InformIT: Mac OS X Unleashed > Disabling Access

Table of Contents

Disabling Access

An important part of securing your machine is limiting access to it. In this section, we will look at choosing services that run on your machine, using TCP Wrappers to restrict access, and some common-sense preventive measures you can take.

Selecting Services in the Graphical User Interface

As you might recall, Apple ships OS X with many services disabled. In many of the Unix operating systems, you have to be careful to disable some common services that are turned on by default, but that you might not actually need. With OS X, however, many of these common services are disabled. Instead, if you want to run a common service, such as a remote login service, you specifically have to turn it on in OS X.

In the Sharing pane of the System Preferences panel, controls to enable or disable the SSH, FTP, Web, and AppleShare servers are available. Choose only those services that you really need. Remember, the more services you turn on, the more vulnerable to attack your machine becomes.

Selecting Services Manually

As you saw earlier in the book, the actual controls that can be accessed via a graphical user interface are stored in a variety of places on the system.

`/etc/inetd.conf`

Some of the common services on your system, such as FTP and telnet, are controlled in the /etc/inetd.conf file. If you remembered to look at the /etc/inetd.conf file before turning on FTP in the Sharing pane, you noticed that all the lines were commented out. In other words, all the services controlled in /etc/inetd.conf are turned off by default in OS X.

If you decide to turn on a service, as a precaution, make a backup copy of the /etc/inetd.conf file. Next, uncomment the line containing the service you want to enable and save the file. Finally, restart the inetd process. If you decide to disable a service that starts out of inetd, simply comment the line that contains the service, save the file, and restart the inetd process—either by rebooting your machine or using kill -HUP <inetd pid> .

You might have also noticed that some of the services listed in /etc/inetd.conf have ## at the beginning of the line, rather than #. These services are not yet implemented in the operating system.

`StartupItems`

As you also saw earlier in the book, some of the services that run in OS X are started in /System/Library/StartupItems. Some of the services started in /System/Library/StartupItems also have controls in /etc/hostconfig that the startup scripts in /System/Library/StartupItems check. The Web server, SSH server, and AppleShare server are controlled in such a fashion.

If you enabled those services, but later decided to disable them, set the appropriate /etc/hostconfig variable to NO and kill their current processes. The next time you reboot, the services won't start. To manually start one of those services, set the appropriate variable in /etc/hostconfig to YES, and manually execute the startup script. For example, for the SSH server, you would make the SSHSERVER line in /etc/hostconfig read SSHSERVER=-YES-. Then you would execute /System/Library/StartupItems/ SSH/SSH. To disable a service that does not have a control in /etc/hostconfig, simply rename the startup script and kill its process.

Using TCP Wrappers

A common way to restrict access to some TCP services is to use the TCP Wrappers program. TCP Wrappers is a package that monitors and filters requests for TCP (Transmission Control Protocol) services. We will not look at the protocol in any detail—that is a book subject in itself. Suffice it to say the protocol has enough control information in it that we can use a package like TCP Wrappers to filter some of that traffic. TCP Wrappers can be used to restrict certain network services to individual computers or networks.

To make use of this program on some flavors of Unix, TCP Wrappers has to be installed by the system administrator. This is not a necessary step in OS X because the TCP Wrappers program comes pre-installed on the system. The /etc/inetd.conf file in OS X already assumes that you will use TCP Wrappers, as evidenced by a line such as

#ftp    stream  tcp     nowait  root    /usr/libexec/tcpd               ftpd -l

The /usr/libexec/tcpd portion of the previous line indicates that TCP Wrappers will be used to call ftpd.

Configuring TCP Wrappers

The particularly difficult part about using TCP Wrappers is configuring it. We will look at two ways you can configure TCP Wrappers in OS X: the traditional method of using two control files and a newer method that uses only one control file.

Traditionally, TCP Wrappers has two control files: /etc/hosts.allow and /etc/hosts.deny. We will look at the traditional method in more detail because it is the default setup for a machine when extended processing options are not enabled. An understanding of the traditional method should carry over to the new method. Be sure to read the hosts_access and hosts_options man pages for detailed information.

Here is the format of the access control files:

daemon_list : client_list : option : option ...

Through /etc/hosts.allow, you can allow specific services for specific hosts.

Through /etc/hosts.deny, you can deny services to hosts and provide global exceptions.

The easiest way to think of and use these configuration files is to think of TCP Wrappers putting a big fence up around all the services on your machine.

The specifications in /etc/hosts.deny tell the fence what services are on the outside of the fence, and therefore not denied. The fence can appear to be around different sets of services for different clients. For example, an /etc/hosts.deny file might look like this:

ALL EXCEPT ftpd : 192.168.1. : banners /usr/libexec/banners
ALL : 140.254.12.100 140.254.12.135 : banners /usr/libexec/banners
ALL EXCEPT ftpd sshd : ALL : banners /usr/libexec/banners

This file says:

For the subdomain 192.168.1., deny all connections except connections to the FTP daemon, ftpd.
For the specific machines 140.254.12.100 and 140.254.12.135 (maybe they're troublemakers), deny absolutely all connections.
For all other IP addresses, deny everything except connections to ftpd and to the secure-shell daemon sshd.

The banners /usr/libexec/banners entry is an option that tells tcpd that if it denies a connection to a service based on this entry, try to find an explanation file in this location. Use this option if you have a need to provide an explanation as to why the service is not available.

The specifications in /etc/hosts.allow make little gates through the fences erected by /etc/hosts.deny for specific host and service combinations. For example, an /etc/hosts.allow file might look like this:

ALL: 140.254.12.137 192.168.2. 192.168.3.
popd: 140.254.12.124 140.254.12.151 192.168.1.36

This file says:

Allow connections to any TCP service from the host 140.254.12.137 and all hosts in the 192.168.2. and 192.168.3. subdomains. (Perhaps the 192.168.2. and 192.168.3. subdomains are known highly secure networks, and we really trust 140.254.12.137 because it's so well run.)
Allow connections to the popd service for three specific machines 140.254.12.124, 140.254.12.151, and 192.168.1.36.

If used in combination with the previous /etc/hosts.deny file, these allowances still stand. They override the denials in /etc/hosts.deny, even though the 192.168.1. subdomain is denied all access except to ftpd by /etc/hosts.deny, the specific machine 192.168.1.36 has its own private gate that allows it access to the popd service as well.

