Application firewall configuring

  • #376794
    alantrewartha
    Participant

    I’ve been scouring both these forums and the net generally (i.e. googling ‘socketfilterfw’) for info on this, and thought I’d start a dedicated thread for it.

    The main config file editing seems simple enough. Despite what I gathered on [url=https://www.afp548.com/forum/viewtopic.php?forum=45&showtopic=24043]this thread[/url], it seems simple enough to

    [code]/usr/libexec/PlistBuddy -c "Set globalstate 1" /Library/Preferences/com.apple.alf.plist # set access for specific services and applications
    /usr/libexec/ApplicationFirewall/socketfilterfw -k # kill the firewall daemon
    [/code]
    which will turn on the application firewall and restart the firewall, which reads in the plist, and the state is preserved after a reboot. All well and good.

    BUT. How to add specific applications with “allow incoming connections”? According to the command line socketfilterfw -h (and cited on a few sites with no further comments) you should be able to do

    [code]/usr/libexec/ApplicationFirewall/socketfilterfw -t /Applications/[yr application.app folder]/Contents/MacOS/[actual exe app][/code]

    But no luck. (For the record, I’m trying to set it up to allow Universal Type Client, which needs the main app and a couple of helper apps inside its Resources folder.) I have tried this with so many other options, like using launchctl to unload the firewall (LaunchAgent AND LaunchDaemon), “socketfilterfw -t”, reload. Still no luck.

    I even resorted to manually adding the data to the ‘applications’ array in the alf.plist (followed by a good-luck socketfilterfw -k), based on reading the plist after doing a manual configure with the preference pane GUI. No luck. It LOOKS good, in that it’s listed in the prefpane window. But start up the listed application and you get the usual prompt ‘do you want to allow app x to accept…’. Say yes and this seems to update the plist. The applications array in the plist is composed of a dictionary per app, and a mystery key ‘reqdata’ looks like the bit that’s getting re-written.

    Should I just give up and fall back on the easier-to-configure ipfw (ipfw2?)?

    cheers you all
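
The post above observes that answering the firewall prompt appears to rewrite the ‘reqdata’ key of a hand-added entry. One way to confirm which keys change is to diff two snapshots of the plist; this is an added example, not code from the thread. The sample snapshots are constructed, and the key names `bundleid` and `state` are assumptions (only `globalstate`, `applications` and `reqdata` appear in the thread).

```python
import plistlib

# Constructed sample snapshots (not real alf.plist contents). Only
# 'globalstate', 'applications' and 'reqdata' come from the thread;
# 'bundleid' and 'state' are assumed key names for illustration.
def _snapshot(entries, globalstate=1):
    return plistlib.dumps({"globalstate": globalstate, "applications": entries})

BEFORE = _snapshot([
    {"bundleid": "com.example.typeclient", "state": 0, "reqdata": b"hand-edited"},
    {"bundleid": "com.example.other", "state": 0, "reqdata": b"\x01\x02"},
])
AFTER = _snapshot([
    {"bundleid": "com.example.typeclient", "state": 0, "reqdata": b"\xfa\xde\x0c\x00"},
    {"bundleid": "com.example.other", "state": 0, "reqdata": b"\x01\x02"},
    {"bundleid": "com.example.new", "state": 0, "reqdata": b"\x03"},
])

def index_apps(plist_bytes, id_key="bundleid"):
    """Return (globalstate, {app id: entry dict}) from XML or binary plist bytes."""
    doc = plistlib.loads(plist_bytes)
    apps = {}
    for i, entry in enumerate(doc.get("applications", [])):
        # Fall back to the array position when an entry has no identifier.
        apps[entry.get(id_key, f"<entry {i}>")] = entry
    return doc.get("globalstate"), apps

def diff_snapshots(before, after):
    """Report added/removed applications and which keys changed per application."""
    g0, a0 = index_apps(before)
    g1, a1 = index_apps(after)
    report = {"globalstate": (g0, g1),
              "added": sorted(a1.keys() - a0.keys()),
              "removed": sorted(a0.keys() - a1.keys()),
              "changed": {}}
    for app in sorted(a0.keys() & a1.keys()):
        keys = sorted(k for k in a0[app].keys() | a1[app].keys()
                      if a0[app].get(k) != a1[app].get(k))
        if keys:
            report["changed"][app] = keys
    return report

if __name__ == "__main__":
    for name, value in diff_snapshots(BEFORE, AFTER).items():
        print(f"{name}: {value}")
```

On a real machine, read the bytes of /Library/Preferences/com.apple.alf.plist once after the manual edit and once after answering the prompt, and pass both to `diff_snapshots`.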

    #376829
    alantrewartha
    Participant

    🙁

    I have run with an ipfw ruleset which is OK, but a lot less satisfactory.

    #376891
    klombard
    Participant

    I’m actually having the same difficulty. I was trying, as a test, to add Cyberduck to the exception list (“trusted application”). Here’s my output:

    [code]
    bash-3.2$ sudo ./socketfilterfw -t /Applications/Cyberduck.app/Contents/MacOS/Cyberduck
    Password:
    adding /Applications/Cyberduck.app/Contents/MacOS/Cyberduck to the list of trusted applications
    GetSignException: creator 'BNUp'
    GetSignException: creator 'BNu2'
    GetSignException: creator 'SWar'
    GetSignException: creator 'StCm'
    GetSignException: creator 'Dbl2'
    GetSignException: creator 'PJ03'
    GetSignException: creator 'PJ07'
    GetSignException: creator 'FP98'
    [/code]

    And it just freezes; I have to ctrl+c out of it. Am I missing something, like shutting down the firewall first? Has anyone seen this error? It’d be super handy in my environment to be able to add firewall exceptions remotely.
