Firewall: iptables on a MacBook?


Registered member
14 November 2011

Being a heavy user of Linux distributions...
I am now very interested in MacBooks,
and I plan to buy one (MacBook Pro 13 inch) soon. :)

Since the operating system is Mac OS X (if I'm not mistaken),
and it is indeed part of the Unix family,
I would like to know whether the firewall is (also) NETFILTER (IPTABLES) as under Linux?

Because I would like to configure it from the command line on my (future) MacBook.

Thanks. :)


Expert member
Club iGen
4 January 2011

I'm sending you the beginning of "man ipfw" on a Mac (Snow Leopard).
It's command line of course (that's for masochists... :D )

IPFW(8) BSD System Manager's Manual IPFW(8)

ipfw -- IP firewall and traffic shaper control program

ipfw [-cq] add rule
ipfw [-acdefnNStT] {list | show} [rule | first-last ...]
ipfw [-f | -q] flush
ipfw [-q] {delete | zero | resetlog} [set] [number ...]
ipfw enable {firewall | one_pass | debug | verbose | dyn_keepalive}
ipfw disable {firewall | one_pass | debug | verbose | dyn_keepalive}

ipfw set [disable number ...] [enable number ...]
ipfw set move [rule] number to number
ipfw set swap number number
ipfw set show

ipfw {pipe | queue} number config config-options
ipfw [-s [field]] {pipe | queue} {delete | list | show} [number ...]

ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

The ipfw utility is the user interface for controlling the ipfw(4) firewall and the dummynet(4) traffic shaper in FreeBSD.

An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to ipfw from a number of
different places in the protocol stack (depending on the source and destination of the packet, it is possible that ipfw is invoked
multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the firewall ruleset.
When a match is found, the action corresponding to the matching rule is performed.

Depending on the action and certain system settings, packets can be reinjected into the firewall at some rule after the matching one
for further processing.

An ipfw ruleset always includes a default rule (numbered 65535) which cannot be modified or deleted, and matches all packets. The
action associated with the default rule can be either deny or allow depending on how the kernel is configured.

If the ruleset includes one or more rules with the keep-state or limit option, then ipfw assumes a stateful behaviour, i.e. upon a
match it will create dynamic rules matching the exact parameters (addresses and ports) of the matching packet.

These dynamic rules, which have a limited lifetime, are checked at the first occurrence of a check-state, keep-state or limit rule,
and are typically used to open the firewall on-demand to legitimate traffic only. See the STATEFUL FIREWALL and EXAMPLES Sections
below for more information on the stateful behaviour of ipfw.

All rules (including dynamic ones) have a few associated counters: a packet count, a byte count, a log count and a timestamp indicating the time of the last match. Counters can be displayed or reset with ipfw commands.

Rules can be added with the add command; deleted individually or in groups with the delete command, and globally (except those in set 31) with the flush command; displayed, optionally with the content of the counters, using the show and list commands. Finally, counters can be reset with the zero and resetlog commands.

Also, each rule belongs to one of 32 different sets, and there are ipfw commands to atomically manipulate sets, such as enable, disable, swap sets, move all rules in a set to another one, delete all rules in a set. These can be useful to install temporary configurations, or to test them. See Section SETS OF RULES for more information on sets.

The following options are available:

-a While listing, show counter values. The show command just implies this option.

-c When entering or showing rules, print them in compact form, i.e. without the optional "ip from any to any" string when this
does not carry any additional information.

-d While listing, show dynamic rules in addition to static ones.

-e While listing, if the -d option was specified, also show expired dynamic rules.

-f Don't ask for confirmation for commands that can cause problems if misused, i.e. flush. If there is no tty associated with
the process, this is implied.

-n Only check syntax of the command strings, without actually passing them to the kernel.

-N Try to resolve addresses and service names in output.

-q While adding, zeroing, resetlogging or flushing, be quiet about actions (implies -f). This is useful for adjusting rules by
executing multiple ipfw commands in a script (e.g., `sh /etc/rc.firewall'), or by processing a file of many ipfw rules across
a remote login session. If a flush is performed in normal (verbose) mode (with the default kernel configuration), it prints
a message. Because all rules are flushed, the message might not be delivered to the login session, causing the remote login
session to be closed and the remainder of the ruleset to not be processed. Access to the console would then be required to

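The man page above answers the original question: the Snow Leopard firewall is the BSD ipfw packet filter, not Netfilter, so there are no iptables tables or chains, just one numbered list of rules (1 to 65535) evaluated first-match-wins, with keep-state/check-state for stateful filtering and a fixed default rule 65535 (on Mac OS X its action is allow, so an explicit catch-all deny is needed). Mac OS X 10.7 Lion switched to pf (pfctl) and ipfw was removed in 10.10, so the following only applies to 10.6-era systems. As an added example that is not part of the thread, here is a small rc.firewall-style script for a laptop. The rule numbers, the choice of allowed services (outbound TCP/UDP, inbound SSH) and the function names are assumptions made for the illustration; the ipfw keywords (check-state, keep-state, setup, me, log, -n, -q, enable firewall) are the ones documented in the man page.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ipfw ruleset for a
# Snow Leopard laptop, loaded the way the man page recommends for scripts
# (every command with -q so a flush cannot close a remote session).
# Rule numbers and the allowed services are assumptions for illustration.

# Emit the ruleset on stdout, one ipfw command per line (the file format that
# "ipfw pathname" reads). Kept in a function so it can be checked before use.
ruleset() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 check-state
add 01100 allow tcp from me to any setup keep-state
add 01200 allow udp from me to any keep-state
add 01300 allow icmp from any to any icmptypes 0,3,8,11
add 02000 allow tcp from any to me 22 setup keep-state
add 65000 deny log ip from any to any
EOF
}
# Rule 1000 (check-state) consults the dynamic rules created by the keep-state
# rules below it, so established flows are accepted before any static rule.
# Rule 65000 is the explicit catch-all deny in front of the unmodifiable
# default rule 65535, whose action depends on the kernel (allow on Mac OS X).

# Install the ruleset: syntax-check with -n first (nothing reaches the kernel),
# then flush and load. -q implies -f, so the flush asks no question and prints
# nothing that could tear down an SSH session. Needs root and a Mac with ipfw.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    ruleset > "$tmp"
    if ! ipfw -n "$tmp"; then
        echo "syntax error in ruleset, nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    ipfw -q flush && ipfw -q "$tmp" && ipfw enable firewall
    status=$?
    rm -f "$tmp"
    return $status
}

# Show static rules with their counters (-a) plus the live dynamic entries (-d).
show_state() {
    ipfw -a list
    ipfw -d -e show
}

# Sanity checks on the generated text, usable on any system without ipfw:
# number of static rules, and presence of the catch-all deny before 65535.
rule_count() { ruleset | grep -c '^add '; }
has_catchall() { ruleset | grep -q '^add 65000 deny'; }

# Usage: ./rc.firewall prints the rules; ./rc.firewall --apply loads them.
case "${1:-}" in
    --apply) apply_ruleset ;;
    *) ruleset ;;
esac
```

The check-state rule must sit above the keep-state rules: the man page says dynamic rules are only consulted at the first check-state, keep-state or limit rule, so placing it at 1000 means reply packets of an established flow never reach the catch-all deny.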


Registered member
14 November 2011
So is ipfw the equivalent of Netfilter's iptables command? Or does it rely on a system other than netfilter and its tables?


Expert member
Club iGen
4 January 2011
I'm Mac only at home, so no QoS on the family network.
Attached you'll find the complete ipfw man page.
Happy reading... :)

As for QoS, it's not a router, it doesn't do much anyway!