How to Configure a Firewall for Mac OS X: ipfw for Snow Leopard

The following procedure builds a granular, rule-based firewall with ipfw. It has been tested on Mac OS X Snow Leopard (10.6), Lion (10.7), and Mountain Lion (10.8).

Get to a command line interface by opening the Terminal application.

Enter the following commands.

sudo su <Enter>
mkdir /Library/StartupItems/Firewall <Enter>
chmod 755 /Library/StartupItems/Firewall <Enter>
vi /Library/StartupItems/Firewall/Firewall <Enter>

After entering the vi command above, copy and paste the following.

#!/bin/sh
###start###
# Created by:
# Redknight @ 2006
# insecurus@gmail.com
# Edited by: Alex Everett 2012
. /etc/rc.common
StartService ()
{
ConsoleMessage "firewall startup"
# Enable logging of rules that carry the "log" keyword (verbose=2 also logs dynamic rules)
if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.verbose)" = 0 ]; then
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=2
fi
#set low mtu for wireless, otherwise ipfw drops frags
/sbin/ifconfig en1 mtu 1300
# Clean any pre-existing rules
/sbin/ipfw -f flush
# Setting up the localhost
/sbin/ipfw -f add 100 allow ip from any to any via lo*
/sbin/ipfw -f add 110 deny log ip from 127.0.0.0/8 to any in
/sbin/ipfw -f add 120 deny log ip from any to 127.0.0.0/8 in
/sbin/ipfw -f add 130 deny log ip from 224.0.0.0/3 to any in
/sbin/ipfw -f add 140 deny log tcp from any to 224.0.0.0/3 in
# Tracking states
/sbin/ipfw -f add 20000 check-state
/sbin/ipfw -f add allow tcp from any to any established
/sbin/ipfw -f add allow tcp from any to any out keep-state
/sbin/ipfw -f add allow udp from any to any out keep-state
#for mtn lion below
#/sbin/ipfw -f add allow udp from any 53 to any 1024-65535 in keep-state
/sbin/ipfw -f add allow tcp from any 53 to any 1024-65535 in keep-state
/sbin/ipfw -f add allow icmp from any to any out
# Standard Services & Protocols
# Setting up SSH
/sbin/ipfw -f add allow tcp from 152.2.20.88 to any 22 keep-state setup
/sbin/ipfw -f add allow tcp from 152.2.20.89 to any 22 keep-state setup
# Setting up BonJour
/sbin/ipfw -f add allow udp from any to any 5353 keep-state
# Setting up ICMP
/sbin/ipfw -f add allow icmp from 152.2.0.0/16 to any in
/sbin/ipfw -f add allow icmp from 152.19.0.0/16 to any in
# Setting up SMB
#/sbin/ipfw -f add allow tcp from any to any 139 keep-state setup
# Setting up DHCP
/sbin/ipfw -f add allow udp from any 67 to any dst-port 68 in
# Setting up Apple Remote Desktop
#/sbin/ipfw -f add allow tcp from any to any 3283 keep-state setup
#/sbin/ipfw -f add allow tcp from any to any 5900 keep-state setup
# Setting up NTP
/sbin/ipfw -f add allow udp from any to any 123 keep-state
# Do not log udp 137,138
/sbin/ipfw -f add 65000 deny udp from any to any 137 in
/sbin/ipfw -f add 65001 deny udp from any to any 138 in
# Closing Up
/sbin/ipfw -f add 65532 deny ipv6 from any to any in
/sbin/ipfw -f add 65533 reject log udp from any to any in
/sbin/ipfw -f add 65534 deny log ip from any to any in
}
StopService ()
{
ConsoleMessage "Firewall stop"
/sbin/ipfw flush
}
RestartService ()
{
 StopService
 StartService
}
RunService "$1"
###end###

After entering the vi command below, copy and paste the material that follows.

vi /Library/StartupItems/Firewall/StartupParameters.plist
###start###
{
Description = "Firewall";
Provides = ("Firewall");
Requires = ("Network");
OrderPreference = "Late";
Messages = 
 {
 start = "Starting Firewall";
 stop = "Stopping Firewall";
 };
}
###end###

Enter the following commands.

chmod 755 /Library/StartupItems/Firewall/Firewall <Enter>

chmod 755 /Library/StartupItems/Firewall/StartupParameters.plist <Enter>

cd /Library/StartupItems/Firewall <Enter>

ls -al <Enter>

After entering the ls command above, the output of ls should look as follows.

sh-3.2# ls -al
total 24
drwxr-xr-x 5 root wheel 170 Jan 3 13:28 .
drwxr-xr-x 9 root wheel 306 Dec 4 15:31 ..
-rwxr-xr-x 1 root wheel 2441 Jan 3 13:27 Firewall
-rwxr-xr-x 1 root wheel 191 Jan 3 13:25 StartupParameters.plist

Reboot your computer.

Get to a command line interface by opening the Terminal application.

Enter the following commands.

sudo su <Enter>
ipfw list <Enter>

After entering the ipfw command above, the output should look as follows.

sh-3.2# ipfw list
00100 allow ip from any to any via lo*
00110 deny log ip from 127.0.0.0/8 to any in
00120 deny log ip from any to 127.0.0.0/8 in
00130 deny log ip from 224.0.0.0/3 to any in
00140 deny log tcp from any to 224.0.0.0/3 in
20000 check-state
20100 allow tcp from any to any established
20200 allow tcp from any to any out keep-state
20300 allow udp from any to any out keep-state
20400 allow icmp from any to any out
20500 allow tcp from 152.2.20.88 to any dst-port 22 setup keep-state
20600 allow tcp from 152.2.20.89 to any dst-port 22 setup keep-state
20700 allow udp from any to any dst-port 5353 keep-state
20800 allow icmp from 152.2.0.0/16 to any in
20900 allow icmp from 152.19.0.0/16 to any in
21000 allow udp from any 67 to any dst-port 68 in
21100 allow udp from any to any dst-port 123 keep-state
65000 deny udp from any to any dst-port 137 in
65001 deny udp from any to any dst-port 138 in
65532 deny ipv6 from any to any in
65533 reject log udp from any to any in
65534 deny log ip from any to any in
65535 allow ip from any to any
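To see why the order of the rules above matters, here is an added example (not from the original article) that walks a subset of that ipfw list output top-down with ipfw's first-match semantics and reports which rule a given packet hits. It models only the static scan: the dynamic table built by keep-state/check-state is ignored, and the packets and interface names are constructed for the demo.

```python
import ipaddress
import re
# Constructed subset of the article's `ipfw list` output. ipfw's dynamic table
# (check-state/keep-state) is not modelled: only the static first-match scan is.
RULESET = """\
00100 allow ip from any to any via lo*
00110 deny log ip from 127.0.0.0/8 to any in
20100 allow tcp from any to any established
20200 allow tcp from any to any out keep-state
20300 allow udp from any to any out keep-state
20500 allow tcp from 152.2.20.88 to any dst-port 22 setup keep-state
20700 allow udp from any to any dst-port 5353 keep-state
21000 allow udp from any 67 to any dst-port 68 in
65000 deny udp from any to any dst-port 137 in
65533 reject log udp from any to any in
65534 deny log ip from any to any in
65535 allow ip from any to any
"""
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny|reject)(?P<log> log)? (?P<proto>\S+) from"
    r" (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: dst-port (?P<dport>\d+))?(?P<opts>.*)$")

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def pkt(proto, src, dst, dport=0, sport=0, dir="in", flags="S", iface="en1"):
    """Packet summary used for the walk; flags is 'S' for a bare SYN, 'A' for ACK set."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, dir=dir, flags=flags, iface=iface)

def first_match(ruleset, p):
    """Walk the ruleset top-down and return (number, action, logged) of the first hit."""
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # e.g. a check-state line: no dynamic table here
            continue
        opts = m["opts"].split()
        if m["proto"] not in ("ip", p["proto"]):
            continue
        if not (addr_match(m["src"], p["src"]) and addr_match(m["dst"], p["dst"])):
            continue
        if (m["sport"] and int(m["sport"]) != p["sport"]) or (m["dport"] and int(m["dport"]) != p["dport"]):
            continue
        if ("in" in opts and p["dir"] != "in") or ("out" in opts and p["dir"] != "out"):
            continue
        if "via" in opts and not p["iface"].startswith(opts[opts.index("via") + 1].rstrip("*")):
            continue
        if ("setup" in opts and p["flags"] != "S") or ("established" in opts and p["flags"] == "S"):
            continue
        return int(m["num"]), m["action"], bool(m["log"])
    return None
```

An inbound SSH SYN from 152.2.20.88 stops at rule 20500, while the same SYN from any other host falls all the way through to 65534 and is logged, which is exactly the behaviour to look for in the system log when testing the ruleset.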