Note

Services with a smile or without? There can be a bit of confusion as to the name of the service to put in an /etc/hosts.allow or /etc/hosts.deny file. If it's a service out of inetd.conf, generally the name to use is the service name from the leftmost column of the file. If this doesn't work, try adding a d to the end of the service name (ftp -> ftpd).

Other services use names that don't seem to be recorded officially anywhere. Other services that you encounter and decide to wrap with TCP Wrappers might require a bit of experimenting on your part. Thus far, my experience has been that their names are relatively easy to guess.

Now that we have seen how the traditional method of controlling TCP Wrappers works, let's take a brief look at a newer method that uses only the /etc/hosts.allow file. The newer method can be used on systems where extended option processing has been enabled. This is indeed the case with OS X. Nevertheless, either method works in OS X.

In the single file, /etc/hosts.allow, you specify allow and deny rules all in the same file. With the /etc/hosts.allow only method, tcpd reads the file on a first-match-wins basis. Consequently, it is important that your allow rules appear before your deny rules.

For example, to restrict access to ftpd only to our host, 140.254.12.124, we would use these rules:

ftpd: 140.254.12.124 127.0.0.1 localhost: ALLOW
ftpd: ALL: DENY

In the first line, we allow our host, 140.254.12.124, access to ftpd using various addresses that it knows for itself. On the second line, we deny access to all other hosts. If we reversed these lines, even the host that we want to allow ftpd access to would be denied access.

After you have sufficiently tested that you have properly set up your allow and deny rules, there is nothing else you need to do to keep TCP Wrappers running. As you are testing your rules, check your logs carefully to see where, if at all, the behaviors are logged. You will rarely see entries for tcpd itself in your logs, but you might see additional logging for a wrapped service under that service.

Wrapping Services to Allow Tunneling over SSH

As you saw earlier in the book, it is possible to tunnel connections over SSH. If you do decide to run the FTP service on your machine, you might be interested in restricting access to the service so that anyone who uses the service has to tunnel it through SSH. You saw in detail how to configure a Mac client running traditional Mac OS to do this. We have not yet officially seen how to configure the OS X machine to permit this.

The key to setting this up is restricting access to the desired service to your host by its IP address and as localhost addresses. Sometimes it can be helpful to include your machine by its name, too, but we have not encountered this problem on an OS X machine.

To restrict access to ftpd so that a user would have to tunnel her FTP connection, you could have an /etc/hosts.deny file like this:

ALL EXCEPT sshd: ALL

In this example, all services are denied except sshd.

In the /etc/hosts.allow file, add a line for your host that includes your host's IP address, 127.0.0.1 and localhost.

ftpd: 140.254.12.124 127.0.0.1 localhost

In this example, our host, 124.254.12.124, is the only host allowed access to ftpd.

In the /etc/hosts.allow only method:

sshd: ALL: ALLOW
ftpd: 140.254.12.124 127.0.0.1 localhost: ALLOW
ftpd: ALL: DENY

Common Sense Preventive Measures

Before we continue any further in this chapter, we have reached a good time to point out some common sense preventive measures to provide basic security for your machine. They do not guarantee the safety of your machine, of course, but they provide good basic guidelines for you. These common sense activities apply not only to OS X, but also to any other operating system.

Common sense preventive security measures that you should always keep in mind are

Keep your operating system current. You can easily do this by setting Software Update to a regular update schedule. If you prefer not to have Software Update check for updates automatically, make sure that you check Apple's Web site regularly for any updates and subsequently run Software Update. This is perhaps the most important common sense activity you can do.
For OS X, do not turn on any network services that you don't need. For other operating systems, this often means turning off services you don't need, because many operating services tend to come with many network services turned on by default.
Restrict access to the services you have to run. Using TCP Wrappers is one method for restricting access to some services.
Replace insecure services with secure services. For many systems, this advice especially targets using sshd instead of telnetd because sshd typically has to be installed separately. For OS X, enabling remote login in the Sharing pane automatically starts sshd, which is included in the OS X distribution, rather than telnetd.
Run services with the least privilege necessary for the job. Check the documentation for the service to see advice on this.

Using BrickHouse as an Interface to the Built-in Firewall Package

As we have already seen, OS X has basic tools available to help you secure your machine. In addition to the basic tools, OS X comes with a firewall package called ipfw. A nice graphical interface to configuring and using ipfw is a shareware product called BrickHouse, available at http://personalpages.tds.net/~brian_hill/.

There is another shareware graphical interface to configure the firewall package, called Firewalk X, which we will not discuss. It is available from http://www.users.qwest.net/~mvannorsdel/firewalkx/. We have not investigated this package. However, from the picture of the interface on the Web site, BrickHouse appears to be a friendlier package for the first-time ipfw user.

Preparation

Because you will probably want to see some of the before and after effects of BrickHouse, we suggest a couple commands that you might want to take a quick look at now before you get started with the application.

Run this command:

[localhost:/Users/joray] root# ipfw show

     65535 82606 46703351 allow ip from any to any

What you just did was ask ipfw to show you the current firewall settings. As you probably guessed, ipfw on OS X ships in an open state.

In order to correctly configure a firewall, you'll need to know the network interfaces being used on your system. The "ifcconfig" command displays and sets interface information on your system. Try this command, especially if you are hoping to use BrickHouse to help you set up your OS X machine as a gateway for your home network. This process will require you to correctly identify the interface of your internal (private) network and main Internet connection. ifconfig will be discussed at more length later in the chapter.

[localhost:~/security-misc] joray% ifconfig -a

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,b6,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 140.254.12.124 netmask 0xffffff00 broadcast 140.254.12.255
        ether 00:30:65:ca:f9:a2
        media: autoselect (100baseTX <half-duplex>) status: active
        supported media: none autoselect 10baseT/UTP <half-duplex>
            ore network-security related. —- JER'in network services to individual

      
    computers or networks.______________________________10baseT/UTP <full-duplex> 100baseTX

      
    <half-duplex> 100baseTX <full-duplex>

The utility ifconfig enables you to configure interface parameters. As shown previously, ifconfig -a produces a full listing of available interfaces.

