Configure firewall ports automatically by application Network
With the recent security threats to OS X, I thought it would be a good idea to be able to automatically configure my firewall based on the applications I have open. If no application is using said port, it's closed. So with a little help from bash and AppleScript, I now have an application that automagically scans for open applications and configures the firewall accordingly. Enjoy!

  1. Go to the Firewall in System Preferences, and enable the firewall ports you want to activate dynamically.

  2. Go to the Terminal, and type sudo ipfw list. Take note of the ID numbers of the rules that concern these ports; it's the first column on the left.

  3. Type cd /usr/local/bin, followed by sudo pico configfw (and enter your password when prompted).

  4. Paste the following script:
    #!/bin/bash
    # psapp NAME: succeeds if a process matching NAME is running (the grep itself is excluded).
    function psapp() {
      ps -ax | grep -i "$1" | grep -i -v -q "grep.-i.$1"
    }
    # addrule NAME RULEID PORT: delete the rule, then re-add it only if NAME is running.
    function addrule() {
      sudo ipfw -q delete "$2"
      if psapp "$1"; then
        sudo ipfw -q add "$2" allow tcp from any to any dst-port "$3" in
        echo "***$1 port activated ($3)***"
      else
        echo "---$1 port deactivated ($3)---"
      fi
    }
    addrule "Applicationname" "ruleid" "portnumber"
  5. In the addrule line, substitute Applicationname with the name of the application, ruleid with the number of the rule you noted in step two, and portnumber with the corresponding port number(s).

  6. Repeat adding a new addrule line for each of the applications you need to enable.

  7. Type Control-X, "Y", Enter.

  8. Open up Script Editor, and paste the following code (adding the username and password of an admin user):
    do shell script "sudo /usr/local/bin/configfw" user name "yourusername" ¬
      password "xxxxxx" with administrator privileges
  9. Save the script as an application, and put it where you want it.
Done! Every time you run the AppleScript application, the ports will be configured automatically for each application that has an addrule line in configfw.

To confirm that it works, disable the ports in System Preferences, run one of the applications, run the AppleScript, and then do sudo ipfw list in the Terminal. The rule for the application should show up in the ipfw configuration. To see the script in action, with output and all, just do sudo configfw in the Terminal.
Configure firewall ports automatically by application | 11 comments
Configure firewall ports automatically by application
Authored by: lincd0 on Mar 13, '06 08:46:50AM

This is, frankly, a terrible idea. You are writing your administrator password to disk in the clear, and also submitting it in the clear so that anyone who can log in can sniff it. Nobody who is so uninformed about security should be messing around with firewall rules at all. Either live with the defaults or turn it off.

Configure firewall ports automatically by application
Authored by: sparcleosx on Mar 13, '06 09:06:51AM

Besides that, isn't that just what we don't like about Microsoft? Open all connections when the application thinks it has to?
If you don't know what you are doing... then don't do it.

Configure firewall ports automatically by application
Authored by: Coumerelli on Mar 13, '06 09:42:22AM

The difference between this hint and MS is that I just told my computer when and what ports to open. It's not actually doing any thinking for itself. I've got the control. With MS, I'm not even sure you can disable some of that stuff.

"The best way to accelerate a PC is 9.8 m/s2"

Configure firewall ports automatically by application
Authored by: Coumerelli on Mar 13, '06 09:31:32AM

I think it's brilliant! And, hey, if someone has physical access for a long enough time to sniff my password sent in the clear (which is not sent over any network, mind you) then I have bigger problems. And by then I've probably already lost my laptop to theft anyway. This is hardly a security concern to me. And, if I can't trust a person (child of mine or spouse, perhaps?) who DOES have physical access to my computer, then I either lock them out from using programs that can sniff info such as this, or just plain don't give them said laptop to use. Am I right?

"The best way to accelerate a PC is 9.8 m/s2"

Configure firewall ports automatically by application
Authored by: timhaigh on Mar 13, '06 11:09:35AM

Just use Little Snitch. It is an application-aware firewall that controls your outgoing connections.

Configure firewall ports automatically by application
Authored by: xSmurf on Mar 13, '06 11:54:23AM

I really don't see the point. Maybe I'm missing something but what is the point of closing a port when no applications are using it... it's already closed....

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf

I'm afraid...
Authored by: Whyatt on Mar 13, '06 02:41:17PM
I wasn't very clear on the use of this app. The point is that if you have your firewall enabled and you want optimal network performance in your network apps, you'll have to open the ports for these apps in the firewall. And these ports will remain open for incoming traffic even when the apps aren't loaded. iChat, Skype, IRC, LimeWire, whatever you use...

