
10.4: Change firewall rules for system Sharing services
Tiger only hint

After using OSXvnc for a while I installed Apple Remote Desktop client 2.1 because I have two screens. Chicken of the VNC to ARD works great (though slowly) as long as I do not choose 8-bit mode and remember to send a password. That is not the problem. The problem is that I had OSXvnc working over ssh, but ARD added a firewall entry for itself that opens ports 5900 and 3283 every time I start it. This was a general problem for me; I did not like how enabling a service would open ports for it in the firewall, since I forward everything I can over ssh. In 10.3, I had a startup item that would configure ipfw itself, but you are supposed to use launchd in 10.4. So I decided I would figure out how to not have ports open automatically when I start a service.

[kirkmc adds: I had a bit of a problem testing this hint (well, at least verifying the steps; I didn't fully test it). The author mentions expanding "udpport" in the plist file in Property List Editor, but I didn't find that key. I tried activating ARD VNC access, and setting a user and password, but the key still didn't show up.

By iChat, I asked Rob if he had it, and indeed he does. I don't know why there is a difference, so if you don't see it, well, I don't know what to suggest. Since this ARD access is a system function - you don't need to have a copy of ARD installed - there's no reason why one Tiger system would have it and another wouldn't.]

In Terminal, type:
sudo open /Library/Preferences/com.apple.sharing.firewall.plist
Expand "Root", expand "firewall", expand "Apple Remote Desktop", expand "port", highlight 5900 and click the "Delete" button at the top of the window, then highlight 3283 and click the Delete button again. Now expand "udpport" and delete both 5900 and 3283 there in the same manner. Now save, then quit Property List Editor.

You will need the Developer Tools installed to run Property List Editor. You can do it from the command line with the pl command and a text editor, but you are on your own for details if you do not want to install the Developer Tools.

You can do this for any other services in a similar way. In fact, it really makes sense to at least remove 5900 from UDP and 3283 from TCP for ARD since, as far as I know, Apple Remote Desktop uses only UDP and VNC only TCP.
% lsof -i 
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
ARDAgent  196  mzs   15u  IPv4 0x2628750      0t0  UDP *:net-assistant
AppleVNCS 197  mzs   22u  IPv4 0x2de9228      0t0  TCP *:5900 (LISTEN)
At first I changed "editable" from 0 to 1 in the plist; it allowed me to toggle the entry on and off in the Firewall tab of System Preferences. The problem was that every time I went to the Sharing pane in System Preferences, the Firewall entries that go along with any of the enabled services were automatically reset! That is why I had to remove the ports from the lists instead. You can verify whether the ports get opened or not in Terminal by typing sudo ipfw list | grep -E '(5900|3283)' and seeing if any allow rules for those ports are listed (the -E is needed so grep treats the | as alternation).
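The same plist edit done from the command line, plus the ipfw check just described, as an added example (not the hint author's code; it needs a Python 3 plistlib rather than Tiger's stock Python, and the plist layout, the type of the port entries and the ipfw rule format are assumed from what the hint shows):

```python
# Added example (not the hint author's script): remove a Sharing service's ports
# from com.apple.sharing.firewall.plist and check `ipfw list` output for leftovers.
# Assumed layout, from the hint: Root -> firewall -> <service> -> "port"/"udpport".
import plistlib
import re

def drop_ports(firewall_doc, service, tcp_ports=(), udp_ports=()):
    """Copy of the plist dict with the ports removed from the service's "port"
    (TCP) and "udpport" (UDP) arrays.  Compared as strings so it works whether
    the plist stores them as strings or integers (the hint does not say)."""
    doc = dict(firewall_doc)
    services = dict(doc.get("firewall", {}))
    entry = dict(services[service])
    for key, drop in (("port", tcp_ports), ("udpport", udp_ports)):
        unwanted = {str(p) for p in drop}
        if key in entry:
            entry[key] = [p for p in entry[key] if str(p) not in unwanted]
    services[service] = entry
    doc["firewall"] = services
    return doc

IPFW_RULE = re.compile(r"^\d+\s+allow\s+(tcp|udp)\s+from\s+any\s+to\s+any"
                       r"\s+dst-port\s+([\d,-]+)")

def open_ports(ipfw_list_output, watch=(5900, 3283)):
    """(proto, port) pairs from `watch` that an allow rule in `sudo ipfw list`
    output still opens; handles comma lists and ranges.  Replaces the hint's
    grep '(5900|3283)', which needs grep -E for | to mean alternation."""
    found = set()
    for line in ipfw_list_output.splitlines():
        m = IPFW_RULE.match(line.strip())
        if not m:
            continue
        for item in m.group(2).split(","):
            lo, _, hi = item.partition("-")
            lo, hi = int(lo), int(hi or lo)
            found.update((m.group(1), p) for p in watch if lo <= p <= hi)
    return found

# Constructed samples mirroring the plist layout and ipfw lines in the hint.
SAMPLE_FIREWALL = {"firewall": {"Apple Remote Desktop": {
    "editable": 0, "port": ["5900", "3283"], "udpport": ["5900", "3283"]}}}
SAMPLE_IPFW = """02030 allow tcp from any to any dst-port 5900 in
02040 allow udp from any to any dst-port 3283 in
20340 allow udp from any to any dst-port 137 in
65535 allow ip from any to any"""
```

To apply it to the real file, as root, load /Library/Preferences/com.apple.sharing.firewall.plist with plistlib.load(), pass the result through drop_ports(), and write it back with plistlib.dump(..., fmt=plistlib.FMT_BINARY); then reopen the Sharing pane and feed the output of sudo ipfw list to open_ports().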

I do not like launchd very much. It seems scary to start xinetd and init processes from the same process. Plus, I loved the fine grained control of xinetd.d and the new XML stuff is just too verbose. Sadly, there is no analogue to only_from in launchd. But here is what I did before I knew about how to disable things in the firewall like this. You can add this to files in /System/Library/LaunchDaemons/
                        <key>SockNodeName</key>
                        <string>127.0.0.1</string>
                        <key>SockServiceName</key>
This works like bind did for xinetd. In fact, I added just this to /System/Library/LaunchDaemons/nmbd.plist in the "Listeners" dictionary because, even though I edited my com.apple.sharing.firewall.plist, netbios-ns is opened anyway.
% sudo ipfw list | grep '13[789]'
20340 allow udp from any to any dst-port 137 in
I guess there is some hard-coding in the preference pane, since there are two launchd plist files for samba. NETBIOS names will not resolve, but I use DNS names anyway so it all still works as far as I can tell.

So how do the Firewall entries for the System Sharing services get populated? Poking around in RemoteDesktopClient210.pkg with this command I discovered:
% lsbom RemoteDesktopClient210.pkg/Contents/Archive.bom
...
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/DefaultFirewallInfo.plist
That is where the original values are. I do not think you need to worry about future System Updates reverting the changes you made to com.apple.sharing.firewall.plist, because I touched DefaultFirewallInfo.plist and restarted the Sharing pane of System Preferences and nothing got changed. Probably the code just checks to see if there is an entry of the same name and does nothing if there is. Also, my hunch is that the setuid /System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool calling /usr/libexec/FirewallTool is what actually manages the firewall.

With Startup Items in 10.3, it was easy to make a shell script that used ipfw and have it run after the network was up but before any services started. I would ultimately like to do the same thing with launchd instead of messing with a preference file as in this hint. Does anyone have a quick explanation of how to run ipfw after the network is plumbed but before any services start? Also, wouldn't it be nice if Apple simply provided an option so that AppleVNCServer could bind to localhost or use a port other than 5900? Finally, AppleVNCServer seems to advertise the fact that I have a VNC session via Bonjour. That seems counterintuitive since I am tunneling over ssh. I wonder how I can get it to stop advertising the VNC server.
10.4: Change firewall rules for system Sharing services
Authored by: mzs on May 03, '06 10:51:06AM

Possibly the udpport keys show up when you turn on firewalling of UDP in the 10.4 firewall. I don't know for sure though.
10.4: Change firewall rules for system Sharing services
Authored by: mcamou on May 04, '06 05:58:35AM

I was looking for the launchd config file for an IMAP server I had installed quite a while ago and didn't find it in /System/Library/LaunchAgents. Looking at the launchd man page, it turns out there are also launchd config files in:

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
10.4: Change firewall rules for system Sharing services
Authored by: mcamou on May 04, '06 06:09:45AM
The hint is misleading. What you should do is add a SockNodeName tag and the IP address right before the SockServiceName tag. For example:
                                SockNodeName
                                127.0.0.1
                                SockServiceName
In this case, the SockServiceName key was already there, I added the two lines before it.
10.4: Change firewall rules for system Sharing services
Authored by: mcamou on May 04, '06 06:12:19AM
GACK! The preview looked fine but my post got messed up anyway. The correct sequence is:

                                <key>SockNodeName</key>
                                <string>127.0.0.1</string>
                                <key>SockServiceName</key>
10.4: Change firewall rules for system Sharing services
Authored by: avocade on Dec 21, '07 09:44:08AM

A simpler way is just to add an extra 0 to the ports in the com.apple.sharing.firewall.plist preferences, making them 59000 and 32830. Save and restart Remote Desktop in Sharing, and you can no longer access 5900 through the firewall. I know it's a _potential_ risk having those two open... nah. This is a simple hack for those just wanting to ssh in to do vnc, without a lot of ipfw hackery. Works great on my iPhone with VNSea.


---
Sanity is statistical