How to debug macOS firewall? My application layer firewall (ALF) is not logging or blocking
macOS firewall (ALF) socketfilterfw doesn't seem to be running properly on macOS Catalina 10.15.2 ...
Any ideas on how to troubleshoot / debug the built-in macOS application layer firewall?
Solution 1:
Check ALF launch daemon is running
$ sudo launchctl list | grep alf
275 0 com.apple.alf
$ ps -ax | grep socketfilterfw
0 529 0:00.01 /usr/libexec/ApplicationFirewall/socketfilterfw
I have restarted a few times and reloaded the launch daemons with launchctl unload and load:
unload firewall for editing
$ sudo launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ sudo pkill -HUP socketfilterfw
load firewall
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ sudo launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
console.log
socketfilterfw setting fw.verbose fails
socketfilterfw cannot open file at line 43353 of [378230ae7f]
socketfilterfw os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
system.log
com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.socketfilterfw.467): - -Failed to bootstrap path: path = /usr/libexec/ApplicationFirewall/socketfilterfw, error = 108: Invalid path
socketfilterfw config
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Firewall is enabled. (State = 2)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt
Log Option is brief
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall
Firewall is set to block all non-essential incoming connections
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
Automatically allow built-in signed software DISABLED
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
Stealth mode enabled
viewing alf.log and appfirewall.log -- empty
$ cat "/private/var/log/appfirewall.log" | wc -l
0
$ cat "/private/var/log/alf.log" | wc -l
0
running /usr/libexec/ApplicationFirewall/socketfilterfw manually
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l (-l for "Do logging and run in daemon mode.")
The value of the token is 15675822025110658885
kill running FW
Changetrustmode sw_msg_hdr len: 8 type: changetrustmode (13)
BLOCKALLSYSTEMWISE
WriteRules sw_msg_hdr len: 88 type: proc_rules (1) proc_name: proc_id: 0 rule_type: 7 rules: tc: 0x1010 tl: 0x100 tb: 0x100 uc: 0x1010 ub: 0x100
TRUSTEDAPPS httpd
WriteRules sw_msg_hdr len: 88 type: proc_rules (1)
proc_name: httpd proc_id: 0 rule_type: 2 rules: tc: 0x11 tl: 0x100 tb: 0x100 uc: 0x11 ub: 0x100
.
.
.
ALF: total number of exceptions = 9
ALF app_paths = 0x53600650 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/libexec/configd to list
ALF app_paths = 0x536007c0 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/sbin/mDNSResponder to list
ALF app_paths = 0x53600830 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/sbin/racoon to list
ALF app_paths = 0x536008a0 app_bundleid = 0x0
.
.
.
ALF: total number of explicits = 7
Changelogmode sw_msg_hdr len: 8 type: changelogmode (12) flag: 0x1
Changelogopt sw_msg_hdr len: 8 type: changelogopt (15)
Adding SCDynamicStoreCreateRunLoopSource to runloop
alfCallback name = com.apple.alf object = FirewallDaemonstarted
zsh: killed sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l
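As an added example, not part of the question or the answer above: a small Python helper that parses the socketfilterfw outputs quoted in this answer and flags the symptom it describes, an enabled firewall whose log files stay empty. The query flags and log paths are the ones used above; collect() is assumed to run only on macOS with sudo, and the SAMPLE_* values are constructed from the quoted output.

```python
import re
import subprocess

SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
QUERIES = ("--getglobalstate", "--getloggingopt", "--getblockall",
           "--getallowsigned", "--getstealthmode")
LOGS = ("/private/var/log/appfirewall.log", "/private/var/log/alf.log")

def parse_global_state(text):
    """'Firewall is enabled. (State = 2)' -> 2; None if the line is unreadable."""
    m = re.search(r"State = (\d+)", text)
    return int(m.group(1)) if m else None

def parse_daemon_log(daemon_log):
    """Verbose 'socketfilterfw -l' output -> (trusted proc names, exception paths)."""
    # WriteRules records with an empty proc_name (system-wide rules) do not match.
    procs = re.findall(r"proc_name:\s*(\S+)\s+proc_id:", daemon_log)
    paths = re.findall(r"ALF: insert .*? path (\S+) to list", daemon_log)
    return sorted(set(procs)), paths

def diagnose(outputs, log_line_counts):
    """outputs: flag -> socketfilterfw stdout; log_line_counts: log path -> line
    count (-1 if unreadable). Returns findings; an empty list means nothing odd."""
    findings = []
    state = parse_global_state(outputs.get("--getglobalstate", ""))
    if not state:
        findings.append("firewall globally off or state line unreadable")
    elif all(n == 0 for n in log_line_counts.values()):
        findings.append("firewall enabled but every log file is empty: "
                        "check console.log for socketfilterfw open() errors")
    return findings

def collect():
    """macOS only, needs sudo: run the real queries and count log lines."""
    outputs = {f: subprocess.run(["sudo", SFW, f], capture_output=True,
                                 text=True).stdout for f in QUERIES}
    counts = {}
    for path in LOGS:
        try:
            with open(path) as fh: counts[path] = sum(1 for _ in fh)
        except OSError:
            counts[path] = -1
    return outputs, counts

# Constructed sample reproducing outputs quoted in the answer above.
SAMPLE_OUTPUTS = {"--getglobalstate": "Firewall is enabled. (State = 2)\n"}
SAMPLE_DAEMON_LOG = """\
WriteRules sw_msg_hdr len: 88 type: proc_rules (1) proc_name: proc_id: 0 rule_type: 7
proc_name: httpd proc_id: 0 rule_type: 2 rules: tc: 0x11 tl: 0x100 tb: 0x100
ALF: insert bundleid 0x0 alias 0x0 path /usr/libexec/configd to list
"""
```

On a Mac, `diagnose(*collect())` runs the same checks against the live daemon.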