Recently I needed to find a way to add open ports to the built-in Apple firewall from the command line in a way that would NOT disable the firewall GUI in System Preferences. Many people suggest just running ipfw commands from the command line, but this disables the GUI and was therefore not a workable solution. I was unable to find anything documented, but after some poking around I was able to get this working reliably.
I have a version of this script that will add a firewall entry on Panther systems as well, but it does not automatically activate it. If anyone can figure out how to get an automatically enabled entry to work in Panther, I would love to hear about it.
Sean
#!/bin/bash
# Mac OS X script to open the firewall port for the Retrospect client in a proper manner and
# disable stealth mode.
# The port checks use grep -w so that 497 only matches a whole list entry; a plain
# "grep 497" would also match 4497 and wrongly conclude the port is already there.
# Must be run as root, since it edits a plist under /Library/Preferences.
# By: Sean P. Kane
PLIST=/Library/Preferences/com.apple.sharing.firewall
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root (use sudo)." >&2
    exit 1
fi
# TCP port list shown in the GUI
ANSWER1=`defaults read "${PLIST}" allports 2>/dev/null | grep -w 497`
if [ -z "${ANSWER1}" ]; then
    defaults write "${PLIST}" allports -array-add 497
fi
# UDP port list shown in the GUI
ANSWER2=`defaults read "${PLIST}" alludpports 2>/dev/null | grep -w 497`
if [ -z "${ANSWER2}" ]; then
    defaults write "${PLIST}" alludpports -array-add 497
fi
# Named, enabled rule that appears in the System Preferences firewall list
ANSWER3=`defaults read "${PLIST}" firewall 2>/dev/null | grep "port = (497)"`
if [ -z "${ANSWER3}" ]; then
    defaults write "${PLIST}" firewall -dict-add 'Retrospect Client' '<dict><key>editable</key><integer>1</integer><key>enable</key><integer>1</integer><key>port</key><array><string>497</string></array><key>row</key><integer>100</integer><key>udpport</key><array><string>497</string></array></dict>'
fi
# Turn stealth mode off
defaults write "${PLIST}" stealthenabled -int 0
# Apply the updated plist to the live ipfw ruleset
/usr/libexec/FirewallTool
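The script above is specific to port 497. As an added example that is not part of Sean's hint, the helper below turns the same plist edit into a reusable, idempotent function: it validates the port, checks each array with an anchored match (so 497 never matches 4497), adds the named rule only when its name is absent, and finishes with /usr/libexec/FirewallTool so the live ruleset is rebuilt from the plist. It assumes the same plist keys the hint uses (allports, alludpports, firewall) and the row value 100 from the hint's dict; the function names and the --apply flag are my own.

```shell
#!/bin/sh
# Added example, not part of the original hint: an idempotent helper that opens
# one TCP/UDP port in the Tiger-era com.apple.sharing.firewall plist without
# disturbing the System Preferences GUI. Assumptions: the plist keys used by the
# hint (allports, alludpports, firewall) and that /usr/libexec/FirewallTool
# re-applies the plist to the live ipfw ruleset.

PLIST=/Library/Preferences/com.apple.sharing.firewall

# True if PORT is a whole number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if PORT appears as a complete entry in LISTING, where LISTING is the text
# that `defaults read $PLIST allports` prints, e.g. "(\n    497,\n    4497\n)".
# The digits are anchored on both sides, so 497 does not match 4497.
port_listed() {   # usage: port_listed "$listing" PORT
    printf '%s\n' "$1" | grep -Eq "(^|[^0-9])$2([^0-9]|\$)"
}

# The <dict> the GUI expects for a named rule (same layout as the hint's script);
# ENABLED is 1 to switch the rule on immediately, 0 to leave it unchecked.
rule_xml() {   # usage: rule_xml PORT ENABLED
    printf '<dict><key>editable</key><integer>1</integer><key>enable</key><integer>%s</integer><key>port</key><array><string>%s</string></array><key>row</key><integer>100</integer><key>udpport</key><array><string>%s</string></array></dict>' "$2" "$1" "$1"
}

# Add NAME/PORT to the plist only where it is missing, then activate the rules.
# Root is required because the plist lives under /Library/Preferences.
open_port() {   # usage: open_port "Rule name" PORT
    name=$1; port=$2
    valid_port "$port" || { echo "open_port: bad port '$port'" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "open_port: must run as root" >&2; return 1; }
    for key in allports alludpports; do
        listing=$(defaults read "$PLIST" "$key" 2>/dev/null || true)
        port_listed "$listing" "$port" || defaults write "$PLIST" "$key" -array-add "$port"
    done
    # The firewall dict is keyed by rule name; a fixed-string grep on the name
    # is a good-enough idempotency check for a one-off rule like this.
    if ! defaults read "$PLIST" firewall 2>/dev/null | grep -Fq "$name"; then
        defaults write "$PLIST" firewall -dict-add "$name" "$(rule_xml "$port" 1)"
    fi
    /usr/libexec/FirewallTool
}

# Invoke as: sudo sh open-port.sh --apply "Retrospect Client" 497
case "${1-}" in
    --apply) open_port "$2" "$3" ;;
esac
```

Note that open_port refuses to run unless it is root, because a non-root `defaults write` against /Library/Preferences would silently fail or, worse, write a copy into the user's own preferences where the GUI never reads it.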
Oh very nice.
Run /usr/libexec/FirewallTool to activate your firewall ruleset.
I occasionally need to run a tftp server on my Mac, and I don't want to permanently enable the firewall rules in the Sharing control panel, so I enable port 69 with ipfw, and then when I'm done I just run FirewallTool and the rules are restored to the Sharing panel state.
It's actually very helpful because you can play with ipfw as much as you want, and make the rules any way imaginable, and you're always one command away from completely reverting all of your changes.
I use AppleScript so I have a double-clickable way to set the firewall on my users' Macs.
do shell script "/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall state -bool YES" with administrator privileges
do shell script "/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled -int 1" with administrator privileges
do shell script "/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall firewall -dict-add 'SAV' '<dict><key>editable</key><integer>0</integer><key>enable</key><integer>1</integer><key>port</key><array><string>2967</string></array><key>udpport</key><array><string>2967</string></array></dict>'" with administrator privileges
do shell script "/usr/libexec/FirewallTool" with administrator privileges