The default firewall setup in Mac OS X does not allow the user to configure per-CIDR directives. As an example, say I want to allow UD's Nagios monitoring server access to port 5666 on my desktop Mac. Through the preference pane interface to the firewall, I'd have to open port 5666 to the world.
The solution implemented by this Startup Item is to put the additional firewall directives in a text file (/etc/ipfw-extras) and automatically load them into the firewall at startup. The entries in the file boil down to ipfw command lines sans the ipfw command, the add directive, and the rule number; the Item auto-assigns a rule number to each directive and writes the list of assigned numbers to a file. Later, when/if the user stops or restarts the Item, that file is used to remove the appropriate rules by number.
# Additional ipfw rules to append to the OS X firewall
# See the man page for ipfw for syntax, etc. The startup item that checks
# this file takes care of adding rule numbers.
# Example: Nagios monitoring by 172.16.100.25, let him in:
allow tcp from 172.16.100.25/32 to any dst-port 5666 in
While we're at it, why not make any necessary manual route modifications, too? Again, the Item uses commands contained in a text file (/etc/route-extras). The commands boil down to being route command lines sans the route command itself.
# Additional route commands to apply at startup
# See the man page for route for syntax, etc. Each line in this
# file should consist of a "route" command line sans the actual
# "route" command.
# Example: route 172.16.100.0/16 to localhost
add 172.16.100.0/16 127.0.0.1
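The load/unload logic described above, written out as an added example in POSIX sh; this is not the original Startup Item's script. It reads an ipfw-extras style file, numbers each directive, records the numbers in a state file, and later deletes the rules by number; it also applies route-extras lines. Everything beyond what the text states is an assumption: the starting rule number (BASE_RULE, 20000), the state file path being passed as an argument, the "delete" mirror for route lines on stop, and the IPFW/ROUTE variables, which default to "echo ipfw" and "echo route" so the script runs without root and without the real commands present. The sample extras files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original Startup Item. Assumptions (not from the page):
# rule numbers are handed out from BASE_RULE upward, the numbers are recorded in
# the STATE file given as an argument, and IPFW/ROUTE name the commands to run.
IPFW="${IPFW:-echo ipfw}"       # set IPFW=/sbin/ipfw to apply rules for real
ROUTE="${ROUTE:-echo route}"    # set ROUTE=/sbin/route likewise
BASE_RULE="${BASE_RULE:-20000}" # first auto-assigned rule number (assumption)

# directives FILE: print each non-blank, non-comment line of FILE with any
# trailing "# ..." comment and surrounding whitespace removed.
directives() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# load_rules EXTRAS STATE: add every directive in EXTRAS as a numbered ipfw
# rule and record the numbers, one per line, in STATE for later removal.
load_rules() {
    extras="$1"; state="$2"
    : > "$state"
    n="$BASE_RULE"
    directives "$extras" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: ipfw wants each token as an argument
        $IPFW add "$n" $rule
        echo "$n" >> "$state"
        n=$((n + 1))
    done
}

# unload_rules STATE: delete the rules listed in STATE by number, then remove
# STATE so that stopping twice (or restarting) is harmless.
unload_rules() {
    state="$1"
    [ -f "$state" ] || return 0
    while IFS= read -r n; do
        $IPFW delete "$n"
    done < "$state"
    rm -f "$state"
}

# load_routes EXTRAS: run each line of EXTRAS as "route <line>".
load_routes() {
    directives "$1" | while IFS= read -r cmd; do
        $ROUTE $cmd
    done
}

# unload_routes EXTRAS: mirror each "add ..." line as "route delete ...".
# The page says nothing about undoing routes on stop; this mirror is an assumption.
unload_routes() {
    directives "$1" | while IFS= read -r cmd; do
        case "$cmd" in
            add\ *) rest=${cmd#add }; $ROUTE delete $rest ;;
        esac
    done
}

# write_samples DIR: create constructed sample extras files for the demo.
write_samples() {
    cat > "$1/ipfw-extras" <<'EOF'
# Additional ipfw rules to append to the OS X firewall
# Example: Nagios monitoring by 172.16.100.25, let him in:
allow tcp from 172.16.100.25/32 to any dst-port 5666 in

allow udp from 172.16.100.25/32 to any dst-port 5666 in   # trailing comment
EOF
    cat > "$1/route-extras" <<'EOF'
# Example: route 172.16.100.0/16 to localhost
add 172.16.100.0/16 127.0.0.1
EOF
}

# demo: exercise start (load) and stop (unload) on the constructed files.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    load_rules "$dir/ipfw-extras" "$dir/ipfw-extras.rules"
    echo "recorded rule numbers: $(tr '\n' ' ' < "$dir/ipfw-extras.rules")"
    load_routes "$dir/route-extras"
    unload_rules "$dir/ipfw-extras.rules"
    unload_routes "$dir/route-extras"
    rm -rf "$dir"
}
demo
```

With the defaults the script only prints the ipfw and route command lines it would run, so the rule numbering and the stop-time deletion can be checked before pointing IPFW and ROUTE at the real binaries. Recording the assigned numbers, rather than re-parsing the extras file at stop time, is what keeps unload correct even if the user edits /etc/ipfw-extras while the rules are loaded.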