Nov 21 2009

I had occasion recently to try and figure out how to use the Firewall built into Mac OS X to prevent a very bad mannered “bot” from hitting one of my sites – at times at the rate of 10 hits per second, and 2 seconds later another 8-10 hits!!! So I needed to be able to block certain IP numbers, or ranges of IP numbers. Mac OS X comes with the FreeBSD firewall programme called IPFW. This is a very powerful feature that can be accessed from Terminal.

Some Googling later I came up with several helpful sites that got me up and running with this.

First, using the Apache server logs identify the IP number, or range of IP numbers you want to block. I used TextWrangler to open the log file and do some preliminary editing, and then imported that into FileMaker Pro to get only the log lines applicable to PiplBot (BAD ROBOT!!!!). Over the course of about 5 hours it used 84 different IP numbers as it hit away at one of my sites over 19,000 times.

So once I had a list of these numbers, I was able to break them down into a number of shorter lists that had the first 2 or 3 octets of the IP number the same. With this done, this site provides a VERY handy calculator that will take the starting and ending IP numbers in a range, and convert it to a range in the CIDR notation (very technical explanation here) which takes a range of numbers like


which potentially covers 14 different numbers and converts it to which represents 16 numbers without the need to list them all out. And similarly the range from to covers 2,572 addresses, and is represented by – a range of 16,384 addresses.
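As an added example (not from the original post or the calculator it links to), the conversion described above can be reproduced with Python's standard `ipaddress` module. A single covering block keeps only the leading bits that the start and end addresses share, which is why 14 addresses become a /28 of 16 and 2,572 addresses can become a /18 of 16,384; the exact cover of the same range is a list of smaller blocks. The addresses used here are constructed sample ranges, chosen so the sizes match the figures in the post.

```python
import ipaddress


def covering_block(start: str, end: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every address from start to end.

    Keeps the leading bits both ends share and zeroes the rest, so the block
    can be larger than the range itself (14 addresses -> a /28 of 16).
    """
    a = int(ipaddress.IPv4Address(start))
    b = int(ipaddress.IPv4Address(end))
    if a > b:
        raise ValueError("start must not be above end")
    prefix = 32
    # Shorten the prefix until both ends agree on all remaining leading bits.
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    network_int = (a >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(network_int)}/{prefix}")


def exact_blocks(start: str, end: str) -> list:
    """Minimal list of CIDR blocks covering exactly start..end and nothing else."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def overblock(start: str, end: str) -> int:
    """Addresses outside the range that a single covering block would also deny."""
    span = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
    return covering_block(start, end).num_addresses - span


if __name__ == "__main__":
    # Constructed ranges: 14 addresses, then 2,572 addresses straddling a /19 boundary.
    for start, end in [("203.0.113.1", "203.0.113.14"), ("198.18.30.0", "198.18.40.11")]:
        block = covering_block(start, end)
        print(f"{start} - {end}: one block {block} ({block.num_addresses} addresses, "
              f"{overblock(start, end)} extra); exact cover: "
              + ", ".join(str(n) for n in exact_blocks(start, end)))
```

The `overblock` figure is the check worth looking at before adding a rule: a single block is convenient, but every extra address it includes is a legitimate visitor that will also be denied, so for a wide range the exact cover (one `ipfw add` per block) is the safer choice.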

So, armed with this knowledge and ability, I’m now able to understand the instructions on this page and this page which in their simplest form are saying that you can use Terminal with this instruction

[code]sudo /sbin/ipfw add 02010 deny ip from to any in[/code]

to add a block into the Firewall for the range of numbers. You can see the current status of your ipfw with this Terminal command

[code]sudo /sbin/ipfw list[/code]

which will return a list in this form

[code]02010 deny ip from to any in
02020 deny ip from to any in
02030 deny ip from to any in
02040 deny ip from to any in
02050 deny ip from to any in
65535 allow ip from any to any[/code]
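The whole workflow above (pick the bot's lines out of the Apache log, count hits per IP, group the addresses by their shared leading octets, then write one `ipfw add` rule per group using the post's 02010, 02020, ... numbering) can be scripted. This is an added example in Python, not code from the post, TextWrangler, FileMaker or ipfw itself; the log lines are constructed samples in Apache's combined format, the user-agent string is a made-up placeholder, and the /24 grouping and the hit threshold are assumptions you would tune to what your own log shows. It only prints the commands; nothing is applied to the firewall.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log; the bot user-agent is a placeholder, not the real one.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2009:14:02:11 +1100] "GET / HTTP/1.1" 200 5120 "-" "PiplBot (constructed sample)"
203.0.113.9 - - [21/Nov/2009:14:02:11 +1100] "GET /about.html HTTP/1.1" 200 2048 "-" "PiplBot (constructed sample)"
203.0.113.9 - - [21/Nov/2009:14:02:12 +1100] "GET /contact.html HTTP/1.1" 200 1024 "-" "PiplBot (constructed sample)"
198.51.100.77 - - [21/Nov/2009:14:02:13 +1100] "GET /gallery/ HTTP/1.1" 200 9000 "-" "PiplBot (constructed sample)"
192.0.2.44 - - [21/Nov/2009:14:02:14 +1100] "GET / HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (constructed browser)"
203.0.113.200 - - [21/Nov/2009:14:02:15 +1100] "GET /feed/ HTTP/1.1" 200 700 "-" "PiplBot (constructed sample)"
"""


def bot_hits(log_text: str, marker: str = "PiplBot") -> Counter:
    """Count requests per client IP whose user-agent contains the marker."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and marker in m.group("agent"):
            hits[m.group("ip")] += 1
    return hits


def group_by_prefix(hits: Counter, prefixlen: int = 24) -> dict:
    """Group offending IPs into networks that share their first prefixlen bits.

    prefixlen=24 is the 'first three octets the same' grouping from the post.
    """
    groups = defaultdict(Counter)
    for ip, n in hits.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net][ip] += n
    return dict(groups)


def ipfw_commands(groups: dict, first_rule: int = 2010, step: int = 10,
                  min_hits: int = 1) -> list:
    """One 'deny ... in' rule per group, numbered 02010, 02020, ... as in the post.

    min_hits keeps a single stray request from blocking a whole network.
    """
    cmds = []
    rule = first_rule
    for net in sorted(groups):
        if sum(groups[net].values()) < min_hits:
            continue
        cmds.append(f"sudo /sbin/ipfw add {rule:05d} deny ip from {net} to any in")
        rule += step
    return cmds


def startup_script(commands: list) -> str:
    """Render the rules as a root-run shell script (assumed approach).

    Rules added in Terminal vanish at reboot, so something has to replay them.
    """
    body = "\n".join(c.replace("sudo ", "", 1) for c in commands)
    return "#!/bin/sh\n" + body + "\n"


if __name__ == "__main__":
    hits = bot_hits(SAMPLE_LOG)
    groups = group_by_prefix(hits)
    for net in sorted(groups):
        print(f"{net}: {sum(groups[net].values())} hits from {len(groups[net])} addresses")
    for cmd in ipfw_commands(groups, min_hits=2):
        print(cmd)
```

Review the grouped counts before pasting the commands into Terminal: with `min_hits=2` the constructed sample blocks only the /24 that produced four hits, and the network with a single hit is left alone, which is the trade-off to keep in mind whenever a range rather than a single address is denied.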

Changes made by Terminal only last as long as your Macintosh is running – they are not saved to be used on a Restart unless you write a startup script to do this. This site provides details on this, including a number of sample scripts, but frankly this was way over my head, so I turned to MacUpdate to see if there was an application that would do this via a GUI (Graphical User Interface). I found several, and settled on WaterRoof by Hany El Imam. This allows you to define the rules you want to implement, and then takes care of creating the script that will activate these rules each time your Macintosh is started up.

WaterRoof Screen Shot

This seems much easier to deal with 🙂

So for now PiplBot is banned, even though they seem to be honouring their statement that they would remove all of my sites from their list of sites to crawl.

I hope this helps someone else – I’ve written it partly to help me remember what I did, but also to help others.

 Posted by at 10:42 pm

  8 Responses to “Mac OS X ipfw Firewall”


    Before you set the rules that should come into effect after a reboot, make sure you set the script! There is a script to activate the rules at boot time in one of the menus. Once installed, click the ‘boot’ button in WaterRoof.


    And I should have also said, the particular Chinese bots in question will also ping very fast and try to dig very deep, much deeper than your average bot. So much so that if you encounter them, they will affect the performance of your site slowing it down considerably. I found a cute answer to handle them. 😀


    Not sure why it was not working earlier, despite reboot. But the sub-range ban does now work as of today. Thank you very much for responding to my issue. 🙂

    Yes I know a lil’ about BOTs. That’s what I am blocking out. 😀 And no, these are not the friendly kind you can negotiate with like your average search-bot. These ones have poison spikes at the tips of their spears in the shape of virus/malware. 😀 Thank you USA Government for turning a blind eye to this. Long story but I will not pollute your very healthy topic with the details. 🙂

    And btw there are some infamous Chinese bots that do not respect the typical bot instructions on how to behave. These bots are also renowned for site theft of content to post elsewhere for commercial reasons, even when it has been strongly stated the content is copyright.


    uh, I meant WaterRoof, not WaterProof.

    In effect, for WaterRoof 3.6 the code is:

    /sbin/ipfw add 34210 deny ip from to me

    Rule Translator:
    Block every incoming ip connection from host to me through all interfaces.


      Sorry I don’t know what the problem might be – assuming you’re using actual numbers and not

      At the time I wrote this, it did work to block a range of IP numbers, but that Bad Robot I was after has since tidied itself up, and so I only have a few single rules in place now, and no ranges. One of them looks like this

      deny log ip from to any



    I found this article whilst googling for an answer to how to ban ip ranges with MacOSX. I found it helpful but … I’m using OSX 10.6.8 and recently started using WaterProof 3.6. I added the rule
    deny ip from to me
    and despite saving to Boot, this does not seem to work. Banning individual ip addresses works fine. Unfortunately WaterProof does not have any support forums. Do you or anybody else have any advice on how to ban a sub-range in OSX10.6?


    Very cool feature for monitoring ipfw. Is there a way to manage MAC addresses as well … so that I can configure my w-lan OSX internet-sharing with a MAC-filter.

