10.4: Reorder the list of firewall rules System 10.4

Tiger only hint

If you're using the built-in firewall in OS X, you'll find that you can't rearrange the order of the rules in the GUI -- things are stuck in the order that they're shown in the panel. This can make it difficult to find the rules you've added, for instance, as they'll be at the bottom of the list.

If you'd like to rearrange the list, I've figured out how to do it. Read on for the solution...

[robg adds: I haven't tested this one...]

Here's what I did to rearrange the rules:
  1. Copy and paste each of the following lines into Terminal. Do not copy the $; that's just the command prompt:
    $ sudo cp /Library/Preferences/com.apple.sharing.firewall.plist \
    ~/Desktop/
    $ sudo chown $USER:$USER ~/Desktop/com.apple.sharing.firewall.plist
    $ plutil -convert xml1 ~/Desktop/com.apple.sharing.firewall.plist
  2. The firewall rules file is now on your Desktop, and you can edit it with your favorite text editor. If you have the Developer Tools installed, you can use Property List Editor as well. I personally use vim, but it's up to you.

  3. I opened the Firewall tab of the Sharing preferences panel while I was doing the editing, because I'm used to the order that Apple has given these rules. So as a reference, I just started at the Personal File Sharing entry and worked my way down.

    After opening the file, search for Personal File Sharing, and within that entry, you will see a line for row; change its value from 0 to 10.

  4. Next, search for Windows Sharing, and change its row value to 11. Repeat with each rule you'd like to reorder. There are four built-in rules that are editable, so I put these at rows 6 to 9; you can double-up on rows, as it's not that picky about the numbers.

  5. Once you're done with the system rules, you can start on your personal rules. Start them at 0, and increment them by one for the row that you would like each rule to appear in.

  6. Quit System Preferences, then save your edited file and quit the editor.

  7. In Terminal, copy and paste this line to make sure you edited the file properly. It should return OK at the end of the line:
    $ plutil ~/Desktop/com.apple.sharing.firewall.plist
  8. Now move the file back into place and change its ownership back to the system by copying these two commands into Terminal:
    $ sudo chown root:admin ~/Desktop/com.apple.sharing.firewall.plist
    $ sudo cp ~/Desktop/com.apple.sharing.firewall.plist /Library/Preferences/
    You don't have to worry about converting the file back to binary, as System Preferences does this for you the next time you change the file.

Now open System Preferences, and you should see your newly ordered list.

If you are running any services like httpd or sshd on strange ports, you can add them to that particular rule -- just look at how they are formatted. That is, the line would look like row 22; copy the line and add it directly underneath as a new entry. Then change the number in the line you just added to the port your server is running on. Now you won't have to turn on the service and make sure your firewall is open as well.
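The renumbering the hint does by hand (change each rule's row value so the rules you care about come first) can also be done with a short script once the file has been converted to XML with plutil. The example below is added here and is not part of the hint; it uses Python's plistlib and a constructed sample plist whose layout, apart from the "row" key the hint names, is an assumption about how the firewall file is structured (a top-level "firewall" dict keyed by rule name, an assumed "port" array per rule).

```python
import plistlib

# Constructed sample in the layout the hint describes: each rule is a dict
# carrying a "row" integer that fixes its position in the Sharing panel.
# Key names other than "row" are assumptions, not taken from Apple's file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>firewall</key><dict>
    <key>Personal File Sharing</key>
    <dict><key>row</key><integer>0</integer>
          <key>port</key><array><string>548</string></array></dict>
    <key>Windows Sharing</key>
    <dict><key>row</key><integer>1</integer>
          <key>port</key><array><string>139</string></array></dict>
    <key>Remote Login - SSH</key>
    <dict><key>row</key><integer>2</integer>
          <key>port</key><array><string>22</string></array></dict>
    <key>My Web Server</key>
    <dict><key>row</key><integer>3</integer>
          <key>port</key><array><string>8080</string></array></dict>
  </dict>
</dict></plist>"""


def reorder_rules(xml_bytes, desired_order):
    """Renumber "row" so the names in desired_order get rows 0, 1, ... and the
    remaining rules follow, keeping their previous relative order.
    Raises KeyError for a name that is not in the file (a typo in the name
    would otherwise silently leave that rule where it was)."""
    data = plistlib.loads(xml_bytes)
    rules = data["firewall"]
    missing = [n for n in desired_order if n not in rules]
    if missing:
        raise KeyError(f"unknown rule(s): {missing}")
    rest = sorted((n for n in rules if n not in desired_order),
                  key=lambda n: rules[n]["row"])
    for row, name in enumerate(list(desired_order) + rest):
        rules[name]["row"] = row
    # Write XML back out; the hint notes System Preferences re-binarises it later.
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def display_order(xml_bytes):
    """Rule names sorted by row, i.e. the order the Firewall tab would show."""
    rules = plistlib.loads(xml_bytes)["firewall"]
    return [n for n, _ in sorted(rules.items(), key=lambda kv: kv[1]["row"])]
```

Run reorder_rules on the XML produced by plutil, write the result to the Desktop copy, and continue with the plutil check and copy-back steps from the hint.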
10.4: Reorder the list of firewall rules
Authored by: cdss on May 08, '06 01:57:57PM

Either I'm being particularly obtuse or I fail to see the purpose of this hint. Perhaps someone better and smarter than me can explain the logic.



10.4: Reorder the list of firewall rules
Authored by: sjk on May 08, '06 06:03:52PM

Maybe the purpose is for inexperienced users to unnecessarily risk messing up firewall preferences? ;-)

Seriously, most people won't have a good reason to do this. I think it belongs in the hypothetical "just because you can doesn't mean you should" hint category.



10.4: Reorder the list of firewall rules
Authored by: hbp4c on May 09, '06 07:26:48AM

Actually, sometimes you want a specific rule to come before another rule in advanced firewall configurations.

Firewall rules are generally executed starting with rule number 1, and continuing until a matching rule is found.

For example, let's say you want three rules: access to port 80 (for a web service) from any host, block all other ports to any host, but leave open port 22 (for remote login/ssh) from your home network.

If the rules are set up like this:
1- allow port 80 from all
2- deny all ports from all
3- allow port 22 from your favorite home machine
then what will happen is you'll not be able to ssh from your home machine, because rule #2 explicitly denies all connections before rule 3 is evaluated.

Therefore, reordering the rules so that #3 above comes before #2, allows ssh connections.



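The first-match behaviour the comment above describes, as an added example that is not part of the comment or the hint: a small evaluator that walks a rule list in order and returns the first matching action, run on the three rules from the comment before and after moving the ssh rule ahead of the deny-all rule. The rule tuple layout and the home-machine address 192.0.2.10 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set from the comment: (action, port or None for "all ports",
# source network). Order matters: the list is evaluated top to bottom.
RULES_AS_WRITTEN = [
    ("allow", 80, "0.0.0.0/0"),        # 1- allow port 80 from all
    ("deny", None, "0.0.0.0/0"),       # 2- deny all ports from all
    ("allow", 22, "192.0.2.10/32"),    # 3- allow port 22 from the home machine
]


def decide(rules, port, src):
    """First-match evaluation: return the action of the first rule whose port
    and source network both match the connection; deny if nothing matches."""
    addr = ip_address(src)
    for action, rule_port, net in rules:
        if (rule_port is None or rule_port == port) and addr in ip_network(net):
            return action
    return "deny"


def move_before(rules, idx, before_idx):
    """Return a copy of rules with rules[idx] placed just ahead of rules[before_idx],
    which is the reorder the comment recommends (rule 3 ahead of rule 2)."""
    out = list(rules)
    rule = out.pop(idx)
    out.insert(before_idx if before_idx < idx else before_idx - 1, rule)
    return out


def first_matching_rule(rules, port, src):
    """Index of the rule that decides a connection, handy for explaining a result."""
    addr = ip_address(src)
    for i, (_, rule_port, net) in enumerate(rules):
        if (rule_port is None or rule_port == port) and addr in ip_network(net):
            return i
    return None
```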
10.4: Reorder the list of firewall rules
Authored by: jacobolus on May 08, '06 04:10:08PM
This series of steps seems a bit unnecessarily complicated. Why not just edit the file in place? Open it in TextWrangler or TextMate or something. You want:
sudo plutil -convert xml1 /Library/Preferences/com.apple.sharing.firewall.plist
And then something like:
open -a «favorite editor» /Library/Preferences/com.apple.sharing.firewall.plist
Where «favorite editor» could be TextEdit or something.

Would this be useful for guardian
Authored by: heavyboots on May 08, '06 05:53:21PM
Here's an interesting question. Does this allow you to add more "number space" at the beginning of the 10.4 firewall rules? Or is the 10.4 rule incrementation not editable?

Currently, they start at 02000 and increment by 10 for each rule. As someone who would eventually like to integrate guardian into a 10.4 machine someday, I'm wondering if there's a way to create a bigger gap at some point in that ruleset (i.e. probably right after the "02000 allow ip from any to any via lo*" rule).

(Guardian, which is a script that runs with snort, is a way to block access to ssh password guessing scripts in situations where you must allow access by username, btw.)
