macOS: how to set firewall rules to prevent RSTs

Robert David Graham edited this page Jun 11, 2017 · 1 revision

This page describes how to configure macOS firewall rules so that masscan can establish a TCP connection. Masscan contains its own TCP/IP stack, so when the system receives a SYN-ACK in reply to one of masscan's probes, the operating system's own TCP/IP stack has no socket that matches it and answers with a RST. That RST tears the connection down before masscan can complete the handshake, which breaks features that need a full connection, such as the --banners option.

In older versions of macOS, ipfw was used to set such firewall rules. Starting with Mac OS X 10.7 ("Lion"), the pf packet filter (from OpenBSD), controlled through the pfctl interface, is used instead.

The trick is to reserve a range of source ports for masscan to use, then configure the firewall to block incoming packets on these ports, so the kernel's TCP/IP stack never sees the replies and never answers them with a RST.

Since macOS 10.7, the operating system's ephemeral port range has been 49152 - 65535. You can verify this range by running sysctl -a and looking for the values net.inet.ip.portrange.first and net.inet.ip.portrange.last. If you need to, you can use the sysctl program to set different values. The range you reserve for masscan must not overlap the ephemeral range, or the kernel may hand one of masscan's ports to an ordinary socket. More information on this can be found at https://www.cymru.com/jtk/misc/ephemeralports.html.

In these examples, we are going to use the range 40000 through 41023 (1024 ports) as our range for masscan.

For the first step, we need to edit the /etc/pf.conf file, which contains all the firewall rules (editing it and running pfctl both require root privileges). Add the following line at the bottom of the file:

block in proto tcp from any to any port 40000:41023

Note that pf's ":" operator is an inclusive range. The ">< " operator excludes both endpoints, so writing port 40000 >< 41024 would match 40001 through 41023 and leave port 40000 unprotected.

To check the new rules for mistakes without loading them, parse the file in verbose dry-run mode:

pfctl -vnf /etc/pf.conf

To make sure the firewall is running, enable it with the following command (if pf is already enabled, pfctl reports "pf already enabled" and exits non-zero, which is harmless):

pfctl -e

Now we load the new rule set with the command:

pfctl -f /etc/pf.conf

At this point, we can verify that our rules have been accepted by running the following command, which should list our block rule among the active rules:

pfctl -s rules

Now that we've configured the firewall, it's time to configure masscan. One way is to pass --source-port 40000-41023 on every command line, but that's tedious. The better way is to edit the file /etc/masscan/masscan.conf and add the parameter:

source-port = 40000-41023

Then masscan will automatically use that source range from now on.

Now, to test it, simply run masscan against some web server:

masscan 10.0.0.50 -p80 --banners

If you get a banner, then you know the configuration has succeeded. If you do not, confirm with pfctl -s rules that the block rule is loaded and that the source-port range in masscan.conf matches the ports in the rule.
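As an added example (not code from the masscan wiki or project), the following POSIX shell script ties the steps above together: it checks that the masscan range stays outside the kernel's ephemeral range, generates the pf.conf rule (with pf's inclusive ":" operator) and the masscan.conf line, and, on a macOS host run as root, appends the rule once, validates it with pfctl -vnf, enables pf, loads the rules and lists the result. The function names, the "apply" argument and the fallback to the page's default ephemeral range when the sysctl keys are absent are my assumptions.

```shell
# Added example, not from the masscan wiki: check the masscan source-port range
# against the kernel's ephemeral range, generate the pf.conf rule and the
# masscan.conf line, and on a macOS host (as root) apply and verify them.
# Port numbers are the page's; PF_CONF is the path the page uses.
MASSCAN_LO=40000
MASSCAN_HI=41023
PF_CONF=/etc/pf.conf

# ranges_overlap LO1 HI1 LO2 HI2: true when the two inclusive ranges overlap
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# pf_rule LO HI: pf's ':' is an inclusive range ('><' would drop both ends)
pf_rule() {
    echo "block in proto tcp from any to any port $1:$2"
}

# masscan_conf_line LO HI: the matching /etc/masscan/masscan.conf setting
masscan_conf_line() {
    echo "source-port = $1-$2"
}

# ephemeral_range: "first last" via sysctl, else the macOS 10.7+ defaults
# (the keys do not exist on Linux, so the fallback is used there)
ephemeral_range() {
    first=$(sysctl -n net.inet.ip.portrange.first 2>/dev/null) && [ -n "$first" ] || first=49152
    last=$(sysctl -n net.inet.ip.portrange.last 2>/dev/null) && [ -n "$last" ] || last=65535
    echo "$first $last"
}

# plan: refuse a range the kernel also hands out; otherwise print both lines
plan() {
    set -- $(ephemeral_range) "$MASSCAN_LO" "$MASSCAN_HI"
    if ranges_overlap "$3" "$4" "$1" "$2"; then echo "error: $3-$4 overlaps ephemeral range $1-$2" >&2; return 1; fi
    pf_rule "$3" "$4"
    masscan_conf_line "$3" "$4"
}

# apply: append the rule once, syntax-check, enable pf, load, and show it
apply() {
    rule=$(pf_rule "$MASSCAN_LO" "$MASSCAN_HI")
    grep -qF "$rule" "$PF_CONF" || printf '%s\n' "$rule" >> "$PF_CONF"
    pfctl -vnf "$PF_CONF" || return 1
    pfctl -e 2>/dev/null              # non-zero if pf was already enabled
    pfctl -f "$PF_CONF" && pfctl -s rules | grep -F "$rule"
}

[ "$1" = apply ] && command -v pfctl >/dev/null && apply
```

Run it with no arguments to print the two configuration lines after the overlap check, or as root with the "apply" argument on macOS to install and verify the rule.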