Soft lime

• SonicWall™ Mobile Connect for macOS is an app for Macs running Mac OS X El Capitan (10.11) or newer versions, including macOS High Sierra (10.13), that enables secure, mobile connections to private networks protected by SonicWall security appliances. Topics:. How Mobile Connect Works on page 3.
• Follow the steps in the flowchart below to avoid compatibility issues. Repairing an Endpoint that upgrade to an incompatible macOS version. If the macOS of an endpoint is upgraded before the SentinelOne Agent that supports the target version is available, the endpoint may experience unexpected behavior.

Based on my experience with the SE/30 and the Mac IIci/IIsi, I'd recommend System 7.1, and I'd also recommend installing it alongside a 32-bit clean ROM using the Mac ROM-inator II. The benefit of System 6 is the small size, low RAM requirements, and quick boot up. Use the directions below to turn on the Mac Firewall and then configure it if needed. Select the Apple menu in the upper left corner and then select System Preferences. Select Security & Privacy. Select the Firewall tab. Select the lock icon in the lower-left corner to unlock the settings.

PF

This post is material that comes from a slightly earlier version but is very relevant none the less. However, you should be aware that an OS Update will wipe out your existing pf.conf … very bad, because you won’t notice. What you should do is copy your pf.conf into a file that won’t be destroyed, for example, your domain-name.pf.conf and then, if your plist file, use that file name, not pf.conf.

This Mac is a Mac Mini 2012. July. It is NOT running Apple’s Server App. It IS running all the components of a server that I have either built myself or added with Homebrew. These include the following.

Apache 2.4, Postfix, Dovecot, Spamassassin, Amavis and numerous other small binaries needed to support them, and other things I’m doing.

This set of configurations are valid for OSX though, up to at least the latest macOS High Sierra Version 10.13.6. When the new release appears, I’ll check and update this post. That is, the sample pf.conf that follows this “tutorial” which in some cases is inaccurate… but mine works. It contains IPv6 settings as well as IPv4, and some settings that I’m working on as an experiment.

Remember, pf won’t work even if you load it, unless it’s Enabled. See below, and in the sample pf.conf.

Don’t forget to read the onboard man pages. $man pf.conf and $man pfctl

The Main Description

Mac OS X 10.6 (and earlier) came with IPFW, a port of FreeBSD’s stateful firewall^[1]. IPFW was deprecated in OS X 10.7, and was completely removed in OS X 10.10; it was replaced with PF. PF (Packet Filter) is OpenBSD’s system for filtering TCP/IP traffic and doing Network Address Translation^[2]. PF in OS X, however, appears to be based on the FreeBSD port of PF^[3], but with some notable additions (see below). Like FreeBSD 9.X and later, OS X appears to use the same version of PF as OpenBSD 4.5. Note that the latest OpenBSD version is 5.6 (as of January 2015);and the configuration syntax for PF changed around 4.6/4.7.

Apple has enhanced PF so that various system components might choose to enable and disable PF, as indicated by the following snippet in /etc/pf.conf:

These two flags, -E and -X, are absent from pfctl on other BSDs. Here’s how they are documented in pfctl(8):

The main PF configuration file is /etc/pf.conf, which defines the following main ruleset by default in OS X 10.9 & 10.10:

The main ruleset loads sub rulesets defined in /etc/pf.anchors/com.apple, using anchor^[4]:

The launchd configuration file for PF is /System/Library/LaunchDaemons/com.apple.pfctl.plist. PF is disabled by default:

Application Firewall

OS X v10.5.1 and later include Application Firewall that allow the users to control connections on a per-application basis (rather than a per-port basis)^[5]. Application Firewall is disabled by default.

After enabling the Application Firewall (System Preferences -> Security & Privacy -> -> ), you’ll find PF is enabled too:

Apparently Application Firewall enables PF using pfctl -E. In addition to its own rules, Application Firewall generates a set of dynamic rules (sub ruleset) for PF through anchor point com.apple/250.ApplicationFirewall. At this stage, the sub ruleset is empty, which got someone confused.

But if either “Enable stealth mode” or “Block all incoming connections” is checked in , dynamic rules for PF will indeed be created:

Note there is a bug in Apple’s implementation of PF! According to pfctl(8):

If the anchor name is terminated with a `*’ character, the -s flag will recursively print all anchors in a brace delimited block.

but it produces an error instead:

We have to use the full anchor path:

As you can see, a set of dynamic PF rules is created for AirDrop too. I surmise they are still created by Application Firewall, because according to the output of pfctl -s References, PF has only been enabled once, by Application Firewall.

Command Line

Besides using the Security & Privacy Preference pane, you can also configure the Application Firewall from the command line. The utilities for Application Firewall are stored in /usr/libexec/ApplicationFirewall. The default configuration file is /usr/libexec/ApplicationFirewall/com.apple.alf.plist; and the running configuration file is /Library/Preferences/com.apple.alf.plist^[6].

