December 20, 2007

Flying Buttress

Make the Mac ipfirewall sturdy with this shareware tool

 Executive Summary:
Flying Buttress is a tool that helps you manage and configure the ipfirewall (ipfw) firewall in Mac OS X. It offers granular configuration abilities and is a GUI alternative to using the command line.

We seem to be seeing more Macintosh computers in corporate environments these days. The Mac's UNIX underpinnings, Intel core, and speed have prompted many PC folks to change over to Apple’s flagship product. This month, we’ll look at Flying Buttress, a shareware application for Mac OS X that acts as a robust front end to Apple’s built-in firewall, ipfirewall (ipfw). Flying Buttress lets you configure this powerful firewall at a granular level. If you use a Mac or are responsible for the security of Macs within your organization, you’ll find Flying Buttress a useful addition to your toolbox.

The Mac Firewall—ipfw
Before we dive deeper into Flying Buttress, let's examine the firewall it helps manage. Included with every version of Mac OS X, ipfw is a well-regarded, command-line firewall that originated in FreeBSD. It can be configured as either a network- or host-based firewall. Using the command line, you can create a simple filter or rule. For example, typing

 ipfw add allow icmp from 192.168.0.0/24 to any 

allows Internet Control Message Protocol (ICMP) traffic (e.g., ping) from the 192.168.0.0 Class C subnet to anywhere (e.g., the host computer). The rule takes effect as soon as you execute the command from the terminal. To review firewall rules created by Mac OS X system preferences, type

ipfw list

Figure 1 shows the firewall configuration on a Mac OS X computer when you’ve instructed the computer to lock itself down. You can also see several rules that allow certain traffic. Using the firewall to lock everything down disables access to all services (including Windows sharing and remote logon using Secure Shell, or SSH) and enables advanced options such as the ability to block UDP ports and enable stealth mode.

You can use Apple’s System Preferences Sharing dialog box to easily start and stop the firewall or configure the firewall to allow file sharing and remote logon services. However, Apple's built-in firewall management software doesn't let you configure rules at a granular level. For example, you might be connected to a hostile network and want to ensure your host is completely protected from outside traffic, or you might want to allow access to services from specific addresses or on specific interfaces. This is where Flying Buttress comes in: you can use it to protect your computer from any type of network access.

Flying Buttress Basics
Flying Buttress lets you configure rules for each interface. For example, you could permit remote SSH access (i.e., remote access that uses SSH) across your Ethernet cable connection but not across your wireless AirPort Express connection or your VPN connection. Flying Buttress includes utilities to view the firewall logs and metrics of your filters, making it easier to see the activity on your network interfaces.

Flying Buttress also provides a GUI to help you create rules. You can click the Expert button within Flying Buttress to configure your rules using the direct ipfw commands. Even if you use the Flying Buttress GUI to create your rules, you can click Expert to see the ipfw commands that Flying Buttress created based on your GUI configuration.
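
The per-interface SSH policy described above, written as direct ipfw commands. This is an added example, not output from Flying Buttress or code from the article. The interface names (en0 for Ethernet, en1 for AirPort, ppp0 for a VPN) and the rule numbers are assumptions. The function only prints the commands so they can be reviewed before being run as root.

```sh
#!/bin/sh
# Added example. Interface names and rule numbers are assumptions;
# check yours with `ifconfig` and `ipfw list` before applying anything.

# valid_if NAME: accept only names such as en0, en1, ppp0, so nothing
# unexpected ends up in a command line that will later run as root.
valid_if() {
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ssh_rules ALLOW_IF DENY_IF...: print one ipfw command per line.
ssh_rules() {
    allow_if=$1
    shift
    valid_if "$allow_if" || { echo "bad interface: $allow_if" >&2; return 1; }
    num=1000
    # Match only the opening SYN; keep-state lets the rest of the session through.
    echo "ipfw add $num allow tcp from any to me dst-port 22 in via $allow_if setup keep-state"
    for ifc in "$@"; do
        valid_if "$ifc" || { echo "bad interface: $ifc" >&2; return 1; }
        num=$((num + 10))
        # 'log' asks ipfw to record blocked attempts in the firewall log.
        echo "ipfw add $num deny log tcp from any to me dst-port 22 in via $ifc"
    done
}

# Print the commands for review: SSH allowed on Ethernet only.
ssh_rules en0 en1 ppp0
```

ipfw evaluates rules in ascending number order and stops at the first match, so these numbers have to sit below any broader allow rule already in the list.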

Installing Flying Buttress
You can install Flying Buttress by downloading it from developer Brian Hill's Web site (personalpages.tds.net/~brian_hill/flyingbuttress.html) and mounting the disk image (.dmg) file. Copy the Flying Buttress program from the mount to a location on your hard drive, such as the Applications or Applications/Utilities folder. Then, unmount the volume and run the program from your hard drive. (Because it’s a disk image, Mac OS X mounts it as a drive; as long as it's mounted, you can generally run an application from it without installing it on your drive. When you "eject" the .dmg, it no longer shows as a drive, but the file is still on your disk.) I recommend keeping the .dmg file around, as the author includes an uninstall program as well.

Using Flying Buttress
When you first run the program, a wizard asks how you connect to the Internet and which services you wish to share, such as allowing users to connect to a Web server that you host. You can also install a startup script that will configure ipfw each time you restart your computer. Figure 2 shows the Flying Buttress UI with rules displayed that apply to the AirPort wireless connection interface—a green Allow icon confirms that WWW and WWW SSL are allowed from the Internet to the host computer on TCP 80 and TCP 443, respectively. You can also see each of the network interfaces on the computer and create specific rules for other interfaces.

Creating new rules is a snap: just select the interface you wish to filter, click Add Filter, and enter the typical details about the service, such as the source address, destination address, and protocol type. Although the developer of Flying Buttress has done a good job of keeping the configuration simple, previous firewall experience is still helpful to understand the basics of creating an effective group of firewall rules.

Like the built-in firewall, in its default configuration Flying Buttress leaves some ports open. For example, you’ll still be able to ping your computer. Click the Advanced button, and you can disallow what Flying Buttress calls “important protocols,” including ICMP, Network Time Protocol (NTP), and FTP data port traffic.

Other features of Flying Buttress include an IP Sharing feature (similar to Internet Connection Sharing in Windows), which lets you share one Internet connection among several computers and use Flying Buttress to regulate available services to the connected computers. The Firewall Monitor feature shows you the status of your configured filters, including the amount of network traffic that’s been processed by a filter and the last time that a filter was used, which can be useful for identifying spurious rules or specific traffic patterns. For example, you could create a “deny” filter for known Trojan horse programs or specific malware activity—seeing any hits against that rule might indicate that you’re under attack.
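
The same check the Firewall Monitor performs can be done from the command line against ipfw's own counters. The following is an added example, not part of Flying Buttress or the original article. It assumes the plain `ipfw show` layout (rule number, packet count, byte count, rule) without the timestamp option, and the sample output, including the placeholder port 12345, is constructed.

```sh
#!/bin/sh
# Added example. SAMPLE is constructed output in the `ipfw show` layout:
# rule number, packet count, byte count, then the rule itself.
SAMPLE='01000   42   3360 allow tcp from any to me dst-port 22 in via en0 setup keep-state
01010    3    180 deny log tcp from any to me dst-port 22 in via en1
01020    0      0 deny log tcp from any to me dst-port 22 in via ppp0
02000    0      0 allow tcp from any to me dst-port 8080 in
02500   17   1020 deny log tcp from any to me dst-port 12345 in
65535 9001 720000 allow ip from any to any'

# deny_hits: blocking rules that have matched at least one packet.
# Reads `ipfw show` output on stdin.
deny_hits() {
    awk '$2 ~ /^[0-9]+$/ && $2 > 0 && ($4 == "deny" || $4 == "reject" || $4 == "unreach") {
        printf "%s %s packets:", $1, $2
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }'
}

# idle_allows: allow rules that have never matched a packet; these are
# candidates for review as spurious rules. Prints rule numbers only.
idle_allows() {
    awk '$2 ~ /^[0-9]+$/ && $2 == 0 && ($4 == "allow" || $4 == "accept" || $4 == "pass" || $4 == "permit") { print $1 }'
}

echo "Deny rules with hits:"
printf '%s\n' "$SAMPLE" | deny_hits
echo "Allow rules never used:"
printf '%s\n' "$SAMPLE" | idle_allows
```

On a live system the input would come from `sudo ipfw show | deny_hits`; counters accumulate until they are cleared with `ipfw zero`.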

Flying Buttress isn’t a complete host firewall like Check Point Software Technologies' ZoneAlarm or Symantec Norton Internet Security for Windows machines. Instead, it’s a rule interpreter for the built-in ipfw firewall, and it provides quick access to firewall log data. If you'd like to avoid using the command line, or if you just want a quick way to create a few firewall rules for your Mac, check out Flying Buttress—I think you’ll be pleased.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.