Control Firewall from a Script or Command Line

There are a lot of searchable answers for controlling the firewall from the command line or a script out there, but none of them work in Mac OSX High Sierra. This suggestion is one such example. You can even change the integer passed to enable the firewall ("1") or block everything ("2"). Changes made via this command are reflected in the System Preferences user interface, but they are not made active. This is testable by using simple things such as ping, etc.


The same link above suggests that the firewall service/daemon needs to be restarted in order for these changes to take effect, but those commands do not work. Running

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
returns /System/Library/LaunchDaemons/com.apple.alf.agent.plist: Operation not permitted while System Integrity Protection is engaged. There are articles out there that discuss how to turn off System Integrity Protection too, but that seems like overkill for something as simple as this.


Does anyone have further ideas about how to 'restart' the firewall without all of this hassle?

Posted on Dec 19, 2017 2:47 PM
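An added check, not code from this thread, for the condition described above (the globalstate integer stored in /Library/Preferences/com.apple.alf changes, and the preference pane reflects it, but the firewall itself does not): it reads the stored value with defaults, reads the live state from /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate, and reports whether the two agree. The "State = N" output format of socketfilterfw is assumed from macOS behaviour; the parsing and comparison helpers are plain POSIX shell so they can be exercised on constructed input without a Mac.

```shell
#!/bin/sh
# Added example: detect a firewall whose stored preference and live state disagree.
# Assumptions: macOS paths below; socketfilterfw prints a line containing "State = N".

ALF_PLIST=/Library/Preferences/com.apple.alf
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map the globalstate integer to a label: 0 = off, 1 = on, 2 = block all incoming.
alf_label() {
    case "$1" in
        0) echo off ;;
        1) echo on ;;
        2) echo block-all ;;
        *) echo unknown ;;
    esac
}

# Pull the numeric state out of a --getglobalstate line such as
# "Firewall is enabled. (State = 1)" (format assumed, see lead-in).
live_state_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*State = \([0-9]\).*/\1/p'
}

# Compare the stored integer with the live one. Prints a one-line verdict and
# returns 1 on mismatch so a monitoring script can act on the exit status.
compare_states() {
    stored=$1
    live=$2
    if [ "$stored" = "$live" ]; then
        echo "consistent: stored=$(alf_label "$stored") live=$(alf_label "$live")"
        return 0
    fi
    echo "mismatch: preferences say $(alf_label "$stored") but firewall reports $(alf_label "$live")"
    return 1
}

# Live check; only meaningful on macOS where both tools exist. Returns 2 if they don't.
check_live_firewall() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found; not macOS?" >&2; return 2; }
    stored=$(defaults read "$ALF_PLIST" globalstate 2>/dev/null || echo unknown)
    live=$(live_state_from_line "$("$SFW" --getglobalstate)")
    compare_states "$stored" "$live"
}

# Usage: sh alf_check.sh --check
if [ "${1:-}" = "--check" ]; then check_live_firewall; fi
```

A non-zero exit from compare_states is the signal that the stored setting has not taken effect, which is exactly the state the ping test in the question exposes.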


Dec 22, 2017 11:31 AM in response to jiwils

The only way around it I can see would be to use user interface scripting to click the button for you.

Frankly that has been unreliable in the past & may not work well. It does interrupt a user as it controls the UI.

https://developer.apple.com/library/content/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/Auto…


I don't know if UI scripting is 'SIP aware', it may prevent any changes that try to get around security settings.


I'd probably opt for the brute force approach & reboot the Mac.


I think you may need to bite the bullet & disable SIP if you need to run commands that Apple have locked. csrutil has options to only disable certain parts so it may be possible to allow launchctl via one option, leaving other SIP features active - sorry I have not investigated this personally.


See csrutil -h in recovery mode.


Another alternative is to use your own duplicated service…

macos - "restricted" folder/files in OS X El Capitan - Stack Overflow (See post by empedocle)
