Built-in Firewall


A computer firewall is software or hardware intended to protect your computer from outside threats while still allowing you to use the Internet and share specific resources. Firewalls are often installed on corporate computer networks to protect inside computers from outside attacks, but having a firewall on your local computer is also of great benefit. With a firewall enabled, you can browse the Internet unhindered, while incoming connections to your machine are denied unless they are explicitly allowed. For example, if you are providing Web services, you can configure the firewall to allow access only to the Web server and to no other ports on your computer.

Apple has shipped a software firewall as part of a standard Mac OS X installation since Version 10.0. This is just one way that Mac OS X users have benefited from Mac OS X’s Unix heritage. The included software is called ipfw, for IP Firewall. ipfw is actually a front end to two individual programs called dummynet and ipfirewall.

Inspecting firewall rulesets using Terminal

If you want to interact with the firewall directly, you can do so by opening the Terminal application and using the ipfw command. To learn more about the ipfw command and how to use it, type the command man ipfw in Terminal. To see what rulesets are in place, type the command sudo ipfw list. If you have not implemented any rules, the only rule listed will be the catchall rule 65535 allow ip from any to any, which lets any IP traffic from any port on any host reach any port on your computer. Further discussion of manual ipfw configuration is outside the scope of this chapter, but as you set up firewall rules using the methods discussed later in this section, you can always check the rules that have been created by issuing the command sudo ipfw list in a Terminal window.
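As an added example (not from the book), the shell function below reads sudo ipfw list output and reports which rule decides a new inbound TCP connection to a given port, relying on the fact that ipfw applies the first matching rule. The function name ipfw_verdict and both rulesets are constructed for illustration; the rule layout in the sample is an assumption to compare against what your own system prints.

```shell
#!/bin/sh
# Added example, not from the book. Reads `ipfw list` output on stdin and
# prints the action and number of the first rule that matches a NEW inbound
# TCP connection to the given port (ipfw applies the first matching rule).
# Simplified model: only "from any to any" rules are considered; rules
# limited by "via", "out" or "established" never match a new inbound packet.
ipfw_verdict() {
    awk -v port="$1" '
    function in_list(list, p,    n, a, k, r) {
        n = split(list, a, ",")
        for (k = 1; k <= n; k++) {
            if (split(a[k], r, "-") == 2) {
                if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
            } else if (a[k] + 0 == p + 0) return 1
        }
        return 0
    }
    ($2 == "allow" || $2 == "deny") && ($3 == "ip" || $3 == "tcp") &&
    $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
        ok = 1
        for (i = 8; i <= NF; i++) {
            if ($i == "via" || $i == "out" || $i == "established") next
            # Port list, with or without a preceding "dst-port" keyword.
            if ($i ~ /^[0-9][0-9,-]*$/) ok = in_list($i, port)
        }
        if (!ok) next
        print $2, $1
        found = 1
        exit
    }
    END { if (!found) print "nomatch" }
    '
}

# Constructed sample ruleset (hypothetical; compare with your own output).
SAMPLE_RULES='02000 allow ip from any to any via lo*
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 80 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# Default ruleset as the text describes it: only the catchall rule.
DEFAULT_RULES='65535 allow ip from any to any'

printf '%s\n' "$SAMPLE_RULES"  | ipfw_verdict 80   # allow 02070
printf '%s\n' "$SAMPLE_RULES"  | ipfw_verdict 22   # deny 12190
printf '%s\n' "$DEFAULT_RULES" | ipfw_verdict 22   # allow 65535
```

On a live system the same function can be fed directly, for instance sudo ipfw list | ipfw_verdict 80. A result of allow 65535 means only the catchall rule decided the connection.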

Implementing firewall rulesets using Sharing preferences

Apple includes a simple GUI for configuring ipfw rules with Mac OS X. To access it, open the Firewall panel of the Sharing preferences pane. From here you can enable the firewall and select what type of traffic to allow to your computer. Example services are Personal File Sharing, FTP Access, Printer Sharing, and Personal Web Sharing; there are several more to choose from. Figure 26-10 shows the Firewall preferences. Services you have selected to share in the Services panel of the Sharing preferences pane are already selected for you. Any additional ports you wish to open may be checked here as well.

Figure 26-10: Firewall panel of the Sharing preferences pane.

Implementing firewall rulesets using a third-party GUI

There is a shareware program called BrickHouse that acts as a more complete front end to ipfw. BrickHouse can be downloaded from http://personalpages.tds.net/~brian_hill/downloads.html. If you have a service you wish to share that is not available in the Firewall panel of the Sharing preferences pane, and you don’t wish to create a rule manually, this program can help. Figure 26-11 shows the BrickHouse main window. The program is distributed as a stuffed .dmg file. Simply unstuff the archive and mount the disk image. BrickHouse installs a firewall startup script in /Library/StartupItems/Firewall. Before you run BrickHouse, ensure that the built-in firewall is not enabled by going to the Firewall panel of the Sharing preferences pane and clicking the stop button if the text in the window says Firewall On. You don’t want both the built-in controls and BrickHouse firing at boot time. To disable the firewall as set by BrickHouse, simply click the Remove Startup Script button in BrickHouse. This returns the firewall to the default state of allowing all connections.

Figure 26-11: Setting firewall rules using BrickHouse.




Mac OS X Bible, Panther Edition
ISBN: 0764543997
EAN: 2147483647
Year: 2003
Pages: 290