This app isn't because I'm worried about outgoing traffic, like someone already said, just use Little Snitch. That's not the point.

On the other hand, I have no idea how much an app like this in the end really does increase your machine's security. But I personally feel a lot safer knowing that I don't have any idle open ports lying around if I'm not actively asking for information on those ports.

I'm afraid...
Authored by: marook on Mar 13, '06 03:40:39PM

Well, as already mentioned above, if the app/service/daemon that would respond to the incoming port is not running, then no service/port is open on that port, unless it's registered with launchd and then auto-opens when traffic comes in on that port (as it has told launchd to respond to that port).

What the firewall does, is allow the traffic from the low-level network layer to reach the application layer if any app is listening on the given port.

So: Quit the app = port closed!


I'm afraid...
Authored by: Whyatt on Mar 13, '06 04:08:04PM
Well, I do see denied traffic in the ipfw logs for traffic from ports for apps which are currently running. This shows that unless you open up the port manually in the ipfw preferences, there will be denied traffic on these ports.

And leaving the ports open in the ipfw configuration leaves them always open. I've also seen this from denied traffic to these ports logged in the ipfw logs when these apps aren't running.


A better solution...
Authored by: tbo on Mar 13, '06 05:04:41PM

A port is only "open" if an application is listening on the port, and the port is not blocked by a firewall. If the port is not open, you are not vulnerable on that port (unless your network stack itself is vulnerable, in which case you're very, very screwed and a software firewall probably won't save you).

One of two things can happen if a remote computer tries to open a connection to a port on your computer that's not open. Normally, your computer will simply send a RST packet, telling the remote computer that that port is closed. This is what happens with no firewall, or with the Apple firewall (ipfw) in Apple's default configuration. If you turn on "stealth" mode, no response at all is sent. Go grab yourself a copy of nmap and play around to learn how this all works.

Your script gains you essentially no security against network-based attacks, and leaves you highly vulnerable to local attacks. In particular, any local user could use a privilege escalation attack (of which there are apparently some unpublished against OS X) to gain access to your unencrypted password. Since your login password is probably the same as your keychain password, they now own all the passwords in your keychain. This is very bad.

A much, much better thing would be if your firewall intelligently and dynamically allowed inbound traffic only from hosts to which you had already established an outgoing connection. This is called a stateful firewall (because it keeps track of state, in the form of recently open connections). The good news is that ipfw supports this, but you'll have to do it on the command line. What's more, it's not trivial. Go check out the man pages for ipfw and learn how your firewall works. Test things with nmap. For a few ports, you may need to open up a somewhat broader hole in the firewall, but with care that will be OK. It's important to note that this is something that requires you to know what you're doing to some degree, since everyone's network setup and needs are different and a one-size-fits-all solution can't work.

See this link for some help with a simple stateful firewall.

no need to do this
Authored by: mzs on Mar 13, '06 06:34:45PM

There have been some good responses as to why this hint is not a good idea. I think that what the original submitter of the hint was worried about was a scenario like this:

Say he wanted to run sshd (remote logins) or have other machines be able to talk to his X server (sshd uses TCP port 22 and X uses TCP port 6000 for DISPLAY=:0). Now he does not have these running all of the time, but he only wants these ports open when he runs those apps. He thinks that there is something to gain by doing this. Probably he is worried that some other application will run and use port 22 or 6000. Since he has those ports open in his firewall, then some adversary will be able to connect to that other program and possibly break into his machine. Here is why that will not happen:

Run this command in the terminal on your mac:

/usr/sbin/sysctl -a | fgrep net.inet.ip.portrange

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600

(Older systems may have first: 1024 and last: 5000)

When a program selects a port to use it can do that through a call to connect() or bind(). It can specify the port number it wishes to use. Alternatively, if 0 is used for the port number, the system chooses a free ephemeral port on your behalf. These ephemeral ports are from first to last (or hifirst to hilast depending on the IP_PORTRANGE option, but that is getting into too much detail). In any case, in a default config any port that is automatically chosen will be in the range 49152 to 65535. Notice how ports 22 and 6000 are not in that range. Programs that deliberately choose certain port numbers choose ones that are not in the ranges 1024-5000 or 49152-65535 for the reason of this convention.

So you will never have the situation occur that some application got an ephemeral port that happened to be one that you opened in the firewall. Any reasonable application that requires ports to be opened in a firewall for it to work correctly will use ports that are not in the ranges of ports used for ephemeral ports.

I hope that makes sense; it is not so hard to understand as I seem to have written :( In any case, just trust me and the other respondents who wrote comments saying that using this hint serves no good purpose.
