Tuesday, December 16, 2008

Intro to ipfw

The low level firewall built into FreeBSD, ipfw, is also a part of OS X. It is one of the juicy UNIX bits that came along for the ride. The program itself lives at /sbin/ipfw and is a packet filter, stateful when you ask it to be (via keep-state and check-state rules), capable of controlling access to and from specific IP addresses, ports, protocols, or combinations of each.

The Firewall in System Preferences

The firewall settings in Preferences are application level, and are separate from the low level rules set by ipfw.

On Leopard, you can get to the Firewall settings by going into System Preferences, selecting the Security icon, then the Firewall tab. The default setting is to allow all incoming connections. This sounds worse than it is, because OS X ships with its network services turned off until you enable them in the Sharing preferences, so there is nothing listening to connect to.

If you enable sharing, for example web sharing via the Apache 2 server in the Sharing Preferences, you will see Web Sharing appear in the firewall box in System Preferences. For most people, this level of control is fine, especially if you have another firewall between you and the Internet. For advanced configurations, ipfw can meet your needs.

Listing ipfw rules

To list all active ipfw rules (add -a to see the packet and byte counters for each rule):
sudo ipfw list

Each rule is assigned a number from 1 to 65535, and rule 65535 is the built-in default that cannot be deleted (on OS X it is "allow ip from any to any", so an empty ruleset allows everything). Rules are checked in ascending order, and a packet that does not match one rule moves down the list until it does. Some actions (skipto, divert) send a packet back into the rules, but usually a packet matches one rule and is either allowed, denied, or diverted to a new destination, and no later rule is consulted.

Clearing all ipfw rules

To clear all ipfw rules (everything except the default rule 65535):
sudo ipfw flush

ipfw asks for confirmation before flushing; add -f (sudo ipfw -f flush) to skip the prompt, which you will want in a script. Note that rules live only in the kernel and are gone after a reboot, so anything you add by hand has to be reloaded at startup.

Creating custom rules

The command line interface to ipfw is somewhat arcane, and you can get yourself into trouble if you don't know exactly what ports you need open and why. A deny rule that is too broad will cut off the very SSH session you are typing it into, so test new rulesets at the console, and add rules in an order that keeps loopback and established connections working before the final deny. Here is an article that has some sample configurations and command line syntax examples.
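As an added example (not from the original post, and not what NoobProof generates), here is a small sh script that prints a locked-down ruleset in the form ipfw expects: loopback allowed, replies to your own outbound connections allowed by state, a few ICMP types for ping and traceroute, only the inbound TCP ports you list on the command line, and a logged deny for everything else. The rule numbers, the port list, and the helper names ipfw_ruleset and apply_ruleset are my own choices; the ipfw syntax (check-state, keep-state, setup, me, icmptypes, via lo0) is standard ipfw2.

```sh
#!/bin/sh
# Hypothetical helper (not from the post or from NoobProof): print a
# locked-down ipfw ruleset that allows loopback, replies to our own
# outbound connections, a few ICMP types, and only the listed inbound
# TCP ports; everything else is denied and logged.  Rule numbers are
# spaced out so there is room to insert rules between them later.
ipfw_ruleset() {
    # Loopback is always allowed; packets that claim a loopback address
    # but arrive on a real interface are dropped.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    # Stateful part: check-state matches packets belonging to a flow that
    # an earlier keep-state rule recorded, so replies to our outbound
    # connections get in without a separate inbound rule per service.
    echo "add 1000 check-state"
    echo "add 1100 allow tcp from me to any setup keep-state out"
    echo "add 1200 allow udp from me to any keep-state out"
    # Inbound services: one rule per TCP port given as an argument,
    # numbered 2000, 2100, 2200, ...
    n=2000
    for port in "$@"; do
        printf 'add %d allow tcp from any to me %s setup keep-state in\n' "$n" "$port"
        n=$((n + 100))
    done
    # Echo reply/request, destination unreachable and time exceeded keep
    # ping, traceroute and path MTU discovery working.
    echo "add 3000 allow icmp from any to any icmptypes 0,3,8,11"
    # Everything else is dropped and logged (the log keyword only produces
    # output once net.inet.ip.fw.verbose=1 is set with sysctl).
    echo "add 65000 deny log ip from any to any"
}

# Flush the active rules and load the generated ones.  -f skips the
# "Are you sure?" prompt; -q keeps ipfw quiet while adding.  Must run as root.
apply_ruleset() {
    ipfw -f flush
    ipfw_ruleset "$@" | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intended here
        ipfw -q $rule
    done
    ipfw list
}

# With "apply" as the first argument the rules are installed
# (e.g. "sudo sh firewall.sh apply 22 80"); otherwise they are only
# printed, which is the text you would save and replay at boot.
if [ "$1" = "apply" ]; then
    shift
    apply_ruleset "$@"
else
    ipfw_ruleset "$@"
fi
```

Run it without "apply" first and read the output: the final deny is what locks you out if the allow rules above it are wrong, so make sure the port for whatever session you are working over (22 for SSH) is in the list before you apply on a remote machine. Because the rules are gone after a reboot, the printed form is what you would have a startup script feed back into ipfw.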

While I normally prefer the command line to GUI tools, if you are just starting to use ipfw, I recommend the very friendly NoobProof, a program that offers a useful GUI front end to ipfw.

NoobProof comes preconfigured with all the common Mac services, which you can allow or block at the network level using ipfw. It also has an install tool that creates a script to save your configuration and reload it automatically after a reboot, which matters because ipfw rules added by hand do not survive a restart. It is a truly wonderful tool and a much safer way to get started with ipfw.