I need to configure IP access restrictions on a couple of OS X clients. I’m familiar with iptables on Linux, and once upon a time knew how to do it with ipfw. However, recent OS X releases switched to BSD’s packet filter (pf).
Has anyone spun up BigFix tasks for configuring the packet filter (pf) firewall in OS X Lion and later?
add line for our new pf file: `echo 'anchor edu.school' >> /etc/pf.conf`
add line to load it: `echo 'load anchor edu.school from "/etc/pf.anchors/edu.school"' >> /etc/pf.conf`
You can repeat steps 2 & 3 if you want to load multiple anchor files
create custom anchor file. /etc/pf.anchors/edu.school is a plain text file that contains the following (specific to our needs). This configures clients to block port 22 on any subnet except the custom 10.0.1.0/26 range:
# "ssh_allowed" below is a placeholder: the angle-bracketed table name was lost from the post, and pf requires one.
table <ssh_allowed> {
10.0.1.0/26
}
block in on en0 proto tcp from any to any port 22
pass in on en0 proto tcp from <ssh_allowed> to any port 22
Once the custom rules file is in place, and added to the pf.conf, you can use the task to start the firewall.
Our relevance for these tasks includes lines like:
not exists file "/etc/pf.anchors/edu.school" whose (concatenation of lines of it contains "10.0.1.0/26")
We then run the `chown 0:0` and `chmod 755` commands against the /etc/pf.anchors/edu.school file to prevent modifications.
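The steps above, packaged as an idempotent shell script (an added example, not the poster's task content). File paths are parameters so it can be exercised against a scratch copy of pf.conf before touching the live one; the table name `ssh_allowed` is an assumption, since the original name was lost from the post.

```shell
#!/bin/sh
# Added example: register a pf anchor in a pf.conf file and write its rule set
# so that re-running the task does not duplicate lines or change the result.

ANCHOR_NAME="edu.school"

# Append a line to $1 only if an identical line is not already there.
append_once() {
    file="$1"; line="$2"
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Add the anchor declaration and its load directive to the given pf.conf.
# $1 = path to pf.conf, $2 = path to the anchor rules file
register_anchor() {
    conf="$1"; rules="$2"
    append_once "$conf" "anchor \"$ANCHOR_NAME\""
    append_once "$conf" "load anchor \"$ANCHOR_NAME\" from \"$rules\""
}

# Write the anchor rules: drop inbound SSH on en0 except from the allowed
# table. $1 = rules file path, $2 = allowed source (e.g. 10.0.1.0/26)
write_rules() {
    rules="$1"; allowed="$2"
    cat > "$rules" <<EOF
table <ssh_allowed> { $allowed }
block in on en0 proto tcp from any to any port 22
pass in on en0 proto tcp from <ssh_allowed> to any port 22
EOF
    # Root-owned and not writable by others, so clients cannot widen the rule.
    chown 0:0 "$rules" 2>/dev/null || true
    chmod 644 "$rules"
}

# Parse-only check of a rules file with pfctl (skipped where pfctl is absent).
validate_rules() {
    command -v pfctl >/dev/null 2>&1 || return 0
    pfctl -nf "$1"
}

# Number of lines in a pf.conf that mention our anchor (2 when registered once).
count_anchor_lines() {
    grep -c "anchor \"$ANCHOR_NAME\"" "$1"
}
```

On the real client, `register_anchor /etc/pf.conf /etc/pf.anchors/edu.school` followed by `write_rules /etc/pf.anchors/edu.school 10.0.1.0/26` and `validate_rules` leaves pf.conf ready for the task that starts the firewall.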