#3250 Mac os x 10.5.5: ipfw: unrecognised option [-1] auth\n


WebMin 1.441 running on Mac OS X 10.5.5 (Darwin 9.5.0 on i386)

When using module BSD Firewall (IPFW version 1) for the first time, and choosing "Block all except SSH, IDENT, ping and high ports on interface:" en0

a list of 14 rules is generated.

When trying to "Apply Configuration", the error message below is returned.

Failed to apply configuration : /sbin/ipfw add 00800 allow tcp from any to any auth failed : ipfw: unrecognised option [-1] auth\n


  • cj0

    cj0 - 2008-11-25

    Rule 00800 has Rule comment: "Allow connections to our IDENT server"

  • Jamie Cameron

    Jamie Cameron - 2008-11-25

    Looks like the problem is that the /etc/services file on your system doesn't have the 'auth' service. The quick fix is to click on that rule in the list, and change the destination port from "auth" to "113", click Save, and then click Apply.

    I will use numeric ports in the next Webmin release, to avoid this.

  • Jamie Cameron

    Jamie Cameron - 2008-11-25
  • cj0

    cj0 - 2008-11-25

    Strange: auth is available in /etc/services on that machine

    $ cat /etc/services
    # Network services, Internet style
    # Note that it is presently the policy of IANA to assign a single well-known
    # port number for both TCP and UDP; hence, most entries here have two entries
    # even if the protocol doesn't support UDP operations.
    # The latest IANA port assignments can be gotten from
    # http://www.iana.org/assignments/port-numbers
    # The Well Known Ports are those from 0 through 1023.
    # The Registered Ports are those from 1024 through 49151
    # The Dynamic and/or Private Ports are those from 49152 through 65535
    # $FreeBSD: src/etc/services,v 1.89 2002/12/17 23:59:10 eric Exp $
    # From: @(#)services 5.8 (Berkeley) 5/9/91
    mcidas 112/udp # McIDAS Data Transmission Protocol
    mcidas 112/tcp # McIDAS Data Transmission Protocol
    # Glenn Davis <support@unidata.ucar.edu>
    auth 113/udp # Authentication Service
    ident 113/tcp auth #
    # Mike St. Johns <stjohns@arpa.mil>
    audionews 114/udp # Audio News Multicast
    audionews 114/tcp # Audio News Multicast
    # Martin Forssen <maf@dtek.chalmers.se>

  • cj0

    cj0 - 2008-11-25

    This case is reopened, due to the fact that editing rule 00800 gives "Destination ports" set to "Any ports" and not to "auth" as you expected.

  • cj0

    cj0 - 2008-11-25
  • Jamie Cameron

    Jamie Cameron - 2008-11-26

    Odd, on my system the "Destination ports" shows "auth" just fine.

    What does your /etc/webmin/ipfw/ipfw.rules file contain?

  • cj0

    cj0 - 2008-11-26

    /etc/webmin/ipfw/ipfw.rules contains:

    # Skip next rule for external interface
    00100 skipto 00300 all from any to any recv en0
    # Allow all traffic on internal interfaces
    00200 allow all from any to any
    # Allow established TCP connections
    00300 allow tcp from any to any established
    # Allow traffic with ACK flag set
    00400 allow tcp from any to any tcpflags ack
    # Accept responses to DNS queries
    00500 allow udp from any 53 to any 1024-65535
    # Accept safe ICMP types
    00600 allow icmp from any to any icmptypes 0,3,4,11,12
    # Allow connections to our SSH server
    00700 allow tcp from any to any ssh
    # Allow connections to our IDENT server
    00800 allow tcp from any to any auth
    # Respond to pings
    00900 allow icmp from any to any icmptypes 8
    # Protect our NFS server
    01000 deny tcp from any to any 2049-2050
    # Protect our X11 display server
    01100 deny tcp from any to any 6000-6063
    # Protect our X font server
    01200 deny tcp from any to any 7000-7010
    # Allow connections to unprivileged ports
    01300 allow tcp from any to any 1024-65535
    10000 deny all from any to any
    65535 allow ip from any to any

  • Jamie Cameron

    Jamie Cameron - 2008-11-27

    I just tested that exact rules file with Webmin 1.441 on OSX, and was able to click on rule 00800 and change the 'auth' port with no problems. However, if the 'auth' port isn't in /etc/services (or wherever OSX 10.5 stores named ports) on your system, it will not be detected by Webmin.

    The quick work-around is to edit ipfw.rules and change 'auth' to '113'. The next Webmin release will do this as part of the firewall setup.

  • Jamie Cameron

    Jamie Cameron - 2008-11-27

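As an added example (not Webmin's own code) of the two points Jamie makes above, named ports being resolved from /etc/services and the numeric-port work-around: the parser below honours aliases, which matters because in the excerpt cj0 posted, 'auth' is the primary name only on the 113/udp line and an alias on the 113/tcp line, so a first-column-only lookup finds auth/udp but not auth/tcp. The 'ssh' services line and the rule rewriter are assumptions for illustration, not from the thread.

```python
# Added example, not Webmin's code: parse /etc/services with aliases and
# rewrite ipfw rules to numeric ports (the work-around described above).
import re

# Constructed input: the /etc/services lines quoted in this thread, plus an
# assumed 'ssh' line (not in the quoted excerpt) so rule 00700 resolves too.
SERVICES_TEXT = """\
mcidas 112/udp # McIDAS Data Transmission Protocol
mcidas 112/tcp # McIDAS Data Transmission Protocol
auth 113/udp # Authentication Service
ident 113/tcp auth #
audionews 114/tcp # Audio News Multicast
ssh 22/tcp # constructed line, not from the excerpt
"""

PORT_SPEC = re.compile(r"^\d+(-\d+)?$")   # numeric port or port range


def parse_services(text, include_aliases=True):
    """Map (name, proto) -> port. With include_aliases=False only the first
    column counts, so 'auth' is known for udp but NOT for tcp in the excerpt."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in fields[:1] + (fields[2:] if include_aliases else []):
            table.setdefault((name, proto), int(port))
    return table


def rewrite_rule(rule, table):
    """Replace named source/destination ports in one ipfw rule with numbers.
    Numeric ports, ranges, options such as 'established', and names the
    table cannot resolve are left untouched (ipfw will reject the latter)."""
    toks = rule.split()
    if rule.lstrip().startswith("#") or len(toks) < 6 or toks[2] not in ("tcp", "udp"):
        return rule                      # comments and all/ip/icmp rules carry no port names
    proto = toks[2]
    for kw in ("from", "to"):
        idx = toks.index(kw) + 2         # token right after the address, if any
        if idx < len(toks) and toks[idx] != "to" and not PORT_SPEC.match(toks[idx]):
            toks[idx] = str(table.get((toks[idx], proto), toks[idx]))
    return " ".join(toks)


def rewrite_rules(rules, table):
    """Rewrite every line of an ipfw.rules file, preserving comments."""
    return [rewrite_rule(r, table) for r in rules]
```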