IceFloor: Harden Your Mac OS X Firewall


Once upon a time, I believed that computers behind the router/firewall on a home network were pretty safe from hacking. Yes, I knew that I could download nasty bits of software from the Internet, but as far as being hacked by access from “my” network, it just wasn’t likely. I didn’t use software firewalls on my local computers. I didn’t need to. This, of course, proved to be a textbook example of denial. Hackers and bots destroyed the innocent view that my home network was a safe place for me to play in. I got hacked. I got a lot less naive. I also woke up.

Today, I often watch who is traveling around my home network. There is activity that appears to be from China, Russia, Europe, and so on. Of course, most of the visible addresses are “spoofed”, and any back-trace will probably run you through a number of servers; good hackers simply cover their tracks. The fact that these “guys” have gotten past my lame router firewall tells me their presence is not one bent on extending goodwill to my network activities. It isn’t really important where these guys came from; it is only important that they are floating around my network, NOW.

As time has passed, technology has improved, both for people who are simply using their computers and for those who are trying to take advantage of them. Hackers have gotten really good, and their efforts are multiplied many times over by their use of bots. If you think for one moment that your computers are safe on your home or small business network, you are, sooner or later, going to be set up for a rude awakening.

You have to do a number of things to protect your computers and your data (safely surf the net, change passwords routinely, do not reuse a password, run anti-virus and anti-malware software, and so on). Most of these efforts are geared toward a user’s Internet activity. One thing paramount to your computer’s security on your home network is the installation and/or configuration of a software firewall. Hacking can definitely come from people who have accessed your network. To that end, for Mac users, IceFloor is one of the best solutions.

Mac OS X Firewalls

Basically, a firewall regulates traffic going “in” and “out” of your computer. In doing that, its real strength becomes clear: that is, determining “what” to let in, and “what” to let out. Your Mac has two very advanced ways of doing this.

Socket-Filter Firewall (a.k.a. Application Firewall or AF). Here, network requests are allowed or denied based on the application making the request. Here is how MacWorld explains it:

“When a program asks to accept network traffic, a socket filter checks a list of programs that have been authorized to do so. If the program is on that list, the firewall allows the connection. If the program isn’t on the list – as in the case of new or upgraded software – OS X asks you whether to allow the program to accept incoming traffic[1].”

A downside to socket-filter firewalls is that they can’t distinguish between “trusted” and “untrusted” addresses, and thus they can create more problems than the firewall itself solves.

The Unix-based IPFW firewall (Packet-filtering firewall). Again, we’ll let MacWorld describe this:

“In security parlance, ipfw is a packet-filtering firewall: it checks each packet coming or going through the Mac’s network interfaces against a set of rules, and allows it to pass or blocks it. Packet-filtering firewalls like ipfw classify network traffic two ways: by type, using port numbers, and by origin and destination, using IP addresses. For instance, a packet-filtering firewall could accept file-sharing connections from IP addresses of your work network but not from other addresses on the Internet[2].”
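The difference between the two firewall types, as an added example that is not from MacWorld or IceFloor: a simplified Python model in which the socket filter decides by program name only, while the packet filter walks an ordered rule list, first match wins, as ipfw does. The network range, program name and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: addresses, ports and program names are illustrative.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home/work LAN
AFP_PORT = 548                                         # Apple file sharing

# Socket-filter model: the decision depends only on the receiving program.
AUTHORIZED_APPS = {"AppleFileServer"}

def socket_filter(app, src_ip, dst_port):
    """Allow if the listening program is on the authorized list."""
    return app in AUTHORIZED_APPS      # src_ip and dst_port are never consulted

# Packet-filter model: ordered rules, first match wins (as ipfw evaluates them).
# Each rule: (action, source network or None for any, port or None for any)
RULES = [
    ("allow", TRUSTED_NET, AFP_PORT),  # file sharing from the trusted network
    ("deny",  None,        AFP_PORT),  # file sharing from anywhere else
    ("deny",  None,        None),      # default: block other inbound traffic
]

def packet_filter(src_ip, dst_port, rules=RULES):
    """Return the action of the first rule matching source address and port."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if net is not None and src not in net:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"                      # nothing matched: fail closed in this model

def compare(app, src_ip, dst_port):
    """Decisions of both models for one inbound connection."""
    allowed = socket_filter(app, src_ip, dst_port)
    return {
        "socket_filter": "allow" if allowed else "deny",
        "packet_filter": packet_filter(src_ip, dst_port),
    }

if __name__ == "__main__":
    # A LAN host and an outside host (documentation address range).
    for src in ("192.168.1.23", "203.0.113.50"):
        print(src, compare("AppleFileServer", src, AFP_PORT))
```

The outside address is accepted by the socket-filter model because the file server is an authorized program, and rejected by the packet-filter model because its source address is not in the trusted range.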

What Is IceFloor?

IceFloor isn’t a firewall. It is, first, a GUI that lets you configure the ipfw firewall, and it also offers added enhancements for the AF firewall. IceFloor doesn’t stop there:

• IceFloor is group based. Create groups and assign addresses, services and parameters to pass or block connections
• IceFloor uses its own set of PF configuration files; default OS X PF configuration files are not modified
• start with IceFloor Wizard to create a basic PF configuration in a few mouse clicks
• use IceFloor interface to set up very complex and customized PF rulesets
• manage inbound and outbound connections with filtering and bandwidth rules for your Mac and NAT clients
• hide services using port knocking, list and block connections on the fly using Inspector
• create custom PF presets including custom rules, options, filtering and bandwidth rules
• mix IceFloor PF rules with your custom PF rules, interact with external applications like sshguard
• share Internet connection using PF NAT, assign per-client filtering and bandwidth rules and redirections
• browse PF ruleset with the new PF Rules Browser, display filtering, bandwidth and NAT PF rules and pipes
• analyze PF logs with numerical and graphical statistics
• debug and test PF rulesets easily and quickly using IceFloor Menulet
• IceFloor is free and open source. It requires OS X 10.7. Some features are available only on OS X 10.8 and newer[3].

IceFloor Setup

Here is an excellent link I have used to help set up IceFloor[4]: http://www.farces.com/wikis/naked-server/firewall/icefloor/

Figure 1. IceFloor Wizard

From the link, you will see the author is setting up IceFloor on both a Mountain Lion Server, and a Mavericks Server. IceFloor works equally well on your iMac or Mac Pro. Using the IceFloor Setup Wizard (Fig. 1), the setup is painless. Figure 2 will show you changes I made to the linked article’s Firewall Options page, and Figure 3 displays changes to the Inbound Firewall settings.

Figure 2. Firewall Options

Figure 3. Inbound Firewall Configuration

Summary

For me, the settings in IceFloor are more than enough to aid in keeping my Macs safe on my network. I routinely monitor IceFloor’s excellent log access, where I see the firewall configuration is living up to my expectations. Should I need even more security from my Mac’s firewalls, IceFloor is there to give me a hand. Be safe: give IceFloor a try. It’s Open Source, and FREE!!!

Update: 10/25/2014

IceFloor, at this point, does not support Yosemite. Its author has another interface, entitled Murus, that will, and it is very similar to IceFloor. I am using it now, and have the same configuration in place as my older IceFloor version. Simple and uncomplicated setup. Worth doing…

Endnotes

1. http://www.macworld.com/article/1135888/firewalls.html | Mac Security: Firewalls | Chris Pepper and Rich Mogull | 10/06/2008
2. Ibid.
3. http://www.hanynet.com/icefloor/
4. http://www.farces.com/wikis/naked-server/firewall/icefloor/ | Install and configure IceFloor | Michael Frasse | 07/40/2013

By prometheus

Husband. Father. Grandfather. World class Geek.
