Read Me for BOFH's NetBarrier and ipfw Configuration Files.

Last update 07 December 2006.
Version 3.0
Disclaimer!!!

This file is provided as-is.

I do not guarantee that this file will work correctly on your Mac, nor do I take any responsibility for loss of connectivity or any other problems that may result from using this file. Furthermore, I make no promises that implementing this file will offer full and complete protection from determined hackers, LAN sniffers, trojans or any other attacks.
I can say that it has been tested and works without errors or noticeable slow-down of net access on my own Mac.

I don't know (and I frankly don't care) for what purpose you are going to use this file.
I do not condone nor encourage using this file to protect yourself in order to download copyrighted or illegal material. If you do so, the responsibility lies entirely with you.
Using this file to protect your privacy may be illegal in countries where the government reserves the right to snoop on "its" citizens, such as Red China, North Korea, Burma, Ukraine, France, Great Britain or the United States.

The pre-configured NetBarrier file may work on earlier versions of Mac OS X and/or NetBarrier - I haven't tried, and have no idea if it will or how to go about importing it.
Any problems caused by trying will be yours alone, but you are welcome to experiment all you like...

Legally, this file is released under the GNU General Public License (included in this download), which means you can edit, copy and redistribute it any way you like, as long as whatever you redistribute stays under the same licence and is passed on with its source. As for credits, you can include them if you wish.
Software Requirements

Mac OS X 10.2 or later.
Intego NetBarrier X.

An important point to keep in mind when running NetBarrier (or any other firewall software) is not to run more than one firewall at the same time.
If you are running Mac OS X's own ipfw, turn it off, as it conflicts with NetBarrier: the two rule sets interfere with each other, so neither may filter as expected, and you may have trouble connecting to the web at all. You can check whether ipfw has any rules loaded with "sudo ipfw list"; if the only rule shown is "65535 allow ip from any to any", ipfw is not filtering anything.
The programs PeerGuardian and PeerVanguard utilise ipfw, and therefore PeerGuardian/PeerVanguard and NetBarrier don't work together.
I have had no problems running NetBarrier and Little Snitch at the same time, but then, Little Snitch is not really a firewall.
Tech Support

If you experience difficulties, I can provide some degree of Tech Support, but before contacting me, make sure that you have read and followed all the instructions provided here.
I will not provide support or reply to questions regarding 3rd party software, such as Postfix Enabler, Apple Mail, PGP, Little Snitch etc. and any questions which can be answered by carefully reading through this documentation will be ignored.
I also encourage you to read the excellent NetBarrier Manual.
After all, trust is good, but knowledge is better.
There are several sites that can enlighten you as to the roots of any problems you might run into.
Some good places to get you started and to find out which ports to open and/or block:

Other Recommended Security Software

Of course, a well-regulated firewall will go a long way towards protecting you, but on its own it is not enough.
The following are links to other essential security and privacy protection software.
What's In There?

The set-up is an original export from my own Mac, which uses an AirPort Base Station as the interface to the outside world. The setup should not be essentially different from any other router-based network.

It also contains the latest update (as of 06 December 2006) of the PeerGuardian list of blocked IP addresses.

pgupdate.sh is a shell script that downloads the latest blocklist files from http://www.blocklist.org/ and converts them into a new NetBarrier config file.
Installing, Running and Uninstalling the Scripts

To install the scripts with all the necessary binaries included, log in as administrator and doubleclick the Install.command file in the NBConfig disk image. Enter your password when prompted, and let the installation run its course.

To uninstall everything, doubleclick the Uninstall.command file.

Important Note: The installation will only work if run from the disk image. Do not copy the files to your hard disk and try to run it from there - it won't work!

To run the update script manually, open a Terminal window and type:
/Users/Shared/NetBarrier/bin/pgupdate.sh
Using the pre-configured config-file

Important!!!
Don't forget to back-up your own setup if you have any special rules.

You may want to write down any special rules, as you will need to re-enter them after the import. Sorry, but I haven't been able to figure out a work-around for that.
In NetBarrier, select "File > Export Settings" and save as Something-or-other.netb.

Then select "File > Import Settings" and select the Config-file.netb.
If you haven't made any modifications to the NetBarrier configuration, double-clicking the Config-file.netb will also start the import.
You should now be set to go.
What Do The Rules Do?

NetBarrier Screenshot
Rules 1+2: Allow any traffic to and from the internal network (LAN)
The addresses used are the private (RFC 1918) ranges 10.0.1.n, 172.16.1.n and 192.168.1.n, plus 127.0.0.1 (localhost). They can be changed depending on your setup, or removed if you are connected directly to the web.
If you are connecting to an office LAN, this is the place to add the IP range of that particular network. Ask your network administrator for this information.


Rule 3: Allow outbound traffic on certain ports, such as http (80), https (443), pop3 (110), imap (143), ssh (22) etc. Because this rule comes before the blocklist rules, you can still view the BSA or RIAA homepages even though these organisations are blocked later on.


Rule 4: Allow inbound traffic on ports needed to run specific services, such as Network Time Synchronisation.
Any ports you wish to open to the world to run these services should be added to this rule.


Rule 5: Block inbound traffic, not initiated from within, on the protocols and ports used to establish whether you are "available" for attacks, such as ICMP echo (ping) and SNMP (UDP port 161).


Rules 6+7: Block any traffic to and from the PeerGuardian list of blacklisted IP addresses, unless specifically allowed in previous rules.


Rule 8: Allow any outbound traffic not specifically blocked in previous rules.


Rules 9-11: Rules to allow inbound traffic when running an FTP Server, Web Server, or running eDonkey, MUTE and BitTorrent. Enable/Disable as needed. In rule 10, the UDP port 5044 and TCP port 22080 are remnants of my personal setup, running on Overnet and FreeNet respectively.
If you run either of these services, you will need to change your settings accordingly.


Rules 12+13: The Cleanup Rules. Clean up after all other rules, blocking any inbound and outbound traffic whatsoever. We are working under the old East German rules here: Anything not specifically allowed is verboten!
Rule 12 is also called the "Stealth Rule". It blocks any inbound traffic not specifically allowed in previous rules, rendering your Mac virtually invisible. This is not the same as NetBarrier's built-in "Stealth Mode".
Any inbound-allow rules (see Rules 9-11) must be placed before this rule, or they simply won't work!
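The same policy expressed as an ipfw rule set, for readers who use Apple's own firewall instead of NetBarrier. This is an added example, not the page's ipfwpg script or its NetBarrier export: the rule numbers, the choice of ports and the 192.0.2.0/24 "blocklisted" range (a documentation-only network, used here as a constructed stand-in for a real blocklist entry) are all assumptions. It assumes the same private LAN ranges as the page, a single Mac behind a router, and an ipfw that understands the stateful keywords check-state and keep-state.

```shell
#!/bin/sh
# ipfw equivalent of the NetBarrier rules above (added example, not the
# page's own script). Rule numbers are spaced out so your own rules can be
# slotted in between. Run without arguments to print the rules, or with
# "apply" as root to load them.

r() { echo "add $*"; }

ipfw_rules() {
  # loopback first; anything else claiming to be 127/8 is spoofed
  r 100 allow ip from any to any via lo0
  r 110 deny ip from any to 127.0.0.0/8
  r 120 deny ip from 127.0.0.0/8 to any
  # rules 1+2: the LAN (assumed ranges, same as the page)
  r 200 allow ip from 10.0.1.0/24 to any
  r 201 allow ip from 172.16.1.0/24 to any
  r 202 allow ip from 192.168.1.0/24 to any
  r 210 allow ip from any to 10.0.1.0/24
  r 211 allow ip from any to 172.16.1.0/24
  r 212 allow ip from any to 192.168.1.0/24
  # replies to connections we opened are matched here, before any deny
  r 300 check-state
  # rule 3: selected outbound services (ssh, http, pop3, imap, https; dns, ntp)
  r 310 allow tcp from me to any 22,80,110,143,443 out setup keep-state
  r 320 allow udp from me to any 53,123 out keep-state
  # rule 5: do not answer probes (ping, snmp)
  r 500 deny icmp from any to me in icmptypes 8
  r 510 deny udp from any to me 161 in
  # rules 6+7: blocklisted ranges, both directions (one pair per range;
  # 192.0.2.0/24 is a constructed sample entry)
  r 600 deny ip from 192.0.2.0/24 to any
  r 601 deny ip from any to 192.0.2.0/24
  # rule 8: any other outbound traffic
  r 800 allow tcp from me to any out setup keep-state
  r 810 allow udp from me to any out keep-state
  r 820 allow icmp from me to any out
  r 830 allow icmp from any to me in icmptypes 0,3,11
  # rules 9-11: inbound services; remove what you do not run
  r 900 allow tcp from any to me 80 in setup
  r 910 allow tcp from any to me 6881-6889 in setup
  # rules 12+13: cleanup; 65000 is the "stealth" rule
  r 65000 deny ip from any to any in
  r 65010 deny ip from any to any out
}

# Load the set into the kernel (needs root). Flush first so old rules do
# not linger above ours.
apply_rules() {
  ipfw -q -f flush
  ipfw_rules | while read -r rule; do
    ipfw -q $rule   # unquoted on purpose: each word is one ipfw argument
  done
}

if [ "$1" = apply ]; then
  apply_rules
else
  ipfw_rules        # dry run: print the rules
fi
```

Two things differ from the NetBarrier list. The page's rule 4 (inbound NTP) is not needed as a separate allow, because rule 320 keeps state for the outbound query and rule 300 lets the reply back in. And ordering carries the same meaning as in NetBarrier: the blocklist denies (600/601) sit after the selected-port allow (310) but before the general outbound allow (800), so web access to a blocklisted host works while everything else to it is dropped.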


The files can be downloaded here: NBConfig.tar.gz

BTW: I also have a shellscript for updating Apple's own ipfw. Get it here: ipfwpg.tar.gz
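The conversion step that both scripts perform, as an added example that is not the page's pgupdate.sh or ipfwpg script: it reads a PeerGuardian p2p blocklist ("Name:first-last" per line, "#" comments) and emits ipfw deny rules in both directions. The NetBarrier .netb format is not documented on this page, so the example targets ipfw only. It assumes a POSIX shell with 64-bit arithmetic (bash, dash, zsh and /bin/sh on Mac OS X all qualify), accepts LF or CRLF line endings, and the sample list at the bottom is constructed from documentation-only ranges rather than taken from http://www.blocklist.org/.

```shell
#!/bin/sh
# p2p blocklist -> ipfw deny rules (added example, not the page's own script)

ip2int() {
  # dotted quad -> unsigned 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split an inclusive first-last range into the minimal list of CIDR blocks,
# which is what ipfw expects (it has no "first-last" address syntax).
range2cidr() {
  s=$(ip2int "$1"); e=$(ip2int "$2")
  while [ "$s" -le "$e" ]; do
    len=32
    # widen the block while its start stays aligned to the larger block
    while [ "$len" -gt 0 ] && [ $(( s & ((1 << (33 - len)) - 1) )) -eq 0 ]; do
      len=$(( len - 1 ))
    done
    # then shrink it until it no longer runs past the end of the range
    while [ $(( s + (1 << (32 - len)) - 1 )) -gt "$e" ]; do
      len=$(( len + 1 ))
    done
    echo "$(int2ip "$s")/$len"
    s=$(( s + (1 << (32 - len)) ))
  done
}

# stdin: p2p blocklist; stdout: ipfw "add" lines. Every blocklist rule
# shares one rule number ($1, default 600): ipfw allows many rules with the
# same number, and a large list would otherwise exhaust the 65535 numbers.
p2p_to_ipfw() {
  n=${1:-600}
  tr -d '\r' | while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    range=${line##*:}                 # name may itself contain colons
    first=${range%-*}; last=${range#*-}
    for cidr in $(range2cidr "$first" "$last"); do
      echo "add $n deny ip from $cidr to any"
      echo "add $n deny ip from any to $cidr"
    done
  done
}

# Constructed sample in p2p format (names and ranges are made up)
sample_list() {
  printf '%s\n' \
    '# comment lines and blank lines are skipped' \
    '' \
    'Example Org:192.0.2.0-192.0.2.255' \
    'Example Net:198.51.100.8-198.51.100.13'
}

sample_list | p2p_to_ipfw 600
```

To load a real list, pipe the downloaded file through p2p_to_ipfw and feed each line to ipfw, e.g. `p2p_to_ipfw 600 < p2p.txt | while read -r l; do sudo ipfw -q $l; done`. Note that ipfw checks rules in order, so tens of thousands of deny rules cost a linear scan per packet; where your ipfw supports tables (the ipfw2 versions), putting the CIDRs into a table and matching it with a single deny rule is the faster layout.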

"They that can give up essential liberty for a little temporary safety, deserve neither liberty nor safety."
- Benjamin Franklin
"If privacy is out-lawed, only out-laws will have privacy."
- Phil Zimmermann