Launchd network access control in Mac OS Lion

First of all, I've used pf extensively on OpenBSD so I know its rule set quite well. Even though I'm more used to the more recent versions.

However, I would like to know if there is a simpler way to regulate network access to launchd, or more specifically afp.

I tried putting ALL: ALL (or launchd: ALL and other combinations) into /etc/hosts.deny but I don't think launchd uses these files at all. Can someone please confirm this? hosts_options(5) shows extensions made to it, by Apple perhaps, yet I can't figure out how to reload launchd to use these files.

My solution right now is to block all connections to port port 548 and then only allow my home computers. To do this I've modified /etc/pf.conf as follows, added the last line.

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
include "/etc/pf.userrules"

And in /etc/pf.userrules which is my own creation that might get overwritten at the next Apple update.

block in inet proto tcp from any to port 548
pass in inet proto tcp from { 10.10.10.11, 10.10.10.12 } to port 548

This works, but I wish I could uses the hosts access files.


Solution 1:

launchd doesn't use the libwrap, as shown by the command:

nm -a /sbin/launchd | grep hosts

The fact that this command doesn't output anything means that launchd isn't using any entrypoint within the libwrap library of TCP wrapper.

This answer was checked on Snow Leopard and Lion.

On lion for example, libwrap is used by sshd and not telnetd nor launchd:

% nm -a /usr/sbin/sshd | grep hosts
                 U _hosts_access
% nm -a /usr/libexec/telnetd | grep hosts
%

The libwrap library doesn't exist on Mountain lion.