AFP548 Community Projects: Autofirewall – Network-aware firewall settings

This topic contains 0 replies, has 1 voice, and was last updated by  dead2sin 9 years, 10 months ago.


    dead2sin
    Participant

    I thought I’d post this here in hopes of someone else finding it useful. I decided that I would like the Macs at our University to behave like our PC Laptops do as far as firewalls go, so I made a launchd item and matching script to accomplish this for me.

    Basically, the script is run every time that /var/run/resolv.conf is modified (network connection change, unplug, etc.). The script itself looks at the resolv.conf (if it exists) and greps the domain line to figure out whether it is on your network or not. If it is on your network, it will disable the firewall (0). As soon as you unplug the network cable, or if you join a network that is not one of yours, it enables the firewall (1).

    The script itself is fairly flexible; it uses a case statement to specify which actions to take based on the domain listed in resolv.conf, but it could be modified to use the IP address and various other things. I hope that someone else might find this useful as well.

    Any input or suggestions are definitely welcome.

    Here is the LaunchAgent I’m using to kick off the script:

    [code]<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>KeepAlive</key>
        <false/> <!-- boolean value lost in the forum rendering; false assumed (the script exits after each run) -->
        <key>Label</key>
        <string>com.yourcompany.autofirewall</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Library/Scripts/yourcompany/autofirewall.sh</string>
        </array>
        <key>RunAtLoad</key>
        <true/> <!-- boolean value lost in the forum rendering; true assumed so the state is set at load -->
        <key>WatchPaths</key>
        <array>
            <string>/var/run/resolv.conf</string>
        </array>
    </dict>
    </plist>
    [/code]

    And here is the script itself.

    [code]#!/bin/bash

    #Written by Nate Walck and Clint Armstrong
    #Liberty University 2009

    #This Script will automatically enable or disable the firewall depending upon which network it is on.
    #Note: writing /Library/Preferences/com.apple.alf requires root, so the job has to run with that privilege.
    #Note: the domain in resolv.conf is handed out by DHCP, so it is a convenience signal, not proof of where the machine is.

    #This function turns the firewall on or off, depending upon which state is desired.
    #If the firewall is already in the state desired, the script will leave it in that state.

    function firewall {
    #Reads the current state of the firewall and stores it in variable fw (empty if the key has never been set)
    fw=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)

    #This compares the option passed to function firewall to its current state.
    if [ "$1" != "$fw" ]
    then
    #If the option passed is different from current state, it changes it to the passed value.
    defaults write /Library/Preferences/com.apple.alf globalstate -int "$1"
    #For troubleshooting purposes, you can put in 'say $1' to see which state is being set.
    fi
    }

    #Determines if resolv.conf exists.
    if test -e /var/run/resolv.conf
    then
    #This stores the value of the "domain" directive of resolv.conf into variable NETWORK.
    #Only a line whose first field is "domain" counts; a plain grep for "domain" would also match search lines that contain the word.
    NETWORK=$(awk '$1 == "domain" {print $2; exit}' /var/run/resolv.conf)

    #This case looks at $NETWORK for specific domains and runs commands accordingly
    case "$NETWORK" in

    #If on VPN, function firewall turns the firewall on.
    vpn.yourcompany.com)
    firewall 1
    ;;

    #On any other company domain, function firewall turns firewall off.
    *.yourcompany.com)
    firewall 0
    ;;

    #On any other domain (or no domain line at all), function firewall turns firewall on.
    *)
    firewall 1
    ;;

    esac

    else
    #If no network connection exists, function firewall turns the firewall on.
    firewall 1

    fi[/code]
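As an added example (not code from the original post), here is the same network decision split away from the privileged `defaults` write, so the resolv.conf parsing and the case matching can be exercised against constructed resolv.conf files as an unprivileged user before the job is deployed. It assumes the placeholder domains from the post (`vpn.yourcompany.com`, `*.yourcompany.com`), falls back to the first `search` suffix when there is no `domain` line, and fails closed (firewall on) for anything it does not recognise or cannot read.

```shell
#!/bin/sh
# Added example, not code from the original post: the resolv.conf decision
# logic separated from the privileged defaults(1) write so it can be run and
# tested against constructed resolv.conf files without root.
# The domain names below are the placeholders used in the post.

# decide_state RESOLV_CONF_PATH
# Prints the desired com.apple.alf globalstate: 1 = firewall on, 0 = firewall off.
# Missing or unrecognised input always yields 1 (fail closed).
decide_state() {
    conf="$1"
    # No readable resolver file means no network: keep the firewall on.
    if [ ! -r "$conf" ]; then
        echo 1
        return 0
    fi
    # Only the "domain" directive counts; a "search" line that merely contains
    # the word "domain" must not be picked up the way a plain grep would do.
    network=$(awk '$1 == "domain" { print $2; exit }' "$conf")
    # Fall back to the first "search" suffix when there is no domain line.
    if [ -z "$network" ]; then
        network=$(awk '$1 == "search" { print $2; exit }' "$conf")
    fi
    # This value arrives via DHCP, so it is a convenience signal, not proof
    # of location; the unknown case therefore keeps the firewall on.
    case "$network" in
        vpn.yourcompany.com) echo 1 ;;   # on the VPN: firewall on
        *.yourcompany.com)   echo 0 ;;   # on a company network: firewall off
        *)                   echo 1 ;;   # anywhere else: firewall on
    esac
}

# apply_state STATE: the only privileged step. Reads the current value and
# writes only when a change is needed, as the post's script does. Needs root.
apply_state() {
    current=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
    if [ "$current" != "$1" ]; then
        defaults write /Library/Preferences/com.apple.alf globalstate -int "$1"
    fi
}

# Dry-run demo on a constructed resolv.conf; no firewall setting is touched.
demo_dir=$(mktemp -d)
printf 'domain lab.yourcompany.com\nnameserver 10.0.0.53\n' > "$demo_dir/resolv.conf"
echo "constructed resolv.conf -> globalstate $(decide_state "$demo_dir/resolv.conf")"
rm -rf "$demo_dir"
# To run for real on a Mac, as root: apply_state "$(decide_state /var/run/resolv.conf)"
```

Keeping `decide_state` side-effect free means the WatchPaths job can be tested with a handful of sample resolv.conf files (company LAN, VPN, foreign network, no file at all) and the expected globalstate checked for each before the job is installed.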
