Strotmann.de

Thursday Apr 07, 2011

Managing the MacOS X IPv6 firewall

MacOS X (10.3 and up) contains an IPv6 firewall (ip6fw), which has been inherited from FreeBSD and the KAME project. However there are no configuration or startup scripts, nor any other support available in a stock MacOS X system to manage this firewall.

The script presented here will read a firewall configuration from '/etc/ip6fw.conf' and will apply the IPv6 firewall rules to the MacOS X firewall.


#!/bin/sh

ip6fwconf="/etc/ip6fw.conf"
ip6fw=`which ip6fw` 
logcmd="logger -p local0.info -t IP6FW"

if [ -z "$ip6fw" ]; then
   $logcmd "no ip6fw binary found in path"
fi

$ip6fw -fq flush

while read line; do
  # remove comments and normalize to lowercase
  line=`echo $line | sed '/^ *#/d;s/#.*//' | tr "[:upper:]" "[:lower:]"`


  if [[ $line == *logging=* ]]; then
    value=${line#*=}
    if [[ $value == 'yes' ]]; then
      $logcmd "logging on"
      sysctl -w 'net.inet6.ip6.fw.verbose=2'
    else
      $logcmd "logging off"
      sysctl -w 'net.inet6.ip6.fw.verbose=0'
    fi
  fi
  action=`echo $line | awk '{ print $2 }'`
  rulenum=`echo $line | awk '{ print $1 }'`
  rule=`echo $line | awk '{ for (i = 3; i <= NF; i++) { printf "%s ",$i } }'`

  case $action in 
     allow | deny | unreach )
        $logcmd -s "add $rulenum $action $rule"
        $ip6fw add $rulenum $action $rule
       ;;
     "")
       ;; 
     *) $logcmd "unsupported action $action"
       ;;
  esac

done < $ip6fwconf

The default configuration for the MacOS X firewall is

# MacOS X 10.x ip6fw configuration

logging=yes

# loopback 
10000 allow ipv6 from any to any via lo0

# Duplicate Address detection (DAD)
20000 allow ipv6-icmp from any to FF02::/16

# Neighborhood discovery (ND)
20010 allow ipv6-icmp from FE80::/10 to FE80::/10
20015 allow ipv6-icmp from FE80::/10 to FF02::/16
20016 allow ipv6-icmp from any to any icmptype 135,136

# ICMPv6 from the network
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129

# Router Advertisements 
20050 allow ipv6-icmp from any to any icmptype 134
20055 allow ipv6-icmp from any to any icmptype 133

# allow established TCP connections
20100 allow tcp from any to any established

# NTP multicast
20210 allow udp from any to ff02::1010 123 via en0

# mDNS (Rendezvous/Bonjour)
20220 allow udp from any to ff02::fb 5353 via en0

# allow all outgoing IPv6 connections
20230 allow ipv6 from any to any out

# allow DNS in and out
20240 allow udp from any to any 53 out
20241 allow udp from any 53 to any in

# Secure Shell
20500 allow tcp from any to any 22

# Web-Server
#20510 allow tcp from any to any 80

# Postfix SMTP
#20520 allow tcp from any to any 25

# IPP / CUPS
20530 allow tcp from any to any 631

# Apple Filing Protocol
20540 allow tcp from any to any 548
20541 allow tcp from any to any 427

# block all not otherwise allowed and log
65534 unreach admin log ipv6 from any to any

To execute this script everytime MacOS X boots, a LaunchDaemon configuration is installed in '/Library/LaunchDaemons':

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<false/>
	<key>Label</key>
	<string>de.strotmann.ip6fw</string>
	<key>OnDemand</key>
	<false/>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/sbin/ip6fw-load</string>
	</array>
	<key>LaunchOnlyOnce</key>
	<true/>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<false/>
	<key>ServiceDescription</key>
	<string>loads ip6fw firewall rules from /etc/ip6fw.conf</string>
</dict>
</plist>
The installer package will install the script into '/usr/local/sbin/ip6fw-load', a default configuration file into '/etc/ip6fw.conf/default' and if no file '/etc/ip6fw.conf' exists, it will create this file containing the default configuration. It will then load the LaunchDaemon configuration with
launchctl load -w /Library/LaunchDaemons/de.strotmann.ip6fw.plist

MacOS X 10.5/10.6 installer package

With 'sudo ip6fw list' on the terminal commandline we can check that all the rules are loaded and active:

# sudo ip6fw list
Password:
10000 allow ipv6 from any to any via lo0
20000 allow ipv6-icmp from any to ff02::/16
20010 allow ipv6-icmp from fe80::/10 to fe80::/10
20015 allow ipv6-icmp from fe80::/10 to ff02::/16
20016 allow ipv6-icmp from any to any icmptype 135,136
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129
20050 allow ipv6-icmp from any to any icmptype 134
20055 allow ipv6-icmp from any to any icmptype 133
20100 allow tcp from any to any established
20210 allow udp from any to ff02::1010 123 via en0
20220 allow udp from any to ff02::fb 5353 via en0
20230 allow ipv6 from any to any out
20240 allow udp from any to any 53 out
20241 allow udp from any 53 to any in
20500 allow tcp from any to any 22
20530 allow tcp from any to any 631
20540 allow tcp from any to any 548
20541 allow tcp from any to any 427
65534 unreach admin log ipv6 from any to any
65535 allow ipv6 from any to any

Comments:

My ISP goes native IPv6 production rollout today with /60 static being given to customers.

Can be happy with any luck the curse is lifted see how i go with OS X 10.5.8 server.

Any other thing's we the new to IPv6 should see?

Thanks for a solving a much known and dreaded nuisance.

Posted by vco.bz on July 25, 2011 at 01:45 AM CEST #

Thanks a lot!
It works great with Lion BTW.

Posted by supafly on October 23, 2011 at 02:28 AM CEST #

Thanks a lot for the great tips
Tested successfully with MacOS X 10.6.8

- a quick suggestion : maybe good to mention also that the package will create a postinstall~ file in /

- two quick questions:
a. I have used the script "as is" with logging done with local0.info - as a result logging, is done in appfirewall.log & system.log
however in the Console, they appear with level "Notice" and not "Info"

b. even when I have some match in the rule 65534 (proved with ip6fw show), I don't see any messages logged anywhere - any idea ?

Merry Xmas and thanks again!

Posted by stefb12 on December 22, 2011 at 12:58 PM CET #

Post a Comment:
  • HTML Syntax: Allowed

Calendar

Feeds

Search

Links

Navigation

Info