On occasion I need to configure the firewall on OS X machines (10.5), and I've been trying to figure out the best (read: easy without sacrificing too much control) way to do it.
So far it seems like my options are:
- Apple's built-in utility (System Preferences, Security, Firewall). It's got the "easy" down, but (unless there's something I'm missing) I'd like a bit more control.
- Learning ipfw. It'd give me all the control I want, but it seems like it's got a steep learning curve and I'd be worried about accidentally getting it wrong.
- "Some" graphical utility. So far all I've found is Firewall Builder, which isn't free and seems fairly complex (but the complexity may be worth it)... But there may be more, which I haven't found.
So, what would my best bet be?
There's also WaterRoof on the graphical configuration end. It was presented at my local MUG a couple of months back, and the reaction from people who've tried it has been positive. It's also free.
Well, you're asking for two different things here. Certainly the "easiest" thing to do would be to use Apple's built-in GUI. For most things that should be sufficient; as long as you're doing ingress filtering and just want to open up a few services, it should be more than enough.
If you want more control, I think ipfw is certainly worth the time investment. However, to use it effectively, you should have a solid grasp of existing networking concepts and protocols. Otherwise it's very easy to make mistakes and leave yourself open.
If you want to test the effectiveness of your firewall and service security from the outside, I recommend using tools like nmap and Nessus in either case.
Here's an example ipfw ruleset to play with (and get started with learning ipfw):
http://codesnippets.joyent.com/posts/show/1267
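
As an added illustration (not part of either answer, and not the linked ruleset), here is one way to generate a small default-deny inbound ipfw ruleset from a list of TCP ports, rejecting bad input before any rule is written. The function name, rule numbers and sample ports are assumptions.

```shell
#!/bin/sh
# Added example: emit an ipfw rule file that allows inbound TCP only on the
# listed ports. build_ruleset, the rule numbers and the ports are hypothetical.

build_ruleset() {
    # Validate every argument first so a typo never yields a partial ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    # Fixed part: loopback, state table, outbound traffic, basic ICMP.
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 200 check-state
add 300 allow tcp from me to any out setup keep-state
add 310 allow udp from me to any out keep-state
add 320 allow icmp from any to any icmptypes 0,3,8,11
EOF

    # One stateful inbound rule per requested service.
    n=1000
    for port in "$@"; do
        echo "add $n allow tcp from any to me $port in setup keep-state"
        n=$((n + 10))
    done

    # Explicit final deny, so the result does not depend on built-in rule 65535.
    echo "add 65000 deny log ip from any to any"
}

# Constructed sample (SSH and a web server), run on the machine being configured:
#   build_ruleset 22 80 > /tmp/ipfw.rules
#   sudo ipfw -n /tmp/ipfw.rules    # syntax check only, nothing is loaded
```

Reviewing the generated file and running it through `ipfw -n` before loading it catches syntax mistakes without touching the live ruleset.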