Question

I want to run ipfw or pf on my iPhone -- or the equivalent. Seems simple, but I can't find anything that works.

Device is jailbroken, looked very carefully through Cydia, and even through some of the alternate repositories. I've tried off and on for months, digging and digging, it's been really frustrating.

I found this post: Can I block ports and network traffic when using Personal Hotspot? here on apple.stackexchange, and tried installing ipfw via theworm.altervista.org/cydia. It installed without issue, but no matter what I do it just says:

ipfw: getsockopt(IP_FW_GET): Protocol not available

Found this post: http://nixcraft.com/all-about-freebsd-openbsd-netbsd/3726-ipfw-getsockopt-ip_fw_get-protocol-not-available.html which suggests creating a file: /etc/rc.conf, with the following:

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

But that didn't help at all, still get the same error.

I'm aware of the Cydia/commercial software "IP Firewall", which would help with much of what I want to do, but not everything.

Please help!


Solution

This thread over on the FreeBSD forums suggests that pf works on iOS. Disclaimer: I haven't tested this myself.

Edit:

pfctl -sr

as root returns:

No ALTQ support in kernel
ALTQ related functions disabled

and no rules whatsoever, but it seems that pf is there.

OTHER TIPS

It seems "simple", but ipfw (or pf) require support directly within the kernel. That means Apple has to compile the iOS kernel to support those particular utilities and their required protocols (ipfw is a front end for ipfw and dummynet, the latter of which does the bandwidth shaping).

Firewall software (like ipfw) in Unix-based systems runs at the kernel layer (deep) and cannot be added unless the kernel itself supports it. OS X supports ipfw/pf but iOS does not. Apple has gone to great lengths to secure the OS and likely feels it an unnecessary addition (it's not that Apple has turned them off, they simply do not exist, so no conf configurations will aid you). This is why you receive the protocol error. While iOS can run the program, ipfw cannot negotiate the required protocols because they simply do not exist.

At best, your only option is to find a firewall that runs atop the kernel, so in userspace (like Little Snitch on OS X for example).

I've always run Firewall iP on JB iOS, and really like it. http://cydia.saurik.com/package/com.yllier.firewall

I never checked that pfctl is also available on iOS -- it would be very nice to put together an iOS-oriented pf.conf and run the iOS firewall at load time to have a kernel-level firewall.

It's also possible to block malware, trackers, and adware by downloading a list of bad hosts from hphosts.org and appending this to the /etc/hosts file.
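As an added example (not code from any of the answers above), a small Python script that merges a hosts-format blocklist into an existing /etc/hosts without duplicating entries or redirecting loopback names. The sample hosts file and blocklist are constructed, and the hphosts list is assumed to use the usual `address hostname` layout:

```python
"""Merge a hosts-format blocklist into /etc/hosts safely (constructed sample inputs)."""
import ipaddress
import re

# Constructed sample of an existing /etc/hosts (macOS/iOS style).
EXISTING_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
"""

# Constructed sample blocklist in hosts format (assumed hphosts-style layout).
BLOCKLIST = """\
# sample blocklist
127.0.0.1 ad.example.test
127.0.0.1 tracker.example.test   # inline comment
127.0.0.1 localhost
0.0.0.0 AD.EXAMPLE.TEST
this is not a valid line
127.0.0.1 malware.example.test
"""

# Names that must never be redirected, whatever the downloaded list says.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")

def parse_hosts(text):
    """Yield lower-cased hostnames from hosts-format text; skip comments and malformed lines."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # first field must be an address
        except ValueError:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if HOSTNAME_RE.match(name):
                yield name

def build_blocklist(existing_hosts, blocklist, sink="0.0.0.0"):
    """Return the lines to append: one per new hostname, pointed at a sink address.
    0.0.0.0 is used rather than 127.0.0.1 so blocked names do not hit local services."""
    known = set(parse_hosts(existing_hosts)) | PROTECTED
    out = []
    for name in parse_hosts(blocklist):
        if name not in known:
            known.add(name)  # also de-duplicates within the blocklist itself
            out.append(f"{sink} {name}")
    return out
```

The result of `build_blocklist` is what you would append to the device's /etc/hosts, between marker comments so a later update can replace only that section.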

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange