Mac OS X includes support for the ipfw(8) firewall. Limited configuration via the Sharing PreferencePane is possible. Third party graphical utilities, such as Brickhouse or Firewalk X, offer greater customization of the firewall rules. In contrast, mfw is a command line tool to manage multiple firewall configurations. mfw can also record an existing firewall configuration as a mode for reuse.
To install, make the script executable and copy it into a bin directory.
$ chmod +x mfw
$ sudo cp mfw /usr/local/bin
To set up mfw with the current firewall configuration, run mfw as root without any arguments.
$ sudo mfw
mfw notice: configuration not found, building from scratch
If all goes well, there should be new files under /etc/mfw. These include default and vendor ipfw shell scripts.
$ ls -l /etc/mfw /etc/mfw/modes
drwxr-xr-x 6 root wheel 204 Jan 31 19:02 modes
-rw-r--r-- 1 root wheel 31 Jan 31 19:02 vendor-rules
lrwxr-xr-x 1 root wheel 7 Jan 31 19:02 cur -> default
-rwxr-xr-x 1 root wheel 828 Jan 31 19:02 default
lrwxr-xr-x 1 root wheel 7 Jan 31 19:02 startup -> default
-rwxr-xr-x 1 root wheel 233 Jan 31 19:02 vendor
Use a command line switch, or specify a mode to run.
$ sudo mfw -l
$ sudo mfw apple
Some modes are soft links to other modes: cur, pre, and startup. The first two are set whenever a mode is started from the command line; pre is useful for testing a new ruleset, since the previous one can be reverted to on errors or after a set period of time. Use the -m flag to list all modes.
# mfw -m
cur -> apple
pre -> default
startup -> default
startup is called by the StartupItems/MFW startup script (see below), and can be changed with the -s flag.
# mfw -s apple
New modes can be created from the current firewall rules with the -n flag. This allows one to use another tool to generate the rules, then capture them as a named mode.
# mfw -n newmode
There is no way to remove modes using mfw; instead, delete the mode files from /etc/mfw/modes. Mode files are shell scripts, and may be edited to do anything required.
A practical use for this script is testing new firewall modes; the pre mode is easily reverted to after a minute of testing. Automatically undoing the ruleset under test prevents being locked out of the system if the rules turn out to be too strict.
# mfw newbetamode; sleep 60; mfw pre
One can then toggle between two modes by simply invoking the pre option each time.
mfw is easy to integrate into a StartupItems startup bundle; the MFW/MFW script calls the startup mode when the system starts up.
User-installed startup items go under /Library/StartupItems. See SystemStarter(8) for details.
The MFW startup script expects mfw to be installed and executable under /usr/local/bin.
$ sudo crontab -l | grep mfw
@reboot /usr/local/bin/mfw startup
Modes populate the /etc/mfw/modes directory by default. These are shell scripts that configure the firewall. The sample modes contain configurations I use on my laptop.
- apple - default Apple rules, as set when the firewall is enabled under the Sharing PreferencePane.
- default - my paranoid block-most-everything ruleset.
- log - default, but with lots of logging for debugging.
- nmap - block incoming, log-a-lot mode for doing nmap scans.
- vendor - flushes all rules.
When writing your own modes, be sure to create a stop option handler to undo any complex setup, so the next mode has a clean slate to work from.
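A mode file written along those lines, as an added example that is not one of the modes shipped with mfw: a hypothetical "strict" mode with a start handler that applies a block-most-everything ruleset and a stop handler that flushes it. It assumes mfw invokes the mode file with "start" or "stop" as its first argument, and it lets IPFW be overridden so the generated rules can be reviewed (for instance through a shim that only prints them) without touching the live firewall.

```shell
#!/bin/sh
# Hypothetical mfw mode file "strict" (example, not part of mfw).
# Assumed convention: mfw runs this file with "start" to apply the
# rules and with "stop" to undo them before the next mode starts.
# IPFW may be overridden to review the rules without applying them.
IPFW="${IPFW:-ipfw}"

rule() { "$IPFW" "$@"; }

# Apply the ruleset. Rule numbers leave gaps so a logging variant of
# this mode can insert extra rules without renumbering.
strict_start() {
    rule -f flush                                    # start from a clean slate
    rule add 00100 allow ip from any to any via lo0  # loopback traffic
    rule add 00200 check-state                       # match dynamic rules
    rule add 00300 allow tcp from me to any out setup keep-state
    rule add 00400 allow udp from me to any 53 out keep-state
    rule add 00500 allow icmp from any to any icmptypes 3,4,11
    rule add 65000 deny log ip from any to any       # log and drop the rest
}

# The stop handler: flush everything so only the vendor default rule
# (65535 allow ip from any to any) remains for the next mode.
strict_stop() {
    rule -f flush
}

case "${1:-}" in
    start) strict_start ;;
    stop)  strict_stop ;;
esac
```

Saved as /etc/mfw/modes/strict and made executable, the mode can be tried with the sleep-and-revert pattern shown above.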