Network firewalls, routing etc

In which years of study are needed to have basic online safety

December 9, 2018 — September 9, 2019

computers are awful

You need to route network traffic cleverly, e.g. for a VPN, a file-sync client or SSH, or for various server security concerns. Note that you might also want to look at application firewalls, which stop specific software from doing things, as opposed to filtering network activity as such.

Oh sweetie. If you are getting advice from me, you are royally fucked. I’m so sorry to find you in this bind. I’m not the kind of person who knows about network stacks. Otherwise how would I have had time to do the other things for which you would read the blog?

Anyway, let’s discover this together.

1 macOS

Certain friendly apps for macOS exist that may make this easier.


IceFloor 2 is group based, like the old ServerAdmin firewall tool. Control filtering, bandwidth, logs, connections and custom PF configurations.

(No longer current for recent macOS)


macOS features one of the best network firewalls: PF (Packet Filter). It comes in an “under the hood” fashion, installed and disabled by default.

Murus’ purpose is to unleash its potential. With its easy and intuitive icons-based and drag&drop-based interface, visual layers of abstraction and a friendly view of the PF firewall it’s a lean and mean tool to protect your Mac and network.

Designed with ease of use in mind, yet full of advanced options and monitoring tools, Murus is perfect for everybody; from the average user to the experienced UNIX guru/system administrator and even for educational purposes.

Configure and start the PF firewall in one click using built-in presets, use Murus graphical ruleset editor design tool or write fully customized rulesets using the advanced rule editor.

Murus Pro includes Vallum, an application-layer firewall. This allows you to take full control of your Mac at both application and network level.
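Since the Murus blurb describes what PF can do rather than what a ruleset looks like, here is an added example (not from the original post, and not output of Murus or IceFloor): a minimal hand-written pf.conf of the kind those apps generate for you, plus a syntax check that parses the file without loading it. It assumes the outside interface is en0 (a guess; check with ifconfig), and pfctl is only invoked if it is present.

```shell
#!/bin/sh
# Added example: a minimal PF ruleset (default-deny inbound, stateful
# outbound, SSH in) and a parse-only check. Assumed interface: en0.

# make_pf_conf: print the ruleset to stdout (quoted heredoc, so $ext_if
# reaches PF literally instead of being expanded by the shell).
make_pf_conf() {
  cat <<'EOF'
ext_if = "en0"
set skip on lo0
scrub in all
block in log all
pass out quick on $ext_if inet proto { tcp udp icmp } all keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
EOF
}

# check_pf_conf: write the ruleset to a temp file and ask pfctl to parse it.
# -n means "parse only, do not load", so this changes nothing on the box.
check_pf_conf() {
  tmp=$(mktemp) || return 1
  make_pf_conf >"$tmp"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$tmp"
    rc=$?
  else
    echo "pfctl not found; skipped parse check" >&2
    rc=0
  fi
  rm -f "$tmp"
  return "$rc"
}
```

To actually use it on macOS you would load the file with `sudo pfctl -f <file>` and turn PF on with `sudo pfctl -e`; since Apple's own /etc/pf.conf pulls in system anchors, loading your rules as a separate file (or anchor) rather than overwriting that file is the less surprising route. The `pass in ... port 22` line is the PF spelling of the `ufw allow ssh` further down.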

2 Linux

Do you need one? Yeah. Do you have one by default? Usually not.

So what’s the Linux network-routing doo-dad called? iptables. This is how you interact with the netfilter subsystem. How does it work? idk; every time I touch it I break things, because there are thousands of moving parts in a modern computer’s networking system and they all have abstruse names. For some insight see the iptables community documentation, which mentions lots of things that can go wrong.

There are a million firewall configuration apps for Linux, but the one that n00bs like me seem to get recommended is ufw, the Uncomplicated FireWall, which is installed on …. This in turn provides a simpler front end to iptables which, as presaged, is not actually enabled by default.

Here you go, turn it on.

sudo ufw enable

This blocks incoming traffic.

You might need to allow certain traffic if you run servers. The first two commands below are equivalent; the third shows what you ended up with.

sudo ufw allow ssh
sudo ufw allow 22/tcp
sudo ufw status verbose
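As an added example (not from the original post), here is a small POSIX shell script that does what the commands above do, plus the defaults you usually want set first. It assumes ufw and sudo are available, validates port specs before handing them to ufw, and with UFW_DRY_RUN=1 just prints the commands so you can read the ruleset before anything touches the box.

```shell
#!/bin/sh
# Added example: a minimal ufw bootstrap. Assumes ufw and sudo exist.
# UFW_DRY_RUN=1 prints each ufw command instead of running it;
# UFW_APPLY=1 runs the bootstrap when the script is executed directly.

# ufw_cmd: run (or, in dry-run mode, print) one ufw invocation.
ufw_cmd() {
  if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
    echo "ufw $*"
  else
    sudo ufw "$@"
  fi
}

# valid_port_spec: accept "22", "22/tcp", "60000:61000/udp" or a plain
# service name such as "ssh"; reject anything else before ufw sees it.
valid_port_spec() {
  spec=$1
  case "$spec" in
    */tcp|*/udp) body=${spec%/*} ;;   # explicit protocol suffix
    */*) return 1 ;;                  # any other protocol suffix: reject
    *) body=$spec ;;                  # no protocol: ufw defaults to both
  esac
  case "$body" in
    "") return 1 ;;
    *[!0-9:]*)                        # not numeric: allow a bare service name
      case "$body" in
        *[!a-z0-9-]*) return 1 ;;     # shell metacharacters etc. are out
      esac ;;
    *:*:*) return 1 ;;                # at most one range colon
  esac
  return 0
}

# apply_baseline: default-deny inbound, allow outbound, rate-limited SSH,
# then enable. --force skips the "may disrupt existing ssh" prompt.
apply_baseline() {
  ufw_cmd default deny incoming
  ufw_cmd default allow outgoing
  ufw_cmd limit 22/tcp
  ufw_cmd --force enable
}

# open_service: allow one extra port spec after validating it.
open_service() {
  valid_port_spec "$1" || { echo "rejected port spec: $1" >&2; return 1; }
  ufw_cmd allow "$1"
}

if [ "${UFW_APPLY:-0}" = "1" ]; then
  apply_baseline
  for s in "$@"; do open_service "$s"; done
  ufw_cmd status verbose
fi
```

`ufw limit` is ufw's built-in rate limiter: it allows the port like `allow` does but starts dropping a source that opens six or more connections within thirty seconds, which takes the edge off SSH brute-forcing without any extra tooling. Run as `UFW_DRY_RUN=1 UFW_APPLY=1 sh ufw-setup.sh 443/tcp` to see the commands, then drop UFW_DRY_RUN to apply them.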

gufw is a notionally even friendlier GUI for ufw. AFAICT it doesn’t add value in terms of visualising your firewall, which would be the big win; it’s just some knobs and buttons that type the firewall commands for you.

If your needs are a little more professional, you probably want to set up firewalls using basic iptables, which TBH doesn’t seem that complicated. An example of someone getting fancy with that, including cute hand-rolled DDoS protection, is diveyez’

At this point in seeking help on the issue of firewall configuration, the local office geek will tell you that the real pros use BSD for their network routing. But if you are a real pro, you ain’t reading this, I suspect. Gather your dilettantism about you like a cloak and sneak away.

I suppose if I wanted to prove something with slightly less re-learning I could try a stripped-down hardened distro like Alpine.