krypted.com

Tiny Deathstars of Foulness

The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall. Some tricks I’ve picked up with the Mac Firewall/alf scripting:
  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences replacing it with the default plist from /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings, then enable the firewall. If a remote system, do ;wait; and then enable the first time to make sure everything works before enabling the firewall for good.
  • To debug, use the following command: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic: /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on To see if block all is enabled: /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall The output would be as follows, if successful: Firewall is set to block all non-essential incoming connections A couple of global options that can be set. Stealth Mode: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on To check if stealth mode is enabled: /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode Firewall logging: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt: detail To start the firewall: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications: /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on To check if you allow signed apps: /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application: /usr/libexec/ApplicationFirewall/socketfilterfw --listapps To check if an app is blocked: /usr/libexec/ApplicationFirewall/socketfilterfw –getappblocked /Applications/MyApp.app/Contents/MacOS/myapp This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle): /usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp Once signed, verify the signature: /usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp Once signed, trust the application using the –add option: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp To see a list of trusted applications. You can do so by using the -l option as follows (the output is pretty ugly and needs to be parsed better): /usr/libexec/ApplicationFirewall/socketfilterfw -l If, in the course of your testing, you determine the firewall just isn’t for you, disable it: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off To sanity check whether it’s started: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate Or to manually stop it using launchctl (should start again with a reboot): launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist If you disable the firewalll using launchctl, you may need to restart services for them to work again.

July 16th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

By default, when you are using Time Machine in Mac OS X, every time you insert a drive the system will ask you if you would like to use that drive as a Time Machine backup destination.  If you are like me and you swap drives around a lot then this can get annoying.  So to stop it you can actually just disable a launchd System Daemon, com.apple.backupd-attach.  To do so, simply move the /System/Library/LaunchDaemons/com.apple.backupd-attach.plist to another location and viola, on the next restart when you attach a disk Time Machine won’t ask you if you wish to add the disk to your Time Machine destinations.
/System/Library/LaunchDaemons/com.apple.backupd-attach.plist
While this is one way, reader @Chealion pointed out on Twitter that the following command will go ahead and do the same thing without monkeying with launchd:
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true;

June 29th, 2009

Posted In: Mac OS X

Tags: , , , , , , ,