Firewall Document Window

This section provides a description of the controls in the firewall document window. When you launch IPNetSentryX (IPNetRouterX) without opening a previously saved settings document, a firewall document appears containing your system settings (/Library/Preferences/com.sustworks.IPNetRouterX.ipnr).

It may seem odd at first to think of your firewall settings as both a configuration of the network stack and as a document on your hard drive. A firewall document is simply a snapshot of firewall settings that you can restore at a later time.

Maintaining firewall settings in editable documents offers some additional flexibility compared to the common embedded database approach:

  1. You can backup your firewall settings like any other document and share them easily with other computers.
  2. You can have more than one collection of firewall settings and easily switch between them.
  3. You can edit your firewall settings off-line without affecting the network state of the machine.

The important thing to remember is that the settings in any firewall document do not become active until you “Apply” them. Once you apply them, your firewall document mirrors the active settings in the network kernel.

General Firewall Controls

The “Apply” button in the lower right corner of the document window downloads the firewall settings in the document to a Mac OS X Network Kernel Extension (NKE) that performs the actual packet filtering. The “Show Active” button uploads the settings from the NKE and displays them in the current document. If you want to see the current network settings without changing the document you are editing, you can select “Expert View” from the tool menu to open a new document and upload the current settings.

The "IPNetSentry On" or "IPNetRouter On" check box in the upper right corner is the master ON/OFF switch for all packet filtering. Enabling the firewall actually inserts the Network Kernel Extension (NKE) that performs packet filtering in the data link layer for the selected interfaces under the Interfaces Tab. When the firewall is disabled, the NKE is removed from the network stack so has no affect what so ever on the network behavior of the machine.

In Mac OS X technical terms, the NKE is inserted as a DLIL (Data Link Interface Layer) Interface Filter which puts it directly above the corresponding device driver. This means the NKE has full access to both Classic and Mac OS X native packets for all “network” protocols including any link layer header (MAC addresses).

A status field along the bottom of the document window provides feedback to confirm firewall operations such as applying filter rules or enabling the firewall.

The disclosure triangle at the lower left of the window serves to show or hide the log drawer.

Saving your Settings

Once you have modified your configuration as desired, you should save it for future use. You can save (and backup) firewall configurations like any other document from the File menu and then open them later from the Finder. If the “IPNetSentry On” check box is selected when you save your settings, opening this document from the Finder will automatically apply your settings and enable the firewall. You can place a saved firewall configuration document in your Login Items folder to invoke those firewall settings each time that user logs in.

The Filters Tab

The Filters tab shows the firewall rules for the current document in outline or hierarchical form. Use the disclosure triangles along the left side of the outline to examine any rules in more detail. Option-Expand will expand all the rules beneath a single item.

The Parameter popup at the top right allows you to see firewall rules in action by selecting what is displayed in the parameter column. “Parameter” allows you to see and edit the parameter value for each rule if any. “Match Count” shows the number of packets that have matched each rule updated once each second. “Byte Count” shows the total number of bytes from all matching packets for each rule. “Last Time” shows the last time a packet matching that rule was detected.

The buttons along the top left are used for editing firewall rules.

The "Test" button attempts to open a URL using your preferred web browser to access a web based firewall tester. The instructions and controls on this web page allow you to confirm basic operation of your firewall by attempting to probe your system to show how the firewall detects and notifies you of such intrusion attempts. In order to test your firewall, the server needs the external IP address of your machine which the test button determines from the IP interfaces listed under the Interfaces Tab (Filters & External) and includes this address in the URL.

The "Defaults" button restores the default firewall configuration in the currend editing window.


To edit individual rules, FIRST select the corresponding row, and THEN select the desired value from the popup menu or double click in the desired column to enter a new value directly. If you click a popup button directly before selecting that row, the popup may still display values for the previously selected row.

To create a new rule, select the rule immediately before the rule you want to add and then select whether you want to add your new rule as a sibling or child using the disclosure triangle by this rule (if present) or to the right of the new button above. When an item is expanded, new rules will be added or pasted as children. When you add or remove children, the first existing child will be raised or lowered in the hierarchy accordingly. To insert or paste rules before an existing rule, press and hold the option key as you click on New or paste any rules you have copied.

You can copy and paste any contiguous selection of rules. If a parent rule is not expanded, copying that rule will include all of its children. If a rule is expanded, only the selected children will be copied. Copied rules are represented in plain text as NeXT style property lists, so you can paste them into any word processing document for future reference. Notice some rules in the default configuration are disabled. You can easily turn individual firewall rules on or off to experiment or satisfy more advanced requirements using the check box in the left column. Unchecking a parent will disable all its children even if they are still checked.

Use the Delete button to remove the selected rules from the outline.

See “Getting Started” for more information on editing the default configuration.

The Interfaces Tab

The Interfaces tab lists the current IP interfaces of the machine as read using the System Configuration Framework and BSD subsystem. Normally these should correspond to the interfaces configured under the Network Preferences Panel. The Interface ID and IP address are displayed as read only.The “Filters” column allows you to select whether packets on this IP interface should be matched and filtered using the firewall rules. The default firewall configuration filters on the first External or other interface available.

The “External” column allows you to specify which IP interfaces are directly connected to the public Internet. Currently this is used for determining the IP address for external firewall testing. In IPNetRouterX this is used to configure internet sharing. The default configuration designates the first interface listed in the Network Preferences panel as an external interface.

The "Bridge" column allows you to enable Ethernet Bridging between any Ethernet compatible interfaces selected.

Triggered Tab

The Triggered tab displays the triggered address table maintained as dynamic state by the packet filter when an undesirable access attempt is detected. Subsequent access from the host with this IP address is banned for a specified interval to prevent Internet vandals (or the terminally curious) from probing and analyzing your system for possible attack.

You can select and delete individual entries that were unintentionally triggered, and specify the expiration interval in seconds before inactive entries are removed.

You may also wish to obtain more information about the source of possible network attacks or probes. Pressing “Who Is” or “Trace” tries to invoke a corresponding URL with the IP address from the first selected row. If you have IPNetMonitorX or a similar helper application on your system, it should launch the corresponding tool to provide further information.

Tip: If the “Who Is” or “Trace” button launch a different application from the one desired, you can use the More Internet Pref panel <> to examine or change the mapping of URL schemes to helper applications. Alternatively, you can examine ~/library/preferences/ to remove the previous mapping and then launch the desired application to register a new one.

If you have comments or suggestions you can contact us at:

info "at" sustworks "dot" com

Copyright 2003-2004 Sustainable Softworks Inc.

Previous | Next | Return to IPNetSentryX Help