Using the Lion pf with the Emerging Threats list 18/08/2012 14:46

Using the Lion pf firewall with the Emerging Threats list

Mac OS X has multiple firewall options. Most users are familiar with the application-level firewall: each application that opens a network socket needs explicit user permission, and it is managed through the Firewall panel in System Preferences. There is also another, less well known firewall tool available. It is a kernel-level packet filter. Since parts of Mac OS X are derived from FreeBSD, the packet filter has been ipfw, the default packet filter in FreeBSD. With the release of Mac OS X Lion (10.7), there is another packet filter tool available: pf. In fact, ipfw is deprecated and pf is the new packet filter hotness.

pf is the OpenBSD packet filter. It is a robust software package with many impressive and useful features. FreeBSD also has pf, and now Lion does too. I have built several transparent bridge packet filters on FreeBSD and pf. The performance has met our needs, and that includes several tables with over 4000 entries that we block. One of those tables includes the Emerging Threats Block IP list.

Emerging Threats is an open source community project that collects IP addresses of the “bad guys” and then shares that collection in the form of router access control lists (ACLs), firewall rules, intrusion detection/prevention rules, and just a plain old list. The project collects IP addresses and network ranges of known attackers, spammers, malware sites, botnet control systems, and other unpleasantness on the internet. They publish rules and lists daily. When you load these rules into your network security device, you can block those IP addresses or get an alert when one attempts to reach your network. At my office, we just use the plain list and load it into a pf table with a rule that says any IP address in this table is bad, so just block it.

Now that Lion supports pf, we can easily use the Emerging Threats list on our Macs. By loading the Emerging Threats block list into a table on your Lion system you can block packets from some of the bigger bad guys on the internet.

Setting up rules using an anchor

Lion uses pf anchors to divide up filter rules into functional groups. We can also use this technique and create an anchor. Edit your /etc/pf.conf file to include the following lines:

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

Now we need to write the lines for the anchor we defined. From the pf.conf configuration we just added, those should go into the file /etc/pf.anchors/emerging-threats. Create that file and add these lines:

table <emerging_threats> persist file "/etc/emerging-Block-IPs.txt"
block log from <emerging_threats> to any

The first line establishes a table called emerging_threats and on an initial start will load the contents of the /etc/emerging-Block-IPs.txt file.

The second line is the filter rule that blocks and logs from any IP address or network listed in the emerging_threats table. If you are not interested in logging the packets that are dropped, just leave out the log keyword.

Now, we need to acquire the Emerging Threats list and save it to the /etc directory. The URL for the list is

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

You can download and save it with your browser, or execute these commands:

$ curl http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt -o /tmp/emerging-Block-IPs.txt
$ sudo cp /tmp/emerging-Block-IPs.txt /etc
$ sudo chmod 644 /etc/emerging-Block-IPs.txt

To load the new pf rules, execute the following command:

$ sudo pfctl -f /etc/pf.conf
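The list is published daily, so the steps above need repeating to stay current. The script below is an added example (not from the original post) that refreshes the table in the running pf with pfctl's table commands instead of reloading the whole rule set, and refuses to swap in a list that came back empty or malformed. It assumes the anchor name, table name and file path used above, an `et-refresh.sh` file name, and that the refresh runs as root; the sample list inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: refresh the Emerging Threats
# table in the running pf without reloading the whole rule set.
# Assumptions (matching the anchor file above): the anchor is
# "emerging-threats", the table is <emerging_threats>, the list file is
# /etc/emerging-Block-IPs.txt, and et_refresh runs as root.

ET_URL="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
ET_FILE="/etc/emerging-Block-IPs.txt"
ET_ANCHOR="emerging-threats"
ET_TABLE="emerging_threats"

# Constructed sample of what a downloaded list looks like: comments,
# blank lines, IPv4 hosts and CIDR networks, plus one junk line.
et_sample_list() {
    printf '%s\n' \
        '# Emerging Threats sample (constructed for this example)' \
        '192.0.2.7' \
        '' \
        '198.51.100.0/24' \
        'not-an-address' \
        '203.0.113.9'
}

# Keep only lines that look like an IPv4 address or CIDR network.
# Reads stdin, writes stdout. Comments, blank lines and anything else
# are dropped so a truncated or garbled download cannot put junk
# into the table.
et_sanitize() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Number of entries a list (on stdin) would contribute to the table.
et_count() {
    et_sanitize | wc -l | tr -d ' '
}

# Download, sanitize, and only swap the new list in when it is non-empty:
# replacing the table with an empty file would silently unblock everything.
et_refresh() {
    tmp=$(mktemp /tmp/et.XXXXXX) || return 1
    curl -sS "$ET_URL" | et_sanitize > "$tmp"
    if [ "$(wc -l < "$tmp" | tr -d ' ')" -eq 0 ]; then
        echo "refresh aborted: downloaded list was empty or malformed" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 644 "$tmp" "$ET_FILE" && rm -f "$tmp"
    # Replace the table contents in place; -a selects the anchor the
    # table was defined in, so the main rule set is not touched.
    pfctl -a "$ET_ANCHOR" -t "$ET_TABLE" -T replace -f "$ET_FILE"
}

# Only touch pf when invoked as "et-refresh.sh refresh", so the functions
# above can be sourced and exercised without root.
if [ "${1:-}" = "refresh" ]; then
    et_refresh
fi
```

Run it as `sudo sh et-refresh.sh refresh` from a daily launchd job or cron entry. Because the table is declared inside the anchor, `pfctl -t` without `-a emerging-threats` would look for it in the main rule set and fail, which is why the anchor is passed explicitly.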

On system start, launchd loads pf from the /System/Library/LaunchDaemons/com.apple.pfctl.plist file. It loads the default rule set, which now contains our anchor for the Emerging Threats table. So we are good to go with the basics.

Logging dropped packets

For some strange reason, Lion does not include pflogd, a daemon to record logged packets into a file. The only way to capture the packets logged from the Emerging Threats block table is to use tcpdump to listen on the pflog0 interface and write the results to a file. To me that does not seem to be the best approach. I will spend time on this problem and post another blog entry on a solution.

For now, you can monitor those logged packets using this command, taken from the pflog(4) manual page as an example:

$ sudo tcpdump -n -e -ttt -i pflog0
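Without pflogd, the tcpdump stream is all there is, so it helps to reduce it to something readable. The functions below are an added example (not from the original post) that pull the blocked source address out of each pflog line and rank sources by hit count; the sample lines are constructed to mimic `tcpdump -n -e -ttt -i pflog0` output and are not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: summarize which listed
# addresses pf has blocked, using tcpdump's pflog0 output as input,
# since Lion ships no pflogd.

# Constructed lines standing in for "tcpdump -n -e -ttt -i pflog0" output.
pflog_sample() {
    printf '%s\n' \
        '00:00:00.000000 rule 0/0(match): block in on en0: 192.0.2.7.443 > 10.0.1.5.52311: Flags [S], seq 1, win 65535, length 0' \
        '00:00:01.250000 rule 0/0(match): block in on en0: 198.51.100.9.25 > 10.0.1.5.52312: Flags [S], seq 2, win 65535, length 0' \
        '00:00:02.100000 rule 0/0(match): block in on en0: 192.0.2.7.80 > 10.0.1.5.52313: Flags [S], seq 3, win 65535, length 0'
}

# Pull the source address (without the trailing port) out of each
# "block in on IFACE: SRC.PORT > DST.PORT" line; lines that do not
# match that shape are ignored. An optional "IP " prefix is tolerated
# because tcpdump versions differ in whether they print it.
pflog_sources() {
    sed -n 's/.* block [a-z]* on [^:]*: \(IP \)\{0,1\}\([0-9][0-9.]*\)\.[0-9][0-9]* > .*/\2/p'
}

# Blocked sources ranked by hit count, most frequent first,
# printed as "ADDRESS COUNT".
pflog_top_sources() {
    pflog_sources | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Live use (root required; -l makes tcpdump line-buffer its output):
#   sudo tcpdump -n -e -ttt -i pflog0 -l | pflog_top_sources
# On the constructed sample:
#   pflog_sample | pflog_top_sources
```

Piping the live capture through `pflog_top_sources` only prints when tcpdump exits, so for a running tally save the capture to a file first (`tcpdump ... -w`) or feed a bounded capture (`-c N`) through it.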

Those are the basic steps needed to get pf to use the Emerging Threats list and avoid some of the less trustworthy IPs out there.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
