Command Line ALF on Mac OS X

Mac OS X 10.5 and Mac OS X 10.6 have a multitude of ways to control what data comes into or leaves a system. The traditional way is to use ipfw, although this isn’t the default way in 10.5 and above. Instead, you are meant to use the Application Layer Firewall (we’ll call it ALF for short), which is what you configure from the Security System Preference pane.

You can enable the firewall simply enough by using the defaults command to augment the /Library/Preferences/com.apple.alf.plist file, setting the globalstate key to an integer of 1:

defaults write /Library/Preferences/com.apple.alf globalstate -int 1

You can also control the firewall from the command line. Stopping and starting ALF, whether the global state has been set to 0 or 1, is easy enough and is done using launchd. To stop:

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

To start:

launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

These will start and stop the firewall daemon (aptly named firewall) located in the /usr/libexec/ApplicationFirewall directory. As you can imagine, the settings for ALF can be configured from the command line as well. The socketfilterfw command, in this same directory, is the command that actually allows you to manage ALF. ALF works not by the simple boolean means of allowing or not allowing access to a port but instead by limiting access by specific applications, more along the lines of Mandatory Access Controls (although not yet using the MAC framework).

When an application is allowed to open or accept a network socket, it’s known as a trusted application, and ALF keeps a list of all of the trusted applications. You can view trusted applications using socketfilterfw with the -l option, although the output can be difficult to read, so you can constrain it by grepping for TRUSTEDAPPS as follows:

./socketfilterfw -l | grep TRUSTEDAPPS

You can also use the command line to add a trusted application using the -t option followed by the full path to the application to be trusted. For example, to add FileMaker to the list of trusted apps you use something similar to the following, pointing to the binary inside the bundle, not the app bundle itself:

./socketfilterfw -t "/Applications/FileMaker Pro 9/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"

Note: You can also use the socketfilterfw command to sign applications, verify signatures and enable debugging, using the -s, -v and -d options respectively.

Finally, there are a number of global preferences for the firewall that can be configured using the /usr/libexec/ApplicationFirewall/com.apple.alf.plist preferences file. You might be looking at the path to this file and thinking that it looks odd and it should really be in /Library/Preferences. And you might be right. But the com.apple.alf.plist file there appears to be a bit of silly misdirection. Changes there simply don’t seem to have the desired effect. Therefore, stick with the one in the /usr/libexec/ApplicationFirewall directory. Some keys in this file that might be of interest include globalstate (0 disables the firewall, 1 configures access for specific services and 2 is for essential services only, as in the GUI), stealthenabled and loggingenabled. All are integers and fairly self-explanatory when compared with the GUI settings in the Security System Preference pane.
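As an added example (not from the original post), the following script audits the three keys described above against a baseline and sanity-checks the paths you would hand to -t. It assumes that `defaults read` prints the plist as "key = value;" lines, that the TRUSTEDAPPS lines from -l carry the binary path in double quotes, and that a baseline of globalstate=1, stealthenabled=1, loggingenabled=1 is what you want; all three are assumptions made for this example.

```shell
# Added example, not the post's own code.  Assumed (not shown on the page):
# "defaults read" prints "    key = value;" lines; the baseline below is a
# choice for this example, not an Apple recommendation.
ALF_PLIST=/usr/libexec/ApplicationFirewall/com.apple.alf
SFFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# alf_get KEY DUMP -> prints the integer for KEY from a defaults-read dump,
# or "missing" when the key is not present.
alf_get() {
    _v=$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1 = \([0-9][0-9]*\);.*/\1/p")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'missing\n'; fi
}

# alf_audit DUMP -> prints one DEVIATION line per key that differs from the
# baseline; the return code is the number of deviations (0 = compliant).
alf_audit() {
    _bad=0
    for _want in globalstate=1 stealthenabled=1 loggingenabled=1; do
        _key=${_want%=*}; _exp=${_want#*=}
        _got=$(alf_get "$_key" "$1")
        if [ "$_got" != "$_exp" ]; then
            echo "DEVIATION: $_key=$_got (baseline $_exp)"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# alf_check_paths PATHS -> for each newline-separated path, flag .app bundles
# (-t wants the binary under Contents/MacOS) and paths that no longer exist
# (a stale trust entry).  Return code = number of findings.
alf_check_paths() {
    _bad=0
    while IFS= read -r _p; do
        [ -z "$_p" ] && continue
        case $_p in
            *.app) echo "BUNDLE: $_p (point -t at Contents/MacOS/<binary>)"
                   _bad=$((_bad + 1)); continue ;;
        esac
        if [ ! -f "$_p" ]; then
            echo "MISSING: $_p (trusted entry points at nothing)"; _bad=$((_bad + 1))
        fi
    done <<EOF
$1
EOF
    return $_bad
}

# Live run on a Mac (root needed for socketfilterfw); skipped elsewhere.
# The sed that pulls a quoted path out of the -l output is an assumed format.
if [ "${1:-}" = "--live" ] && [ -x "$SFFW" ]; then
    alf_audit "$(defaults read "$ALF_PLIST")"
    alf_check_paths "$("$SFFW" -l | grep TRUSTEDAPPS | sed -n 's/.*"\(\/[^"]*\)".*/\1/p')"
fi
```

Run it with --live on the Mac being audited; without that flag it only defines the functions so they can be exercised against a captured dump.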

  • kyue

    Hello,

    I am trying to use the command outlined in this article to add a trusted site to the ALF, but it doesn’t seem to be working. I am pointing to the binary file, but whenever I execute the command to add, it hangs there. This is my output:

    kyue:/usr/libexec/ApplicationFirewall> sudo ./socketfilterfw -t ~/[my binary path]
    adding ~/[my binary path] to the list of trusted applications
    GetSignException: creator 'BNUp'
    GetSignException: creator 'BNu2'
    GetSignException: creator 'SWar'
    GetSignException: creator 'StCm'
    GetSignException: creator 'Dbl2'
    GetSignException: creator 'PJ03'
    GetSignException: creator 'PJ07'
    GetSignException: creator 'FP98'

    And then it sits there for quite a while, with no further output. Is there a reason for it? Should it be taking over 5 minutes for it to process? I tried restarting my computer, thinking it may help, but it didn’t.

    Any ideas will be greatly appreciated!

    Kat

    • http://www.krypted.com admin

      I see that happen when the app isn’t signed before trying to add it to the trusted apps. Is the app signed?

  • kyue

    That thought did cross my mind. I’m not sure if my app is signed. Is this where I use -s file to sign it? This is what I tried and it killed socketfilterfw :(

    kyue:/usr/libexec/ApplicationFirewall> sudo ./socketfilterfw -s ~/[my binary path]
    GetSignException: creator 'BNUp'
    GetSignException: creator 'BNu2'
    GetSignException: creator 'SWar'
    GetSignException: creator 'StCm'
    GetSignException: creator 'Dbl2'
    GetSignException: creator 'PJ03'
    GetSignException: creator 'PJ07'
    GetSignException: creator 'FP98'
    Killed

  • kyue

    Just to provide a bit of closure. After playing around with it some more, these “GetSignException” messages are for applications that are signed and not found on my Mac. These creators are from World of Warcraft, Diablo 2, etc., which are irrelevant to what I am trying to do. I posted the question on the Apple Discussions Forum. Someone said that this may be because this is no longer supported and therefore does not work anymore.

    http://discussions.apple.com/thread.jspa?messageID=10900266&#10900266

  • http://www.krypted.com admin

    Hey, sorry for the delay. WoW and Diablo are signed. Thus when you try to sign them you break the in-application aspect of the signature. ALF should already have an exception for those apps specifically though, as that bug was closed a while back. Let me know if you don’t have a workaround and I can refile.

  • http://www.krypted.com admin

    PS – I applaud Blizzard for having been ahead of the curve and signing their stuff prior to Apple implementing ALF… Random (kinda) sidenote.