I want to test a fallback strategy for my memcached driver (in case the port is protected by a firewall). How can I deny access to a specific port on 127.0.0.1?
- (1) Depending on which version of MacOS you are using, use either jaume's answer (= you are on 10.7 or later) or mine (you are on 10.6). – Florenz Kley, Nov 14, 2012 at 12:07
- @FlorenzKley: Thank you both for the answers, I upvoted both of them. I decided to accept the answer, as I am on OSX Snow Leopard :) – Vlad Zloteanu, Nov 20, 2012 at 16:44
2 Answers
Example for Mac OS X 10.6 (Snow Leopard)
To deny connections to localhost, port SSH (= 22, read from /etc/services):
sudo ipfw add deny tcp from any to localhost ssh
- ipfw is deprecated in OSX 10.7 and OSX 10.8 and no longer available on OSX 10.9 – Guido, Mar 12, 2015 at 9:16
- That's why it says "Example for Mac OS X 10.6" in my answer... – Apr 17, 2015 at 8:33
You can use pfctl.
OS X 10.7 "Lion" and later use the OpenBSD PF (Packet Filter). A pseudo-device called /dev/pf allows user space tools to configure the packet filter. The command pfctl provides most of the functionality.
To filter port 1234 on the loopback interface you can use a rule like this:
block drop quick on lo0 proto tcp from any to any port = 1234
This rule blocks all inbound/outbound traffic on lo0 for port 1234 (quick means in this context that if this rule matches, no further rule should be applied).
The command to load the rule in PF is:
(sudo pfctl -sr 2>/dev/null; echo "block drop quick on lo0 proto tcp from any to any port = 1234") | sudo pfctl -nf -
The command pfctl -sr 2>/dev/null lists all current rules (and sends the pretty annoying error message "No ALTQ support in kernel ALTQ related functions disabled" to /dev/null). The echo adds the rule above to the output, which is piped to pfctl. Option -n means don't apply, just check.
If there's no error message (apart from the aforementioned "No ALTQ support" message and the warning "pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup"), you can apply the rule:
(sudo pfctl -sr 2>/dev/null; echo "block drop quick on lo0 proto tcp from any to any port = 1234") | sudo pfctl -f - 2>/dev/null
This command differs from the previous one in that I removed -n. Note that you may have to add option -e to enable the packet filter (thanks for your comment, casey):
(sudo pfctl -sr 2>/dev/null; echo "block drop quick on lo0 proto tcp from any to any port = 1234") | sudo pfctl -e -f - 2>/dev/null
You can list now the rules to check it has been added properly:
sudo pfctl -sr 2>/dev/null
(...)
block drop quick on lo0 proto tcp from any to any port = 1234
When you're done you can delete the rule, either by loading the original set of rules:
sudo pfctl -f /etc/pf.conf
or by removing the rule in a similar manner to how it was added:
(sudo pfctl -sr 2>/dev/null | fgrep -v "block drop quick on lo0 proto tcp from any to any port = 1234") | sudo pfctl -f -
(I've tested the whole procedure on OS X 10.8.2 "Mountain Lion" and it worked flawlessly.)
You can find more information in this excellent introduction: http://nomoa.com/bsd/gateway/pf/valid/pfctl.html.
ipfw is still included in OS X 10.7 and 10.8 but is deprecated:
IPFW(8) BSD System Manager's Manual IPFW(8)
NAME
ipfw -- IP firewall and traffic shaper control program (DEPRECATED)
SYNOPSIS
(...)
DESCRIPTION
Note that use of this utility is DEPRECATED. Please use pfctl(8) instead.
- (6) On a fresh computer you may actually have to enable it also. Just change -f to -ef – casey, Mar 20, 2015 at 21:56
- @casey Thanks, I edited my answer to add the information in your comment. – jaume, Mar 21, 2015 at 10:46
- (2) Nice answer, and amazingly terrible horrible interface. Whoever wrote pfctl should be sent back to school. – NetMage, Dec 30, 2021 at 5:33