Because the firewall package can be tricky to work with, what you try to do in BrickHouse might make your machine completely unusable. This is no fault of BrickHouse, but you should be prepared to remove components that you might have BrickHouse install. Depending on your situation, this might be possible only in single-user mode. If you have not yet put your machine in single-user mode, we suggest you do so before doing anything in BrickHouse. If you tried single-user mode a while ago, but have forgotten what you did, take this moment to try again. Use Command+S while rebooting to get into single-user mode. The last few lines that appear are

Singleuser boot - fsck not done
Root device is mounted read-only
If you want to make modifications to files,
run '/sbin/fsck -y' first and then '/sbin/mount -uw /'
localhost#

Using BrickHouse

After you have downloaded and uncompressed the BrickHouse disk image, you are ready to start using it.

The Setup Assistant appears. Please note that you can also use the Setup Assistant at any time later by clicking on the Assistant button in the main BrickHouse window. The first part of the Setup Assistant is the External Network sheet, shown in Figure 31.1. Select your connection type and IP address assignment method (dynamic or static). Connection-type choices are DSL or Cable Ethernet (Regular Ethernet), Dialup Modem (PPP), DSL or Cable PPPoE, AirPort (+ External AirPort Base Station).

Figure 31.1 The BrickHouse Setup Assistant begins with your External Network settings.
The Public Services sheet, shown in Figure 31.2, is next. Check the boxes by the services that you want your machine to run. If you are not sure what a service is, select it and a description appears at the bottom of the window. Don't forget to check the appropriate AppleTalk services, if you typically share your machine over an AppleTalk network.

Figure 31.2 In the Public Services sheet, select the services you want your machine to run.
The Blocked Services sheet, shown in Figure 31.3, is where you select specific ports to be blocked. The list primarily includes ports aimed at various known attacks. The sheet notes that incoming traffic is blocked by default.

Figure 31.3 In the Blocked Services sheet, select additional ports to have blocked.
The next sheet to appear is the Firewall Setup Complete sheet, shown in Figure 31.4. To enable the configuration, click Apply Configuration. To install a startup script, click Install Startup Script. If you are interested in using your OS X machine as a gateway for an internal network, click the Setup IP Sharing button. If you decide you want to make changes to your configuration, you can make changes in the main window and apply a new configuration. Additionally, you can install or remove a startup script under the application's Options menu.

Figure 31.4 In the Firewall Setup Complete sheet, you can preliminarily finalize your setup, or you can continue your setup by clicking on the Setup IP Sharing button to configure your machine to serve as a gateway for an internal network.
If you plan to set up your OS X machine as a gateway for your internal network, the next sheet that appears is the IP Sharing sheet, shown in Figure 31.5. Here you select how your machine connects to the internal network and what internal IP address should be used for the machine. Connection choices are Ethernet Card (en0), AirPort or Second Ethernet Card (en1).

Figure 31.5 Make specifications about your local network in the IP Sharing sheet.

After you are done with this sheet, this version of BrickHouse then displays another sheet giving you instructions on starting IP Sharing in BrickHouse. At this time, BrickHouse does not configure IP Sharing to start at boot time.

You have just completed the initial BrickHouse setup. Now let's take the time to examine the rest of the BrickHouse interface. The default interface is the Quick Configuration, shown in Figure 31.6. The filters you selected during the setup process are shown under the tab for your interface. The IP Gateway tab shows information that pertains to any IP sharing that you might have set up.

Figure 31.6 The default BrickHouse interface is the Quick Configuration interface.

The Advanced button, shown in Figure 31.7, allows you to edit some additional settings involving rules for some select protocols, DHCP, and your domain name service. The bottom-right buttons allow you to add, edit, and delete filters. When you add a filter, you can choose among the same options you saw in the Setup Assistant, as well as Custom Service, which allows you to specify a port or port range. The interface for adding a filter is shown in Figure 31.8. You can rearrange the order of filter rules by dragging them around in the main window.

Figure 31.7 The Advanced button allows you to edit rules involving some select protocols, DHCP, and your domain name service.

Figure 31.8 The Add Filter button opens this sheet, where you can add another filter. Specify the action, service, protocol, port, source host, and destination host.

From the toolbar, you can access the Setup Assistant any time by clicking on the Assistant button. The Setup Assistant always starts from scratch. The Monitor button allows you to monitor the firewall. A sample of what it looks like is shown in Figure 31.9.

Figure 31.9 The Firewall Monitor window is where you can monitor the firewall's activity.

Settings allows you to manipulate settings files. You can duplicate, rename, delete, import, or export. By clicking the Log button, you can access the Daily Firewall Log window, shown in Figure 31.10, from which you can enable logging. If you want to have logging enabled at startup, be sure to reinstall the startup script, which you can do by either clicking the Install button or under the Options menu. Even if you don't think you want to have logging all the time, you might find having logging on at this stage to be a way to help you troubleshoot problems with the firewall configuration.

Figure 31.10 Click the Enable button at the right in the Daily Firewall Log window to enable firewall logging. If you want to enable logging at startup, reinstall the startup script.

In addition to the default Quick Configuration mode is an Expert Configuration mode, accessible from the Expert button. The Expert Configuration window, shown in Figure 31.11, is a split window that displays the rules that are being passed to ipfw as well as a configuration file for natd, which redirects packets to another machine if you configured your machine as a gateway.

Figure 31.11 In the Expert Configuration window, you can edit the firewall rules more precisely.

It is worthwhile to experiment with some filters that you might be most concerned about while you are still in the BrickHouse interface. With each set you want to try, just click the Apply button to apply those settings. The Quick Configuration mode is useful for adding basic filters, whereas the Expert Configuration mode allows you to tweak the configuration. After you have a set that you are happy with, don't forget to save the settings. If you were working in the Expert Configuration mode, you might also want to save the settings in a text file in a terminal window, just to be sure that you can easily find the file without the graphical interface. After you are relatively satisfied with the results, install the startup script if you want the firewall to start at startup.

If your OS X machine is an NFS client, do not test to see whether the mounts still work in the graphical interface. If your mounts are not working properly, you will hang your console when you check. If you check in the terminal, you will be able to continue testing until you are finally satisfied. For an OS X machine that is an NFS client, you might ultimately find it necessary to add a line in the Expert mode that allows all traffic from your NFS server.

Finally, you should be aware of the options available under the Options menu: Allow Changes, Quick Configuration, Expert Configuration, Apply Settings, Install Startup Script, Clear All Rules, Remove Startup Script. All those options are not available in the toolbar.

