
Using afctl To Manage The Adaptive Firewall In OS X Yosemite Server

OS X Server (Yosemite 10.10 running Server 3.5) has an adaptive firewall built in: a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that client from communicating with the server for 15 minutes. If you’re troubleshooting and you accidentally trip one of these rules it can be a bit frustrating, which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

afctl -d

When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

afctl -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

afctl -r 192.168.210.69

To add an IP to the blacklist, use the -a option, also followed by the IP:

afctl -a 192.168.210.69

To permanently add a machine to the whitelist, use -w with the IP:

afctl -w 192.168.210.69

To remove an IP from that whitelist, use -x:

afctl -x 192.168.210.69

To straight up disable afctl, use -X:

afctl -X

To turn it back on, use -f:

afctl -f

You can also set the number of bad attempts before a host gets automatically added to the blacklist using -T:

afctl -T 5

To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/Library/LaunchDaemons/com.apple.afctl.plist, meaning that to stop the service outright, use launchctl with the full path to that plist:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.afctl.plist

The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, though a number of open source tools can do the same job. But for something built-in and easy, it is worth using.
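Since the blacklist and whitelist are plain text files, a small wrapper can check where an address actually stands before you run afctl -r or afctl -a against it, which avoids removing a block that never existed or blacklisting a host you had whitelisted. This is an added example, not code from the original post or from Apple; it assumes the files hold one address per line and that AF_DB_DIR may be pointed at a copy of /var/db/af for offline use.

```bash
#!/bin/sh
# Added example: inspect the adaptive firewall's list files before changing them.
# Assumption (not stated in the post): /var/db/af/blacklist and whitelist contain
# one IP address per line. AF_DB_DIR is overridable so the checks run offline.

AF_DB_DIR="${AF_DB_DIR:-/var/db/af}"
AFCTL="/usr/libexec/afctl"   # path given in the post; all options need sudo

# is_listed FILE ADDRESS -> success if ADDRESS is a whole line in FILE.
# -x matches the full line, so 192.168.210.6 does not match 192.168.210.69.
is_listed() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# af_status ADDRESS -> prints whitelisted, blacklisted or unlisted.
# The whitelist is consulted first, since a whitelisted host is never blocked.
af_status() {
    if is_listed "$AF_DB_DIR/whitelist" "$1"; then
        echo whitelisted
    elif is_listed "$AF_DB_DIR/blacklist" "$1"; then
        echo blacklisted
    else
        echo unlisted
    fi
}

# af_unblock ADDRESS -> run afctl -r only when the address is really blocked.
af_unblock() {
    case "$(af_status "$1")" in
        blacklisted) sudo "$AFCTL" -r "$1" ;;
        whitelisted) echo "$1 is whitelisted, nothing to remove" >&2; return 1 ;;
        *)           echo "$1 is not in the blacklist" >&2; return 1 ;;
    esac
}

# af_block ADDRESS -> run afctl -a, refusing to blacklist a whitelisted host.
af_block() {
    case "$(af_status "$1")" in
        whitelisted) echo "$1 is whitelisted, remove it with afctl -x first" >&2; return 1 ;;
        blacklisted) echo "$1 is already blacklisted" >&2; return 0 ;;
        *)           sudo "$AFCTL" -a "$1" ;;
    esac
}
```

Run it as `AF_DB_DIR=/var/db/af sh -c '. ./afcheck.sh; af_status 192.168.210.69'` (or source it interactively) to see the state of an address before touching the rules.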

There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if you are plugging this information into a tool like Splunk):
• Date
• Date statistics start
• Number of hosts blocked
• Addresses blocked
• Number of times each address was blocked
• Last time a host was blocked
• Total number of times a block was issued

In the past 23 hours 59 minutes the following hosts were blocked by the Adaptive Firewall
from 2014-09-13 06:10:54 +0000
to 2014-09-14 06:10:53 +0000

Address Count(Total) Last Block Time

0 unique hosts 0 total blocks 0 overall
Count indicates the number of times a host was blocked during this
reporting period. Total indicates the total number of times this host
was blocked in the last week
See the “Security:Firewall Service” section of http://help.apple.com/advancedserveradmin/
for more information about the Adaptive Firewall.

You can also use the -v argument to run commands verbosely.