96.36.199 to any
65534 deny ip from any to any
65535 allow ip from any to any
I am trying to ssh to [...]
I’m trying to forward/masquerade some traffic from my guest CentOS6 (VirtualBox with bridged connection). Host is OS X Lion. Here is my network layout:
en1 – host iface, address: 78.251.xx.yy, alias: 10.0.2.1
eth0 – guest iface, address: 10.0.2.2
Now the connection between the guest and the host is working. If only I could make the guest talk to the internet, my job would be done. So I tried this ipfw rule (actually made the things [...]
I am trying to convert code I made on Ubuntu to work with OS X. I do not know how to convert the iptables commands to ipfw commands. Any help would be appreciated. Ubuntu code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ssh server -l root -w0:0
ifconfig tun0 10.0.0.1 netmask 255.0.0.0
route add -net 188.8.131.52 dev tun0
iptables -t nat -A OUTPUT -p all -d 184.108.40.206 -o tun0 -j DNAT [...]
I’m in the middle of securing an OSX server that is the target of hundreds of automated requests per second from Chinese, Russian and US servers (see: Recovering a server from being an open relay). I’ve used ipfw to set up rules that exclude all but local IP requests (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). What is the difference between setting up ipfw rules, and implementing similar rules in hosts.allow/hosts.deny? As I understand it, the hosts files [...]
On occasion I need to configure the firewall on OS X machines (10.5), and I’ve been trying to figure out the best (read: easy without sacrificing too much control) way to do it. So far it seems like my options are: Apple’s built-in utility (System Preferences, Security, Firewall). It’s got the “easy” down, but (unless there’s something I’m missing) I’d like a bit more control. Learning ipfw. It’d give me all the control I want, [...]
I’m currently using IPFW on 3 dedicated firewall servers, and I would like to convert them to PF for some of its functionalities, but I need divert to work. Specifically, I am teeing packets to a custom application for network analysis purposes. Is it (or something similar) supported in PF? No, in OpenBSD v4.6, PF has no divert-like feature. But good news: divert for PF will be included in OpenBSD v4.7. See http://email@example.com/msg11694.html [...]
What is the correct way to enable IP forwarding in Mac OS X? More specifically, what is the Mac OS X command-line equivalent of the following two Linux commands:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT
You’re doing two things there. Enabling IP forwarding. The OS X equivalent might be:
sysctl -w net.inet.ip.forwarding=1
…but since I don’t know exactly what you’re trying to do, this might be technically correct but unhelpful. Adding a largely unnecessary [...]
I want to forward requests from 192.168.99.100:80 to 127.0.0.1:8000. This is how I’d do it in Linux using iptables:
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 192.168.99.100 -j DNAT --to-destination 127.0.0.1:8000
How do I do the same thing in Mac OS X? I tried out a combination of ipfw commands without much success:
ipfw add fwd 127.0.0.1,8000 tcp from any to 192.168.99.100 80
(Success for me is pointing a browser at http://192.168.99.100 and [...]
I’m trying to create a transparent proxy on my Mac OS machine in order to port the sshuttle ssh-based transproxy VPN from Linux. I think I almost have it working, but sadly, almost is not 100%. Short version is this. In one window, start something that listens on port 12300:
$ while :; do nc -l 12300; done
Now enable proxying:
# sysctl -w net.inet.ip.forwarding=1
# sysctl -w net.inet.ip.fw.enable=1
# ipfw add 1000 fwd 127.0.0.1,12300 log [...]