▸ Stopping and starting Application Firewall is easy enough, using launchd^[7]. To stop:

▸ To start:

We can configure the settings of Application Firewall using socketfilterfw:

pflog

Logging support for PF is provided by pflog. The pflog interface is a pseudo-device which makes visible all packets logged by PF. Logged packets can easily be monitored in real time by invoking tcpdump on the pflog interface.

▸ Create a pflog interface:

▸ Monitor all packets logged by PF:

▸ Destroy the pflog interface when done:

precedence

Mac Os Versions

If two firewalls, Application Firewall & PF, are running, you may wonder whose rules take precedence. Let’s find out.

The logs of Application Firewall are saved in /var/log/appfirewall.log. You’ll see a lot entries like the following, repeating roughly 2 times per minute on my iMac:

Add the following as the first rule of /etc/pf.conf:

Add the following 3 lines to /etc/pf.conf (to block incoming traffic but allow outgoing traffic):

The first rule is to allow incoming Bonjour traffic. In a hostile environment, e.g., a public WiFi, we’ll put the above 3 lines at the end of the file to block all incoming traffic, in which case, the sub rulesets in anchor “com.apple” will have no effect! Note For each packet or connection evaluated by PF, the last matching rule in the ruleset is the one which is applied. In work environment, you can put the 3 lines right above the line:

Reload /etc/pf.conf:

Show the currently loaded filter rules:

Check /var/log/appfirewall.log again. You’ll find no new log entry for Application Firewall appears in the file.

So one can conclude that PF rules are applied first, then the rules for Application Firewall.

SSH

To enable OpenSSH server on OS X, in the Sharing Preference pane of System Preferences, check “Remote Login”. Or from the command line:

launchctl(1) says such about the -w flag:

-w Overrides the Disabled key and sets it to false. In previous versions, this option would modify the configuration file. Now the state of the Disabled key is stored elsewhere on-disk.

but where exactly is the ‘elsewhere’? After some digging, I find it is /private/var/db/launchd.db/com.apple.launchd/overrides.plist.

However, I don’t like the default configuration for sshd. I prefer to have password authentication disabled. Add the following options to /etc/sshd_config:

Restart sshd:

Note to allow incoming traffics to the OpenSSH server through Application Firewall, you must allow incoming connections for /usr/libexec/sshd-keygen-wrapper, either in System Preferences -> Security & Privacy -> -> , or from the command line:

Configuring PF

The Application Firewall’s rule of allowing all incoming incoming traffics to the OpenSSH server offers no defense against brute force attack. Leaving the ssh port open on the internet, the server will get thousands of brute force login attempts each day. PF provides an elegant solution to this problem.

▸ Append the following lines to /etc/pf.conf (see Section 30.3.3.5. Using Overload Tables to Protect SSH of FreeBSD Handbook for an explanation):

▸ Reload /etc/pf.conf:

Over time, the table bruteforce will be filled by overload rules and its size will grow incrementally, taking up more memory. We can expire table entries using pfctl. For example, this command will remove bruteforce table entries which have not been referenced for a day (86400 seconds):

To automate the process, let’s create a timed job using launchd that runs the above command once per day^[8].

▸ Create a launchd configuration file /Library/LaunchDaemons/edu.ucsc.manjusri.pfctl-expire.plist, with the following content:

Spikewall Mac Os Download

▸ Start the timed job:

P.S. There are a few articles on the Internet on using PF on Mac OS X, but they often bypass the configuration file /etc/pf.conf^[9]. If one takes that route, one must disable the Application Firewall. Otherwise Application Firewall will enable PF using the ruleset in /etc/pf.conf. Only one ruleset will get loaded at last and become effective; but which one wins will probably be indeterministic or at least could be a surprise. I choose the approach described in this article, because:

1. I alway like to try something different
2. I prefer layered defense. In this case, I have 2 firewalls running on the Mac.

Spikewall Mac Os Downloads

References

1. ↑FreeBSD Handbook – IPFW
2. ↑PF: The OpenBSD Packet Filter
3. ↑FreeBSD Handbook – PF
4. ↑PF: Anchors
5. ↑OS X: About the application firewall
6. ↑krypted.com – socketfilterfw
7. ↑A launchd Tutorial
8. ↑Timed Jobs Using launchd
9. ↑Using pf on OS X Mountain Lion

Spikewall Mac Os Download

Sample pf.conf called by my .plist

Mac Os Catalina

Per ITS policy, all Macs on SU's network should have a firewall enabled. You can enable it using the following instructions:

1. Go to the  menu in the top left corner of your screen > System Preferences
   
2. In System Preferences, select Security & Privacy
   
3. Select the 'Firewall' tab
   

4. If you Firewall is off, click the button that says 'Turn On Firewall'

   Unable to turn on your firewall?

   Make sure the screen says it is unlocked for changes. If not, click on the lock icon in the bottom left corner of the window to unlock the settings. You will be prompted to enter the administrator password for the computer.

5. If the Firewall has been turned on, you will see a green light and the wording Firewall: On
   
6. Click on the lock icon to lock down the settings