Configuring Client Systems Remotely
Utilizing SSH, ARD (Apple Remote Desktop), or other management tools to deliver shell commands to your remote system, you can enable or disable the default firewall, turn stealth mode on and off, and allow or block signed applications using simple defaults write commands.
Using defaults write commands to turn on the firewall from the command line without adding any options enables default mode, which allows signed application network traffic and shared services traffic to pass.
Here’s how you configure the Application Firewall from the command line:
- From System Preferences, click the Security icon, click the Firewall tab, and, if locked, click the Lock icon in the lower left corner of the Security pane and authenticate. To turn off the firewall, click Stop.
- From Applications > Utilities, open the Terminal application and enter the following command to enable the Application Firewall in default mode:
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
- Enable the Allow Signed Applications option with the following defaults write command:
sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -int 1
- Enable Stealth Mode from the command line with the following defaults write command:
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
- To reverse any of these commands, simply rerun the command using a 0 as the integer instead of a 1. Be aware that changing the globalstate to 0 will disable the firewall.
Configuring a Dead Man’s Switch
When configuring client or server systems, you should take care that the rules you’re implementing don’t lock you out of the system. Configure an alternate path via a secondary interface—physical or virtual—that is not affected by the firewall, or that has different rules applied to it, to ensure that you can gain access if your rules accidentally deny access to SSH or other remote management tools like ARD.
Another technique you can use to protect yourself against accidental lockout is a dead man’s switch. This switch gets its name from the railroad industry, where the conductor’s throttle had a switch that required pressure at all times to keep the train moving. This was to slow the train to a stop if the conductor had a heart attack or, a more likely scenario, fell asleep.
For your purposes, a dead man’s switch enables a service but allows the administrator a temporary back door or other method to remediate an accidental lockout. A simple implementation of the dead man’s switch is a one-line set of bash commands that runs prior to activating the firewall.
- From Applications > Utilities, open the Terminal application.
- Issue the following set of commands on a single line to test a set of firewall rules with a dead man’s switch:
sudo ls; sudo serveradmin start ipfilter; sleep 90; sudo serveradmin stop ipfilter
This process will enable the firewall and automatically disable the firewall in 90 seconds, allowing you time to verify that your remote access tools (such as ssh or ARD) are still working with the firewall enabled. If not, you can correct your firewall settings and test again before going live with the firewall.
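The dead man's switch above reverts unconditionally after 90 seconds; the following added example (not from the book) generalizes it into a reusable POSIX sh function that takes the enable and disable commands as arguments and keeps the new rules only if the administrator confirms, over the remote session that must keep working, by creating a confirmation file before the timer expires. The function, the confirmation-file path and the stub commands in the comments are assumptions for illustration; it works equally for the serveradmin ipfilter commands and for the defaults write toggles on com.apple.alf shown earlier.

```shell
#!/bin/sh
# Dead man's switch wrapper (added example, not the book's own script).
# Usage: deadman_switch SECONDS "enable command" "disable command" [confirm_file]
# Runs the enable command, then polls once a second. If the confirm file
# appears before SECONDS elapse, the new rules stay in place (exit 0).
# Otherwise the disable command restores the known-good state (exit 1).
deadman_switch() {
  timeout_s=$1
  enable_cmd=$2
  disable_cmd=$3
  confirm_file=${4:-/tmp/deadman.confirm}   # assumed default path

  rm -f "$confirm_file"                      # never start with a stale confirmation
  sh -c "$enable_cmd" || return 2            # could not apply the rules at all

  elapsed=0
  while [ "$elapsed" -lt "$timeout_s" ]; do
    if [ -f "$confirm_file" ]; then
      rm -f "$confirm_file"
      return 0                               # admin still has access: keep rules
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done

  sh -c "$disable_cmd"                       # no confirmation: revert
  return 1
}

# Page scenarios (run as root or via sudo; commands shown for reference):
#   deadman_switch 90 "serveradmin start ipfilter" "serveradmin stop ipfilter"
#   deadman_switch 90 \
#     "defaults write /Library/Preferences/com.apple.alf globalstate -int 1" \
#     "defaults write /Library/Preferences/com.apple.alf globalstate -int 0"
# Then, from a fresh SSH or ARD session opened after the rules went live:
#   touch /tmp/deadman.confirm
```

If the remote session cannot be opened, the confirmation never arrives and the rules are rolled back without any further action from the administrator.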