How do I make an adaptive firewall blacklist address permanent.

Question

Level 1

28 points

How do I make an adaptive firewall blacklist address permanent.

I am using OS X Server version 5.0.15 running on El Capitain. I have started the adaptive firewall changed the firewall address in af.plist to use the IP address my server is listening to. When I add an IP address to the blacklist it is successful, but there is an expiry time of about 15 minutes. If I look at the contents of the blacklist the IP address is listed but it is removed after 15 minutes.

How do I make the entry permanent?

Mac mini (Late 2014), OS X Yosemite (10.10.1)

Posted on Mar 18, 2016 3:43 PM

Reply

Answer 1

DaiJohn Author

Level 1

28 points

Mar 20, 2016 12:10 PM in response to DaiJohn

I may have found a partial solution. Use terminal to add the ip address and use -t to specify a long time - like this...

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a xxx.xxx.xxx.xxx -t 200000

Maybe there is something to put after -t to specify till infinity and beyond. I will keep looking.

Reply

Answer 2

Mar 22, 2016 10:43 AM in response to DaiJohn

Hi DaiJohn,

Apple actually has some documentation of this. The following link will open the documentation regarding the adaptive firewall. There is some info in there about permanent blacklisting that may be what you are looking for.

https://help.apple.com/serverapp/mac/5.1/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB8 18

Regards,

Henry

Reply

Answer 3

DaiJohn Author

Level 1

28 points

Mar 22, 2016 11:48 AM in response to hgelderbloem

Thank for you reply. I have seen that documentation but I did not find it helpful. It mentions that you can add an entry permanently to the blacklist but it does not say how. All I have found (so far) is -

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a xxx.xxx.xxx.xxx

The -a flag adds the specified address to the blacklist but it gets removed after a few minutes. I have partially solved the problem by adding -t 200000 ; a long time. There has to be some flag that makes the entry permanent.

Dave

Reply

Answer 4

May 16, 2016 8:15 AM in response to DaiJohn

I don't believe the Adaptive Filter can be used for settings up permanent filters. You should probably set up rules using the Packet Filter (pf).

Reply

Answer 5

DaiJohn Author

Level 1

28 points

May 16, 2016 8:14 AM in response to Gino_Cerullo

Thank you very much. Being new to server I find I am learning new things from this community all the time. I have had a quick look at pf and indeed it looks like the way I need to go. I will mark you as the correct answer if I can learn how to use this site!

Dave

Reply

Answer 6

Sep 7, 2016 4:20 PM in response to DaiJohn

To expand on this, you could edit the blacklist file directly (located in /var/db/af/) to make the rule expire on some future date. The timestamp in the file is stored in what is called “Epoch Time” or “Unix Time,” so you’ll need a converter—like those available at epochconverter.com—to set the time to some very far, future date.

For example, if I wanted to block an IP address until September 7, 2046 at 12:00 PM GMT, I could use an epoch-time converter to produce the following line for the blacklist:

192.168.1.1 2419934400.00 0

That last number is a rule number that you could assign to the rule (based on whether or not you have other rules in the blacklist already).

Reply