Blocking UDP under MacOS X 10.4

Mike Patterson
Abstract: The MacOS X firewall is notoriously leaky. In particular, it does not block unsolicited UDP packets by default. This document describes briefly, with screenshots, how to enable this functionality.
MacOS X (at least up to version 10.4) has several ways of manipulating its built-in firewall, although as per many Apple implementations, it really is best if one sticks to the GUI tools. Consequently, although I will demonstrate some output from the command line, that is just for demonstration purposes, showing the end result from the firewall's point of view. Don't worry if you are not familiar with the output of ipfw, as it is fairly straightforward; the leading numbers are just the rule number, and for the purposes of this document can be ignored. The references are to a PowerPC system running OS X 10.4.10, although this information should apply to any architecture running 10.4.x.
The firewall GUI is reached through the System Preferences utility. From the Apple menu, choose System Preferences, then the Sharing utility under Internet and Network, and from there click the Firewall tab. In the following screenshot, you can see that this system has no services running but SSH for remote logins, and that the firewall is already enabled. (Note that the “Remote Login” - SSH - service does not run by default.)
Figure 1: Firewall tab of the Sharing System Preferences application
It is safe enough (indeed, desirable) to start the firewall on your system if it is not already running. No services are required to be running. This setup results in the following firewall configuration:
```
executor:~ mpatters$ sudo ipfw list
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
02070 allow tcp from any to any dst-port 22 in
12190 deny tcp from any to any
65535 allow ip from any to any
executor:~ mpatters$
```
At this point, you should choose the Advanced button, which will give you a screen like the following:
Figure 2: Advanced tab of the firewall configuration tool
From there, simply check the box next to “Block UDP Traffic”, and then click OK. Doing so changes your firewall configuration as follows:
```
executor:~ mpatters$ sudo ipfw list
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
02070 allow tcp from any to any dst-port 22 in
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
65535 allow ip from any to any
executor:~ mpatters$
```
This is still not the strongest configuration possible, as the “allow udp” statements allow for some level of working around the firewall. Additionally, it provides no egress rules for UDP traffic (nor, indeed, for any IP traffic). It is certainly not safe in a hostile environment, even beyond the holes it makes for certain UDP traffic, but on-campus, it should suffice to provide some moderate protection for an otherwise well-configured and administered MacOS machine.
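To make the first-match behaviour of these rulesets concrete, here is a small static evaluator written for this page (it is an added example, not Apple's code or anything from the original article). It takes the two `ipfw list` outputs shown above, embedded as constructed sample input, and walks a packet through them in rule order the way ipfw does. The host address `10.0.0.5` standing in for ipfw's `me`, the interface name `en0`, and the `Packet` model are assumptions; dynamic `keep-state` rules are not simulated.

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the article's "before" ruleset as `sudo ipfw list` prints it.
BEFORE = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02065 allow tcp from any to any frag
02070 allow tcp from any to any dst-port 22 in
12190 deny tcp from any to any
65535 allow ip from any to any
"""
# The rules that "Block UDP Traffic" inserts ahead of the catch-all rule 65535.
UDP_RULES = """\
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
"""
AFTER = BEFORE.replace("65535 allow", UDP_RULES + "65535 allow")
LOCAL_ADDRS = {"10.0.0.5"}  # hypothetical address of this host (ipfw's "me")

RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny) (?P<proto>\S+) from (?P<src>\S+)"
    r"(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?(?P<opts>.*)$")

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"      # "in" or "out"
    iface: str = "en0"
    established: bool = False  # TCP segment with ACK or RST set
    frag: bool = False         # non-first IP fragment (carries no port numbers)

def parse_rules(text):
    """Parse `ipfw list` output into dicts; 'dst-port N' is folded into 'dport'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["num"] = int(d["num"])
        toks, opts = d["opts"].split(), {}
        while toks:
            key = toks.pop(0)
            opts[key] = toks.pop(0) if key in ("via", "dst-port") else True
        d["dport"] = d["dport"] or opts.pop("dst-port", None)
        d["opts"] = opts
        rules.append(d)
    return rules

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Static match of one rule against one packet (keep-state is ignored)."""
    o = rule["opts"]
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not addr_matches(rule["src"], pkt.src) or not addr_matches(rule["dst"], pkt.dst):
        return False
    for want, have in ((rule["sport"], pkt.sport), (rule["dport"], pkt.dport)):
        if want and have != int(want):
            return False
    if ("in" in o or "out" in o) and pkt.direction not in o:
        return False
    if "via" in o and not fnmatch.fnmatch(pkt.iface, o["via"]):
        return False
    for flag in ("established", "frag"):
        if flag in o and not getattr(pkt, flag):
            return False
    return True

def evaluate(rules, pkt):
    """Walk the ruleset in order; the first matching rule decides, as in ipfw."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["num"], r["action"]
    raise RuntimeError("no match; a real ruleset always ends in rule 65535")
```

Calling `evaluate(parse_rules(BEFORE), Packet("udp", "192.168.1.20", "10.0.0.5", sport=4000, dport=1434))` returns `(65535, 'allow')`: an unsolicited inbound UDP datagram to an arbitrary port falls all the way through to the catch-all rule, which is the leak the abstract refers to. The same packet against `AFTER` stops at `(35000, 'deny')`, while one aimed at port 137 is still accepted by rule 20340, which is exactly the kind of "allow udp" hole the paragraph above describes. Auditing your own machine is a matter of pasting the output of `sudo ipfw list` in place of the constructed strings.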
Users desiring further discussion of the weaknesses of the MacOS implementation of ipfw firewall should consult Jay Beale's slides from his DefCon 14 presentation, available directly (in PDF format) from <http://bastille-linux.sourceforge.net/jay/dc14.pdf>. There is a MacOS port of Bastille Linux available, although it is still in beta and I have not tried it myself. It can be obtained from <http://bastille-linux.org>.