When you are satisfied with your firewall configuration, reboot your machine— especially if you had BrickHouse install a startup script for you. This tells you exactly what behavior to expect from the firewall starting from scratch. If something undesirable occurs, the potential cause for the behavior is fresh in your mind and more easily fixed.

Behind the Scenes

So, what are some of the things that BrickHouse did for you?

First, if you decided to have BrickHouse install a startup script for you, you should have noticed a comment about the firewall starting.

Run the first command that you ran before you started:

[localhost:/Users/joray] root# ipfw show

01000 10656 1346992 allow ip from any to any via lo0
01002   607   40266 allow tcp from any to any established
01003     0       0 allow ip from any to any frag
01004   408   22848 allow icmp from any to any icmptype 3,4,11,12
01011     0       0 unreach host log ip from any to any ipopt ssrr,lsrr
01999     0       0 allow udp from any 67-68 to 140.254.12.124 67-68 via en0
02000   244   29380 allow ip from any to 255.255.255.255 via en0
02001     0       0 allow udp from any 123 to any 123 via en0
02002     0       0 allow icmp from any to any via en0
02003     0       0 allow tcp from any 20 to any in recv en0
02005    89    6372 allow udp from any to any 53 out xmit en0
02006    89   10357 allow udp from any 53 to any in recv en0
02007     0       0 allow tcp from any to 140.254.12.124 20-21 in recv en0
02007     0       0 allow tcp from 140.254.12.124 20-21 to any out xmit en0
02008     3     144 allow tcp from any to 140.254.12.124 22 in recv en0
02008     0       0 allow tcp from 140.254.12.124 22 to any out xmit en0
02010     0       0 allow tcp from any to 140.254.12.124 548 in recv en0
02010     0       0 allow tcp from 140.254.12.124 548 to any out xmit en0
02011     0       0 allow udp from any to 140.254.12.124 427 in recv en0
02011     0       0 allow udp from 140.254.12.124 427 to any out xmit en0
02012     0       0 allow tcp from any to 140.254.12.124 600-1000,111,2049 in recv en0
02012     0       0 allow tcp from 140.254.12.124 600-1000,111,2049 to any out xmit en0
02013     0       0 allow udp from any to 140.254.12.124 600-1000,111,2049 in recv en0
02013     0       0 allow udp from 140.254.12.124 600-1000,111,2049 to any out xmit en0
02014     0       0 deny log tcp from any to 140.254.12.124 1524 in recv en0
02015     0       0 deny log tcp from any to 140.254.12.124 12345 in recv en0
02016     0       0 deny log udp from any to 140.254.12.124 10067 in recv en0
02017     0       0 deny log tcp from any to 140.254.12.124 12361 in recv en0
02018     0       0 deny log udp from any to 140.254.12.124 31337 in recv en0
02019     0       0 deny log udp from any to 140.254.12.124 31338 in recv en0
02020     0       0 deny log tcp from any to 140.254.12.124 31337 in recv en0
02021     0       0 deny log udp from any to 140.254.12.124 2140 in recv en0
02022     0       0 deny log udp from any to 140.254.12.124 31785 in recv en0
02023     0       0 deny log tcp from any to 140.254.12.124 31789,31791 in recv   en0
02024     0       0 deny log tcp from any to 140.254.12.124 21554 in recv en0
02025     0       0 deny log tcp from any to 140.254.12.124 6969 in recv en0
02026     0       0 deny log tcp from any to 140.254.12.124 23456 in recv en0
02027     0       0 deny log tcp from any to 140.254.12.124 1243,6776 in recv  en0
02028     0       0 deny log tcp from any to 140.254.12.124 15104,12754 in recv  en0
02029     0       0 deny log udp from any to 140.254.12.124 10498,6838 in recv  en0
02030     0       0 deny log udp from any to 140.254.12.124 31335 in recv en0
02031     0       0 deny log tcp from any to 140.254.12.124 27665,27444 in recv  en0
02032     0       0 deny log tcp from any to 140.254.12.124 20432 in recv en0
02033     0       0 deny log udp from any to 140.254.12.124 18753,20433 in recv  en0
52034   304   20021 allow ip from 140.254.12.124 to any out xmit en0
52035     0       0 deny log ip from any to 140.254.12.124 in recv en0
65535 13048 1498445 allow ip from any to any

You should now have a bit more output than you did previously. The open rule, which was the only rule before you started, is now the last rule. The Firewall Monitor in BrickHouse appears to be a graphical view of ipfw show.

Next run ifconfig -a again:

[localhost:~/brickhouse-misc] joray% ifconfig -a

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,b6,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 140.254.12.124 netmask 0xffffff00 broadcast 140.254.12.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:30:65:ca:f9:a2
        media: autoselect (100baseTX <half-duplex>) status: active
        supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP
        <full-duplex> 100baseTX <half-duplex> 100baseTX <full-duplex>

If you configured your machine to be a gateway, you should now see information about your machine's interface to the internal and external networks. If you did not configure your machine to be a gateway, you should see no changes. Command documentation for ifconfig is included in Table 31.1.

