How to setup the adaptive firewall

Solution 1:

After diving into the Adaptive Firewall once more I got the impression that the whole system is flawed and the documentation is a mess.

The command .../hb_summary apparently doesn't work at all because it seems to rely on the file /private/var/db/af/blockedHosts getting populated by ipfw which isn't activated in 10.9 (and wouldn't work with the 400.AdaptiveFirewall anchor). pf doesn't use the file blockedHosts at all.

The best you can do is the following:

  • Enable the Adaptive Firewall service

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl
    
  • Populate the whitelist with

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
    
  • Define max bad auth attempts (e.g. 3) and ban time (e.g. 60 minutes)

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T 3
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -H 60
    

    This will modify the file /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist.

    Check the mod with:

    sudo grep -m 2 -A 4 hostBlockThreshold /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist
    
  • Relaunch emond: sudo killall emond
  • Add known bad hosts for a long time:

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 104.16.35.178 -t 1000000
    

    (Please be aware of the y2038 problem). This will modify the file /private/var/db/af/blacklist. Hosts added here usually don't survive a reboot.

  • Start af with sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
  • To get blocked hosts enter:

    sudo pfctl -a com.apple/400.AdaptiveFirewall -t blockedHosts -T show -vvv
    

    To get pf's state enter sudo pfctl -s all.

This is tested with hostile ssh and openssl s_client -connect imapserver_ip:993 login attempts.


After a reboot the .../afctl -f command will start pf and af but in at least one of two cases it doesn't block hostile login attempts though it's announced in the log file.


Improvements:

After modifying the keys debugLevel and logEvents in the file /etc/emond.d/emond.plist:

    ...
    <key>debugLevel</key>
    <integer>3</integer>
    ...
    <key>logEvents</key>
    <true/>
    ...

creating the file /System/Library/LaunchDaemons/com.apple.afctl_boot.plist with the content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>com.apple.afctl_boot</string>
        <key>Program</key>
        <string>/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl</string>
            <string>-f</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

and loading it with:

    sudo launchctl load /System/Library/LaunchDaemons/com.apple.afctl_boot.plist

it seems to work more reliably. The Adaptive Firewall will be loaded at boot time. No further afctl launch command is required!
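As an added example (not part of the answer above, and not Apple's code), the following Python builds the same com.apple.afctl_boot job with plistlib instead of hand-written XML, checks the keys launchd needs before the file is loaded, and adds a y2038 check for the long `afctl -a host -t N` bans the answer warns about. It assumes N is in minutes, like `-H`; the answer does not state the unit.

```python
import plistlib
import time

# Paths and label exactly as given in the answer.
AFCTL = "/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl"
LABEL = "com.apple.afctl_boot"


def build_afctl_boot_plist() -> bytes:
    """Return XML plist bytes for a boot-time 'afctl -f' launchd job."""
    job = {
        "Disabled": False,
        "Label": LABEL,
        "Program": AFCTL,
        "ProgramArguments": [AFCTL, "-f"],
        "RunAtLoad": True,
    }
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)


def validate_launchd_job(data: bytes, expected_label: str) -> list:
    """Return a list of problems; an empty list means the job looks loadable."""
    job = plistlib.loads(data)
    problems = []
    if job.get("Label") != expected_label:
        problems.append("Label must match the file name (minus .plist)")
    args = job.get("ProgramArguments")
    if not isinstance(args, list) or not args:
        problems.append("ProgramArguments must be a non-empty array")
    elif "Program" in job and job["Program"] != args[0]:
        problems.append("Program and ProgramArguments[0] disagree")
    if job.get("RunAtLoad") is not True:
        problems.append("RunAtLoad must be true for a boot-time start")
    if job.get("Disabled") is True:
        problems.append("Disabled is true; the job will not be started")
    return problems


# Largest value a signed 32-bit time_t can hold (the y2038 limit).
INT32_MAX = 2**31 - 1


def ban_expiry_fits_int32(minutes: int, now: float = None) -> bool:
    """True if a ban of 'minutes' (assumed unit) expires before 2038-01-19."""
    now = time.time() if now is None else now
    return int(now) + minutes * 60 <= INT32_MAX
```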