I had occasion recently to try and figure out how to use the Firewall built into Mac OS X to prevent a very bad-mannered “bot” from hitting one of my sites – at times at the rate of 10 hits per second, and 2 seconds later another 8-10 hits!!! So I needed to be able to block certain IP numbers, or ranges of IP numbers. Mac OS X comes with the FreeBSD firewall programme called IPFW. This is a very powerful feature that can be accessed from Terminal.

Some Googling later I came up with several helpful sites that got me up and running with this.

First, using the Apache server logs identify the IP number, or range of IP numbers you want to block. I used TextWrangler to open the log file and do some preliminary editing, and then imported that into FileMaker Pro to get only the log lines applicable to PiplBot (BAD ROBOT!!!!). Over the course of about 5 hours it used 84 different IP numbers as it hit away at one of my sites over 19,000 times.

So once I had a list of these numbers, I was able to break them down into a number of shorter lists that had the first 2 or 3 octets of the IP number the same. With this done, this site http://www.mikero.com/misc/ipcalc/ provides a VERY handy calculator that will take the starting and ending IP numbers in a range, and convert it to a range in the CIDR notation (very technical explanation here) which takes a range of numbers like

67.228.42.161, 67.228.42.162, 67.228.42.169, 67.228.42.174

which potentially covers 14 different numbers and converts it to 67.228.42.160/28, which represents 16 numbers without the need to list them all out. And similarly the range from 208.43.23.227 to 208.43.33.238 covers 2,572 addresses, and is represented by 208.43.0.0/18 – a range of 16,384 addresses.

So, armed with this knowledge and ability, I’m now able to understand the instructions on this page http://www.dancatts.com/articles/dealing-with-bad-bots-at-the-firewall-level.php and this page http://www.ibiblio.org/macsupport/ipfw/ which in their simplest form are saying that you can use Terminal with this instruction

sudo /sbin/ipfw add 02010 deny ip from 67.228.42.160/28 to any in

to add a block into the Firewall for the range of numbers 67.228.42.160/28. You can see the current status of your ipfw with this Terminal command

sudo /sbin/ipfw list

which will return a list in this form

02010 deny ip from 74.86.25.192/28 to any in
02020 deny ip from 67.228.42.160/27 to any in
02030 deny ip from 74.86.0.0/16 to any in
02040 deny ip from 75.126.0.0/16 to any in
02050 deny ip from 174.36.22.0/24 to any in
65535 allow ip from any to any
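As an added example (not code from the original post or from ipfw/WaterRoof), the following Python script does the two things described above: it converts a start/end pair into the single covering CIDR block the linked calculator produces (and, as a safer alternative, the exact set of blocks that covers only that range), and it renders the numbered ipfw deny rules in the form shown in the listing. The function names and the 02010/02020 numbering scheme are assumptions matching the post's style; the sample ranges are the ones discussed above.

```python
import ipaddress

def covering_block(first, last):
    """Smallest single CIDR block containing both ends of the range (what the
    calculator linked in the post returns). It may include addresses that never
    appeared in the log: 67.228.42.160/28 holds 16 addresses, while the bot only
    used 4 of them, so check the block is not shared with legitimate visitors."""
    a, b = sorted(int(ipaddress.IPv4Address(x)) for x in (first, last))
    prefix = 32
    # Shorten the prefix until both addresses share the same network bits.
    while (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    return ipaddress.ip_network((a, prefix), strict=False)

def exact_blocks(first, last):
    """Minimal list of CIDR blocks covering exactly first..last and nothing
    else, so neighbouring hosts outside the range are not blocked."""
    lo, hi = sorted(ipaddress.IPv4Address(x) for x in (first, last))
    return list(ipaddress.summarize_address_range(lo, hi))

def range_size(first, last):
    """Number of addresses between first and last, inclusive."""
    lo, hi = sorted(int(ipaddress.IPv4Address(x)) for x in (first, last))
    return hi - lo + 1

def ipfw_deny_commands(networks, start=2010, step=10):
    """One `ipfw add` command per block, numbered 02010, 02020, ... as in the
    post. ipfw evaluates rules in number order; these all sit below the final
    65535 allow rule, so matching traffic is denied before it is allowed."""
    return [
        f"sudo /sbin/ipfw add {start + i * step:05d} deny ip from {net} to any in"
        for i, net in enumerate(networks)
    ]

def is_blocked(ip, networks):
    """Would this address match one of the deny blocks?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample: the two ranges discussed in the post.
    bot_ranges = [("67.228.42.161", "67.228.42.174"),
                  ("208.43.23.227", "208.43.33.238")]
    blocks = [covering_block(a, b) for a, b in bot_ranges]
    for cmd in ipfw_deny_commands(blocks):
        print(cmd)
```

Compare `covering_block` with `exact_blocks` before adding a rule: the former is one rule but may catch addresses the bot never used, the latter is several rules but blocks only the observed range.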

Changes made by Terminal only last as long as your Macintosh is running – they are not saved to be used on a Restart unless you write a startup script to do this. This site http://www.ibiblio.org/macsupport/ipfw/ provides details on this, including a number of sample scripts, but frankly this was way over my head, so I turned to MacUpdate to see if there was an application that would do this via a GUI (Graphical User Interface). I found several, and settled on WaterRoof by Hany El Imam. This allows you to define the rules you want to implement, and then takes care of creating the script that will activate these rules each time your Macintosh is started up.

WaterRoof Screen Shot

This seems much easier to deal with 🙂

So for now PiplBot is banned, even though they seem to be honouring their statement that they would remove all of my sites from their list of sites to crawl.

I hope this helps someone else – I’ve written it partly to help me remember what I did, but also to help others.

  8 Responses to “Mac OS X ipfw Firewall”

  1. Very cool feature for monitoring ipfw. Is there a way to manage MAC addresses as well … so that I can configure my w-lan OSX internet-sharing with a MAC-filter.

    cheers

  2. I don’t see any reference in the WaterRoof Manual to being able to control MAC Address.

  3. I found this article whilst googling for an answer to how to ban ip ranges with MacOSX. I found it helpful but … I’m using OSX 10.6.8 and recently started using WaterProof 3.6. I added the rule
    deny ip from xxx.xxx.xxx.0/24 to me
    and despite saving to Boot, this does not seem to work. Banning individual ip addresses works fine. Unfortunately WaterProof does not have any support forums. Do you or anybody else have any advice on how to ban a sub-range in OSX10.6?

  4. uh, I meant WaterRoof, not WaterProof.

    In effect, for WaterRoof 3.6 the code is:

    /sbin/ipfw add 34210 deny ip from xxx.xxx.xxx.0/24 to me

    Rule Translator:
    Block every incoming ip connection from host xxx.xxx.xxx.0/24 to me through all interfaces.

  5. Sorry I don’t know what the problem might be – assuming you’re using actual numbers and not xxx.xxx.xxx

    At the time I wrote this, it did work to block a range of IP numbers, but that Bad Robot I was after has since tidied itself up, and so I only have a few single rules in place now, and no ranges. One of them looks like this

    deny log ip from 82.228.250.163 to any

    Roger

  6. Not sure why it was not working earlier, despite reboot. But the sub-range ban does now work as of today. Thank you very much for responding to my issue. 🙂

    Yes I know a lil’ about BOTs. That’s what I am blocking out. 😀 And no, these are not the friendly kind you can negotiate with like your average search-bot. These ones have poison spikes at the tips of their spears in the shape of virus/malware. 😀 Thank you USA Government for turning a blind eye to this. Long story but I will not pollute your very healthy topic with the details. 🙂

    And btw there are some infamous Chinese bots that do not respect the typical bot instructions on how to behave. These bots are also renowned for site theft of content to post elsewhere for commercial reasons, even when it has been strongly stated the content is copyright.

  7. And I should have also said, the particular Chinese bots in question will also ping very fast and try to dig very deep, much deeper than your average bot. So much so that if you encounter them, they will affect the performance of your site slowing it down considerably. I found a cute answer to handle them. 😀

  8. Before you set the rules that should come into effect after a reboot, make sure you set the script! There is a script to activate the rules at boot time in one of the menus. Once installed, click the ‘boot’ button in WaterRoof.

© 2000 – 2017 Roger’s Ramblings Powered by WordPress Suffusion theme by Sayontan Sinha