open ports mac firewall - PORTS not APPS

Question

Level 1

15 points

open ports mac firewall - PORTS not APPS

In the OS X Snow Leopard firewall interface, there is no longer a menu or dropdown in the preference pane that allows you to open specific ports. I previously used this option with other versions of OS X when I wanted to manually open a specific port. I am now getting ready to host some services that will be accessible from outside. I have verified that all of the necessary ports are not blocked by my ISP, and I have also verified that these ports are being forwarded correctly through the NAT and firewall of my router. In other words, if I turn off the OS X firewall, I can go outside my local network and access the ports (they respond as "refused" because there is no service running, but they can't respond as "refused" unless the port is accessible.) But if I turn the OS X firewall back on, and go outside my local network, the requests all time out, showing there is not access to the ports.

So it is definitely the OS X firewall doing the blocking. Here is a screenshot of the Snow Leopard preferences pane, where in all OS X versions before you could add a new service by creating a service and specifying the port. User uploaded file

One would think you could add a service simply by clicking the plus sign. But you do not get that option anymore. Instead, the plus sign opens a file browser that lets you select an app. According to what I've read, selecting an app automagically opens the ports for that app. But this does not seem to apply to things that you cannot browse to.

Thanks.

Posted on Jun 22, 2011 9:24 AM

Reply

Answer 1

Jun 22, 2011 9:28 AM in response to raresilk

Little Snitch allows you to block and allow different ports.

Reply

Answer 2

Jun 22, 2011 9:39 AM in response to raresilk

You are correct. The Firewall is functioning just like it has been designed. You can also add command line applications to the list.

Mac OS X v10.5, 10.6: About the Application Firewall

ipfw via Terminal is another option.

Reply

Answer 3

raresilk Author

Level 1

15 points

Jun 22, 2011 12:52 PM in response to J D Knight III

JD, I've seen the support page you linked to several times in my searches, and I don't see where it explains how to add command line applications to the list. The only thing that pops up when you select the plus sign is a Finder browser. I'd be happy to add the command line applications FROM the command line - in fact, that's exactly the information I'm looking for. But nothing in this support page describes that process.

That is probably a function implemented only in ipfw, and I have also read the man page for ipfw from Terminal. I did read it all of the way through, and it gave a lot of information for very complex configurations which I'm sure is valuable to many people, but as far as a straightforward example syntax of what you do in order to open one or two ports, period, I couldn't find that. So that's also probably the information I'm looking for - someone who has configured ipfw simply to open a port and can show me their simple config file.

Reply

Answer 4

raresilk Author

Level 1

15 points

Jun 22, 2011 12:56 PM in response to chrisfromhopewell

Chris, I've heard of Little Snitch, and I may wind up going that way. However, $50 USD seems a bit steep when all I really need to do is open a couple of ports in the Apple firewall. I have plenty of monitoring on my NAT firewall, and all I have to do to get port forwarding at that level is the usual thing. This has to be a simple config file edit, somewhere, that's documented somehow, that someone has done before and didn't have to pay $50 bucks just to do this one thing. At least I hope so . . . .

Reply

Answer 5

raresilk Author

Level 1

15 points

Jun 22, 2011 12:59 PM in response to raresilk

And yes, the truly elegant solution is just to turn off the Apple firewall permanently, since my NAT has a firewall. But I like the idea of keeping redundant protection for the ports I don't need open in either direction.

Reply

Answer 6

Jun 22, 2011 1:16 PM in response to raresilk

raresilk wrote:

JD, I've seen the support page you linked to several times in my searches, and I don't see where it explains how to add command line applications to the list. The only thing that pops up when you select the plus sign is a Finder browser.

True the page doesn't tell you how to make a command line application.

You make one like you would for any other repeating task. Use Automator, create an Application that contains Run Shell Script. Then you just link to that app you created. Any process calling for ports should be a sub of the named app and act like any other app.

Reply

Answer 7

Barney-15E

Level 10

122,144 points

Jun 22, 2011 4:50 PM in response to raresilk

Just use the built-in ipfw. Wateroof is a third-party GUI, or just read up on configuring ipfw.

While it talks about the old firewall in Tiger, this article discusses how to configure ipfw, and it has links to Wateroof and other ipfw tools.

Reply

Answer 8

Linc Davis

Level 10

209,739 points

Jun 22, 2011 4:59 PM in response to raresilk

Turn off the built-in firewall and configure port forwarding in your router. Your server needs to have a manually assigned IP address on the local network, not a DHCP address. That's all you need to do.

Reply