I'd like to fine-tune the firewall rules in my Mac OS X, without a GUI I mean.
I came from the Linux world and I'm used to manually fine-tuning my firewalls, having full control over every rule, adding filtering rules on a per-IP or per-MAC basis and so on ...
Is it possible (of course, I hope) and how is it possible to fulfill this need in Mac OS X?
I'd like to find something similar to the very very powerful and reliable "Shorewall" scripts I had in Linux.
Thanks in advance to everyone who would give me a tip.
I recommend checking out this related question for discussion of ipfw and, even though you say you don't want a GUI tool, it may be worth investigating WaterRoof as a free config utility for it.

Mac OS X v10.5 actually has two firewalls, ipfw (a packet-filtering firewall like you're probably used to), and AppFirewall (aka alf, which filters programs attempting to listen for incoming traffic). AppFirewall is new in v10.5, and is the only one the GUI deals with at all (except on OS X Server running in advanced mode -- that has a GUI for ipfw). AppFirewall isn't terribly configurable; it basically has lists of programs and whether they're allowed to listen for connections. If you want to look at its config, use
editing can be done with
sudo defaults write
or any other plist editor you happen to prefer (or a text editor, as long as the file is in text/xml format; if not, use `plutil -convert xml1` to convert it).

However, it sounds like what you really want is a packet-filtering firewall. No problem, both can run in parallel (well, series actually -- traffic only gets in after going through both firewalls). So you can go ahead and configure ipfw however you want (use WaterRoof, or build your own script to configure it and use launchd to fire it off, or whatever) and not worry about interfering with the regular firewall.
BTW, it occurred to me that there's an exception to what I said about the GUI not touching ipfw: if you turn on Internet Sharing (in the Sharing pane in System Preferences), it activates ipfw to divert packets through the address translator. If you want to use this feature, I'm not sure how to make it and a manual ipfw config coexist peaceably; its setup is not at all configurable.
Maybe have a look at this example ipfw ruleset to get started with fine-tuning ipfw:
http://codesnippets.joyent.com/posts/show/1267
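As an added example (not code from the answer above or from the linked Joyent snippet), here is the kind of script the answer suggests building and firing from launchd: a Shorewall-style hand-written ipfw ruleset with per-IP and per-MAC denies, stateful outbound rules, and a logged default deny. The subnet, host, MAC address and interface values are placeholders, and the two sysctl names are assumed to be the same knobs as on FreeBSD, which is where this ipfw comes from.

```shell
#!/bin/sh
# Added example: a hand-written ipfw ruleset for Mac OS X 10.5 (not from the answer).
# Run with no arguments to print the rules (dry run); run "sudo sh ipfw.sh apply"
# to flush the current ruleset and load these. All addresses are placeholders.

IPFW=/sbin/ipfw                   # assumption: where ipfw lives on 10.5
LAN_NET="192.168.1.0/24"          # assumption: your local subnet
ADMIN_HOST="192.168.1.10"         # assumption: the only host allowed to SSH in
BLOCKED_HOST="192.168.1.50"       # assumption: a host whose traffic you want dropped
BLOCKED_MAC="00:11:22:33:44:55"   # assumption: an Ethernet address you want dropped

# Emit the ruleset, one rule per line as "<number> <ipfw rule body>".
# ipfw evaluates rules in numeric order and the first match wins, so the
# explicit denies sit before check-state and the stateful allows; otherwise a
# dynamic rule created by an earlier packet could let the blocked host through.
# Rule 00500 needs the kernel to hand layer-2 frames to ipfw (on FreeBSD that is
# sysctl net.link.ether.ipfw=1; assumption: 10.5 uses the same knob).
ipfw_rules() {
cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log ip from $BLOCKED_HOST to any
00500 deny log ip from any to any MAC any $BLOCKED_MAC
00600 check-state
00700 allow tcp from me to any out setup keep-state
00800 allow udp from me to any out keep-state
00900 allow udp from any 67 to any 68 in
01000 allow icmp from any to any icmptypes 0,3,8,11
01100 allow tcp from $ADMIN_HOST to me 22 in setup keep-state
01200 allow tcp from $LAN_NET to me 548 in setup keep-state
01300 deny log tcp from any to any in setup
65000 deny log ip from any to any
EOF
}

# Flush whatever is loaded (this also removes the divert rules Internet Sharing
# installs, as the answer warns) and load the ruleset above.
apply_rules() {
  # "deny log" only writes to /var/log/ipfw.log when the verbose sysctl is on
  # (assumption: same sysctl name as FreeBSD).
  sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
  "$IPFW" -q flush                 # -q suppresses the "Are you sure?" prompt
  ipfw_rules | while read -r num body; do
    # $body is intentionally unquoted so ipfw receives the rule as separate words.
    "$IPFW" -q add "$num" $body
  done
  "$IPFW" list
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     ipfw_rules ;;
esac
```

To have it run at boot, save it somewhere root-owned such as /usr/local/sbin and point a LaunchDaemon at it with RunAtLoad set; adjust or drop rule 01200 (AFP file sharing from the LAN) and the DHCP rule 00900 to match what the machine actually serves. Rule 01300 logs every unsolicited inbound TCP connection attempt separately from the catch-all deny, which makes the ipfw log a usable record of scans against the box.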