Sample Firewall Rules For Mac OS X

[Mac:~] damien% sudo ipfw list
Password:
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 22 in
12190 deny tcp from any to any
65535 allow ip from any to any
[Mac:~]

[Mac:~] damien% sudo ipfw list
Password:
01000 allow ip from any to any via lo0
01002 allow tcp from any to any established
01003 allow ip from any to any frag
01004 allow icmp from any to any icmptype 3,4,11,12
02000 allow udp from any 67-68 to any 67-68 via en0
02001 allow ip from any to 255.255.255.255 via en0
02002 unreach host log ip from any to any via en0 ipopt ssrr,lsrr
02003 allow udp from any 123 to any 1024-65535 via en0
02004 allow icmp from any to any via en0
02005 allow tcp from any 20-21 to any 1024-65535 in recv en0
02006 allow udp from any 1024-65535 to any 53 out xmit en0
02007 allow udp from any 53 to any 1024-65535 in recv en0
02008 allow tcp from 192.168.0.2 to any 1-1023 in recv en0
02008 allow tcp from any 1-1023 to 192.168.0.2 out xmit en0
02009 allow udp from 192.168.0.2 to any 1-1023 in recv en0
02009 allow udp from any 1-1023 to 192.168.0.2 out xmit en0
02010 allow tcp from 192.168.0.2 to any 20-21 in recv en0
02010 allow tcp from any 20-21 to 192.168.0.2 out xmit en0
02011 allow tcp from 192.168.0.2 to any 22 in recv en0
02011 allow tcp from any 22 to 192.168.0.2 out xmit en0
02012 allow tcp from 192.168.0.0/24 to any 80 in recv en0
02012 allow tcp from any 80 to 192.168.0.0/24 out xmit en0
02013 allow tcp from 192.168.0.2 to any 137-139 in recv en0
02013 allow tcp from any 137-139 to 192.168.0.2 out xmit en0
02014 allow udp from 192.168.0.2 to any 137-139 in recv en0
02014 allow udp from any 137-139 to 192.168.0.2 out xmit en0
02015 allow tcp from 192.168.0.2 to any 600-1000,111,2049 in recv en0
02015 allow tcp from any 600-1000,111,2049 to 192.168.0.2 out xmit en0
02016 allow tcp from any to 192.168.0.0/24 6000 out xmit en0
02016 allow tcp from 192.168.0.0/24 6000 to any in recv en0
02017 deny log tcp from any to any 1-1023 in recv en0
02018 deny log udp from any to any 1-1023 in recv en0
02019 deny log tcp from any to any 1524 in recv en0
02020 deny log tcp from any to any 12345 in recv en0
02021 deny log udp from any to any 10067 in recv en0
02022 deny log tcp from any to any 12361 in recv en0
02023 deny log udp from any to any 31337 in recv en0
02024 deny log udp from any to any 31338 in recv en0
02025 deny log tcp from any to any 31337 in recv en0
02026 deny log udp from any to any 2140 in recv en0
02027 deny log udp from any to any 31785 in recv en0
02028 deny log tcp from any to any 31789,31791 in recv en0
02029 deny log tcp from any to any 21554 in recv en0
02030 deny log tcp from any to any 6969 in recv en0
02031 deny log tcp from any to any 23456 in recv en0
02032 deny log tcp from any to any 1243,6776 in recv en0
02033 deny log tcp from any to any 15104,12754 in recv en0
02034 deny log udp from any to any 600-1000,111,2049 in recv en0
02035 deny log udp from any to any 10498,6838 in recv en0
02036 deny log udp from any to any 31335 in recv en0
02037 deny log tcp from any to any 27665,27444 in recv en0
02038 deny log tcp from any to any 20432 in recv en0
02039 deny log udp from any to any 18753,20433 in recv en0
02040 allow tcp from 192.168.0.2 to any 1-1023 in recv en0
02040 allow tcp from any 1-1023 to 192.168.0.2 out xmit en0
02041 allow udp from 192.168.0.2 to any 1-1023 in recv en0
02041 allow udp from any 1-1023 to 192.168.0.2 out xmit en0
02042 allow tcp from 192.168.0.2 to any 20-21 in recv en0
02042 allow tcp from any 20-21 to 192.168.0.2 out xmit en0
02043 allow tcp from 192.168.0.2 to any 22 in recv en0
02043 allow tcp from any 22 to 192.168.0.2 out xmit en0
02044 allow tcp from 192.168.0.0/24 to any 80 in recv en0
02044 allow tcp from any 80 to 192.168.0.0/24 out xmit en0
02045 allow tcp from 192.168.0.2 to any 137-139 in recv en0
02045 allow tcp from any 137-139 to 192.168.0.2 out xmit en0
02046 allow tcp from 192.168.0.2 to any 600-1000,111,2049 in recv en0
02046 allow tcp from any 600-1000,111,2049 to 192.168.0.2 out xmit en0
02047 allow tcp from any to 192.168.0.0/24 6000 out xmit en0
02047 allow tcp from 192.168.0.0/24 6000 to any in recv en0
02048 allow udp from 192.168.0.2 to any 137-139 in recv en0
02048 allow udp from any 137-139 to 192.168.0.2 out xmit en0
03000 allow udp from any 67-68 to any 67-68 via ppp0
03001 allow ip from any to 255.255.255.255 via ppp0
03002 unreach host log ip from any to any via ppp0 ipopt ssrr,lsrr
03003 allow udp from any 123 to any 1024-65535 via ppp0
03004 allow icmp from any to any via ppp0
03005 allow tcp from any 20-21 to any 1024-65535 in recv ppp0
03006 allow udp from any 1024-65535 to any 53 out xmit ppp0
03007 allow udp from any 53 to any 1024-65535 in recv ppp0
04000 allow udp from any 67-68 to any 67-68 via ppp0
04001 allow ip from any to 255.255.255.255 via ppp0
04002 unreach host log ip from any to any via ppp0 ipopt ssrr,lsrr
04003 allow udp from any 123 to any 1024-65535 via ppp0
04004 allow icmp from any to any via ppp0
04005 allow tcp from any 20-21 to any 1024-65535 in recv ppp0
04006 allow udp from any 1024-65535 to any 53 out xmit ppp0
04007 allow udp from any 53 to any 1024-65535 in recv ppp0
05000 allow udp from any 67-68 to any 67-68 via en1
05001 allow ip from any to 255.255.255.255 via en1
05002 unreach host log ip from any to any via en1 ipopt ssrr,lsrr
05003 allow udp from any 123 to any 1024-65535 via en1
05004 allow icmp from any to any via en1
05005 allow tcp from any 20-21 to any 1024-65535 in recv en1
05006 allow udp from any 1024-65535 to any 53 out xmit en1
05007 allow udp from any 53 to any 1024-65535 in recv en1
52049 allow ip from any to any out xmit en0
52050 deny log ip from any to any in recv en0
53008 allow ip from any to any out xmit ppp0
53009 deny log ip from any to any in recv ppp0
54008 allow ip from any to any out xmit ppp0
54009 deny log ip from any to any in recv ppp0
55008 allow ip from any to any out xmit en1
55009 deny log ip from any to any in recv en1
65535 allow ip from any to any
[Mac:~] damien%
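Added example, not part of the page's listings: a Python check for shadowed rules in `ipfw list` output. ipfw is first-match, so in the second rule set an allow such as 02040 (a repeat of 02008) sits after 02017, which already denies all inbound tcp to ports 1-1023 on en0, and can never fire; the script parses a constructed excerpt of those lines and reports such dead allows. Assumptions: only the rule forms seen on this page are parsed, and a deny counts as shadowing only when its source and destination are both `any`.

```python
import re

# Rule grammar assumed here: the subset of ipfw syntax used in the listings above.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?\s+(?P<proto>\w+)\s+from\s+"
    r"(?P<src>\S+)(?:\s+[\d,-]+)?\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,-]+))?(?P<rest>.*)$")

def parse_ports(spec):
    """Expand '600-1000,111,2049' into a set of ports; None means any port."""
    if spec is None:
        return None
    ranges = [part.partition("-") for part in spec.split(",")]
    return {p for lo, _, hi in ranges for p in range(int(lo), int(hi or lo) + 1)}

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None  # rule forms not modelled here (unreach, icmptype, ...)
    rest = m.group("rest").split()  # e.g. ['in', 'recv', 'en0']
    iface = next((rest[i + 1] for i, t in enumerate(rest) if t in ("recv", "xmit", "via")), "any")
    return {"num": int(m.group("num")), "action": m.group("action"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "dport": parse_ports(m.group("dport")),
            "dir": next((t for t in rest if t in ("in", "out")), "both"), "iface": iface}

def covers(deny, allow):
    """True when the earlier `deny` matches every packet `allow` would match."""
    if deny["action"] != "deny" or allow["action"] != "allow":
        return False
    scope_ok = (deny["proto"] in (allow["proto"], "ip") and deny["src"] == "any" and deny["dst"] == "any"
                and deny["dir"] in (allow["dir"], "both") and deny["iface"] in (allow["iface"], "any"))
    ports_ok = deny["dport"] is None or (allow["dport"] is not None and allow["dport"] <= deny["dport"])
    return scope_ok and ports_ok

def shadowed_rules(lines):
    """Return (dead_allow_number, shadowing_deny_number) pairs in rule order."""
    rules = [r for r in map(parse_rule, lines) if r]
    dead = []
    for i, allow in enumerate(rules):
        deny = next((d for d in rules[:i] if covers(d, allow)), None)
        if deny:
            dead.append((allow["num"], deny["num"]))
    return dead

# Constructed excerpt of the second rule set above (en0 rules only).
SAMPLE = """\
02017 deny log tcp from any to any 1-1023 in recv en0
02040 allow tcp from 192.168.0.2 to any 1-1023 in recv en0
02043 allow tcp from 192.168.0.2 to any 22 in recv en0
52049 allow ip from any to any out xmit en0
""".splitlines()
```

Running `shadowed_rules(SAMPLE)` reports 02040 and 02043 as shadowed by 02017, while the outbound 52049 is untouched because the deny only matches inbound traffic.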