Table 31.1. Command Documentation Table for `ifconfig`

`ifconfig`	Configures network interface parameters.
ifconfig <interface> <address_family> [<address> [<dest address>]] [<parameters>] ifconfig <interface> [<protocol family>] ifconfig -a [-d] [-u] [<address family>] ifconfig -l [-d] [-u] [<address family>]
`ifconfig` assigns an address to a network interface and/or configures network interface parameters. It must be used at boot time to define the network address of each network interface. It may also be used at a later time to redefine an interface's network address or other operating parameters.
Only the super user can modify the configuration of a network interface.
`-a`	Produces a full listing of all available interfaces.
`-l`	Produces a name-only listing of all available interfaces.
`-d`	Limits a listing to those interfaces that are down.
`-u`	Limits a listing to those interfaces that are up.
Available operands for `ifconfig` are
`<address>`	For the DARPA-Internet family, the address is either a hostname in the hostname database or a DARPA-Internet address expressed in the Internet standard dot notation.
`<address family>`	Specifies the `<address family>` , which affects interpretation of the remaining parameters. The address or protocol families currently supported are `inet`, `iso`, and `ns`.
`<interface>`	`<interface>` parameter is a string of the form `<name phys` `i` `cal unit>` , such as `en0`.
The following parameters may be set with `ifconfig` :
`alias`	Establishes an additional network address for this interface. This is sometimes useful when changing network numbers, while still accepting packets for the old interface. A `<netmask>` should be used with this parameter. If the new `<alias>` address is on the same subnet as an existing address assigned to this interface, the netmask must be `255.255.255.255`. If a netmask is not supplied, the command will use the one implied by the address itself. If the all ones netmask is used, the system will handle route installation. If another is used, a route to that address may have to be added by hand; for example, `route add -host xx.xx.xx.xx -interface 127.0.0.1`, where `xx.xx.xx.xx` is the alias. In either case, the route might have to be deleted by hand when the alias is removed (`-alias` or `delete`).
`arp`	Enables the use of the Address Resolution Protocol in mapping between network-level addresses and link-level addresses (default). This is currently implemented for mapping between DARPA-Internet addresses and 10 Mb/s Ethernet addresses.
`-arp`	Disables the use of the Address Resolution Protocol.
`broadcast`	(`inet` only) Specifies the address to use to represent broadcasts to the network. The default broadcast address is the address with a host part of all 1s.
`debug`	Enables driver-dependent bugging code. This usually turns on extra console logging.
`-debug`	Disables driver-dependent debugging code.
`delete`	Removes the network address specified. This would be used if you incorrectly specified an alias or it was no longer needed.
`dest_addr`	Specifies the address of the correspondent on the other end of a point-to-point link.
`down`	Marks an interface down. When an interface is marked down, the system does not attempt to transmit messages through that interface. If possible, the interface is reset to disable reception as well. This does not automatically disable routes using the interface.
`ipdst`	Specifies an Internet host to receive IP packets encapsulating NS packets bound for a remote network.
`metric <` `n` `>`	Sets the routing metric of the interface to `<` `n` `>`, default `0`. The routing metric is used by the routing protocol. Higher metrics make a less favorable route. Metrics are counted as addition hops to the destination network or host.
`netmask` `<mask>`	(`inet` and `ISO`) Specifies how much of the address to reserve for subdividing networks into subnetworks. The mask includes the network part of the local address and the subnet part, which is taken from the host field of the address. The mask can be specified as a single hexadecimal number beginning with 0x, as a dot-notation Internet address, or as a pseudo-network name listed in the network table networks. The mask contains 1s for the bit positions in the 32-bit address that are to be used for the network and subnet parts, and 0s for the host part.
`nsellength <` `n` `>`	(ISO only) Specifies a trailing number of bytes for a received NSAP used for local identification, the remaining leading part of which, is taken to be the NET (Network Entity Title). The default is `1`, which is conformant to US GOSIP. When an ISO address is set in an `ifconfig`, it is really the NSAP that is being specified.
`trailers`	Requests the use of a trailer-link-level encapsulation when sending (default). If a network interface supports trailers, the system encapsulates outgoing messages so that the number of memory-to-memory-copy operations performed by the receiver is minimized. On networks that support Address Resolution Protocol, this flag indicates that the system should request that other systems use trailers when sending to this host. Currently used by Internet protocols only.
`-trailers`	Disables the use of a trailer link level encapsulation.
`link[0-2]`	Enables special processing of the link level of the interface.
`-link[0-2]`	Disables special processing at the link level with the specified interface.
`up`	Marks an interface up. Can be used to enable an interface after `i` `f` `config down` has been run. It happens automatically when setting the first address on an interface. If the interface was reset when previously marked down, the hardware is reinitialized.

If you had BrickHouse install a startup script, you now have a /Library/StartupItems/ Firewall directory:

[localhost:~] joray% ls -l /Library/StartupItems/Firewall

     total 24
     -rwxrwxr-x  1 root  admin   535 Jun 19 11:30 Firewall
     -rw-rw-r—  1 root  admin   552 Jun 19 11:30 StartupParameters.plist
     -rwxrwxr-x  1 root  admin  2393 Jun 19 11:30 openniports.pl

Just as you saw earlier in the book with fonts and sounds, you can also place local startup items in the /Library directory, following the basic structure seen in /System; in this case, /Library/StartupItems. Here is a sample startup script installed by BrickHouse to start the firewall and its logging facilities:

[localhost:~] joray% more /Library/StartupItems/Firewall/Firewall

     #!/bin/sh
     # Firewall Boot Script
     # Generated by BrickHouse


     #===========================================================
     # Enable IP Firewall Logging
     #===========================================================
     /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

     # Put a limit on each rule's logging
     /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500

     #===========================================================
     # Process Firewall Rules File
     #===========================================================
     /sbin/ipfw -q /etc/firewall.conf

As you can see from the startup script, BrickHouse installed a configuration file that it called firewall.conf in /etc. Look at the configuration file, especially if you did not switch to the Expert Configuration mode in BrickHouse. The file is nicely commented. If you need to make additional changes to the ruleset, you can do so either in the BrickHouse interface, or you can edit the /etc/firewall.conf file directly. Be sure to check the ifpw man page for specific details. This configuration file works in a similar manner to the newer TCP Wrappers configuration method. The ipfw program reads the configuration file on a first-match-wins basis.

The general format of the lines the BrickHouse created in the /etc/firewall.conf file is

add <rule_number> <action> <protocol> from <source> to <destination> [<options>] [via

      
    <interface>]

If you selected AppleShare as one of your services, you have entries that look approximately like this:

#################################################
## AppleShare IP/iDisk
#################################################
add 2010 allow tcp from any to 140.254.12.124 548 in via en0
add 2010 allow tcp from 140.254.12.124 548 to any out via en0

The first line is a rule that enables incoming tcp packets from any host to the host machine on port 548 via the interface en0. The second AppleShare rule enables outgoing tcp packets from the host machine on port 548 to any host via the en0 interface.

As mentioned in the previous section, if your OS X machine is an NFS client, you might have to allow all incoming packets to the NFS server. You could do that with a rule like this:

add <rule_number> allow ip from <NFS_Server-IP> to <host_IP> via en0

The ip packet description means all packets. You can also use all. Command documentation for ipfw is included in Table 31.2.

