More Info on Leopard's New Firewall

Wednesday, 2007-11-14; 11:19:00

So in my last entry, there was one thing missing that I didn't get around to checking: how to configure Leopard's application firewall from the command line. In Tiger and earlier, you could use the ipfw command to fine-tune the firewall. What's the equivalent in Leopard?

Well, Chris Pepper over at Extra Pepperoni figured out that the /usr/libexec/ApplicationFirewall/socketfilterfw command offers a limited amount of configuration of the Leopard firewall. (Apparently, in marketing copy it's called an "application firewall", whereas in technical terms it's actually a "socket firewall".) You can set trusted apps, turn on debugging or logging, sign, verify, and check files, and kill the daemon – this last option kills the socketfilterfw tool when it's told to do logging, which runs it in "daemon mode".

Also inside the /usr/libexec/ApplicationFirewall/ folder sits the actual Firewall itself, aptly named "Firewall", as well as another tool named "appfwloggerd". Not sure what this is for: it seems to take no command-line arguments, although you can manually launch it. Not sure what it logs or where it logs to, especially because the socketfilterfw app supposedly supports logging as well, and it doesn't launch the appfwloggerd tool to do it.

Finally, there's a plist file in that same folder named "". As Pepper points out, "alf" probably stands for "application level firewall". In any case, this plist file stores some interesting bits of info. There's an array named "exceptions" that contains, by default, the following tools:

  • /usr/bin/nmblookup
  • /sbin/mount_ftp
  • /usr/bin/gdb
  • /System/Library/Filesystems/ftp.fs/mount_ftp
  • /usr/bin/smbclient
  • /usr/sbin/mDNSResponder

Ostensibly, this list represents items that are always allowed through the Leopard firewall. So, NetBIOS to IP address mapping, FTP usage, code debugging, Windows file sharing, Bonjour networking, and the NetAuthAgent app — which lives at /System/Library/CoreServices/ — seem to be always allowed through; at least that's what's implied by "exceptions". I haven't done any testing on this. Also, do these still require that they pass the code signing test? That's a good question, and the answer could affect where hackers first attempt to breach the Leopard firewall.

"Trusted" applications, which you can supposedly set via the socketfilterfw tool, are different, and seem to represent some of the various services exposed in the Sharing preference pane. These are actually stored in the "firewall" dictionary, but the "-d" argument for the socketfilterfw tool notes that these are trusted. In particular, the default trusted apps are:

  • AppleVNCServer (Apple Remote Desktop)
  • ftpd (FTP service)
  • AppleFileServer (Personal File Sharing)
  • httpd (Personal Web Sharing)
  • cupsd (Printer Sharing)
  • AEServer (Remote Apple Events, i.e.: AppleScript)
  • sshd-keygen-wrapper (Remote Login via SSH)
  • smbd (Windows File Sharing)

Note that as far as I know, all of these services are turned off by default, so this doesn't represent a reliable way to hack into a Mac or propagate malicious viruses.

I tried adding Memory Usage Getter and TuneTagger to the list of trusted apps via the "-t" option in the socketfilterfw tool, but the tool always seems to hang when I do that, no matter if I give a path to the application bundle, the application executable, or even just a bundle identifier. It prints a message that it's going to add the app to the list of trusted applications, but it never seems to actually work. Looks like this firewall is still a work in progress.

Finally, there's an array in this plist file named "explicitauths", which contains paths to python, ruby, perl, java, and php executables. These are all code interpreters, but I'm not sure what is meant by "explicitauths". Does this allow incoming connections to any code run with these interpreters? Hopefully not.

There are some other parameters included in the "" file; in particular, an empty "applications" array, and "firewallunload", "globalstate", "loggingenabled", "stealthenabled", and "version" parameters, with values that seem to represent the default state for the firewall. The empty "applications" array represents what apps the user has been prompted for, or what apps the user has specifically added via the Security preference pane. (Since it's empty, no applications — well, other than the trusted apps and the exceptions and the explicitauths — are allowed through.) Note that logging is enabled by default, but stealth mode is not. These two settings can also be changed by clicking the "Advanced..." button in the Firewall tab of the Security preference pane in Leopard.

If you're looking for your actual firewall configuration file, look no further than /Library/Preferences/ Any apps you've added to the Security preference pane will show up in the "applications" array, and the values for the various firewall parameters will also reflect how they're set in the Security preference pane.
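As an added example (not from the post or from Apple), the following Python script parses an ALF-style plist with the keys described above and reports the four allow-lists plus the logging and stealth flags, so a defender can review a firewall configuration offline. The sample plist is constructed, and the inner layout of the "firewall" and "applications" entries (proc/state and path/state) is assumed, since the post does not document it.

```python
import plistlib

# Constructed sample mirroring the keys the post describes. The inner layout of
# the "firewall" dictionary (service name -> proc/state) and of "applications"
# entries (path/state) is an assumption, not something the post documents.
SAMPLE_ALF_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>applications</key><array>
    <dict><key>path</key><string>/Applications/TuneTagger.app</string>
          <key>state</key><integer>0</integer></dict></array>
  <key>exceptions</key><array>
    <string>/usr/bin/nmblookup</string><string>/usr/sbin/mDNSResponder</string></array>
  <key>explicitauths</key><array>
    <string>/usr/bin/python</string><string>/usr/bin/perl</string></array>
  <key>firewall</key><dict>
    <key>Windows File Sharing</key>
    <dict><key>proc</key><string>smbd</string><key>state</key><integer>0</integer></dict>
    <key>Remote Login - SSH</key>
    <dict><key>proc</key><string>sshd-keygen-wrapper</string><key>state</key><integer>0</integer></dict>
  </dict>
  <key>globalstate</key><integer>0</integer>
  <key>loggingenabled</key><integer>1</integer>
  <key>stealthenabled</key><integer>0</integer>
  <key>version</key><string>1.0</string>
</dict></plist>"""


def summarize_alf(plist_bytes):
    # Collect everything that is let through: exceptions, trusted service
    # processes (from the "firewall" dict), interpreters, and user-added apps.
    cfg = plistlib.loads(plist_bytes)
    trusted = sorted(e.get("proc", name) for name, e in cfg.get("firewall", {}).items())
    return {
        "exceptions": list(cfg.get("exceptions", [])),
        "trusted": trusted,
        "explicitauths": list(cfg.get("explicitauths", [])),
        "applications": [a.get("path") for a in cfg.get("applications", [])],
        "logging": bool(cfg.get("loggingenabled", 0)),
        "stealth": bool(cfg.get("stealthenabled", 0)),
        "globalstate": cfg.get("globalstate"),  # left uninterpreted; post gives no meaning
    }


def audit(plist_bytes):
    # Findings a reviewer would want: logging off, stealth off, interpreters
    # given blanket authorization, and any apps the user has added.
    s = summarize_alf(plist_bytes)
    findings = []
    if not s["logging"]:
        findings.append("logging disabled (default is on)")
    if not s["stealth"]:
        findings.append("stealth mode disabled (default)")
    findings += ["interpreter in explicitauths: " + p for p in s["explicitauths"]]
    findings += ["user-added application: " + p for p in s["applications"]]
    return findings
```

On a real Leopard system the same functions can be fed the bytes of the file under /Library/Preferences/ that the post points to, provided its layout matches the assumptions above.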
