
Symptom:

MacOS X (10.3 and up) contains an IPv6 firewall (ip6fw), which has been inherited from FreeBSD and the KAME project.

Problem:

However, a stock MacOS X system ships no configuration or startup scripts, nor any other support, for managing this firewall.

Solution:

The script in the installer package attached to this article reads a firewall configuration from '/etc/ip6fw.conf' and applies the IPv6 firewall rules to the MacOS X firewall. The script has been tested on MacOS X 10.5 and 10.6 (it might or might not work on older MacOS X versions).

The default configuration for the MacOS X firewall is:
# MacOS X 10.x ip6fw configuration

logging=yes

# loopback
10000 allow ipv6 from any to any via lo0

# Duplicate Address Detection (DAD)
20000 allow ipv6-icmp from any to FF02::/16

# Neighbor Discovery (ND)
20010 allow ipv6-icmp from FE80::/10 to FE80::/10
20015 allow ipv6-icmp from FE80::/10 to FF02::/16
20016 allow ipv6-icmp from any to any icmptype 135,136

# ICMPv6 from the network
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129

# Router Advertisements
20050 allow ipv6-icmp from any to any icmptype 134
20055 allow ipv6-icmp from any to any icmptype 133

# allow established TCP connections
20100 allow tcp from any to any established

# NTP multicast
20210 allow udp from any to ff02::1010 123 via en0

# mDNS (Rendezvous/Bonjour)
20220 allow udp from any to ff02::fb 5353 via en0

# allow all outgoing IPv6 connections
20230 allow ipv6 from any to any out

# allow DNS in and out
20240 allow udp from any to any 53 out
20241 allow udp from any 53 to any in

# Secure Shell
20500 allow tcp from any to any 22

# Web-Server
#20510 allow tcp from any to any 80

# Postfix SMTP
#20520 allow tcp from any to any 25

# IPP / CUPS
20530 allow tcp from any to any 631

# Apple Filing Protocol
20540 allow tcp from any to any 548
20541 allow tcp from any to any 427

# block all not otherwise allowed and log
65534 unreach admin log ipv6 from any to any
With 'sudo ip6fw list' on the Terminal command line we can check that all the rules are loaded and active:
# sudo ip6fw list
Password:
10000 allow ipv6 from any to any via lo0
20000 allow ipv6-icmp from any to ff02::/16
20010 allow ipv6-icmp from fe80::/10 to fe80::/10
20015 allow ipv6-icmp from fe80::/10 to ff02::/16
20016 allow ipv6-icmp from any to any icmptype 135,136
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129
20050 allow ipv6-icmp from any to any icmptype 134
20055 allow ipv6-icmp from any to any icmptype 133
20100 allow tcp from any to any established
20210 allow udp from any to ff02::1010 123 via en0
20220 allow udp from any to ff02::fb 5353 via en0
20230 allow ipv6 from any to any out
20240 allow udp from any to any 53 out
20241 allow udp from any 53 to any in
20500 allow tcp from any to any 22
20530 allow tcp from any to any 631
20540 allow tcp from any to any 548
20541 allow tcp from any to any 427
65534 unreach admin log ipv6 from any to any
65535 allow ipv6 from any to any
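The installer's own script is not reproduced on this page, so the following is an added example of the two steps it has to perform: lint a configuration in the '/etc/ip6fw.conf' format shown above, then render it into the 'ip6fw add' commands that would load it. The lint deliberately rejects a policy that does not end with a blocking rule, because the built-in rule 65535 at the end of the listing above accepts everything that reaches it; the sysctl name used for logging and the sample policies are assumptions, not taken from the package.

```shell
# Added example, not the installer's own script: lint an /etc/ip6fw.conf-style
# file and render it into the 'ip6fw' commands that would load it. Assumes the
# format shown above ('#' comments, 'logging=yes|no', '<number> <rule body>');
# the sysctl used to switch logging on is an assumption.

# Emit one command per active line; comments and blank lines are dropped.
ip6fw_conf_to_cmds() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        case "$line" in
            logging=yes) echo "sysctl -w net.inet6.ip6.fw.verbose=1" ;;
            logging=no)  echo "sysctl -w net.inet6.ip6.fw.verbose=0" ;;
            *)           echo "ip6fw add $line" ;;
        esac
    done
}

# Lint: rule numbers must be integers, strictly increasing and below 65535, and
# the last rule must block, because the built-in rule 65535 shown at the end of
# 'ip6fw list' accepts anything that reaches it.
ip6fw_conf_check() {
    prev=0 last_action='' status=0
    while read -r num action rest; do
        case "$num" in
            ''|\#*|logging=*) continue ;;
            *[!0-9]*) echo "bad rule number: $num"; status=1; continue ;;
        esac
        if [ "$num" -le "$prev" ] || [ "$num" -ge 65535 ]; then
            echo "rule $num: out of order or outside 1-65534"; status=1
        fi
        prev=$num last_action=$action
    done < "$1"
    case "$last_action" in
        deny|unreach|reset) ;;
        *) echo "last rule ($last_action) does not block; falls through to 65535 allow"; status=1 ;;
    esac
    return "$status"
}

# Constructed sample policies, written to temp files rather than /etc.
good_conf=$(mktemp); bad_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
logging=yes
10000 allow ipv6 from any to any via lo0
20100 allow tcp from any to any established
#20510 allow tcp from any to any 80
65534 unreach admin log ipv6 from any to any
EOF
printf '20100 allow tcp from any to any established\n10000 allow ipv6 from any to any via lo0\n' > "$bad_conf"
ip6fw_conf_check "$good_conf" && ip6fw_conf_to_cmds "$good_conf"
```

Piping the rendered commands into 'sudo sh' would load the policy; running the check first is what keeps a mis-ordered or open-ended file from ever reaching the kernel.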

Additional information about this script and the contents of the installer package can be found at
http://blog.atariwiki.strotmann.de/roller/cas/entry/managing_the_macos_x_ipv6