
I made the plunge and upgraded to Leopard. A CompUSA rebate of $30 (bringing Leopard down to a mere $99) was too much to pass up. I like a lot of Leopard and I haven’t had many problems so far, though I do see a good amount of room for improvement. One place that needs serious improvement is Leopard’s new Firewall system. I’d heard that you could now choose to open the firewall on the application level, and I thought that was nice, but I hadn’t heard that you *had* to do it on the application level. That’s dumb. Application-level rules are fine if I have a simple application I want to open a port for, but if I want to open a port for something like a custom build of Apache it can’t be done.
Thankfully you can still use the terminal to open ports in the firewall for Leopard. Not as easy as using the firewall in Tiger, but it gets the job done. Here are a few helpful tips:
to add a port:
sudo ipfw add allow [udp or tcp] from [port] to [port]
So, if you want to allow port 80 with tcp you’d type sudo ipfw add allow tcp from 80 to 80
to see your rules:
sudo ipfw list
to delete an open port:
first type sudo ipfw list; you’ll get something like this:
33300 deny icmp from any to me in icmptypes 8
33400 allow udp from 0.0.0.80 to 0.0.0.80
33500 allow tcp from 0.0.0.80 to 0.0.0.80
take the number preceding the rule you want to delete and type sudo ipfw delete [rule number], so if I wanted to delete the rule “33500 allow tcp from 0.0.0.80 to 0.0.0.80” I’d just type
sudo ipfw delete 33500
Hopefully Apple will realize that giving users no advanced options is dumb. But until then, start loving the terminal!
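As an added example (my own helper, not code from the original post), a small POSIX shell script that emits the allow command with the port written as a destination port, which is the form the commenters arrive at, and that picks rule numbers out of `ipfw list` output so a rule can be deleted again. It assumes the ipfw keywords `dst-port` and `in`; the listing it audits is a constructed sample modelled on the one above.

```shell
#!/bin/sh
# Added helper (not from the original post). Builds an ipfw rule that opens
# one port, and finds rule numbers in `ipfw list` output so the rule can be
# deleted again. Assumes the ipfw keywords `dst-port` and `in`.

# Print the ipfw command that allows inbound tcp/udp traffic to one port.
# Validates the port first: "from 80 to 80" is silently parsed by ipfw as
# the address 0.0.0.80, which is the mistake the post's rule listing shows.
ipfw_allow_cmd() {
    proto="$1"; port="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    # "in" limits the rule to inbound packets; the port is a dst-port, not an IP.
    echo "sudo ipfw add allow $proto from any to any dst-port $port in"
}

# Constructed sample of `sudo ipfw list` output, modelled on the post.
SAMPLE_IPFW_LIST='33300 deny icmp from any to me in icmptypes 8
33400 allow udp from 0.0.0.80 to 0.0.0.80
33500 allow tcp from 0.0.0.80 to 0.0.0.80
33600 allow tcp from any to any dst-port 80 in
65535 allow ip from any to any'

# Read `ipfw list` output on stdin; print the numbers of rules that really
# reference PORT as a destination port ("dst-port N" or "to any N").
ipfw_rules_for_port() {
    awk -v p="$1" '$0 ~ ("dst-port " p "( |$)") || $0 ~ (" to any " p "( |$)") { print $1 }'
}

# Read `ipfw list` output on stdin; print the numbers of rules whose "port"
# was mis-parsed into an address of the form 0.0.0.N. Feed these to
# `sudo ipfw delete <number>` to clean up.
ipfw_misparsed_rules() {
    awk '/from 0\.0\.0\.[0-9]+ to 0\.0\.0\.[0-9]+/ { print $1 }'
}

# Stand-alone usage: show the right command and audit the sample listing.
ipfw_allow_cmd tcp 80
printf '%s\n' "$SAMPLE_IPFW_LIST" | ipfw_misparsed_rules | sed 's/^/misparsed rule: /'
```

Rules added with ipfw from the terminal are not persistent: they are gone after a reboot, so keep the commands in a script you can re-run.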
5 Comments
We both did exactly the same thing: I bought my Leopard copy at 6pm in a compUSA and got the rebate. Works pretty good.
I agree with you about the firewall issue. I thought Little Snitch was not going to be as useful as it was before, but I’m afraid it will be more needed than it was before :/
Dude, only thing:
>> sudo ipfw add allow tcp from 80 to 80
is not opening the port, but rather treats it as an IP, so this:
>> 33400 allow udp from 0.0.0.80 to 0.0.0.80
is exactly what it looks like
should be
add allow tcp from any 80 to any 80
or even add allow tcp from any 80,8080… you get the point :)
cheers
At least for me, the fix from Kotov did not work entirely. The syntax no longer makes the port into the IP (thanks Kotov), but it just did not get traction for me . . . so I found some other syntax that did. Hope this helps prevent the day I have had.
DID NOT WORK:
ipfw add allow tcp from any 80 to any 80
DID WORK:
ipfw add allow tcp from any to any 80
To test:
run your portscan or nmap
ipfw show
ipfw delete (the entry number)
run your portscan or nmap again
repeat to convince yourself. . .
e
Thanks E Fox,
I’ve been looking for this so long, but your commands finally worked!
Well… I can enter these codes… but nothing seems to work with Warcraft 3.
The ports 6112 to 6119 should be open. It’s not my router because I can host fine on Vista…
Mac on the other hand gives problems, and I can’t figure out why.
Please help.
grtz