galilao 2 Posted ...

Below is the firewall script:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw flush
sudo ipfw delete set 31
sudo sysctl -w net.inet.ip.fw.enable=1
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw add 01100 allow ip from 192.168.0.0/16 to 92.42.186.167 keep-state
sudo ipfw add 01200 allow ip from 192.168.0.0/16 to 37.235.51.133 keep-state
sudo ipfw add 01300 allow ip from 192.168.0.0/16 to 89.149.226.185 keep-state
sudo ipfw add 01400 allow ip from 192.168.0.0/16 to 46.165.208.65 keep-state
sudo ipfw add 01500 allow ip from 192.168.0.0/16 to 31.193.12.74 keep-state
sudo ipfw add 01600 allow ip from 192.168.0.0/16 to 31.193.12.98 keep-state
sudo ipfw add 01700 allow ip from 192.168.0.0/16 to 95.211.169.3 keep-state
sudo ipfw add 01800 allow ip from 192.168.0.0/16 to 94.242.205.234 keep-state
sudo ipfw add 01900 allow ip from 192.168.0.0/16 to 85.17.123.26 keep-state
sudo ipfw add 02000 allow ip from 192.168.0.0/16 to 95.211.191.33 keep-state
sudo ipfw add 02100 allow ip from 192.168.0.0/16 to 62.212.85.65 keep-state
sudo ipfw add 02200 allow ip from 192.168.0.0/16 to 95.211.98.154 keep-state
sudo ipfw add 02300 allow ip from 192.168.0.0/16 to 178.248.30.131 keep-state
sudo ipfw add 02400 allow ip from 192.168.0.0/16 to 198.15.111.162 keep-state
sudo ipfw add 02500 allow ip from 192.168.0.0/16 to 108.59.11.194 keep-state
sudo ipfw add 02600 allow ip from 192.168.0.0/16 to 108.59.8.147 keep-state
sudo ipfw add 02800 allow ip from 192.168.0.0/16 to 69.163.36.66 keep-state
sudo ipfw add 03000 allow ip from 127.0.0.1 to any
sudo ipfw add 05000 allow log ip from 10.0.0.0/8 to any
sudo ipfw add 05100 allow log ip from any to 10.0.0.0/8
sudo ipfw add 65534 deny log ip from any to any

But this is how it runs in the Snow Leopard terminal. What happened to the sysctl lines, the first two lines? They are no longer there.
net.inet.ip.fw.enable: 1 -> 0
net.inet.ip.forwarding: 0 -> 0
net.inet.ip.fw.enable: 0 -> 1
net.inet.ip.forwarding: 0 -> 0
02000 allow ip from any to any src-ip 166.122.0.0/16 dst-ip 46.165.208.65 keep-state
[What happened here? I didn't type "from any to any src-ip" in the
02004 allow ip from 166.122.0.0/16 to 95.211.169.3 keep-state
02008 allow ip from 166.122.0.0/16 to 178.248.29.132 keep-state
02012 allow ip from 166.122.0.0/16 to 108.59.8.147 keep-state
02016 allow ip from 166.122.0.0/16 to 69.163.36.66 keep-state
02020 allow ip from 166.122.0.0/16 to 89.149.226.185 keep-state
02024 allow ip from 166.122.0.0/16 to 146.185.25.170 keep-state
02028 allow ip from 166.122.0.0/16 to 62.212.85.65 keep-state
02032 allow ip from 166.122.0.0/16 to 85.17.123.26 keep-state
02036 allow ip from 166.122.0.0/16 to 95.211.98.154 keep-state
02040 allow ip from any to any src-ip 166.122.0.0/16 dst-ip 95.211.191.33 keep-state
[Again, what happened here?]
02044 allow ip from 166.122.0.0/16 to 46.165.208.65 keep-state
02048 allow ip from 166.122.0.0/16 to 178.248.30.131 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow log ip from 10.0.0.0/8 to any
05004 allow log ip from any to 10.0.0.0/8
65534 deny log ip from any to any

What happened in lines 2000 and 2040 when I ran the script? I hope somebody can enlighten me. Thank you.
jessez 3 Posted ...

Hi galilao,

These lines are system control commands:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0

Running that in the terminal translates to these lines, which are telling you the status of the firewall and forwarding (1 = on/enabled, 0 = off/disabled):

net.inet.ip.fw.enable: 1 -> 0 --- 1 -> 0 is saying the firewall was enabled, but now is disabled
net.inet.ip.forwarding: 0 -> 0 --- forwarding was disabled and is still disabled
net.inet.ip.fw.enable: 0 -> 1 --- fw was disabled, now is enabled
net.inet.ip.forwarding: 0 -> 0 --- forwarding was disabled and is still disabled

I think for the rest of it, it looks like there are a bunch of leftover rules for some reason. This command should flush out everything as far as I know:

sudo ipfw flush

Check it with:

sudo ipfw -a l

You should only get the following if the flushing is working properly:

65535 0 0 allow ip from any to any

I hope that helps,

Best regards,
jessez
galilao 2 Posted ...

Hello,

The firewall was running fine until I installed an Apple security update for Snow Leopard. Then the firewall started acting up and I lost the ability to print with the firewall enabled. If I want to print, the firewall must be turned off.

Here is the result after I executed sudo ipfw -a l:

65535 21785 12879441 allow ip from any to any

As can be seen, the second and the third elements are not zero. Is something wrong?

Thank you
jessez 3 Posted ...

Hi galilao,

Well, I was stumped by the results you posted, so I looked it up, and what I found is that the last two numbers refer to the traffic in and out since the last reboot, so nothing abnormal there. Here's the reference and some tips that may help you with the problem you are having:

http://hintsforums.macworld.com/archive/index.php/t-13326.html

In your case it is different from the post I reference here in that your issue started after an O/S update, but maybe it might help point you in the right direction. I use startpage for searches, which uses a google backend, and got over 500 results for this search: sudo ipfw -a l, 65535 -- maybe something in those results may also help.

Best regards, and let me know how it goes if you get no joy from any of that,
jessez
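As an added example, not code from either poster: a small POSIX sh script that takes the text printed by sudo ipfw -a list (the long form of ipfw -a l) and performs the check jessez describes above, namely whether anything other than the built-in default rule 65535 survived the flush. It also separates out the two numbers galilao asked about: with -a, ipfw prints each rule's match counters (packets, then bytes, accumulated since the counters were last zeroed), so a nonzero pair on rule 65535 is not a leftover rule. The two listings embedded in the script are constructed sample text standing in for real ipfw output, not captures from a machine.

```shell
#!/bin/sh
# Added example: check an `ipfw -a list` listing offline.
# Assumed column layout (matches the listing quoted in the thread):
#   <rule-number> <packets> <bytes> <action> <proto> from <src> to <dst> ...
# Lines whose first field is not a number (e.g. "## Dynamic rules:" headers
# that ipfw prints when keep-state entries exist) are ignored.

# Constructed sample listings standing in for `sudo ipfw -a list` output.
LISTING_CLEAN='65535 21785 12879441 allow ip from any to any'

LISTING_DIRTY='02000 12 1440 allow ip from any to any src-ip 166.122.0.0/16 dst-ip 46.165.208.65 keep-state
04000 0 0 allow ip from 127.0.0.1 to any
65534 3 180 deny log ip from any to any
65535 21785 12879441 allow ip from any to any
## Dynamic rules:
02000 4 320 (T 0, slot 12) ip 192.168.1.10 0 <-> 46.165.208.65 0'

# Print the rule number of every static rule other than the default 65535.
# Columns 2 and 3 (packet and byte counters) are deliberately ignored: they
# only say how much traffic matched the rule, not whether the rule is stale.
leftover_rules() {
    printf '%s\n' "$1" | awk '
        /^## Dynamic rules/ { exit }           # stop at the dynamic-state section
        $1 ~ /^[0-9]+$/ && $1 != "65535" { print $1 }
    '
}

# Exit status 0 when only rule 65535 remains (flush worked), 1 otherwise.
flush_ok() {
    [ -z "$(leftover_rules "$1")" ]
}

# Report the default rule's counters in words so they are not mistaken for
# leftover rules: "<packets> packets, <bytes> bytes".
default_rule_counters() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2 " packets, " $3 " bytes"; exit }'
}

# Stand-alone demonstration on the constructed listings.
for name in LISTING_CLEAN LISTING_DIRTY; do
    eval "listing=\$$name"
    if flush_ok "$listing"; then
        echo "$name: flush ok, only rule 65535 left ($(default_rule_counters "$listing"))"
    else
        echo "$name: leftover rules: $(leftover_rules "$listing" | tr '\n' ' ')"
    fi
done
```

On a live system you would feed it the real listing, for example flush_ok "$(sudo ipfw -a list)", and re-run it after sudo ipfw flush; if rules still show up, something else (a launchd job or another firewall front end) is reloading them, and the counters on rule 65535 tell you nothing about that.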