By Brennan Stehling, 08/28/2001
MacOS X keeps getting better and better the more I learn about it. Most recently, I have figured out how to edit the startup process. I am also customizing the settings for the ipfw firewall that is built into this new OS. By combining the startup process with some firewalling, I was able to build my very own firewall system from scratch in minutes.
Traditional BSD: Background
First off, I had to figure out how to step into the startup process. In other Unix systems, you typically use the rc.d method of controlling startup scripts. There are similar systems in the FreeBSD, NetBSD, and OpenBSD world, and they sometimes change to add more features. In fact, NetBSD gave an overhaul to their rc.d system earlier this year.
That system was mostly unchanged from its 4.4BSD beginnings and now offers some features for flexibility, like setting the order in which the scripts run.
Flexibility can be important if you need MySQL to start up before Apache so the database is ready when Apache needs it. With FreeBSD, I have startup scripts in /usr/local/etc/rc.d that run the startup process for my local customizations beyond what the typical BSD system does automatically, like configuring network interfaces.
In my rc.d directory, I have a startup script called mysql-server.sh among many other scripts that are given the argument "start" during the booting process. Also in that directory, I have my apache startup script, which I always want to run last, so I call it xyz-apache.sh. The scripts are run in alphabetical order, so this ensures that the apache startup script is run last. It is not the most sophisticated system, but I am a Unix administrator, not a ballet dancer, so I deal.
MacOS X: Today
Now with MacOS X they have taken this rc.d system to the next level, and it is quite interesting. The startup folder is /Library/StartupItems, and it includes more than just a script. There is also a control file called StartupParameters.plist. The control file apparently allows you to set the ordering preference and add messages for when the script is starting and stopping. The control file for my firewall script is displayed here:
{
    Description = "Custom Firewall Rules";
    Provides = ("Firewall");
    OrderPreference = "Last";
    Messages =
    {
        start = "Adding Firewall Rules";
        stop = "Firewall Going Away";
    };
}
When preparing to add this firewall script to my Startup Items, I created a folder called Firewall in the StartupItems folder and added the control file and a script also called Firewall. Now I am set for this to work with a little flexibility. To do so, I edit /etc/hostconfig, which defines several Yes or No variables. These variables include the following. (You may be interested to know that the MacOS X web server and SSH server are Apache and OpenSSH.) Below, you see I have them turned off.
TIMESYNC=-YES-
QTSSERVER=-NO-
SSHSERVER=-NO-
WEBSERVER=-NO-
To keep my custom firewall system up to snuff with the existing Startup Items, I also added my own variable.
FIREWALL=-YES-
Now I just have to set my shell script to account for this setting and I am ready to reboot.
#!/bin/sh
##
# Add Firewall Rules
##

# Pull in ConsoleMessage and the -YES-/-NO- variables from /etc/hostconfig
. /etc/rc.common

# Only touch the firewall when FIREWALL=-YES- is set in /etc/hostconfig
if [ "${FIREWALL:=-NO-}" = "-YES-" ]; then
    ConsoleMessage "Adding Firewall Rules"

    # One host per line; sort | uniq drops duplicate entries
    ipdeny=`sort /Documents/Firewall/Firewall.deny | uniq`
    ipallow=`sort /Documents/Firewall/Firewall.allow | uniq`

    # allow first, starting at rule number 2000
    counter=2000
    for i in ${ipallow}; do
        ipfw add $counter allow all from $i to any
        counter=`expr $counter + 1`
    done

    # deny second, numbered 1000 above the last allow rule so the deny
    # rules always sit after the allow rules in ipfw's evaluation order
    counter=`expr $counter + 1000`
    for i in ${ipdeny}; do
        ipfw add $counter deny all from $i to any
        counter=`expr $counter + 1`
    done
fi
Most of this script is similar to a standard rc.d startup script. It starts by sourcing the rc.common script, which reads the settings in the /etc/hostconfig file. That is what makes the check on FIREWALL possible: the firewall rules are only added if the variable is set to -YES-. If it is, the script reads in the deny and allow lists and then, in the two loops, walks through each IP address in your lists and adds either an allow or a deny rule to your firewall. I increment the counter each time I get a new IP, so each rule has its own numerical ID. I also add the allow rules first, so that I can always be sure I will have access to the servers I need to reach, like my mail server. After these changes are in place, you can simply add any IPs you want to your allow and deny lists and reboot for them to take effect.
What does this get you? What would I want to firewall? That depends on what you want to do. I created this strictly to block some banner ads that I was finding to be overly annoying. If you are a little creative, you can do all kinds of things with your allow and deny lists. If you know the ipfw firewall, you will know you can also put "any" into your deny list instead of an IP and put only specific hosts in your allow list. This combination will allow those specific hosts in while it denies everything else. But for my purposes, it is a great way to stop annoying banner ads.