  1. #1
    Join Date
    Sep 2004
    Posts
    1,361

    Need OSX / Darwin guru: Programmatic Firewall questions

    I have been using the ip_fw API, you know #include <ip_fw.h>. This is the API (or it seems to be) for using the Darwin firewall, which is used by the "ipfw" command at the terminal.

    So far I have been able to add, enumerate, and delete rules. I did run into an issue where I could not turn on or off the firewall programmatically, but after much digging I discovered:
    sysctlbyname("net.inet.ip.fw.enable", ...) was the way to turn it on or off.

    However, there is one feature of the "ipfw" command I have spent hours on without result and it is here I am coming hoping for some wisdom.

    The ipfw command has the concept of "sets". There are a total of 31 sets, and they represent a set of rules. You can add a rule to set N, delete a rule from set N, etc. You can also ENABLE or DISABLE sets like:
    "ipfw set disable 0".

    The problem for me is that I have no idea how to deal with sets from the API point of view. I do not know how to pick a set to add or remove a rule from. No member of the ip_fw struct seems to have any bearing on this. Furthermore I have no idea how to tell if a set is enabled or disabled, let alone actually enabling or disabling it.

    The worst case scenario for me is to resort to a command line call to manage sets, but that only leaves me with enable or disable. I still can't tell anything about sets that way.

    So if anyone knows about this stuff, please help me. The Apple documentation frequently leads to some BSD man page which has the answer, except it's for BSD and Darwin doesn't support that method.

    Finally, if anyone can recommend a good book on deep programming specifically for Darwin / OS X, please let me know. I want the focus to be on the lower level stuff, not on making pretty windows and interfacing with iTunes and stuff like that. It's the deep under the hood stuff I need. How to rummage around the route table, manage the firewall, how to make a program run as a super-user "daemon" I think to work with a user level front end. It just needs to be deep stuff specific to OS X / Darwin because even though Darwin is very close to BSD, it is different enough to thwart most BSD guides on how to do things.

    Oh, a semi-related question: How do I find the default gateway? I need it for the firewall stuff to protect users (or at least warn them) from locking themselves out of the Internet.

    Any help is greatly appreciated.

  2. #2
    Join Date
    Nov 2011
    Posts
    1

    Re: Need OSX / Darwin guru: Programmatic Firewall questions

    Hi,

    I am also struggling with the OS X firewall and was wondering if you found any useful sources of information. Or maybe some of your code is open source and I can have a look at it to get an idea how to deal with the beast.

    TIA
    /jamesblast
