Application firewall configuring
I've been scouring both these forums and the net generally (i.e. googling 'socketfilterfw') for info on this, and thought I'd start a dedicated thread for it.
The main config file editing seems simple enough. Despite what I gathered on [url=https://www.afp548.com/forum/viewtopic.php?forum=45&showtopic=24043]this thread[/url], it seems simple enough to
[code]/usr/libexec/PlistBuddy -c "Set globalstate 1" /Library/Preferences/com.apple.alf.plist # set access for specific services and applications
/usr/libexec/ApplicationFirewall/socketfilterfw -k # kill the firewall daemon
[/code]
which will turn on the application firewall and restart the firewall, which reads in the plist, and the state is preserved after a reboot. All well and good.
BUT. How to add specific applications with "allow incoming connections"? According to the command line socketfilterfw -h (and cited on a few sites with no further comments) you should be able to do
[code]/usr/libexec/ApplicationFirewall/socketfilterfw -t /Applications/[yr application.app folder]/Contents/MacOS/[actual exe app][/code]
but no luck. (For the record, I'm trying to set it up to allow Universal Type Client, which needs the main app and a couple of helper apps inside its Resources folder.) I have tried this with so many other options, like using launchctl to unload the firewall (LaunchAgent AND LaunchDaemon), "socketfilterfw -t", reload -- still no luck.
I even resorted to manually adding the data to the 'applications' array in the alf.plist (followed by a good-luck socketfilterfw -k) based on reading the plist after doing a manual configure with the preference pane GUI. No luck - it LOOKS good, in that it's listed in the prefpane window. But start up the listed application and you get the usual prompt "do you want to allow app x to accept...". Say yes and this seems to update the plist. The applications array in the plist is composed of a dictionary per app, and a mystery key 'reqdata' looks like the bit that's getting rewritten.
Should I just give up and fall back on the easier-to-configure ipfw (ipfw2?)?
Cheers, you all
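
One way to check the observation above about which per-application keys get rewritten, as an added example that is not part of the original post: keep a copy of /Library/Preferences/com.apple.alf.plist from before and after answering the prompt, and diff the 'applications' array entry by entry. The two snapshots below are constructed; only 'globalstate', 'applications' and 'reqdata' are names from the post, while the 'label' key and all values are made up for illustration.

```python
import plistlib

def app_entry_changes(before: bytes, after: bytes):
    """Return (index, key, change) tuples for every difference in the
    'applications' array between two snapshots of the firewall plist."""
    old = plistlib.loads(before).get("applications", [])
    new = plistlib.loads(after).get("applications", [])
    changes = []
    for i in range(max(len(old), len(new))):
        if i >= len(old):
            changes.append((i, None, "entry added"))
        elif i >= len(new):
            changes.append((i, None, "entry removed"))
        else:
            # Compare the two per-application dictionaries key by key.
            for key in sorted(set(old[i]) | set(new[i])):
                if key not in old[i]:
                    changes.append((i, key, "key added"))
                elif key not in new[i]:
                    changes.append((i, key, "key removed"))
                elif old[i][key] != new[i][key]:
                    changes.append((i, key, "value changed"))
    return changes

def _sample(reqdata: bytes) -> bytes:
    # Constructed snapshot: 'label' is a hypothetical key and the
    # reqdata bytes are placeholders, not real firewall data.
    return plistlib.dumps({
        "globalstate": 1,
        "applications": [{"label": "ExampleClient", "reqdata": reqdata}],
    })

HAND_EDITED = _sample(b"\x00placeholder")
AFTER_PROMPT = _sample(b"\x01rewritten-by-firewall")

if __name__ == "__main__":
    # With real files, pass open(path, "rb").read() for each snapshot.
    for index, key, change in app_entry_changes(HAND_EDITED, AFTER_PROMPT):
        print(f"applications[{index}] {key}: {change}")
```
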