May 03, '06 07:30:00AM • Contributed by: mzs
After using OSXvnc for a while I installed Apple Remote Desktop client 2.1 because I have two screens. Chicken of the VNC to ARD works great (though slowly) as long as I do not choose 8-bit mode and remember to send a password. That is not the problem. The problem is that I had OSXvnc working over ssh, but ARD added a firewall entry for itself that opens ports 5900 and 3283 every time I start it. This was a general problem for me; I did not like how enabling a service would open ports for it in the firewall, since I forward everything I can over ssh. In 10.3, I had a startup item that would configure ipfw itself, but you are supposed to use launchd in 10.4. So I decided I would figure out how to not have ports open automatically when I start a service.
[kirkmc adds: I had a bit of a problem testing this hint (well, at least verifying the steps; I didn't fully test it). The author mentions expanding "udpport" in the plist file in Property List Editor, but I didn't find that key. I tried activating ARD VNC access, and setting a user and password, but the key still didn't show up.
By iChat, I asked Rob if he had it, and indeed he does. I don't know why there is a difference, so if you don't see it, well, I don't know what to suggest. Since this ARD access is a system function - you don't need to have a copy of ARD installed - there's no reason why one Tiger system would have it and another wouldn't.]
In Terminal, type:
sudo open /Library/Preferences/com.apple.sharing.firewall.plist
Expand "Root", expand "firewall", expand "Apple Remote Desktop", expand "port", highlight 5900 and click the "Delete" button at the top of the window, then highlight 3283 and click the Delete button again. Now expand "udpport" and delete both 5900 and 3283 there in the same manner. Now save, then quit Property List Editor.
You will need the Developer Tools installed to run Property List Editor. You can do it from the command line with the pl command and a text editor, but you are on your own for details if you do not want to install the Developer Tools.
You can do this for any other services in a similar way. In fact, it really makes sense to at least remove 5900 from UDP and 3283 from TCP for ARD since, as far as I know, Apple Remote Desktop uses only UDP and VNC only TCP.
% lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ARDAgent 196 mzs 15u IPv4 0x2628750 0t0 UDP *:net-assistant
AppleVNCS 197 mzs 22u IPv4 0x2de9228 0t0 TCP *:5900 (LISTEN)
At first I changed "editable" from 0 to 1 in the plist; that let me toggle the entry on and off in the Firewall tab of System Preferences. The problem was that every time I went to the Sharing pane in System Preferences, the Firewall entries that go along with any enabled service were automatically reset! That is why I had to remove the ports from the lists instead. You can verify whether the ports get opened by typing sudo ipfw list | grep -E '(5900|3283)' in Terminal and seeing if any rules allow them (plain grep treats the parentheses and the | literally, so the -E flag is needed).
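The plist edit above and the ipfw check that follows it can both be done without Property List Editor. The script below is an added example (not part of the original hint): it strips the ARD ports from a copy of com.apple.sharing.firewall.plist and then scans `ipfw list` output for allow rules that still name those ports. It assumes the plist layout the hint describes (Root -> firewall -> "Apple Remote Desktop" -> port and udpport arrays of port strings) and the rule format ipfw prints ("allow udp from any to any dst-port 137 in"); the sample plist and ipfw lines are constructed, and `strip_ports` is generic so it also handles the minimal variant (only 3283 from TCP and 5900 from UDP) the hint suggests.

```python
"""Added example: remove firewall ports from a sharing-firewall plist and
check `ipfw list` output for rules that still allow them. The plist layout
follows the hint's description; the sample data below is constructed."""
import plistlib
import re

# Constructed stand-in for /Library/Preferences/com.apple.sharing.firewall.plist.
SAMPLE_FIREWALL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>firewall</key>
  <dict>
    <key>Apple Remote Desktop</key>
    <dict>
      <key>editable</key>
      <integer>0</integer>
      <key>port</key>
      <array>
        <string>5900</string>
        <string>3283</string>
      </array>
      <key>udpport</key>
      <array>
        <string>5900</string>
        <string>3283</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed lines in the shape of `sudo ipfw list` output.
SAMPLE_IPFW_LIST = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
20320 allow tcp from any to any dst-port 5900 in
20330 allow udp from any to any dst-port 5900 in
20340 allow udp from any to any dst-port 137 in
65535 allow ip from any to any
"""


def strip_ports(plist_bytes, service, tcp_ports=(), udp_ports=()):
    """Return plist bytes with the given TCP ("port") and UDP ("udpport")
    entries removed from one service's firewall definition."""
    data = plistlib.loads(plist_bytes)
    entry = data["firewall"][service]
    remove = {"port": {str(p) for p in tcp_ports},
              "udpport": {str(p) for p in udp_ports}}
    for key, ports in remove.items():
        if key in entry:
            entry[key] = [p for p in entry[key] if str(p) not in ports]
    return plistlib.dumps(data)


def service_ports(plist_bytes, service):
    """Return the remaining TCP and UDP port lists for one service."""
    entry = plistlib.loads(plist_bytes)["firewall"][service]
    return {"port": [str(p) for p in entry.get("port", [])],
            "udpport": [str(p) for p in entry.get("udpport", [])]}


# Matches "<rule> allow tcp|udp ... dst-port <spec>"; spec may be a comma
# list or a range such as 137-139, which is how ipfw prints multi-port rules.
RULE_RE = re.compile(r"^(\d+)\s+allow\s+(tcp|udp)\s+.*\bdst-port\s+([\d,-]+)")


def allowed_rules(ipfw_output, ports):
    """Return (rule_number, proto, port) for every allow rule whose dst-port
    specification covers one of `ports`."""
    wanted = sorted({int(p) for p in ports})
    hits = []
    for line in ipfw_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule, proto, spec = m.groups()
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            lo, hi = int(lo), int(hi or lo)
            hits.extend((int(rule), proto, p) for p in wanted if lo <= p <= hi)
    return hits


if __name__ == "__main__":
    cleaned = strip_ports(SAMPLE_FIREWALL_PLIST, "Apple Remote Desktop",
                          tcp_ports=(5900, 3283), udp_ports=(5900, 3283))
    print(service_ports(cleaned, "Apple Remote Desktop"))
    for rule, proto, port in allowed_rules(SAMPLE_IPFW_LIST, (5900, 3283)):
        print(f"rule {rule} still allows {proto}/{port}")
```

On a real system you would read the plist with `sudo`, write the result back over the original, and feed `sudo ipfw list` to `allowed_rules` after reopening the Sharing pane to confirm the entries were not regenerated.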
I do not like launchd very much. It seems scary to start xinetd and init processes from the same process. Plus, I loved the fine grained control of xinetd.d and the new XML stuff is just too verbose. Sadly, there is no analogue to only_from in launchd. But here is what I did before I knew about how to disable things in the firewall like this. You can add this to files in /System/Library/LaunchDaemons/
<key>SockNodeName</key>
<string>127.0.0.1</string>
<key>SockServiceName</key>
This works like bind did for xinetd. In fact, I added just this to /System/Library/LaunchDaemons/nmbd.plist in the "Listeners" dictionary because, even though I edited my com.apple.sharing.firewall.plist, netbios-ns is opened anyway.
% sudo ipfw list | grep '13[789]'
20340 allow udp from any to any dst-port 137 in
I guess there is some hard-coding in the preference pane, since there are two launchd plist files for samba. NETBIOS names will not resolve, but I use DNS names anyway so it all still works as far as I can tell.
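The SockNodeName edit pins one launchd listener to loopback. As an added example that is not part of the hint, the script below audits a launchd job plist and reports every socket that will still bind to all interfaces because SockNodeName is missing or is not a loopback address, and can apply the same 127.0.0.1 pin the hint made by hand to nmbd.plist. It assumes the launchd.plist Sockets layout (Sockets -> listener name -> one dict or an array of dicts carrying SockServiceName, SockNodeName and SockType); the sample job, its org.example label and program path are constructed placeholders, not a real Apple plist.

```python
"""Added example: find launchd sockets that are not pinned to loopback and
add SockNodeName=127.0.0.1 where it is missing. The Sockets layout follows
launchd.plist(5); the job below is a constructed placeholder."""
import plistlib

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed job plist: one listener already pinned to loopback, one not.
SAMPLE_JOB_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>org.example.nmbd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/nmbd</string></array>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <array>
      <dict>
        <key>SockNodeName</key>
        <string>127.0.0.1</string>
        <key>SockServiceName</key>
        <string>netbios-ns</string>
        <key>SockType</key>
        <string>dgram</string>
      </dict>
      <dict>
        <key>SockServiceName</key>
        <string>netbios-dgm</string>
        <key>SockType</key>
        <string>dgram</string>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""


def _sockets(data):
    """Yield (listener_name, socket_dict); launchd accepts either a single
    dict or an array of dicts under each listener name."""
    for name, spec in data.get("Sockets", {}).items():
        for sock in (spec if isinstance(spec, list) else [spec]):
            yield name, sock


def wide_open(job_plist):
    """Return (listener_name, service, node) for each socket that binds to
    every interface: no SockNodeName, or one that is not a loopback name."""
    data = plistlib.loads(job_plist)
    return [(name, sock.get("SockServiceName"), sock.get("SockNodeName"))
            for name, sock in _sockets(data)
            if sock.get("SockNodeName") not in LOOPBACK]


def pin_to_loopback(job_plist):
    """Return plist bytes with SockNodeName set to 127.0.0.1 on every socket
    that lacks it; sockets that already name a node are left alone."""
    data = plistlib.loads(job_plist)
    for _, sock in _sockets(data):
        sock.setdefault("SockNodeName", "127.0.0.1")
    return plistlib.dumps(data)


if __name__ == "__main__":
    for name, service, node in wide_open(SAMPLE_JOB_PLIST):
        print(f"{name}: {service} binds to {node or 'all interfaces'}")
    print(wide_open(pin_to_loopback(SAMPLE_JOB_PLIST)))
```

Run `wide_open` over each file in /System/Library/LaunchDaemons to see which inetd-style services the firewall plist change does not cover; as the hint notes for nmbd, pinning a listener to 127.0.0.1 keeps the port closed regardless of what the Sharing pane writes into ipfw.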
So how do the Firewall entries for the System Sharing services get populated? Poking around in RemoteDesktopClient210.pkg with this command I discovered:
% lsbom RemoteDesktopClient210.pkg/Contents/Archive.bom
...
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/DefaultFirewallInfo.plist
That is where the original values are. I do not think you need to worry about future System Updates reverting the changes you made to com.apple.sharing.firewall.plist, because I touched the DefaultFirewallInfo.plist and restarted the Sharing pane of System Preferences and nothing got changed. Probably the code just checks to see if there is an entry of the same name and does nothing if there is. Also, my hunch is that the setuid /System/Library -> PrivateFrameworks -> NetworkConfig.framework -> Versions -> A -> Resources -> NetCfgTool calling /usr/libexec/FirewallTool is what actually manages the firewall.
With Startup Items in 10.3, it was easy to make a shell script that used ipfw and have it run after the network was up but before any services started. I would ultimately like to do the same thing with launchd instead of messing with a preference file as in this hint. Does anyone have a quick explanation of how to run ipfw after the network is plumbed but before any services start? Also, wouldn't it be nice if Apple simply provided an option so that AppleVNCServer could bind to localhost or use a port other than 5900? Finally, AppleVNCServer seems to advertise the fact that I have a VNC session via Bonjour. That seems counterintuitive since I am tunneling over ssh. I wonder how I can get it to stop advertising the VNC server.