Table 31.2. Command Documentation Table for `ipfw`

`ipfw`	Controlling utility for IP firewall
ipfw [-q] [-p <preproc> [-D <macro>[=<value>]] [-U <macro>] <file> ipfw [-f \| -q] flush ipfw [-q] zero [<number> ...] ipfw delete <number> ... ipfw [-aftN] list [<number>...] ipfw [-ftN] show [<number>...] ipfw [-q] add [<number>] <action> [log] <proto> from <src> to <dst> [via <name> \| <ipno>] [<options>]
If used as shown in the first line, a `<file>` is read line by line and applied as arguments to `ipfw`.
A preprocessor can be specified using `-p <preproc>` where `<file>` is to be piped through. Typical preprocessors include `m4` and `cpp`. Optional `-D` and `-U` macro specifications can be given to pass on to the preprocessor.
Each incoming and outgoing packet is sent through the `ipfw` rules. In the case of a host acting as a gateway, packets that are forwarded by the host are processed twice—once when entering and once when leaving. Each packet can be filtered based on the following associated information:
Receive Interface (`recv`)	Interface over which the packet was received.
Transmit Interface (`xmit`)	Interface over which packet would be transmitted.
Incoming (`in`)	Packet was just received.
Outgoing (`out`)	Packet would be transmitted.
Source IP Address	Sender's IP address.
Destination IP Address	Target's IP address.
Protocol	IP protocol, including but not limited to IP (`ip`), UDP (`udp`), TCP (`tcp`), ICMP (`icmp`).
Source Port	Sender's `UDP` or `TCP` port.
Destination Port	Target's `UDP` or `TCP` port.
Connection Setup Flag (`setup`)	Packet is a request to set up a TCP connection.
Connection Established Flag (`established`)	Packet is part of an established TCP connection.
All TCP Flags (`tcpflags`)	One or more of the TCP flags: close connection (`fin`), open connection (`syn`), reset connection (`rst`), push (`psh`), acknowledgement (`ack`), urgent (`urg`) .
Fragment Flag (`frag`)	Packet is a fragment of an IP packet.
IP Options (`ipoptions`)	One or more IP options: strict source route (`ssrr`), loose source route (`lsrr`), record route (`rr`), timestamp (`ts`).
ICMP Types (`icmptypes`)	One or more of the ICMP types: echo reply (`0`), destination unreachable (`3`), source quench (`4`), redirect (`5`), echo request (`8`), router advertisement (`9`), router solicitation (`10`), time-to-live exceeded (`11`), IP header bad (`12`), timestamp request (`13`), timestamp reply (`14`), information request (`15`), information reply (`16`), address mask request (`17`), address mask reply (`18`).
Note that it may be dangerous to filter on source IP address or source TCP/UDP port because either or both could be spoofed.
The `ipfw` utility works by going through the rule list for each packet until a match is found. All rules have two associated counters: a packet count and a byte count. These are updated when a packet matches the rule.
Rules are ordered by line number, from `1` to `65534`. Rules are tried in increasing order, with the first matching rule being the one that applies. Multiple rules might have the same number and are applied in the order they were added.
If a rule is added without a number, it is numbered `100` higher than the highest defined rule number unless the highest rule number is `65435` or greater, in which case the new rules are given that same number.
One rule is always present: `65535` deny all from any to any.
This rule, not to allow anything, is the default policy.
If the kernel option `IPFIREWALL_DEFAULT_TO_ACCEPT` has been enabled, the default rule is `65535` allow all from any to any.
The previous rule is the default rule in OS X.
`Add`	Adds a rule.
`delete`	Deletes the first rule with number `<number>` , if any.
`List`	Prints out the current rule set.
`show`	Equivalent to `ipfw -a` list.
`zero`	Zeroes the counters associated with rule number `<number>` .
`flush`	Removes all rules.
The following options are available:
`-q`	Uses quiet mode when adding, flushing, or zeroing (implies `-f`). Useful for adjusting rules by executing multiple `ipfw` commands in a script.
`-f`	Does not ask for confirmation for commands that can cause problems if misused (for example, `flush`).
`-a`	Shows counter values while listing. See also `show`.
`-t`	Shows last match timestamp while listing.
`-N`	Tries to resolve addresses and service names in output.
Available options for *`<action>`* :
`allow`	Allows packets that match rule. The search terminates. Aliases are `pass`, `permit`, `accept`.
`deny`	Discards packets that match rule. The search terminates. Alias is `drop`.
`reject`	(Deprecated) Discards packets that match `rule`, and tries to send an ICMP host unreachable notice. The search terminates.
`unreach` `<code>`	Discards packets that match rule, and tries to send an ICMP unreachable notice with code `<code>` , where `<code>` is a number from `0` to `255`, or one of these aliases: `net`, `host`, `protocol`, `port`, `nee` `d` `frag`, `srcfail`, `net-unknown`, `host-unknown`, `isolated`, `net-prohib`, `host-prohib`, `tosnet`, `toshost`, `filter-prohib`, `host-precedence`, `precedence-cutoff`. The search terminates.
`reset`	TCP packets only. Discards packets that match rule, and tries to send a TCP reset (`RST`) notice. The search terminates.
`count`	Updates counters for all packets that match rule. The search continues with the next rule.
`divert` `<port>`	Diverts packets that match rule to divert (`4`) socket bound to port `<port>` . The search terminates.
