A script to automatically enable and disable the firewall
This hint allows your firewall to turn on or off automatically based upon which network you are on. A LaunchAgent watches resolv.conf in order to detect changes in the network. Save the following in /Library/LaunchAgents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KeepAlive</key>
  <false/>
  <key>Label</key>
  <string>com.yourcompany.autofirewall</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Scripts/yourcompany/autofirewall.sh</string>
  </array>
  <key>RunAtLoad</key>
  <false/>
  <key>WatchPaths</key>
  <array>
    <string>/var/run/resolv.conf</string>
  </array>
</dict>
</plist>
Create and save the following shell script as autofirewall.sh, in the location specified in the LaunchAgent (/Library/Scripts/yourcompany in this example):
#!/bin/bash

#Written by Nate Walck and Clint Armstrong
#Liberty University 2009

#This script will automatically enable or disable the firewall depending upon which network it is on.

#This function turns the firewall on or off, depending upon which state is desired.
#If the firewall is already in the desired state, the script leaves it in that state.

function firewall {
  #Reads the current state of the firewall and stores it in variable fw
  fw=$(defaults read /Library/Preferences/com.apple.alf globalstate)

  #This compares the option passed to function firewall to its current state.
  if [ "$1" != "$fw" ]
    then
      #If the option passed is different from the current state, it changes it to the passed value.
      defaults write /Library/Preferences/com.apple.alf globalstate -int "$1"
      #For troubleshooting purposes, you can put in 'say $1' to see which state is being set.
  fi
}

#Determines if resolv.conf exists.
if test -e /var/run/resolv.conf
  then
    #This stores the domain line of resolv.conf into variable NETWORK.
    NETWORK=$(cat /var/run/resolv.conf | grep domain | awk '{print $2}')

    #This case looks at $NETWORK for specific domains and runs commands accordingly
    case "$NETWORK" in

    #If on VPN, function firewall turns the firewall on.
    vpn.yourcompany.com)
    firewall 1
    ;;

    #On any other company domain, function firewall turns the firewall off.
    *.yourcompany.com)
    firewall 0
    ;;

    #On any other domain, function firewall turns the firewall on.
    *)
    firewall 1
    ;;

    esac

  else
    #If no network connection exists, function firewall turns the firewall on.
    firewall 1

fi
[robg adds: I haven't tested this one. You'll have to customize both scripts with your company's own information, replacing references to yourcompany.com.]
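As an added example (not from the hint or its authors), here is a fail-closed version of the network check in POSIX sh: only a "domain" line in resolv.conf is honoured, a missing file or unknown domain leaves the firewall on, and the state is validated before it is written. It keeps the hint's placeholder domains and its trust model, so any network whose DHCP server hands out a yourcompany.com domain is treated as the office.

```sh
#!/bin/sh
# Added example, not part of the original hint: a fail-closed version of the
# network check. Only a "domain" keyword line decides the state; "search"
# lines, comments and a missing file all leave the firewall on.
# yourcompany.com is the hint's placeholder domain.

# Print the desired com.apple.alf globalstate for the resolv.conf file $1:
# 0 = off, 1 = on, 2 = block all incoming.
desired_state() {
  resolv="$1"
  [ -r "$resolv" ] || { echo 1; return; }
  # Last "domain" line wins; "search" lines and comments are ignored.
  domain=$(awk '$1 == "domain" { d = $2 } END { print d }' "$resolv")
  case "$domain" in
    vpn.yourcompany.com) echo 1 ;;   # on the VPN: firewall on
    *.yourcompany.com)   echo 0 ;;   # office network: off, as the hint does
    *)                   echo 1 ;;   # anything else, including no domain: on
  esac
}

# Validate the state before writing it, and write only when it changes.
# Same defaults key the hint uses; this is the only macOS-specific call.
apply_state() {
  case "$1" in 0|1|2) ;; *) echo "refusing invalid state: $1" >&2; return 1 ;; esac
  current=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
  [ "$current" = "$1" ] || defaults write /Library/Preferences/com.apple.alf globalstate -int "$1"
}

# Stand-alone demonstration on constructed resolv.conf files (not real ones).
demo() {
  tmp=$(mktemp -d)
  printf 'domain vpn.yourcompany.com\nnameserver 10.0.0.1\n' > "$tmp/vpn"
  printf 'domain lab.yourcompany.com\nnameserver 10.0.0.1\n' > "$tmp/office"
  printf 'search lab.yourcompany.com\nnameserver 10.0.0.1\n' > "$tmp/search"
  for f in vpn office search missing; do
    echo "$f -> $(desired_state "$tmp/$f")"
  done
  rm -rf "$tmp"
}

demo
```

To use it from the LaunchAgent, replace the demo call with `apply_state "$(desired_state /var/run/resolv.conf)"`.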
A script to automatically enable and disable the firewall
Authored by: simondorfman on Jul 22, '09 09:24:07AM
You could probably do something like this with the handy freeware app: Marco Polo

A script to automatically enable and disable the firewall (based on location in 10.6)
Authored by: edljedi on Oct 09, '09 03:28:47AM

I liked the idea of the script; however, I have been using MarcoPolo and network locations. I changed the second half of the script to look at the network location. When MarcoPolo determines there is a change in the network, it will change the location and subsequently the firewall status. This includes what looks to be a new firewall state in 10.6 (or at least I don't remember seeing it in 10.5). Note: 0 = off; 1 = on; 2 = block all incoming

#Checks to see what the current location is and set the firewall accordingly
#This stores the current location from the networksetup command.
LOCATION=$(networksetup -getcurrentlocation)

#This case looks at $LOCATION for specific locations and runs commands accordingly
case "$LOCATION" in

#On my home location, function firewall turns firewall off.
Home)
firewall 0
;;

#On my work location, function firewall turns firewall on.
Work)
firewall 1
;;

#If on the automatic location, function firewall turns the firewall on w/ block all.
Automatic)
firewall 2
;;

#On any other location, function firewall turns firewall on w/ block all.
*)
firewall 2
;;

esac
A script to automatically enable and disable the firewall (based on location in 10.6)
Authored by: edljedi on Oct 09, '09 03:30:53AM

Probably should have had networksetup be /usr/sbin/networksetup.
A script to automatically enable and disable the firewall
Authored by: CarlRJ on Jul 22, '09 02:49:19PM
Cute idea, and nice use of LaunchDaemons. Couple of points:
  1. There's a closing ")" missing on the end of the "vpn.yourcompany.com" line in the "case $NETWORK in" statement.
  2. The line:
      NETWORK=$(cat /var/run/resolv.conf | grep domain | awk '{print $2}')
    really deserves to be simplified to:
      NETWORK=$(awk '/domain/ {print $2}' /var/run/resolv.conf)
    Why run three commands when one will do?
Essentially, you're turning off the firewall when you're connected inside your company's offices. That's making the assumption that there's zero chance of any other machine in the office being infected/controlled by blackhats. I wouldn't want to make that assumption.

Personally, I turned off the Application Firewall, and set up a script to run at startup that configures a traditional ipfw firewall that blocks any traffic that I'm not expecting (no, I wouldn't recommend this approach for everyone; configuring ipfw involves a lot of details that most people won't want to deal with, and such a setup isn't particularly portable from one machine to another).

A script to automatically enable and disable the firewall
Authored by: dead2sin on Jul 24, '09 11:59:54AM

Thanks for that edit to the script. The first bracket got messed up because of formatting (I have it there on the original).

Using ipfw sounds like a decent idea (I hadn't really thought about it a whole lot previously). I find Apple's firewall to be rather annoying, especially with some applications that are unsigned.

I might look into that considering it's a much more secure solution.
A script to automatically enable and disable the firewall
Authored by: seewolf on Oct 01, '09 06:54:27AM

Does it run under 10.6?