
Resetting the firewall?

we have Yosemite on both of our Macs at home; an early-2008 Mac Pro and a 2013 iMac. the firewall on both of the Macs is broken.


when the firewall is broken, processes are listed instead of packages, and the firewall actually stops all traffic irrespective of the custom app settings. turning the firewall off and on again does not fix the problem. removing all processes from the custom list does not fix the problem. rebooting the Mac does not fix the problem. in the past, complete clean reinstallation of the OS did not fix the problem.


with Mavericks, I was able to delete the alf.plist file (/Library/Preferences/com.apple.alf.plist) and reboot to fix the problem. that's no longer possible with Yosemite because Yosemite seems to be caching the data and reinstating it after a reboot. the result is that the firewall is permanently broken.


both of our Macs are now exposed because their firewalls need to be turned off to allow file sharing and screen sharing to work. don't tell me that because we're behind an NAT router that we don't need our firewalls. that's rubbish!


I've reported this serious security bug to Apple multiple times. they've acknowledged it privately but have so far been unable to fix it.


does anyone know how to reset the firewall on Yosemite?

a Terminal command-line would be nice.

any other pref/setting/config files that I could delete to reset the firewall?


cheers,

Gregory

Mac Pro (Early 2008), OS X Yosemite (10.10), 20GB RAM, ATI Radeon HD 4870

Posted on Nov 6, 2014 7:13 PM
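
A Terminal check for the symptom described in the post above (bare processes in the firewall list instead of applications), as an added example that is not part of the original post. It assumes the `socketfilterfw --listapps` output looks like the constructed sample; the sample paths are made up.

```shell
#!/bin/sh
# Added example: list firewall entries that are bare processes rather than
# application bundles, the symptom described in this thread.

ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Read `socketfilterfw --listapps` text on stdin; print one path per line.
# Assumption: entry lines look like "1 :  /path/to/item".
list_paths() {
    sed -n 's|^[[:space:]]*[0-9][0-9]*[[:space:]]*:[[:space:]]*\(/.*\)$|\1|p' |
        sed 's|[[:space:]]*$||'
}

# Keep only paths that are not an .app bundle or a file inside one.
bare_processes() {
    list_paths | while IFS= read -r p; do
        case "$p" in
            *.app|*.app/*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample output; the paths are made up for illustration.
SAMPLE='ALF: total number of apps = 3

1 :  /Applications/Example.app
     ( Allow incoming connections )

2 :  /usr/libexec/example/kdc
     ( Allow incoming connections )

3 :  /Applications/Other Tool.app/Contents/MacOS/helper
     ( Block incoming connections )
'

# On a Mac, check the live list (run with sudo if the tool asks for it).
if [ -x "$ALF" ]; then
    "$ALF" --getglobalstate
    "$ALF" --listapps | bare_processes
else
    printf '%s\n' "$SAMPLE" | bare_processes
fi
```

An empty result means every listed entry is an application bundle or a file inside one.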

Question marked as Top-ranking reply

Posted on Nov 7, 2014 2:54 AM

I've attached a screen shot example of our broken firewall. note the three processes listed. in our experience, if you can see processes like these listed, then the firewall will no longer allow outside connections to any of the services you've activated.


[Image: user uploaded file]


I may have found a workaround for the problem.


1. remove all packages/apps/processes from the list.

2. turn off the Firewall.

3. turn off all services in their respective Preference panes; e.g., the Sharing pane.

4. turn on the services you need.

*then*

5. turn on the Firewall

when asked if you wish to allow outside connections to 'kdc', click Allow.


that seems to clean up the Firewall list and allow the sharing services to work as expected; i.e., you can't activate services while the Firewall is turned on.


cheers,

Gregory


Dec 14, 2014 8:28 PM in response to Kevin Bandura

that worked before Yosemite.


I've found that I can usually reset the firewall now by:

  1. open Security & Privacy/Firewall/Firewall Options and delete all of the services/processes/applications.
  2. turn off the Firewall.
  3. turn off all Sharing services.
  4. turn on the Sharing services I need.
  5. turn on the Firewall.


at this point, I usually get asked to allow/reject access to a process (not application) called 'kdc'. I allow this process because it seems to be involved in the Firewall process itself. when I then open Firewall Options, the 'kdc' process will however not be listed, and the Firewall seems to work as expected.


fortunately, this method seems to work and doesn't require a Reboot... at least for now.



I don't know if it matters, but I've also changed another security aspect on our Macs. I now have a dedicated Admin account. our 'people' accounts no longer have admin privileges. someone here in the discussions community suggested this for better security and it makes a lot of sense. this change means that during the Firewall reset procedure above, I have to enter the admin's account/password 3 or 4 times but I don't mind the extra hassle for the extra security.


Nov 6, 2014 7:33 PM in response to Gregory Rivers

don't tell me that because we're behind an NAT router that we don't need our firewalls. that's rubbish!

You may think it is rubbish, but it is true. And, since most people are behind routers, that's one of the reasons why the firewall is off by default.


Nov 6, 2014 7:54 PM in response to Gregory Rivers

Gregory Rivers wrote:


we have Yosemite on both of our Macs at home; an early-2008 Mac Pro and a 2013 iMac. the firewall on both of the Macs is broken.


when the firewall is broken, processes are listed instead of packages,

Some firewalls filter packets, but I haven’t heard of one that filters packages.

The Mavericks and Yosemite firewall is an application firewall. It prevents traffic based on the process, not the port.

If you want it to be a packet filter, you can edit the pf.conf file using pfctl.


Dec 14, 2014 8:54 PM in response to Gregory Rivers

What are you doing on your mac that requires those processes to be allowed through the firewall?


I've been running with my firewall on for years on multiple types of networks, private, public, university, etc. and I've not encountered needing to allow those processes you've listed through the firewall.


Note, kdc - kerberos key distribution center (Single sign-on for network accounts, server connections, screen sharing etc.)

Kerberos is very important for any kind of network-based authentication.


Dec 15, 2014 12:24 AM in response to chattphotos

I don't add the processes. the system does. they're part of the 'packages' that get activated whenever a Sharing service is turned on. usually, you don't see the processes listed separately in Firewall Options, but for the last 5 to 7 years, I get this kind of list whenever I reboot my Mac. at the same time, the services stop working because the Firewall then blocks everything coming in to the Mac.


nothing special installed on my Macs. just normal services turned on, including File sharing and Screen sharing.


Apple has been unable to pinpoint the problem in all this time. since you're not seeing it, I have to wonder if it's specific to non-USA located Macs. we're in Hong Kong. I can reliably repeat the problem with newly installed systems on multiple devices including an iBook, a Macbook Pro, a Mac Pro 2008 and an iMac 2013.