`tee` `<port>`	Sends a copy of packets matching rule to the divert (`4`) socket bound to port `<port>` . The search terminates.
`fwd` `<ipaddr>` `[,` `<port>` `]`	Changes to the next hop on matching packets to `<ipaddr>` , which can be a dotted quad address or hostname. If `<ipaddr>` is not directly reachable, the route as found in the local routing table for that IP address is used instead. If `<ipaddr>` is a local address, when a packet enters the system from a remote host, it is diverted to `<port>` on the local machine, keeping the local address of the socket set to the original IP address for which the packet was destined. This is intended for use with transparent proxy servers. If `<ipaddr>` is not a local address, then `<port>` , if specified, is ignored, and the rule applies only to packets leaving the system. If `<port>` is not given, the port in the packet is used instead. The kernel must have been compiled with option `IPFIREWALL_FORWARD`.
`skipto` `<number>`	Skips subsequent rules numbered less than `<nu` `m` `ber>` . The search continues with the first rule numbered `<number>` or higher.
If a packet matches more than one divert and/or tee rule, all but the last are ignored.
If the kernel was compiled with `IPFIREWALL_VERBOSE`, when a packet matches a rule with the log keyword, a message is printed on the console. If the kernel was compiled with `IPFIREWALL_VERBOSE_LIMIT`, logging ceases after the number of packets specified by the option is received for that particular entry. Logging can then be re-enabled by clearing the packet counter for that entry.
Console logging and the log limit are adjustable dynamically through the `sysctl` (`8`) interface.
Available options for *`<proto>`* :
`Ip`	Matches all packets. The same as the alias all.
`Tcp`	Matches only TCP packets.
`Udp`	Matches only UDP packets.
`Icmp`	Matches only ICMP packets.
`<number\|name>`	Matches only packets for the specified protocol. See `/etc/protocols` for a complete list.
`<src>` and `<dst>` have the form
`<address/mask>` [ `<ports>` ]
`<address/mask>` may be specified as
`Ipno`	Has the form `1.2.3.4`. Only this exact number matches the rule.
`Ipno/bits`	Has the form `1.2.3.4/24`. In this case, all IP numbers from `1.2.3.0` to `1.2.3.255` match.
`Ipno:mask`	Has the form `1.2.3.4:255.255.240.0`. In this case, all IP numbers from `1.2.0.0` to `1.2.15.255` match.
The sense of match can be inverted by preceding an address with the `not` modifier, causing all other addresses to match instead. This does not affect the selection of port numbers.
Rules can apply to packets when they are incoming or outgoing or both. The keyword `in` indicates that the rule should only match incoming packets. The keyword `out` indicates that the rule should only match outgoing packets.
To match packets going through a certain interface, specify the interface with `via`.
`via` `<ifX>`	Matches packets going through the interface `<ifX>` .
`via` `<if>`*	Matches packets going through the interface `<` `if`* `>`, where `*` is any unit.
`via any`	Matches packets going through some interface.
`via ipno`	Matches packets going through the interface having the IP address `<ipno>` .
The keyword `via` causes the interface to always be checked. If `recv` or `xmit` is used instead, only the `receive` or `transmit` interface (respectively) is checked. By specifying both, it is possible to match packets based on both `receive` and `transmit` interfaces; for example:
ipfw add 100 deny ip from any to any out recv en0 xmit en1
The `recv` interface can be tested on either incoming or outgoing packets, while the `xmit` interface can only be tested on outgoing packets. So `out` is required (an `in` is invalid) whenever `xmit` is used. Specifying `via` together with `xmit` or `recv` is invalid.
Options available for *`<options>`* :
`frag`	Matches if the packet is a fragment and it is not the first fragment of the datagram. `frag` cannot be used in conjunction with either `tcpflags` or `TCP/UDP` port specifications.
`in`	Matches if the packet was on the way in.
`out`	Matches if the packet was on the way out.
`ipoptions` `<spec>`	Matches if the IP header contains the comma-separated list of options specified in `<spec>` . The supported IP options are `ssrr` (strict source route), `lsrr` (loose source route), `rr` (record packet route), and `ts` (timestamp). The absence of a particular option may be denoted with `a !`.
`established`	TCP packets only. Matches packets that have the `RST` or `ACK` bits set.
`setup`	TCP packets only. Matches packets that have the `SYN` bit set but no `ACK` bit.
`tcpflags` `<spec>`	Matches if the TCP header contains the comma-separated list of flags specified in `<spec>` . The supported TCP flags are `fin`, `syn`, `rst`, `psh`, `ack`, and `urg`. The absence of a particular flag may be denoted by an `!`. A rule that contains a `tcpflags` specification can never match a fragmented packet that has a non-zero offset.
`icmptypes` `<types>`	Matches if the `ICMP` type is in the list `<types>` . The list may be specified as any combination of ranges or individual types separated by commas.
Important points to consider when designing your rules:
Remember that you filter both packets going in and out. Most connections need packets going in both directions.
Remember to test very carefully. It is a good idea to be at the console at the time.
Don't forget the `loopback` interface.

