Make the Mac ipfirewall sturdy with this shareware tool
|Flying Buttress is a tool that helps you manage and configure the ipfirewall (ipfw) firewall in Mac OS X. It offers granular configuration abilities and is a GUI alternative to using the command line.|
We seem to be seeing more Macintosh computers in corporate environments these days. The Mac's UNIX underpinnings, Intel core, and fast speed have prompted many PC folks to change over to Apple’s flagship product. This month, we’ll look at Flying Buttress, a shareware application for Mac OS X that acts as a robust front end to Apple’s built-in firewall, ipfirewall (ipfw). Flying Buttress lets you configure this powerful firewall at a granular level. If you use a Mac or are responsible for the security of Macs within your organization, you’ll find Flying Buttress a useful addition to your toolbox.
The Mac Firewall—ipfw
Before we dive deeper into Flying Buttress, let's examine the firewall it helps manage. Included with every version of Mac OS X, ipfw is a well-regarded, command-based firewall that originated from FreeBSD. It can be configured as either a network- or host-based firewall. Using the command line, you can create a simple filter or rule. For example, typing
ipfw add allow icmp from 192.168.0.0/24 to any
allows Internet Control Message Protocol (ICMP) traffic (e.g., ping) from the 192.168.0.0 Class C subnet to anywhere (e.g., the host computer). Immediately after you execute this command from the terminal, the firewall begins allowing traffic. To review firewall rules created by Mac OS X system preferences, type
Figure 1 shows the firewall configuration on a Mac OS X computer when you’ve instructed the computer to lock itself down. You can also see several rules that allow certain traffic. Using the firewall to lock everything down disables access to all services (including Windows sharing and remote logon using Secure Shell—SSH) and enables advanced options such as the ability to block UDP ports and enable stealth mode.
You can use Apple’s System Preferences Sharing dialog box to easily start and stop the firewall or configure the firewall to allow file sharing and remote logon services. However, Apple's built-in firewall management software doesn't let you configure to a granular level—for example, if you’re connected to a hostile network and you want to ensure your host is completely protected from outside traffic, or if you want to allow access to services from specific addresses or on specific interfaces. This is where Flying Buttress comes in—you can use it to protect your computer from any type of network access.
Flying Buttress Basics
Flying Buttress lets you configure rules for each interface. For example, you could permit remote SSH access (i.e., remote access that uses SSH) across your Ethernet cable connection but not across your wireless AirPort Express connection or your VPN connection. Flying Buttress includes utilities to view the firewall logs and metrics of your filters, making it easier to see the activity on your network interfaces.
Flying Buttress also provides a GUI to help you create rules. You can click the Expert button within Flying Buttress to configure your rules using the direct ipfw commands. Even if you use the Flying Buttress GUI to create your rules, you can click Expert to see the ipfw commands that Flying Buttress created based on your GUI configuration.
Installing Flying Buttress
You can install Flying Buttress by downloading it from developer Brian Hill's Web site (personalpages.tds.net/~brian_hill/flyingbuttress.html) and mounting the disk image (.dmg) file. Copy the Flying Buttress program from the mount to a location on your hard drive, such as the Applications or Applications, Utilities folder. Then, unmount the volume and run the program from your hard drive. (Because it’s a disk image, Mac OS X mounts it as a drive; as long as it's mounted, you can generally run an application from it without installing it on your drive. When you "eject" the .dmg, it no longer shows as a drive, but the file is still on your disk.) I recommend keeping the .dmg file around, as the author includes an uninstall program as well.
Using Flying Buttress
When you first run the program, a wizard asks how you connect to the Internet and which services you wish to share, such as allowing users to connect to a Web server that you host. You can also install a startup script that will configure ipfw each time you restart your computer. Figure 2 shows the Flying Buttress UI with rules displayed that apply to the AirPort wireless connection interface—a green Allow icon confirms that WWW and WWW SSL are allowed from the Internet to the host computer on TCP 80 and TCP 443, respectively. You can also see each of the network interfaces on the computer and create specific rules for other interfaces.
Creating new rules is a snap—just select the interface you wish to filter, click Add Filter, and enter the typical details about the service, such as the source address, destination address, and protocol type. Although the developer of Flying Buttress has done a good job at keeping the configuration simple, previous firewall experience is still helpful to understand the basics of creating an effective group of firewall rules.
Like the built-in firewall, in its default configuration Flying Buttress leaves some ports open. For example, you’ll still be able to ping your computer. Click the Advanced button, and you can disallow what Flying Buttress calls “important protocols,” including ICMP, Network Time Protocol (NTP), and FTP data port traffic.
Other features of Flying Buttress include an IP Sharing feature (similar to Internet Connection Sharing in Windows), which lets you share one Internet connection among several computers and use Flying Buttress to regulate available services to the connected computers. The Firewall Monitor feature shows you the status of your configured filters, including the amount of network traffic that’s been processed by a filter and the last time that a filter was used, which can be useful for identifying spurious rules or specific traffic patterns. For example, you could create a “deny” filter for known Trojan horse programs or specific malware activity—seeing any hits against that rule might indicate that you’re under attack.
Flying Buttress isn’t a complete host firewall like Check Point Software Technologies' ZoneAlarm or Symantec Norton Internet Security for Windows machines. Instead, it’s a rule interpreter for the built-in ipfw firewall, and it provides quick access to firewall log data. If you'd like to avoid using the command line, or if you just want a quick way to create a few firewall rules for your Mac, check out Flying Buttress—I think you’ll be pleased.