Programmatic firewall configuration

  • I have an application that provides a service, listening on a user-
    configurable port.

    Currently, if OS X's firewall is active, the user must add a new
    entry for my app to the firewall configuration in the Sharing pref
    pane - otherwise the service can't be used from other machines.

    Is it possible to open a port programmatically to save the user
    setting this up? Manipulating the ipfw rules manually is bad because
    it disables the preferences GUI. I found a post from a few years ago
    (10.2) on this topic, discussing direct manipulation of
    com.apple.sharing.firewall.plist (doesn't work), and indicating the
    possibility of an API for this purpose.

    Thank you,
    Adrian

    In 2003, Jens Alfke wrote:
    >> A simpler approach is to just look at the settings from the GUI; these
    >> are stored in a plist in
    >> /Library/Preferences/com.apple.sharing.firewall.plist .  This won't
    >> help if the user has set up a sophisticated manually configured
    >> firewall, but if they can do that, they can fix their own
    >> problems :-)
    >
    > I just checked with Elizabeth Douglas, who owns the firewall GUI. She
    > would prefer that developers not access this file.
    >
    > * Above all else, DO NOT MODIFY the file. It merely shadows the real
    > firewall settings, so changing it will not affect the real firewall;
    > but it will confuse & annoy the firewall pref panel next time it runs.
    >
    > * It's possible to read the file to determine how the GUI has set up
    > the firewall, but the format of the file may change in the future, so
    > we'd rather you not do this.
    >
    > * In the next major OS X release there will be an API developers can
    > use to access the firewall settings; that will be the way to go.
  • Hi, Adrian,

    I get the feeling that, although it would be convenient, this is a
    Bad Idea (tm) because it changes an essential system behind the
    user's back.  Your product isn't malware, but what if malware somehow
    had this ability?  Perhaps other list users can chime in with a
    better idea, such as an illustrated walkthrough, displayed to the
    user, for the process of opening the Firewall port.

    Cheers,
        Andrew Merenbach

    On Sep 23, 2007, at 5:35 PM, Adrian wrote:

    > I have an application that provides a service, listening on a user-
    > configurable port.
    >
    > Currently, if OS X's firewall is active, the user must add a new
    > entry for my app to the firewall configuration in the Sharing pref
    > pane - otherwise the service can't be used from other machines.
    >
    > Is it possible to open a port programmatically to save the user
    > setting this up? Manipulating the ipfw rules manually is bad
    > because it disables the preferences GUI. I found a post from a few
    > years ago (10.2) on this topic, discussing direct manipulation of
    > com.apple.sharing.firewall.plist (doesn't work), and indicating the
    > possibility of an API for this purpose.
    >
    > Thank you,
    > Adrian
    >
    >
    > In 2003, Jens Alfke wrote:
    >>> A simpler approach is to just look at the settings from the GUI; these
    >>> are stored in a plist in
    >>> /Library/Preferences/com.apple.sharing.firewall.plist .  This won't
    >>> help if the user has set up a sophisticated manually configured
    >>> firewall, but if they can do that, they can fix their own
    >>> problems :-)
    >>
    >> I just checked with Elizabeth Douglas, who owns the firewall GUI. She
    >> would prefer that developers not access this file.
    >>
    >> * Above all else, DO NOT MODIFY the file. It merely shadows the real
    >> firewall settings, so changing it will not affect the real firewall;
    >> but it will confuse & annoy the firewall pref panel next time it
    >> runs.
    >>
    >> * It's possible to read the file to determine how the GUI has set up
    >> the firewall, but the format of the file may change in the future, so
    >> we'd rather you not do this.
    >>
    >> * In the next major OS X release there will be an API developers can
    >> use to access the firewall settings; that will be the way to go.

  • The networking list is a better place for the question, but
    historically the answer is that there is no API and no plans for an
    API because then any piece of malware could open up your firewall.

    Dave

    On Sep 23, 2007, at 5:49 PM, Andrew Merenbach wrote:

    > Hi, Adrian,
    >
    > I get the feeling that, although it would be convenient, this is a
    > Bad Idea (tm) because it changes an essential system behind the
    > user's back.  Your product isn't malware, but what if malware
    > somehow had this ability?  Perhaps other list users can chime in
    > with a better idea, such as an illustrated walkthrough, displayed
    > to the user, for the process of opening the Firewall port.
    >
    > Cheers,
    > Andrew Merenbach
    >
    > On Sep 23, 2007, at 5:35 PM, Adrian wrote:
    >
    >> I have an application that provides a service, listening on a user-
    >> configurable port.
    >>
    >> Currently, if OS X's firewall is active, the user must add a new
    >> entry for my app to the firewall configuration in the Sharing pref
    >> pane - otherwise the service can't be used from other machines.
    >>
    >> Is it possible to open a port programmatically to save the user
    >> setting this up? Manipulating the ipfw rules manually is bad
    >> because it disables the preferences GUI. I found a post from a few
    >> years ago (10.2) on this topic, discussing direct manipulation of
    >> com.apple.sharing.firewall.plist (doesn't work), and indicating
    >> the possibility of an API for this purpose.
    >>
    >> Thank you,
    >> Adrian
    >>
    >>
    >> In 2003, Jens Alfke wrote:
    >>>> A simpler approach is to just look at the settings from the GUI;
    >>>> these are stored in a plist in
    >>>> /Library/Preferences/com.apple.sharing.firewall.plist .  This
    >>>> won't help if the user has set up a sophisticated manually
    >>>> configured firewall, but if they can do that, they can fix their
    >>>> own problems :-)
    >>>
    >>> I just checked with Elizabeth Douglas, who owns the firewall GUI.
    >>> She would prefer that developers not access this file.
    >>>
    >>> * Above all else, DO NOT MODIFY the file. It merely shadows the real
    >>> firewall settings, so changing it will not affect the real firewall;
    >>> but it will confuse & annoy the firewall pref panel next time it
    >>> runs.
    >>>
    >>> * It's possible to read the file to determine how the GUI has set up
    >>> the firewall, but the format of the file may change in the
    >>> future, so we'd rather you not do this.
    >>>
    >>> * In the next major OS X release there will be an API developers can
    >>> use to access the firewall settings; that will be the way to go.

