@htsun

Firewall configuration on macOS Sierra

To limit the reach of the AFP service running on a certain macOS machine to specific network segments only, I set up a host-side firewall using pf, which ships with macOS.

Enabling pf

$ sudo pfctl -e
Password:
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

Editing the configuration file

$ sudo vim /etc/pf.conf 

Append the following:

# Deny AFP by default
block in proto tcp from any to any port = 548

# Allow only specific segments
pass in proto tcp from 192.168.20.0/24 to any port = 548
pass in proto tcp from 192.168.0.0/22 to any port = 548

Check the configuration. If no syntax error is reported, it is fine.

$ pfctl -nf /etc/pf.conf 
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

Applying the configuration

$ sudo pfctl -f /etc/pf.conf 
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled

After that, verify from the outside with nmap or similar.
From a security standpoint, it is probably more correct to "block all" first and then open individual ports.
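As an added example (not part of the original post), the following Python script models how pf picks a verdict: without the quick keyword every rule is evaluated, the last matching rule wins, and a packet that matches no rule is passed. It checks the two rules from the post against a few constructed source addresses and against the stricter "block all first" variant mentioned above; the rulesets and addresses are constructed, and the matcher understands only the syntax subset used here.

```python
import ipaddress

# Constructed rulesets (assumption, not copied from a live /etc/pf.conf):
# PAGE_RULES is the ruleset from the post; STRICT_RULES is the
# "block all, then open ports individually" variant the post recommends.
PAGE_RULES = """
block in proto tcp from any to any port = 548
pass in proto tcp from 192.168.20.0/24 to any port = 548
pass in proto tcp from 192.168.0.0/22 to any port = 548
"""
STRICT_RULES = "block all\n" + PAGE_RULES

def parse_rules(text):
    """Parse the subset of pf syntax used above into dicts.
    Keywords this toy parser ignores: in/out, quick, log."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        rule = {"action": tok[0], "proto": None, "src": "any", "dst": "any", "port": None}
        i = 1
        while i < len(tok):
            if tok[i] == "proto":
                rule["proto"], i = tok[i + 1], i + 2
            elif tok[i] == "from":
                rule["src"], i = tok[i + 1], i + 2
            elif tok[i] == "to":
                rule["dst"], i = tok[i + 1], i + 2
            elif tok[i] == "port":          # "port = 548"
                rule["port"], i = int(tok[i + 2]), i + 3
            else:
                i += 1
        rules.append(rule)
    return rules

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def decide(text, proto, src, dst, port):
    """Verdict for one inbound packet. Without 'quick', pf evaluates every
    rule and the LAST matching rule wins; if nothing matches, pf passes."""
    verdict = "pass"
    for r in parse_rules(text):
        if (r["proto"] in (None, proto) and _in_net(r["src"], src)
                and _in_net(r["dst"], dst) and r["port"] in (None, port)):
            verdict = r["action"]
    return verdict
```

With only the post's rules, a connection to port 22 from an outside address matches no rule and is passed; prepending "block all" turns that into a block while the AFP exceptions still pass.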
