So.. you turned on the firewall on your remote Mac, and now you've locked yourself out of Screen Sharing? Good work. I've... err... never done that before.

You can turn off the firewall by setting the global state to 0:
Then just restart the firewall agent services:
And presto! You're back into your Mac! This command lets you turn the built-in OS X firewall on and off, for both specific services and essential services. It works with OS X 10.5, 10.6, 10.7 and 10.8. It also works via Apple Remote Desktop.

The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall, and you will still use socketfilterfw there for much of the heavy lifting. However, socketfilterfw now has many more helpful and functional options that make the firewall easier to script. Some tricks I’ve picked up with the Mac Firewall/alf scripting:
    /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

To see if block all is enabled:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

The output would be as follows, if successful:

    Firewall is set to block all non-essential incoming connections

A couple of global options can also be set. Stealth Mode:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

To check if stealth mode is enabled:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode

Firewall logging:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail

To start the firewall:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

To check if you allow signed apps:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

This will allow all TRUSTEDAPPS. The --listapps option shows the status of each filtered application:

    /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

To check if an app is blocked:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getappblocked /Applications/MyApp.app/Contents/MacOS/myapp

This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd).
If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):

    /usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, verify the signature:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall 2

Once signed, trust the application using the --add option:

    /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp

To see a list of trusted applications, use the -l option as follows (the output is pretty ugly and needs to be parsed better):

    /usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn’t for you, disable it:

    /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

To sanity check whether it’s started:

    /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Or to manually stop it using launchctl (should start again with a reboot):

    /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall 7

If you disable the firewall using launchctl, you may need to restart services for them to work again.
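
The settings above collected into one script, as an added example rather than code from the original post. The FW, DRY_RUN and FORCE_BLOCKALL variables and the function names are assumptions made here, and the SSH_CONNECTION check only detects SSH sessions, not Apple Remote Desktop.

```bash
#!/bin/bash
# Added example: apply the socketfilterfw settings from the article in one pass.
# FW, DRY_RUN and FORCE_BLOCKALL are names chosen for this example.
FW="${FW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

run_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$FW $*"
    else
        "$FW" "$@"
    fi
}

# Block-all drops non-essential incoming connections, so refuse it from an
# SSH session unless the operator explicitly forces it.
blockall_is_safe() {
    [ -z "${SSH_CONNECTION:-}" ] || [ "${FORCE_BLOCKALL:-0}" = "1" ]
}

# $1 = on|off for block-all; remaining arguments = binaries to trust.
apply_baseline() {
    want_blockall="$1"; shift
    run_fw --setglobalstate on || return 1
    run_fw --setstealthmode on
    run_fw --setloggingmode on
    run_fw --setloggingopt detail
    run_fw --setallowsigned on
    for bin in "$@"; do
        case "$bin" in
            *.app|*.app/)
                echo "skip $bin: pass the binary, not the .app bundle" >&2
                continue ;;
        esac
        run_fw --add "$bin"
    done
    if [ "$want_blockall" = "on" ]; then
        if blockall_is_safe; then
            run_fw --setblockall on
        else
            echo "refusing --setblockall on from a remote session" >&2
            return 2
        fi
    fi
}

# Run as: DRY_RUN=1 ./script off /Applications/MyApp.app/Contents/MacOS/myapp
if [ $# -gt 0 ]; then apply_baseline "$@"; fi
```

Review the dry-run output first, then run with DRY_RUN=0 as root to apply it.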