DaiJohn

Q: How do I make an adaptive firewall blacklist address permanent.

I am using OS X Server version 5.0.15 running on El Capitan. I have started the adaptive firewall and changed the firewall address in af.plist to use the IP address my server is listening on. When I add an IP address to the blacklist it is successful, but there is an expiry time of about 15 minutes. If I look at the contents of the blacklist the IP address is listed, but it is removed after 15 minutes.


How do I make the entry permanent?

Mac mini (Late 2014), OS X Yosemite (10.10.1)

Posted on Mar 18, 2016 3:43 PM


  • DaiJohn (Level 1, 32 points), Mar 20, 2016 12:10 PM, in response to DaiJohn (Solved answer)

    I may have found a partial solution. Use terminal to add the ip address and use -t to specify a long time - like this...


    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a xxx.xxx.xxx.xxx -t 200000


    Maybe there is something to put after -t to specify till infinity and beyond.  I will keep looking.

  • hgelderbloem (Level 1, 0 points), Mar 22, 2016 10:43 AM, in response to DaiJohn

    Hi DaiJohn,

    Apple actually has some documentation of this. The following link will open the documentation regarding the adaptive firewall. There is some info in there about permanent blacklisting that may be what you are looking for.


    https://help.apple.com/serverapp/mac/5.1/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818


    Regards,

    Henry

  • DaiJohn (Level 1, 32 points), Mar 22, 2016 11:48 AM, in response to hgelderbloem

    Thank you for your reply. I have seen that documentation but I did not find it helpful. It mentions that you can add an entry permanently to the blacklist but it does not say how. All I have found (so far) is:


    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a xxx.xxx.xxx.xxx

    The -a flag adds the specified address to the blacklist, but it gets removed after a few minutes. I have partially solved the problem by adding -t 200000; a long time. There has to be some flag that makes the entry permanent.

    Dave

  • Gino_Cerullo (Level 3, 553 points), May 16, 2016 8:15 AM, in response to DaiJohn (Helpful)

    I don't believe the Adaptive Filter can be used for setting up permanent filters. You should probably set up rules using the Packet Filter (pf).

  • DaiJohn (Level 1, 32 points), May 16, 2016 8:14 AM, in response to Gino_Cerullo

    Thank you very much.  Being new to server I find I am learning new things from this community all the time.  I have had a quick look at pf and indeed it looks like the way I need to go.  I will mark you as the correct answer if I can learn how to use this site!


    Dave

  • M. H. Sarmiento (Level 1, 4 points), Sep 7, 2016 4:20 PM, in response to DaiJohn

    To expand on this, you could edit the blacklist file directly (located in /var/db/af/) to make the rule expire on some future date. The timestamp in the file is stored in what is called “Epoch Time” or “Unix Time,” so you’ll need a converter—like those available at epochconverter.com—to set the time to some very far, future date.


    For example, if I wanted to block an IP address until September 7, 2046 at 12:00 PM GMT, I could use an epoch-time converter to produce the following line for the blacklist:

    192.168.1.1 2419934400.00 0

    That last number is a rule number that you could assign to the rule (based on whether or not you have other rules in the blacklist already).
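As an added example (not code from any post in this thread, nor from Apple's afctl), here is a small Python helper built around the three-field blacklist layout M. H. Sarmiento describes: it converts a GMT date to Unix time, parses the file, flags entries that will drop off within the default 15 minutes, and appends an entry with the next free rule number. The exact field order and separators, and the sample entries, are assumptions constructed for the example, not taken from a real /var/db/af/ file.

```python
import calendar
import ipaddress

# Assumed file format, as described in the post above: one entry per line,
# "<ip> <expiry as Unix time, float> <rule number>". The field order and
# whitespace separators are an assumption; compare with your own blacklist
# file under /var/db/af/ before writing to it.

# Constructed sample file (not a real blacklist): one short-lived entry of the
# kind the adaptive firewall adds itself, and one with a far-future expiry.
SAMPLE = """\
203.0.113.5 1458340900.00 0
192.168.1.1 2419934400.00 1
"""

def expiry_epoch(year, month, day, hour=0, minute=0):
    """Unix time (seconds since 1970-01-01 00:00 UTC) for a date given in GMT."""
    return calendar.timegm((year, month, day, hour, minute, 0))

def parse_blacklist(text):
    """Return (ip, expiry, rule) tuples; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        ip, expiry, rule = fields
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        entries.append((ip, float(expiry), int(rule)))
    return entries

def expiring_soon(entries, now, within_seconds=15 * 60):
    """Entries that will drop off the list within `within_seconds` of `now`."""
    return [e for e in entries if e[1] - now <= within_seconds]

def add_entry(text, ip, expiry):
    """Append an entry with the next free rule number and return the new file text."""
    entries = parse_blacklist(text)
    ipaddress.ip_address(ip)
    if any(e[0] == ip for e in entries):
        raise ValueError(f"{ip} is already in the blacklist")
    next_rule = max((e[2] for e in entries), default=-1) + 1
    body = text.rstrip("\n")
    return (body + "\n" if body else "") + f"{ip} {expiry:.2f} {next_rule}\n"
```

expiry_epoch(2046, 9, 7, 12, 0) reproduces the 2419934400 value shown in the post, so the conversion can be checked against a known date before it is used for anything else.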