ikawnoclastic thoughts

Mac OS X pf firewall: Avoiding known bad guys

Apple Mac OS X has multiple firewall options. In this article, we will look at enabling the Mac OS X pf firewall and loading a list of IPs and networks that are known to host spammers, attackers, botnet command and control servers, and other undesirable actors on the Internet.

Most Apple Mac OS X users are familiar with the application level firewall. Each application that opens a network socket to accept an incoming connection needs explicit user permission. You may have seen a firewall dialog box when starting applications for the first time that asks you if you want to allow an application to access the network. This service and is managed through the Firewall tab in the Security & Privacy section of System Preferences.

The Mac OS X Lion System Preferences Security & Privacy Advanced Firewall settings

There is also another less well known firewall tool available. It is a network packet filter. Since parts of Mac OS X are derived from FreeBSD, the packet filter has been ipfw, which is the default packet filter in FreeBSD. With the release of Mac OS X Lion (10.7), there is another packet filter tool available: pf. In fact, ipfw is deprecated and pf is the new packet filter hotness. It is also included in Mountain Lion (10.8), and ipfw is still deprecated but not removed yet.

pf is the OpenBSD packet filter. It is a robust software package with many impressive and useful features. It has been ported to a number of open source operating systems. FreeBSD also has pf, and now Mac OS X Lion and Mountain Lion do too. I have built several transparent bridge packet filters on FreeBSD and pf. The performance has met our needs and that includes several tables with over 4000 IPs and networks that we block. One of those tables includes the Emerging Threats Block IP list.

The Emerging Threats ETOpen Ruleset is an open source community project that collects IP addresses of the “bad guys” and then shares that collection in the form of routers access control lists (ACLs), firewall rules, intrusion detection/prevention rules, and just a plain old list. The project collects IP addresses and network ranges of known attackers, spammers, malware sites, botnet command and control systems, and other unpleasantness on the internet. The rules and lists are published daily. When you load these rules into your network security device, you can block those IP addresses or get an alert when one attempts to reach your network. At our office, we just use the plain list and load it into a pf table with that says any IP address in this table is bad, so just block it.

Now that Lion supports pf, we can easily use the Emerging Threat list on our Macs. By loading the ETOpen Ruleset into a table on your Lion system you can block packets from some of the bigger bad guys on the internet.

Setting up the Mac OS X pf firewall rules

Mac OS X uses pf anchors to divide up filter rules into functional groups. We can also use this technique and create an anchor for our purposes. Edit your /etc/pf.conf file to include the following lines:

Now we need to write the lines for the anchor we defined. From the /etc/pf.conf configuration we just added, those should go into the file /etc/pf.anchors/emerging-threats. Create that file and add these lines:

The first line establishes a table called emerging_threats and on an initial start will load the contents of the /etc/emerging-Block-IPs.txt file.

The second line is the filter rule that blocks and logs from any IP address or network listed in the emerging_threats table. If you are not interested in logging the packets that are dropped, just leave out the log keyword.

Loading the ETOpen Ruleset

Now, we need to acquire the Emerging Threats list and save it to the /etc directory. The URL for the list is

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

You download it and save it using your browser or execute these commands:

The pfctl command is used to interact with the pf packet filter. In this example, pfctl loads the entire ruleset from /etc/pf.conf.

On system start, launchd loads pf from the /System/Library/LaunchDaemons/com.apple.pfctl.plist file. It loads the default rule set which now contains our anchor for the Emerging Threats table.

Logging dropped packets

For some reason, Lion and Mountain Lion do not include pflogd, a pf daemon to record logged packets into a file. The only way to capture the packets logged from the Emerging Threats block table is to use tcpdump to listen on the pflog0 interface and write the results to a file. To me that does not seem to be the best approach. I will spend time on this problem and provide another blog post on a solution.

For now, you can monitor those logged packets using this command from the pflog(4) man page as an example:

Considerations

pf is a powerful packet filter tool. This post barely scratches the surface of its capabilities. Building firewalls requires very detailed knowledge of low-level TCP/IP. There are some unique things that you can do with pf that may be helpful to some Mac users. I will be posting more as I experiment more with it.

If you are a normal Mac desktop user, then this is not the tool for you. I would recommend that you use the Mac OS X Application Firewall.

Here are some things to think about when using pf and the Emerging Threats ETOpen Ruleset:

  1. If your system has no public network services, these techniques will probably not help you. This includes laptops, which typically do not have incoming network services enabled.
  2. The ETOpen Ruleset is updated daily with new IP addresses that are discovered to be attacking or facilitating attacks (botnet control). You should automate updating the list. I will provide a future blog post with more information on doing that.
  3. Using the ETOpen Ruleset will not protect you from everything or, in fact, anything. It is merely a list of networks and IP addresses that have been known to be the source or destination of malicious, network based attacks. Attackers move around constantly and change networks and IP addresses all of the time. This list should not be your only source of bad IPs.
  4. pf has many features and capabilities. It can also ruin your day if you do not know what you are doing. There are many books, articles, blog posts, and man pages on pf. Study those before attempting to use it.
  5. Emerging Threats is a commercial company. While they are kind enough to open source some of their ruleset, that could change in the future.
  6. Just as ipfw was THE packet filter in Mac OS X, pf may be replaced in the future.

Resources

The OpenBSD pf FAQ

pfctl(8)

pflog(4)

ikawnoclast

, ,

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: