Launchd network access control in Mac OS Lion
First of all, I've used pf extensively on OpenBSD so I know its rule set quite well. Even though I'm more used to the more recent versions.
However, I would like to know if there is a simpler way to regulate network access to launchd, or more specifically afp.
I tried putting ALL: ALL (or launchd: ALL and other combinations) into /etc/hosts.deny but I don't think launchd uses these files at all. Can someone please confirm this? hosts_options(5) shows extensions made to it, by Apple perhaps, yet I can't figure out how to reload launchd to use these files.
My solution right now is to block all connections to port port 548 and then only allow my home computers. To do this I've modified /etc/pf.conf as follows, added the last line.
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
include "/etc/pf.userrules"
And in /etc/pf.userrules which is my own creation that might get overwritten at the next Apple update.
block in inet proto tcp from any to port 548
pass in inet proto tcp from { 10.10.10.11, 10.10.10.12 } to port 548
This works, but I wish I could uses the hosts access files.
Solution 1:
launchd
doesn't use the libwrap
, as shown by the command:
nm -a /sbin/launchd | grep hosts
The fact that this command doesn't output anything means that
launchd
isn't using any entrypoint within the libwrap
library
of TCP wrapper.
This answer was checked on Snow Leopard
and Lion
.
On lion
for example, libwrap
is used by sshd
and not telnetd
nor launchd
:
% nm -a /usr/sbin/sshd | grep hosts U _hosts_access % nm -a /usr/libexec/telnetd | grep hosts %
The libwrap
library doesn't exist on Mountain lion.