
    Post #377932 by alternapop (Participant)

    I’ve spent time reading up on the adaptive firewall and afctl.

    I understand the whitelist & blacklist and how to add/remove entries to it.

    What’s confusing to me is what truly starts or stops the adaptive firewall? I’ve read different things, including the below 5 items. What does each of the below do and how are they different with regards to the adaptive firewall?

    -------
    /etc/emond.d/rules/AdaptiveFirewall.plist

    Find all instances of: ‘Active’
    Then on the next line, inside the ‘‘ tags, change the 1 to a 0 or vice versa
    -------
    to reload/restart the AF:

    cd /System/Library/LaunchDaemons
    sudo launchctl unload com.apple.emond.plist
    sudo launchctl load com.apple.emond.plist
    -------
    forces afctl into a running state (changes the Active flag in /etc/af.plist)
    /usr/libexec/afctl -f
    -------
    stopping/starting the main firewall
    -------
    restarting the system
    -------

    Secondly, playing around with the adaptive firewall, I’ve seen it sometimes log invalid AFP attempts after one invalid login attempt (and add the IP to the blacklist), and I’ve seen it not log/do anything at all despite entering invalid credentials.

    I added a few subnets to the whitelist, stopped and restarted the firewall via the Server Admin GUI, and then tried to connect via AFP from a remote computer that is NOT in the whitelist. I expect it to log the invalid attempt and block that IP for 15 minutes, but it’s not showing any indication that a connection attempt was even made. Sometimes it will after the first failed attempt, which is what I expect, and by “sometimes” I mean after playing around with it, making small changes (like those listed above), but I can’t seem to find any real consistency.

    I’ve seen the log say, “will block for 15 minutes”, but then it will continue to let the same IP attempt to authenticate and will even allow an AFP mount if successful before the 15 minutes have expired.

    What gives? What differences might there be between different versions of 10.5 Server?

    How has this all changed with 10.6 Server?

    Thanks!
