2014/03/03

OS X 10.9.2: install-my-ipfw

A rule set that makes the computer "unable" to connect to the network from the moment it is powered on.

OS X 10.9.2: Disable AirDrop
http://midorex.blogspot.com/2014/03/os-x-1092-disable-airdrop.html

sudo ipfw -q add reject udp from any to me dst-port 5353


The reason is that I want this rule to take effect the moment the machine is powered on.
In this state, however, the machine cannot reach the network at all, so if you want to connect to the network after booting,
you need to prepare a "separate" rule set from the one below.

# install-my-ipfw.sh

#!/bin/bash
# OS X 10.9.2
# Run from the directory that holds rc.firewall and myfirewall.plist (both shown below).

# -p: do not fail if /usr/local or /usr/local/sbin already exists.
sudo mkdir -p /usr/local
sudo chmod 755 /usr/local
sudo mkdir -p /usr/local/sbin
sudo chmod 755 /usr/local/sbin

# The firewall script must be executable by root (755); launchd refuses to load a
# LaunchDaemons plist that is writable by group or others, hence 644.
sudo cp rc.firewall /usr/local/sbin/
sudo chmod 755 /usr/local/sbin/rc.firewall
sudo cp myfirewall.plist /Library/LaunchDaemons/
sudo chmod 644 /Library/LaunchDaemons/myfirewall.plist


# myfirewall.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.firewall</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/sbin/rc.firewall</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>UserName</key>
        <string>root</string>
    </dict>
</plist>


# rc.firewall

#!/bin/bash
fw=/sbin/ipfw
fq="/sbin/ipfw -q"

# Start from an empty rule set; -f skips the interactive confirmation.
$fw -f flush
# ipfw evaluates rules first-match, so loopback must be allowed before any reject rule.
$fq add allow ip from any to any via lo0
# Reject packets that claim a loopback source or destination but arrive on a real interface.
$fq add reject log ip from 127.0.0.0/8 to any in
$fq add reject log ip from any to 127.0.0.0/8 in

# Reject (and log) all ICMP, UDP and TCP in both directions.
$fq add reject log icmp from any to any
$fq add reject log udp from any to any
$fq add reject log tcp from any to any

# Reject all IPv6 (the second rule is already covered by the first; kept as written).
$fq add reject ipv6 from any to any
$fq add reject ipv6 from any to any in

# Inbound catch-all: the udp/tcp rules repeat the ones above; rule 65534 denies any
# remaining inbound IPv4 protocol just before ipfw's built-in rule 65535.
$fq add reject log udp from any to any in
$fq add reject log tcp from any to any in
$fq add 65534 deny log ip from any to any in

# Reference
# Haught.org :: Articles :: OSX Firewall
# https://www.haught.org/article/osx-firewall/

$ chmod 700 install-my-ipfw.sh
$ sudo ./install-my-ipfw.sh
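Because ipfw stops at the first matching rule, the order in rc.firewall matters: the lo0 allow must come before the rejects, and the AirDrop/mDNS rule only has an effect if it sits before the blanket udp reject. The following first-match evaluator is an added example, not code from the original post; it models a simplified subset of ipfw syntax, treats `me` as a single local address (an assumption; real ipfw matches every local address), and assumes unnumbered rules get consecutive numbers in insertion order.

```python
import ipaddress

# Constructed input: rc.firewall's rules above plus the mDNS rule from the top of the
# post, in insertion order (ipfw numbers them in that order and uses first match).
RULES = [
    "allow ip from any to any via lo0",
    "reject log ip from 127.0.0.0/8 to any in",
    "reject log ip from any to 127.0.0.0/8 in",
    "reject udp from any to me dst-port 5353",
    "reject log icmp from any to any",
    "reject log udp from any to any",
    "reject log tcp from any to any",
    "deny log ip from any to any in",
]

def parse_rule(text):
    """Parse the small ipfw subset this page uses; 'log' is skipped (no match effect)."""
    tok = text.split()
    i = 2 if tok[1] == "log" else 1
    rule = {"action": tok[0], "proto": tok[i], "src": tok[i + 2], "dst": tok[i + 4],
            "dir": None, "via": None, "dst_port": None}
    i += 5
    while i < len(tok):                     # optional trailing options
        if tok[i] in ("in", "out"):
            rule["dir"], i = tok[i], i + 1
        elif tok[i] in ("via", "dst-port"):
            key = "via" if tok[i] == "via" else "dst_port"
            rule[key], i = tok[i + 1], i + 2
        else:
            raise ValueError("unsupported ipfw option: " + tok[i])
    return rule

def addr_matches(spec, addr, me):
    """'me' is simplified here to a single local address (real ipfw matches all of them)."""
    if spec in ("any", "me"):
        return spec == "any" or addr == me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(packet, me, rules=RULES):
    """Return (rule_number, action) of the first rule matching the packet dict."""
    for number, r in enumerate(map(parse_rule, rules), 1):
        if r["proto"] not in ("ip", packet["proto"]) \
                or (r["dir"] and r["dir"] != packet["dir"]) \
                or (r["via"] and r["via"] != packet["iface"]) \
                or (r["dst_port"] and int(r["dst_port"]) != packet.get("dport")):
            continue                            # this rule does not apply to the packet
        if addr_matches(r["src"], packet["src"], me) and addr_matches(r["dst"], packet["dst"], me):
            return number, r["action"]
    return 65535, "allow"   # ipfw's built-in default rule on OS X: allow ip from any to any
```

Running it over the sample packets also shows a gap worth knowing about: an outbound IPv4 packet of a protocol other than icmp/udp/tcp matches none of the reject rules and falls through to the default allow, because the catch-all in rule 65534 is inbound only.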


# LINK
Haught.org :: Articles :: OSX Firewall
https://www.haught.org/article/osx-firewall/