BrickHouse might also have installed a configuration file, /etc/natd.conf, for natd. Here is a sample /etc/natd.conf created by BrickHouse:

interface en0
use_sockets yes
same_ports yes

This configuration file specifies the interface to be used. In addition, the use_sockets option is included as well as the same_ports option. The use_sockets option allocates a socket for the connection, and is useful for guaranteeing connections when ports conflict. The same_ports option specifies that natd should try to keep the same port number when altering outgoing packets. This also aids in guaranteeing the success of the connection. Command documentation for natd is included in Table 31.3.

Table 31.3. Command Documentation Table for `natd`

`natd`	Network Address Translation Daemon
natd [-ldsmvu] [-dynamic] [-i <inport>] [-o <outport>] [-p <port>] [-a <address>] [-n <interface>] [-f <configfile>] natd [-log] [-deny_incoming] [-log_denied] [-use_sockets] [-same_ports] [-verbose] [-log_facility <facility_name>] [-unregistered_only] [- dynamic] [-inport <inport>] [-outport <outport>] [-port <port>] [- alias_address <address>] [-interface <interface>] [-config <configfile>] [-redirect_port <linkspec>] [-redirect_address <localIP> <publicIP>] [-reverse] [-proxy_only] [-proxy_rule <proxyspec>] [-pptal ias <localIP>]
`natd` provides a Network Address Translation facility for use with divert (`4`) sockets. It is intended for use only with `NIC`s—if you want to do `NAT` on a `PPP` link, use the `-alias` switch to `ppp` (`8`).
`natd` normally runs in the background as a daemon. It is passed raw IP packets as they travel into and out of the machine, and will possibly change these before reinjecting them back into the IP packet stream.
`natd` changes all packets destined for another host so that their source IP number is that of the current machine. For each packet changed in this way, an internal table entry is created to record this fact. The source port number is also changed to indicate the table entry applying to the packet. Packets that are received with a target IP of the current host are checked against this internal table. If an entry is found, it is used to determine the correct target IP number and port to place in the packet.
`-l`
`-log`	Logs various aliasing statistics and information to the file `/var/log/alias.log`. This file is truncated each time `natd` is started.
`-d`
`-deny_incoming`	Rejects packets destined for the current IP number that have no entry in the internal translation table.
`-s`
`-use_sockets`	Allocates a socket (`2`) to establish an FTP data or `IRC DCC send` connection. This option uses more system resources, but guarantees successful connections when port numbers conflict.
`-m`
`-same_ports`	Tries to keep the same port number when allocating outgoing packets. With this option, protocols such as `RPC` will have a better chance of working. If it is not possible to maintain the port number, it will be silently changed as per normal.
`-v`
`-verbose`	Doesn't call `fork` (`2`) or `daemon` (`3`) on startup. Instead, it stays attached to the controlling terminal and displays all packet alterations to the standard output. This option should be used only for debugging.
`-u`
`-unregistered_only`	Only alters outgoing packets with an unregistered source address. According to `RFC 1918`, unregistered source addresses are `10.0.0.0/8`, `176.16.0.0/12`, `192.168.0.0/16`.
`-log_denied`	Logs denied incoming packets via `syslog` (see also `log_facility`)
`-log_facility` `<facility_name>`	Uses specified log facility when logging information via `syslog`. Facility names as in `syslog.conf` (`5`).
`-dynamic`	If the `-n` or `-interface` option is used, `natd` monitors the routing socket for alterations to the `<interface>` passed. If the interface IP number is changed, `natd` will dynamically alter its concept of the alias address.
`-i` `<inport>`
`-inport` `<inport>`	Reads from and writes to `<inport>` , treating all packets as packets coming into the machine.
`-o <output>`
`-outport` `<outport>`	Reads from and writes to `<outport>` , treating all packets as packets going out of the machine.
`-p` `<port>`
`-port` `<port>`	Reads from and writes to `<port>` , distinguishing packets as incoming or outgoing using the rules specified in divert. If `<port>` is not numeric, it is searched for in the `/etc/services` database. If this flag is not specified, the divert port named `natd` is used as a default.
`-a` `<address>`
`-alias_address` `<address>`	Uses `<address>` as the alias address. If this option is not specified, the `-n` or `-interface` option must be used. The specified address should be the address assigned to the public-network interface. All data passing out through this address's interface is rewritten with a source address equal to `<address>` . All data arriving at the interface from outside is checked to see if it matches any already-aliased outgoing connection. If it does, the packet is altered accordingly. If not, all `-redirect_port` and `-redirect_address` assignments are checked and acted on. If no other action can be made, and if `-deny_incoming` is not specified, the packet is delivered to the local machine and port as specified in the packet.
`-n <interface>`
`-interface` `<interface>`	Uses `<interface>` to determine the alias address. If there is a possibility that the IP number associated with `<i` `n` `terface>` might change, the `-dynamic` flag should also be used. If this option is not specified, the `-a` or `-alias_address` flag must be used. The specified `<interface>` must be the public network interface.
`-f <configfile>`
`-config` `<configfile>`	Reads the configuration from `<configfile>` . `<configfile>` contains a list of options, one per line, in the same form as the long form of the command-line flags. For example, the line alias_address 158.152.17.1 specifies an alias address of `158.152.17.1`. Options that don't take an argument are specified with an option of yes or no in the configuration file. For example, the line `-log yes` is synonymous with `-log`. Empty lines and lines beginning with `#` are ignored.
`-redirect_port` `<proto>` `<targetIP>:` `<targetPORT>` `[` `<aliasIP>:` `]` `<aliasPORT>` `[` `<remoteIP>` `[:` `<remotePORT>` `]`	Redirects incoming connections arriving to given port to another host and port. `<proto>` is either `tcp` or `udp`; `<targetPORT><targetIP>` is the desired target IP number; is the desired target PORT number; `<al` `i` `asPORT>` is the requested PORT Number and `<aliasIP>` if the aliasing address. `<remoteIP>` and `<remotePORT>` can be used to specify the connection more accurately, if necessary. For example, the argument tcp inside1:telnet 6666 means that TCP packets destined for port `6666` on this machine will be sent to the `telnet` port on the `i` `n` `side1` machine. -redirect_address <localIP> <publicIP> Redirects traffic for public IP address to a machine on the local network. This function, known as `static NAT`, is normally useful if your ISP has allocated a small block of IP addresses to you, but it can be used in the case of a single address: redirect_address 10.0.0.8 0.0.0.0 The previous command would redirect incoming traffic to machine `10.0.0.8`. If several address aliases specify the same public address as follows redirect_address 192.168.0.2 <public_addr> redirect_address 192.168.0.3 <public_addr> redirect_address 192.168.0.4 <public_addr> The incoming traffic will be directed to the last translated local address (`192.168.0.4`), but outgoing traffic to the first two addresses will be aliased to the specified public address.
`-reverse`	Reverses operation of `natd`. This can be useful in some transparent proxying situations when outgoing traffic is redirected to the local machine and `natd` is running on the incoming interface (it usually runs on the outgoing interface).
`-proxy_only`	Forces `natd` to perform transparent proxying only. Normal address translation is not performed.
`-proxy_rule [` `<type>` `encode_ip_hdr \| encode_tcp_stream] port` `<xxxx>` `server` `<a.b.c.d:yyyy>`	Enables transparent proxying. Packets with the given port going through this host to any other host are redirected to the given server and port. Optionally, the original target address can be encoded into the packet. Use `e` `n` `code_ip_header` to put this information into the IP option field or `encode_tcp_stream` to inject the data into the beginning of the TCP stream.
`-pptpalias` `<localIP>`	Enables `PPTP` packets to go to the defined local IP address. `PPTP` is `VPN` or secure IP-tunneling technology being developed primarily by Microsoft. For its encrypted traffic, it uses an old IP-encapsulation protocol called `GRE`. This `natd` option will translate any traffic of this protocol to a single server to be serviced with `natd`. If you are setting up a server, don't forget to allow the TCP traffic for PPTP setup. For a client or server, you must allow `GRE` (protocol 47) if you have firewall lists active.

Recovery

After you are done with BrickHouse, you might leave your machine in an unusable state. If you need to uninstall BrickHouse while you work out a solution, the documentation suggests that you select Remove Startup Script under the Options menu and reboot, or throw out the /Library/StartupItems/Firewall folder and reboot. The documentation also points out that Clear All Rules under the Options menu will temporarily uninstall the firewall.

If your machine is so unusable that you can't do any of the previous suggestions, reboot into single-user mode and remove the /Library/StartupItems/Firewall directory. You can also remove the /etc/firewall.conf and /etc/natd.conf files. Upon rebooting, your machine is restored to the condition it was in before you used BrickHouse. The next time you are ready to use BrickHouse, just start with the Setup Assistant and work from there.

Intrusion Detection | Next Section

Previous Section