mac, tips

Living with Leopard's Firewall


I made the plunge and upgraded to Leopard. A CompUSA rebate of $30 (bringing Leopard down to a mere $99) was too much to pass up. I like a lot of Leopard and I haven’t had many problems so far, though I do see a good amount of room for improvement. One place that needs serious improvement is Leopard’s new Firewall system. I’d heard that you could now choose to open the firewall at the application level, and I thought that was nice, but I hadn’t heard that you *had* to do it at the application level. That’s dumb. Application-level rules are fine if I have a simple application I want to open a port for, but if I want to open a port for something like a custom build of Apache it can’t be done.

Thankfully you can still use the Terminal to open ports in the firewall for Leopard. Not as easy as using the firewall in Tiger, but it gets the job done. Here are a few helpful tips:

To add a port:
sudo ipfw add allow [udp or tcp] from [port] to [port]
So, if you want to allow port 80 with TCP you’d type sudo ipfw add allow tcp from 80 to 80

To see your rules:
sudo ipfw list

To delete an open port:
First type sudo ipfw list; you’ll get something like this:

33300 deny icmp from any to me in icmptypes 8
33400 allow udp from 0.0.0.80 to 0.0.0.80
33500 allow tcp from 0.0.0.80 to 0.0.0.80

Take the number preceding the rule you want to delete and type sudo ipfw delete [rule number], so if I wanted to delete the rule “33500 allow tcp from 0.0.0.80 to 0.0.0.80” I’d just type
sudo ipfw delete 33500

Hopefully Apple will realize that giving users no advanced options is dumb. But until then, start loving the terminal!
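As an added example (not code from the post), here is a small POSIX shell helper around Leopard's ipfw. It builds an allow rule in the form the comments below found to actually open a port (`from any to any <port>`), finds the rule numbers for a given protocol and port in `ipfw list` output so the delete step does not need a number copied by hand, and flags rules whose host reads 0.0.0.<n>, which is what ipfw produces when a port number is typed where an address belongs. It assumes `ipfw` is on the Mac's PATH for the one function that touches the live firewall; the `ipfw list` output it parses here is a constructed sample modelled on the listing in the post, so the script runs on any machine.

```shell
#!/bin/sh
# Added example (not from the post): helpers around Leopard's ipfw.
# Assumed: `ipfw` is on the Mac's PATH; the sample `ipfw list` output below is
# constructed so the script also runs on a machine without ipfw.

# Print the rule body that opens a port. "from any to any <port>" is the
# form the comments found to work; "from <port> to <port>" makes ipfw read
# the number as the host address 0.0.0.<port> and opens nothing.
ipfw_allow_rule() {
  proto=$1
  port=$2
  case "$proto" in
    tcp|udp) ;;
    *) echo "unsupported protocol: $proto" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2
    return 1
  fi
  printf 'allow %s from any to any %s\n' "$proto" "$port"
}

# Read `ipfw list` output on stdin; print the numbers of allow rules for
# the given protocol whose last token is the port (the working form).
ipfw_find_rules() {
  awk -v p="$1" -v d="$2" '$2 == "allow" && $3 == p && $NF == d { print $1 }'
}

# Read `ipfw list` output on stdin; print the numbers of rules in which a
# host reads 0.0.0.<n>, the tell-tale of a port typed where an address belongs.
ipfw_misparsed_rules() {
  awk '{ for (i = 4; i <= NF; i++) if ($i ~ /^0\.0\.0\.[0-9]+$/) { print $1; next } }'
}

# Delete every allow rule for proto/port on the live firewall. This one runs
# ipfw itself, so it is only useful on the Mac.
ipfw_close_port() {
  sudo ipfw list | ipfw_find_rules "$1" "$2" | while read -r n; do
    sudo ipfw delete "$n"
  done
}

# Constructed sample of `ipfw list` output, modelled on the listing in the post.
SAMPLE_LIST='33300 deny icmp from any to me in icmptypes 8
33400 allow udp from 0.0.0.80 to 0.0.0.80
33500 allow tcp from any to any 80
65535 allow ip from any to any'

# Demo run against the sample (the functions above return the values).
echo "rule to add:      $(ipfw_allow_rule tcp 80)"
echo "tcp/80 rules:     $(printf '%s\n' "$SAMPLE_LIST" | ipfw_find_rules tcp 80)"
echo "mis-parsed rules: $(printf '%s\n' "$SAMPLE_LIST" | ipfw_misparsed_rules)"
```

On the Mac itself, `sudo ipfw add $(ipfw_allow_rule tcp 80)` adds the rule and `ipfw_close_port tcp 80` removes it again; running `sudo ipfw list | ipfw_misparsed_rules` is a quick way to spot rules that were added with the `from 80 to 80` form and never matched any traffic. The deny rule in the post's listing ends in `in`, which restricts it to inbound packets; the same keyword can be appended to an allow rule, but the helper keeps the exact form the comments verified.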


10 thoughts on “Living with Leopard's Firewall”

  1. Juan says:

    We both did exactly the same thing: I bought my Leopard copy at 6pm in a compUSA and got the rebate. Works pretty good.

    I agree with you about the firewall issue. I thought Little Snitch was not going to be as useful as it was before, but I’m afraid it will be more needed than it was before :/

  2. Kotov says:

    dude only thing
    >> sudo ipfw add allow tcp from 80 to 80
    is not opening port, but rather treats it as IP, so this:
    >> 33400 allow udp from 0.0.0.80 to 0.0.0.80
    is exactly what it looks like

    should be
    add allow tcp from any 80 to any 80
    or even add allow tcp from any 80,8080… you get the point :)

    cheers

  3. E Fox says:

    At least for me, the fix from Kotov did not work entirely, the syntax no longer makes the port into the ip (thanks Kotov), but it just did not get traction for me . . . so I found some other syntax that did. Hope this helps prevent the day I have had.

    DID NOT WORK:
    ipfw add allow tcp from any 80 to any 80

    DID WORK:
    ipfw add allow tcp from any to any 80

    To test:
    run your portscan or nmap
    ipfw show
    ipfw delete (the entry number)
    run your portscan or nmap again

    repeat to convince yourself. . .

    e

  4. hagbard_23 says:

    Thanks E Fox,
    I’ve been looking for this so long, but your commands finally worked!

  5. Well… I can enter these codes… but nothing seems to work with Warcraft 3.

    The ports 6112 to 6119 should be open. It’s not my router because I can host fine on Vista…
    Mac on the other hand gives problems, and I can’t figure out why.

    Please help.

    grtz

  6. Pingback: rob zand » Blog Archive » links for 2008-06-17

  7. Jaiwant Mulik says:

    I found a workaround by enabling the right applications. I was trying to enable port 8080 to allow Plone to work. After not being able to get ipfw to work as expected I added python.app (Resources) and the python executable (bin) to the “allow these applications to accept ..” option under firewall. Everything works as expected. Sometimes you have to scroll down in the allowed application textbox to see which applications are being actively blocked for accepting connections.

  8. ??? wtf???? says:

    Last login: Sun Feb 22 09:50:28 on console
    Macintosh:~ jovan$ sudo ipfw allow udp from 6110 to 6119
    Password:
    ipfw: bad command `allow’
    Macintosh:~ jovanj$
    wtf?
