mfw - multiple firewall configurations


Mac OS X includes support for the ipfw(8) firewall. Limited configuration is possible via the Sharing PreferencePane. Third party graphical utilities, such as Brickhouse or Firewalk X, offer greater customization of the firewall rules. In contrast, mfw is a command line tool for managing multiple named firewall configurations (modes) and switching between them. mfw can also record an existing firewall configuration as a mode for reuse.

mfw

Download current version of mfw.

The script requires Mac OS X 10.2 or higher, or 10.1 with the mktemp(1) utility installed, which mfw uses to create temporary files safely. The source code for mktemp is available online.

To install, make the script executable and copy it to a bin directory on root's path. Use /usr/local/bin if you intend to use the startup bundle described below, which looks for it there.

$ chmod +x mfw
$ sudo cp mfw /usr/local/bin

To set up mfw from the current firewall configuration, run mfw as root without any arguments.

$ sudo mfw
mfw notice: configuration not found, building from scratch

If all goes well, /etc/mfw now exists, holding a vendor-rules file and a modes directory with the default and vendor ipfw shell scripts. cur and startup are symbolic links to default.

$ ls -l /etc/mfw /etc/mfw/modes
/etc/mfw:
total 8
drwxr-xr-x 6 root wheel 204 Jan 31 19:02 modes
-rw-r--r-- 1 root wheel 31 Jan 31 19:02 vendor-rules

/etc/mfw/modes:
total 32
lrwxr-xr-x 1 root wheel 7 Jan 31 19:02 cur -> default
-rwxr-xr-x 1 root wheel 828 Jan 31 19:02 default
lrwxr-xr-x 1 root wheel 7 Jan 31 19:02 startup -> default
-rwxr-xr-x 1 root wheel 233 Jan 31 19:02 vendor

Usage

Run mfw with a command line switch, or with the name of a mode to activate that mode.

$ sudo mfw -l
apple
default
log
vendor
$ sudo mfw apple

Some modes are symbolic links to other modes: cur, pre, and startup. The first two are maintained automatically whenever a mode is started from the command line: cur points to the mode now in effect and pre to the one it replaced, so pre is good for testing a new ruleset and reverting to the last one on errors or after a set period of time. The -l flag lists only real mode files; use the -m flag to list all entries, links included.

# mfw -m
apple
cur -> apple
default
log
pre -> default
startup -> default
vendor

startup is the mode run by the StartupItems/MFW startup script (see below); point it at a different mode with the -s flag.

# mfw -s apple

New modes can be created from the current firewall rules with the -n flag. This allows one to build the rules with another tool, then capture them as a named mode.

# mfw -n newmode

mfw has no option to remove a mode; delete the mode file from /etc/mfw/modes instead. Mode files are shell scripts run as root, and may be edited to do anything required. For that reason keep /etc/mfw and everything under it owned by root and writable only by root, as the initial setup leaves it.

A practical use for this script is testing new firewall modes: with pre, the previous mode is easily restored after a minute of testing. Automatically undoing the ruleset under test prevents one from being locked out of the system if the rules turn out to be too strict. If you test over a network login, run the whole chain detached (for example under nohup), so the revert still runs if the new rules cut off the session that started it.

# mfw newbetamode; sleep 60; mfw pre

Because pre always points to the mode that was running before the current one, invoking mfw pre repeatedly toggles between the two modes.
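The one-line chain above is fine from the console, but over a network login the shell that owns the sleep can be hung up when the new rules drop the session, and mfw pre then never runs. The script below is an added example (it is not part of mfw) that starts the rollback timer detached under nohup and records its PID, so that once a fresh login confirms the mode works, the pending rollback can be cancelled. It assumes mfw is installed as /usr/local/bin/mfw and that mfw pre restores the previous mode as described above; the MFW and PIDFILE variables and the function names are mine.

```sh
#!/bin/sh
# Timed trial of an mfw mode with automatic rollback. Added example, not mfw's own code.
# Assumes /usr/local/bin/mfw and that "mfw pre" restores the previous mode.
MFW="${MFW:-/usr/local/bin/mfw}"                 # override to exercise this without root
PIDFILE="${PIDFILE:-/var/run/mfw-trial.pid}"     # hypothetical location, my choice

# try_mode MODE [SECONDS]: activate MODE, then schedule "mfw pre" after SECONDS
# (default 60). The timer runs under nohup in the background, so the rollback
# survives even if the new rules cut off the login session that started it.
try_mode() {
    mode=$1
    secs=${2:-60}
    "$MFW" "$mode" || return 1
    nohup sh -c 'sleep "$1" && exec "$2" pre' _ "$secs" "$MFW" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# keep_mode: the trial worked (verified from another login), cancel the rollback.
# Killing the timer shell before its sleep finishes means "exec mfw pre" never runs.
keep_mode() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || echo "no pending rollback" >&2
    rm -f "$PIDFILE"
}

case "${1:-}" in
    try)  shift; try_mode "$@" ;;
    keep) keep_mode ;;
    "")   ;;                                     # sourced: only define the functions
    *)    echo "usage: $0 try MODE [SECONDS] | keep" >&2; exit 1 ;;
esac
```

Typical use as root: `mfw-trial try newbetamode 120`, log in again from another window to confirm the rules behave, then `mfw-trial keep`; if the second login fails, simply wait for the timer to put the previous mode back.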

Startup

Download MFW StartupItems bundle.

mfw is easy to integrate into a StartupItems bundle: the MFW/MFW script in the bundle runs the startup mode when the system boots.

User-installed startup items go under /Library/StartupItems. See SystemStarter(8) for details.

The MFW startup script expects mfw to be installed and executable under /usr/local/bin.

Another option is to call mfw from root's crontab(1) at boot. See crontab(5) for details on cron job syntax.

$ sudo crontab -l | grep mfw
@reboot /usr/local/bin/mfw startup

Modes

Download sample modes.

Modes live in the /etc/mfw/modes directory by default. They are shell scripts that configure the firewall. The sample modes contain configurations I use on my laptop.

If writing your own modes, give each one a stop option handler that undoes any complex setup it performed (anything beyond the ipfw rules themselves, such as kernel settings it changed), so the next mode has a clean slate to work from.
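As an added illustration of such a mode (it is not one of the sample modes and not the project's code), here is a self-contained strict laptop mode with matching start and stop handlers. It assumes, since the page does not say, that mfw invokes the outgoing mode with stop and the incoming one with start; the rule numbers, the rule set, and the IPFW and SYSCTL variables are my choices.

```sh
#!/bin/sh
# /etc/mfw/modes/strict: example mfw mode script. Added illustration, not a sample mode.
# Assumed convention: mfw runs the outgoing mode with "stop" and the new one with
# "start". This mode owns ipfw rule numbers 1000-1999, so stop can delete exactly what
# start added and leave a clean slate for whatever mode comes next.

IPFW="${IPFW:-/sbin/ipfw}"              # set IPFW=echo to preview the rules without root
SYSCTL="${SYSCTL:-/usr/sbin/sysctl}"

# One rule list, consumed by start (add) and by stop (delete by number). Outbound
# traffic is tracked with keep-state; inbound is limited to ssh, DHCP replies and
# a few ICMP types, and everything else inbound is logged and dropped.
rules() {
    cat <<'EOF'
add 1000 allow ip from any to any via lo0
add 1010 deny ip from any to 127.0.0.0/8
add 1020 deny ip from 127.0.0.0/8 to any
add 1100 check-state
add 1110 allow tcp from any to any out setup keep-state
add 1120 allow udp from any to any 53 out keep-state
add 1130 allow udp from any to any 123 out keep-state
add 1140 allow udp from any 67 to any 68 in
add 1200 allow tcp from any to any 22 in setup keep-state
add 1300 allow icmp from any to any icmptypes 0,3,8,11
add 1900 deny log ip from any to any in
EOF
}

rule_numbers() { rules | awk '{ print $2 }'; }

start() {
    "$SYSCTL" -w net.inet.ip.fw.verbose=1 >/dev/null   # without this, "log" rules are silent
    rules | while read -r rule; do
        $IPFW -q $rule              # word-splitting is intended: each line is one ipfw command
    done
}

stop() {
    for n in $(rule_numbers); do
        $IPFW -q delete "$n"        # dynamic (keep-state) entries vanish with their parent rule
    done
    "$SYSCTL" -w net.inet.ip.fw.verbose=0 >/dev/null   # undo the kernel setting start changed
}

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
    "")    ;;                       # sourced or run bare: define functions, change nothing
    *)     echo "usage: $0 start|stop" >&2; exit 1 ;;
esac
```

Keeping each mode in its own number range is what makes the stop handler cheap to write: it never has to know what another mode installed, and the next mode's start sees neither stale rules nor the logging sysctl it did not ask for.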

Related