Limit access to port 5900?

aamjohns
Contributor II

The university I work for wants us to prevent port 5900 from being open to the world. I've been trying to understand how to implement network filtering by port, protocol, and address range. I'm getting confused.

Can someone tell me how I can implement a limitation on ports to be accessible from on specified network ranges?

I'm sorry that this is a vague post but I'm used to doing this stuff in Windows and with the Mac it seems like the intent is 1) application based rules 2) allow or block.

Ideally I'd like to do this by script or config file and not have to buy anything. And I don't want to break our systems either with clumsy configuration or implementation.

Thank you,
AJ

5 REPLIES 5

thoule
Valued Contributor II

The Mac OS GUI firewall is an application layer firewall. Macs also ship with PF, a command line firewall with no default GUI to configure. You can use command line 'pfctl' to configure it however.

https://www.jamf.com/jamf-nation/discussions/13278/block-specific-outgoing-port

aamjohns
Contributor II

@thoule,
Hi, I appreciate your response. I have reviewed all that you mentioned. I just find the syntax and application of the pf firewall confusing as heck. I imagine the solution is in there for me, but I am cautious of breaking something by not fully understanding it.

I know it is up to me to learn to use it.

Thanks,
AJ

aamjohns
Contributor II

In case anyone is interested - I ended up getting a license for Murus Pro to have an easier way to configure pf for firewall. I am very impressed with Murus and the pricing (education discount) and support are awesome. There is also a capable free version. Additionally they have a product called Vallum that uses a GUI for application based firewall rules.

I was able to create groups that consist of IP address ranges in CIDR format and then create port rules and add the groups I wanted to have access. This way I have things like SSH and VNC locked down so only our support subnet can reach them. For some other ports I limited them to a wider range of all the university networks.

The way Murus works - you do not have to buy a license for all of your Macs. You only need to license the machine(s) you will use to make the firewall rules (GUI). Once the rules are created in the graphical app, use the install a boot script and enable pf logging function. The logging size and rotation is specified in preferences. To deploy to systems I just made a pkg from the required files:
/etc/murus.sh
/etc/murus/
/usr/local/bin/pfloggerd (for OS 10.12)
/Library/LaunchDaemons/it.murus.
.plist
/etc/syslog.conf
/etc/newsyslog.conf

Deploy these files to the client. Then a simple script to get it started bash /etc/murus.sh

Once the system is rebooted the daemon will load.

I knew systems were banging away at TCP port 22 (SSH) and it is nice to know that now port 22 can only be accessed from a couple of subnets. Be careful with the logging settings. Improperly configured or deployed logging could fill up a system's storage pretty quick. I used 2MB log file size and log file rotation at 5 logs.

Thank you,
AJ

thoule
Valued Contributor II

AJ - Thanks for the review on Murus. I'll have to take a look at it. I used a program called IceFloor before, but I found that to be just too messy and just as difficult as learning pf. But glad you got it working.

aamjohns
Contributor II

Hi Todd,
Give the free version a try. I found Murus pretty straightforward and much easier than scripting out all of the pf commands. Their support is great too.